A Chain of Business Email Compromise and Phishing Attacks

Attackers use an array of phishing methods to chain Business Email Compromise fraud and credential theft to impact multiple victims.

Ironshare were recently contacted by a customer who reported receiving a suspicious email from one of their clients. This post will share some of the evidence we found during the analysis of what first seemed like a typical phishing attack.

After initial investigation we started to identify this as a chain of attacks that spanned multiple organisations and victims. We witnessed four organisations that were involved in the overall attack.

Impact Summary

Here is a summary of how the four companies were impacted.

  • Company A
    • Successful phishing attack originating via email
    • Compromised email account
    • Attempted Business Email Compromise fraud (success unknown)
    • Email account used to forward phishing attacks to Company A’s partners.
  • Company B
    • Receives an email from Company A with an attached malicious word document containing links to a credential stealing web form.
    • Successful attack resulting in a compromised email account of a company director
    • Attacker attempts Business Email Compromise fraud by sending a modified version of a recent invoice from Company C, to the accounting team, containing the bad guys bank details.
    • User flags this as unusual and prevents the transfer of funds.
    • Director’s email account is used to forward phishing email to Company C’s.
  • Company C (our customer)
    • Multiple personnel in Company C receive an email from Company B containing a link to a proposal document.
    • Company C report this suspicious email to Ironshare for review as it has come from one of their customers.
    • Link directs to a compromised Microsoft OneNote account page that contains another link to a supposed proposal document.
    • Link actually forwards the users to typeform.com and not a document, where a malicious form has been setup to steal the credentials for common email services.
    • Early suspicions from the users meant that although the link was clicked by 1 person no accounts were compromised.
  • Company D
    • This company was likely compromised prior or in parallel to the Company A & B.
    • Although the vector used is unknown, its likely this was also an email phishing attack.
    • A compromised office 365 account was used to host the proposal document link in OneNote, that we saw during attack on Company C.

Evidence

Unfortunately we could not get access to samples of all the evidence from each company but include here some of the key items we can share.

After successfully compromising the directors email account at Customer B, the attackers used this access to perform Business Email compromise fraud. They intercepted an email from Company C which contained an invoice for a recent purchase. This was sent from the director to the accounting team.

Instead of just modifying the existing invoice the attackers decided to take the content and copy into a template of their own and for some reason slightly the total invoice value. This invoice looks nothing like the original and combined with the change of value triggered the user to suspect this as malicious activity.

Thankfully the accounting team did not have access to transfer funds, they identified this as highly suspicious, meaning the BEC attack was not successful.

CompB BEC Invoice

The directors account was then used to send the below phishing email to Company C’s personnel who were included in the above invoice email.

As you can see the email was not particularly convincing in terms of its content. It did not look like or represent an normal email from director, but it did come from an other wise trusted source email address.

CompC Phishing email

Unsure of the where this link would take us, we ran the URL through our Threat Grid sandbox as per our normal process to determine its intent.

As stated in the email, clicking the link did take us to a Microsoft OneNote subscription belonging to Company D. The OneNote page was amended to allow Guest access, with an image and another link added to represent the supposed proposal.

CompD OneNote

The image doesn’t represent a valid proposal. It’s heavily blurred content are barely readable, but we can just make out this reads as a Consulting Proposal Template, most possibly just downloaded from an online template site.

CompD OneNote Proposal Image

Once the Click to view proposal link in the OneNote page is accessed you are redirected to TypeForm.com, where a malicious form has been poorly branded as an Office 365 sign in page.

We have a few red flags here including the address pointing to typeform.com instead of OneDrive, the site display name and the branding of the page looks nothing like an official Microsoft sign in page.

CredStealerForm1

The form tries to convince the users to sign in to view the document, in an attempt to steal the users credentials (email and password).

By clicking the sign in button, a new page is loaded that asked to select a email domain. A drop down menu list is displayed, containing some of the common email domains, showing the attackers are not precious about grabbing user details to maximise the service they can compromise.

CredStealerForm2

Once the user has selected the email domain the form then proceeds to request the email and password of the users account.

CredStealerForm5

Once the users details are entered, they are captured and stored for the attackers later use and this page is displayed which likely confuses the user.

This may have well read: ‘Thanks for providing your details we now have access to your account!’

Conclusion

We recently worked with our customer to investigate a potential new phishing threat that was not blocked or flagged by their email security. This wasn’t detected as it used trusted emails and common cloud services listed as safe, to complete the attack. After initial investigation we identified that one of their customers had been compromised.

After talking to Company B we started to understand the wider attack and they informed us of another party who were involved. Leading to a total of four organisations that were visible to us.

Ironshare liaised with Companies B, C & D, informing them of the threat and identified account compromises.

Our MSP blocklists were updated to prevent access to the domains and URLs, so that all our customer were protected.

We submitted these threats to both Cisco Umbrella and Phish Tank to review and place these into their global blocklists, while we work with Company D to take down the content from their OneNote account.

These types of chained phishing attacks are not a rare occurrence, and happen more often that you think, but this was the first time we had investigated different vectors that had touched this number of companies.

Thankfully for our customer, the security awareness we have been performing has helped to educate their users to identify phishing threats such as this, and prevented their users  from being compromised themselves.

Now for the techie bits

Below are some of the IOCs we witnessed during this investigation:

Domains

weaorg-my.sharepoint[.]com

onedrive98343.typeform[.]com

URLs

httpx://weaorg-my.sharepoint[.]com/:o:/g/personal/showarth_wea_org_uk/EgFuQlDGDn1AuTE3qNs3maYBoK02d7Wb1U-TnF_kxfl0Iw?e=pCfEJP

httpx://onedrive98343.typeform[.]com/to/Az32Z8If

Ironshare – Security Simplified

CyberAssessment
CyberRound-UpSignUpBanner