The fraudsters ran their campaigns from the cloud and used phishing attacks and email forwarding rules to steal financial information

Microsoft has shut down a sprawling Business Email Compromise (BEC) operation that had its infrastructure hosted in several web services. Using these cloud-based assets, the threat actors infiltrated hundreds of mailboxes across multiple organizations and got their hands on sensitive financial data.

“Attackers used this cloud-based infrastructure to compromise mailboxes via phishing and add forwarding rules, enabling these attackers to get access to emails about financial transactions,” said Microsoft.

Partly thanks to their use of multiple web services, the threat actors were able to stay under the radar. To confound detection, they would carry out their activities for different IPs and timeframes, which made them hard to track, since it didn’t appear that their actions were connected or part of a larger operation.

To gain a foothold in their target’s systems, the attackers started with a phishing attack through which they stole login credentials and gained entry to the mailboxes, and then set up email forwarding rules. Microsoft highlighted that multi-factor authentication is a useful tool in preventing such attacks.

The phishing email contained an HTML attachment masquerading as a voice message. Once the victim clicked on the attachment it would manifest as a Microsoft sign-in page with the username already filled out – much like normal enterprise login pages operate.

However, once the target entered their password and attempted to sign in, the page would generate a “file not found” error message. Meanwhile, the login credentials would be sent to the attackers. From there on, they set up the forwarding rules and the BEC campaign could begin in earnest.

“These forwarding rules allowed attackers to redirect financial-themed emails to the attacker-controlled email addresses [email protected] and [email protected]. The attackers also added rules to delete the forwarded emails from the mailbox to stay stealthy,” Microsoft explained.

Once the company uncovered the operation, it worked with law enforcement agencies and industry partners to take down the infrastructure powering the scam operation.

BEC scams – a costly and perennial problem

According to the FBI’s 2020 Internet Crime Report, BEC scams are the costliest scam, as losses emanating from 19,000 reports of these scams reached a total of nearly US$2 billion last year. It is worth noting that losses from BEC scams amounted to more than the combined losses from the next six costliest types of cybercrime combined.