Mitiga uncovered a widespread and well-executed Business Email Compromise (BEC) campaign in which cybercriminals are impersonating senior executives using Office 365’s email services in order to intercept sensitive communications and then alter wire transfer details and redirect funds to rogue bank accounts.

Our investigation revealed the following pattern

1. All of the threat actor’s rogue email accounts utilized Office 365 in order to reduce suspicious discrepancies and avoid malicious detection systems.

2. All of the rogue domains used in this campaign have been registered on Wild West Domains (a domain registrar owned by GoDaddy).

3. The rogue domains imitated those of legitimate businesses.

Based on this pattern, Mitiga has identified that over 150 organizations may have been impacted worldwide. To the best of our knowledge, this BEC campaign has successfully netted over $15M to date (and counting).

All pertinent details of our investigation have been provided to both law enforcement and Microsoft.

Background on Global BEC Campaign

Mitiga was called-in to investigate a large commercial transaction that was severely compromised. While we cannot divulge specific details about our client and the exact context in which the attack took place, we can state that it was part of a multi-million-dollar global transaction.

Our investigation determined that the threat actor’s attack extended over several months, included careful preparation, as well as monitoring and manipulation of email traffic before and during the transfer of funds.

When the transaction between the buyer and the seller reached the payment phase, the threat actor, who had previously intercepted the wire transfer details, impersonated the senior parties in the transaction, and provided the buyer with altered wire instructions.

Once the wire was executed and the funds did not reach the seller’s bank account, the incident began to unravel, and Mitiga was called-in to investigate.

Modus Operandi of Attackers

Image for post

Upon investigation, Mitiga’s Incident Response team identified rogue domains through which the threat actor’s emails were sent. These domains were similar to the buyer’s and seller’s own domains, but with minor changes which were difficult to notice. For example, if the original domain was ‘buyer.com,’ the rogue domain was ‘buyerr.com’.

All the malicious domains utilized in this BEC attack were registered through a GoDaddy-owned domain registrar called, ‘Wild West Domains’.

We believe that the threat actor chose to use Office 365 in order to improve the likelihood of a successful attack, thanks to the credibility it can generate. The threat actor’s use of the same technology stack reduced both suspicious discrepancies and the likelihood of triggering malicious detection filtering, which ultimately contributed to the rogue emails slipping through.

Another characteristic of this attack is that a ‘Forwarding Rule’ was created within email mailboxes of the impacted party. This rule automatically transmitted all emails to an external email account, presumably belonging to the threat actor.

This provided the threat actor with full visibility of the transaction and allowed for the introduction of the fake domain at just the right moment, i.e., when the wire transfer details were provided.

The threat actor then used filtering rules to discreetly move messages originating from certain email addresses from the inbox folder into a concealed folder. This was done to hide unwanted communication from the actual mailbox owner, for example, emails expressing concern from the legitimate parties — thereby extending the time to discovery of the attack in order to complete obfuscation of the wire transfer.

We know for certain that this BEC attack was not a singular event. Rather than use a brand-new Office 365 account for each target, the threat actors used the same Office 365 account. As a result, we identified over 150 additional domains, all of them registered on Wild West Domains, imitating other legitimate businesses, and connected to one of 15 different Office 365 accounts.

Our professional assessment, shared by the authorities we’re collaborating with, led us to determine that we have identified an extensive global BEC campaign, run by one or more cybercrime groups, that leverages the credibility of Office 365 to perform highly efficient Business Email Compromise attacks.

Mitiga Recommendations

In order to safeguard your organization and its email accounts from this BEC campaign, we recommend the following security measures:

  1. Enforce Office 365 password updates.
  2. Enforce Office 365 2-factor authentication.
  3. Examine forwarding rules in email accounts.
  4. Set rules to prevent bulk forwarding of emails outside of the organization.
  5. Search for hidden folders within inboxes.
  6. Block legacy email protocols, such as POP, IMAP, and SMTP1, that can be used to circumvent multi-factor authentication.
  7. Ensure changes to mailbox login and settings are logged and retained for 90 days.
  8. Enable alerts for suspicious activity, such as foreign logins, and analyze server logs for anomalous email access.
  9. Consider subscribing to a domain management service.
  10. Increase awareness and review controls for wire transactions (phone authentication in addition to email, as well as verify signatures and accounts).
What are the top 5 new security challenges in cloud environments?

LAST UPDATED:

April 7, 2025

Don't miss these stories:

From Breach Response to Platform Powerhouse: Ofer Maor on Building Mitiga for Cloud, SaaS, and Identity Security

Solutions Platform Helios AI Cloud Security Data Lake Cloud Threat Detection Investigation and Response Readiness (TDIR) Cloud Detection and Response (CDR) Cloud Investigation and Response Automation (CIRA) Investigation Workbench Managed Services Managed Cloud Detection and Response (C-MDR) Cloud Managed Threat Hunting Cloud and SaaS Incident Response Resources Blog Mitiga Labs Resource Library Incident Response Glossary Company About Us Team Careers Contact Us In the News Home » Blog Main BLOG From Breach Response to Platform Powerhouse: Ofer Maor on Building Mitiga for Cloud, SaaS, and Identity Security In this premiere episode of Mitiga Mic, Mitiga’s Co-founder and CTO Ofer Maor joins host Brian Contos to share the journey behind Mitiga’s creation—and how it became the first purpose-built platform for cloud, SaaS, and identity detection and response. Ofer discusses why traditional incident response falls short in modern environments, how Mitiga built its platform from real-world service experience, and the crucial role of automation and AI in modern SOC operations.

Helios AI: Why Cloud Security Needs Intelligent Automation Now

Mitiga launches Helios AI, an intelligent cloud security solution that automates threat detection and response. Its first feature, AI Insights, cuts through noise, speeds up analysis, and boosts SecOps efficiency.

Hackers in Aisle 5: What DragonForce Taught Us About Zero Trust

In a chilling reminder that humans remain the weakest component in cybersecurity, multiple UK retailers have fallen victim to a sophisticated orchestrated cyber-attack by the hacking group known as DragonForce. But this breach was not successful using a zero-day application vulnerability or a complex attack chain. It was built on trust, manipulation, and a cleverly deceptive phone call.

No One Mourns the Wicked: Your Guide to a Successful Salesforce Threat Hunt

Salesforce is a cloud-based platform widely used by organizations to manage customer relationships, sales pipelines, and core business processes.

Tag Your Way In: New Privilege Escalation Technique in GCP

GCP offers fine-grained access control using Identity and access management (IAM) Conditions, allowing organizations to restrict permissions based on context like request time, resource type and resource tags.

Who Touched My GCP Project? Understanding the Principal Part in Cloud Audit Logs – Part 2

This second part of the blog series continues the path to understanding principals and identities in Google Cloud Platform (GCP) Audit Logs. Part one introduced core concepts around GCP logging, the different identity types, service accounts, authentication methods, and impersonation.