We're proud to be named a 2024 Publisher's Choice winner!

We're an RSA Conference 2024 Innovation Sandbox Finalist!

Mitiga uncovered a widespread and well-executed Business Email Compromise (BEC) campaign in which cybercriminals are impersonating senior executives using Office 365’s email services in order to intercept sensitive communications and then alter wire transfer details and redirect funds to rogue bank accounts.

Our investigation revealed the following pattern

1. All of the threat actor’s rogue email accounts utilized Office 365 in order to reduce suspicious discrepancies and avoid malicious detection systems.

2. All of the rogue domains used in this campaign have been registered on Wild West Domains (a domain registrar owned by GoDaddy).

3. The rogue domains imitated those of legitimate businesses.

Based on this pattern, Mitiga has identified that over 150 organizations may have been impacted worldwide. To the best of our knowledge, this BEC campaign has successfully netted over $15M to date (and counting).

All pertinent details of our investigation have been provided to both law enforcement and Microsoft.

Background on Global BEC Campaign

Mitiga was called-in to investigate a large commercial transaction that was severely compromised. While we cannot divulge specific details about our client and the exact context in which the attack took place, we can state that it was part of a multi-million-dollar global transaction.

Our investigation determined that the threat actor’s attack extended over several months, included careful preparation, as well as monitoring and manipulation of email traffic before and during the transfer of funds.

When the transaction between the buyer and the seller reached the payment phase, the threat actor, who had previously intercepted the wire transfer details, impersonated the senior parties in the transaction, and provided the buyer with altered wire instructions.

Once the wire was executed and the funds did not reach the seller’s bank account, the incident began to unravel, and Mitiga was called-in to investigate.

Modus Operandi of Attackers

Image for post

Upon investigation, Mitiga’s Incident Response team identified rogue domains through which the threat actor’s emails were sent. These domains were similar to the buyer’s and seller’s own domains, but with minor changes which were difficult to notice. For example, if the original domain was ‘buyer.com,’ the rogue domain was ‘buyerr.com’.

All the malicious domains utilized in this BEC attack were registered through a GoDaddy-owned domain registrar called, ‘Wild West Domains’.

We believe that the threat actor chose to use Office 365 in order to improve the likelihood of a successful attack, thanks to the credibility it can generate. The threat actor’s use of the same technology stack reduced both suspicious discrepancies and the likelihood of triggering malicious detection filtering, which ultimately contributed to the rogue emails slipping through.

Another characteristic of this attack is that a ‘Forwarding Rule’ was created within email mailboxes of the impacted party. This rule automatically transmitted all emails to an external email account, presumably belonging to the threat actor.

This provided the threat actor with full visibility of the transaction and allowed for the introduction of the fake domain at just the right moment, i.e., when the wire transfer details were provided.

The threat actor then used filtering rules to discreetly move messages originating from certain email addresses from the inbox folder into a concealed folder. This was done to hide unwanted communication from the actual mailbox owner, for example, emails expressing concern from the legitimate parties — thereby extending the time to discovery of the attack in order to complete obfuscation of the wire transfer.

We know for certain that this BEC attack was not a singular event. Rather than use a brand-new Office 365 account for each target, the threat actors used the same Office 365 account. As a result, we identified over 150 additional domains, all of them registered on Wild West Domains, imitating other legitimate businesses, and connected to one of 15 different Office 365 accounts.

Our professional assessment, shared by the authorities we’re collaborating with, led us to determine that we have identified an extensive global BEC campaign, run by one or more cybercrime groups, that leverages the credibility of Office 365 to perform highly efficient Business Email Compromise attacks.

Mitiga Recommendations

In order to safeguard your organization and its email accounts from this BEC campaign, we recommend the following security measures:

  1. Enforce Office 365 password updates.
  2. Enforce Office 365 2-factor authentication.
  3. Examine forwarding rules in email accounts.
  4. Set rules to prevent bulk forwarding of emails outside of the organization.
  5. Search for hidden folders within inboxes.
  6. Block legacy email protocols, such as POP, IMAP, and SMTP1, that can be used to circumvent multi-factor authentication.
  7. Ensure changes to mailbox login and settings are logged and retained for 90 days.
  8. Enable alerts for suspicious activity, such as foreign logins, and analyze server logs for anomalous email access.
  9. Consider subscribing to a domain management service.
  10. Increase awareness and review controls for wire transactions (phone authentication in addition to email, as well as verify signatures and accounts).
What are the top 5 new security challenges in cloud environments?


May 4, 2024

Don't miss these stories:

Mitiga Wins Global InfoSec Award for Cloud Threat Detection Investigation & Response (TDIR)

We’re proud to report that at the open of today’s RSAC24, Mitiga was awarded the Publisher's Choice Cloud Threat Detection Investigation & Response (TDIR) from Cyber Defense Magazine (CDM), the industry’s leading electronic information security magazine.

Here's Why Traditional Incident Response Doesn’t Work in the Cloud

Traditional incident response (IR) learned from on-premises investigations doesn’t work in the cloud. Today's threat actors are finding misconfigurations and vulnerabilities to allow them to penetrate cloud environments.

Why Did AWS Replace My Role’s ARN with a Unique ID in My Policy?

After several years of working with AWS, IAM remains one of the most frequently used services in my daily routine. Yet, despite my familiarity with it, a recent production incident taught me that there’s always more to learn.