Attackers use an array of phishing methods to chain Business Email Compromise fraud and credential theft to impact multiple victims.
Ironshare were recently contacted by a customer who reported receiving a suspicious email from one of their clients. This post will share some of the evidence we found during the analysis of what first seemed like a typical phishing attack.
After initial investigation we started to identify this as a chain of attacks that spanned multiple organisations and victims. We witnessed four organisations that were involved in the overall attack.
Here is a summary of how the four companies were impacted.
Unfortunately we could not get access to samples of all the evidence from each company, but we include here some of the key items we can share.
After successfully compromising the director's email account at Customer B, the attackers used this access to perform Business Email Compromise fraud. They intercepted an email from Company C which contained an invoice for a recent purchase. This was sent from the director to the accounting team.
Instead of just modifying the existing invoice, the attackers decided to take the content and copy it into a template of their own and, for some reason, slightly altered the total invoice value. This invoice looks nothing like the original and, combined with the change of value, prompted the user to suspect this as malicious activity.
Thankfully the accounting team did not have access to transfer funds, and they identified this as highly suspicious, meaning the BEC attack was not successful.
The director's account was then used to send the below phishing email to Company C's personnel who were included in the above invoice email.
As you can see, the email was not particularly convincing in terms of its content. It did not look like or represent a normal email from the director, but it did come from an otherwise trusted source email address.
Unsure of where this link would take us, we ran the URL through our Threat Grid sandbox as per our normal process to determine its intent.
As stated in the email, clicking the link did take us to a Microsoft OneNote subscription belonging to Company D. The OneNote page was amended to allow Guest access, with an image and another link added to represent the supposed proposal.
The image doesn't represent a valid proposal. Its heavily blurred content is barely readable, but we can just make out that it reads as a Consulting Proposal Template, most likely just downloaded from an online template site.
Once the Click to view proposal link in the OneNote page is accessed you are redirected to TypeForm.com, where a malicious form has been poorly branded as an Office 365 sign in page.
We have a few red flags here, including the address pointing to typeform.com instead of OneDrive, the site display name, and the branding of the page, which looks nothing like an official Microsoft sign-in page.
The form tries to convince the users to sign in to view the document, in an attempt to steal the user's credentials (email and password).
By clicking the sign in button, a new page is loaded that asks the user to select an email domain. A drop down menu list is displayed, containing some of the common email domains, showing the attackers are not fussy about whose user details they grab, maximising the services they can compromise.
Once the user has selected the email domain, the form then proceeds to request the email and password of the user's account.
Once the user's details are entered, they are captured and stored for the attackers' later use, and this page is displayed, which likely confuses the user.
This may have well read: ‘Thanks for providing your details we now have access to your account!’
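As an added example (not Ironshare's tooling), a small Python check that applies the hostname red flag described above to links found in an email body: a Microsoft brand name appearing in the subdomain of a non-Microsoft domain, or a form-builder domain standing in for a sign-in page. The brand keyword list, the Microsoft domain allowlist and the sample message body are constructed assumptions; the typeform.com link is the one from this incident.

```python
import re
from urllib.parse import urlparse

# Brand words the phishing hostname imitated; assumption: a short illustrative list.
BRAND_KEYWORDS = ("onedrive", "sharepoint", "office365", "microsoft", "outlook")
# Registrable domains where those brands legitimately live; assumption: a short allowlist.
MICROSOFT_DOMAINS = ("microsoft.com", "office.com", "sharepoint.com", "live.com", "onedrive.com")
# Form-builder services seen hosting a fake sign-in page (typeform.com is from the incident above).
FORM_BUILDERS = ("typeform.com",)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message body: one phishing link, one legitimate link.
SAMPLE_BODY = (
    "Please review the attached proposal: "
    "https://onedrive98343.typeform.com/to/Az32Z8If\n"
    "Our usual portal: https://www.office.com/\n"
)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (sufficient for the .com hosts in this example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def red_flags(url: str) -> list:
    """Return the red flags for one URL; an empty list means nothing suspicious was found."""
    host = (urlparse(url).hostname or "").lower()
    base = registrable_domain(host)
    subdomain = host[: -len(base)].rstrip(".") if host.endswith(base) else ""
    flags = []
    if base not in MICROSOFT_DOMAINS:
        # A Microsoft brand word living under someone else's domain is the typeform.com pattern.
        for brand in BRAND_KEYWORDS:
            if brand in subdomain:
                flags.append(f"'{brand}' in subdomain of non-Microsoft domain {base}")
    if base in FORM_BUILDERS:
        flags.append(f"form builder {base} used where a sign-in page is expected")
    return flags


def scan_email_body(body: str) -> dict:
    """Map every link in an email body to its red flags (defanged [.] is re-fanged first)."""
    text = body.replace("[.]", ".")
    return {url: red_flags(url) for url in URL_RE.findall(text)}


if __name__ == "__main__":
    for link, flags in scan_email_body(SAMPLE_BODY).items():
        print(link, "->", flags or "no flags")
```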
We recently worked with our customer to investigate a potential new phishing threat that was not blocked or flagged by their email security. This wasn't detected as it used trusted emails and common cloud services listed as safe to complete the attack. After initial investigation we identified that one of their customers had been compromised.
After talking to Company B we started to understand the wider attack, and they informed us of another party who was involved, leading to a total of four organisations that were visible to us.
Ironshare liaised with Companies B, C & D, informing them of the threat and identified account compromises.
Our MSP blocklists were updated to prevent access to the domains and URLs, so that all our customers were protected.
We submitted these threats to both Cisco Umbrella and PhishTank to review and place into their global blocklists, while we worked with Company D to take down the content from their OneNote account.
These types of chained phishing attacks are not a rare occurrence, and happen more often than you think, but this was the first time we had investigated different vectors that had touched this number of companies.
Thankfully for our customer, the security awareness we have been performing has helped to educate their users to identify phishing threats such as this, and prevented their users from being compromised themselves.
Below are some of the IOCs we witnessed during this investigation:
weaorg-my.sharepoint[.]com
onedrive98343.typeform[.]com
httpx://weaorg-my.sharepoint[.]com/:o:/g/personal/showarth_wea_org_uk/EgFuQlDGDn1AuTE3qNs3maYBoK02d7Wb1U-TnF_kxfl0Iw?e=pCfEJP
httpx://onedrive98343.typeform[.]com/to/Az32Z8If
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.