15/03/2023

Financial BEC through M365 AiTM Attack

Summary:

Our Security Partner, Jisc, is currently investigating multiple incidents of business email compromise (BEC) leading to financial fraud. These incidents target both high-value and lower-level user accounts, with a particular focus on those linked to finance roles. An important point to note is that MFA was enforced on the compromised accounts; the bypass appears to have been facilitated by Adversary-in-the-Middle (AiTM) phishing sites.

The attacker phishes the target with a link to a proxy site that impersonates the legitimate M365 login page. The proxy relays the username, password and MFA response to the real service in real time, so the user completes MFA exactly as normal, and the proxy captures the session cookie that the service issues on success. With that cookie the attacker continues the authenticated session from their own infrastructure without ever being prompted for MFA themselves. We have then seen changes made to the user's account configuration to alter the second-factor method used for MFA.

This technique is not new; however, we have seen an uptick in the number of incidents in the last week, potentially due to a spiderweb effect of trusted people between institutions in the sector becoming compromised. Microsoft released a blog on the technique in July 2022, which is linked in the references section.

Recommendation(s):

Because these attacks specifically target finance for monetary reward, we recommend that extra vigilance is stressed for those in finance roles and for those whose identity could be leveraged to socially engineer other staff into making fraudulent payments.

  • User training
    • Alongside strong security configuration, help users to identify and report phishing messages by making them aware of what the threat is and its common features. The NCSC’s ‘Top Tips for Staff’, linked in the references section, helps to explain this.
  • Enable conditional access policies
    • Restrict MFA registration to trusted devices/locations only
    • Ensure authentication can only take place from an Intune managed / Azure AD joined device. This can be achieved by using device filters within Conditional Access (block any device not marked as corporate); ideally, however, use device compliance to determine endpoint security posture, since a stolen session cookie replayed from attacker infrastructure will not present a compliant device.
    • Implement Geo-blocking controls and monitor for any remote authentication failures.
  • Continuously monitor for suspicious or anomalous activities:
    • Hunt for sign-in attempts with suspicious characteristics (for example, location, ISP, user agent, use of anonymiser services, and use of “OfficeHome” application in particular).
    • Hunt for unusual mailbox activities such as the creation of Inbox rules with suspicious purposes (deleting, hiding or forwarding mail) or unusual volumes of mail item access events from untrusted IP addresses or devices. Defender for Cloud Apps (Office 365 Cloud App Security in A3 tenants) can be used to identify and prevent access from anomalous IP addresses such as VPNs and known bad IP addresses.
    • If using A5 licensing, ensure risk-based events are being intercepted and reviewed; these attacks are often flagged as high risk. Conditional Access should be used to block high-risk sign-ins and sessions rather than the commonly recommended action of ‘require MFA’: a session replayed from a stolen cookie already carries a satisfied MFA claim, so requiring MFA does not stop it.
  • A strong indicator of attacks using this type of phishing site can be found in the Azure audit and sign-in logs: a successful authentication from an unusual source IP where the authentication details tab shows “MFA requirement satisfied by claim in the token”. That claim on its own is normal for token refreshes from known locations; it is the combination with an unfamiliar IP, ISP or user agent that matters.
  • Important note: persistence techniques identified
    • App Passwords have been used by threat actors as a means of persistence following BEC. App Passwords work around MFA entirely: they exist so that legacy clients which do not support modern authentication can still sign in, and they do not honour MFA. It is recommended that you disable basic authentication to prevent this abuse, either at service level within the Microsoft 365 admin centre (Org settings > Modern authentication), via Conditional Access (block legacy authentication clients), or via PowerShell by configuring an authentication policy for your tenant.

Inbox rules have also been observed, used to continuously exfiltrate email data from compromised accounts and/or to delete inbox data (for example, replies mentioning invoices or payments), achieving both persistence and discretion.
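As an added example (not Jisc's or Microsoft's tooling, and not part of the original advisory), the following script applies the two hunts described above to exported log records: sign-ins where the MFA step was satisfied by a claim in a replayed token from outside your own network ranges, and inbox-rule creations whose actions delete, hide or forward mail. The sample records are constructed to mirror the Microsoft Graph signIn resource and the Unified Audit Log ExchangeAdmin record; the trusted network range and the user, IP and folder values are assumptions for the example, and field names may need adjusting to match your export.

```python
from ipaddress import ip_address, ip_network

# Assumption for the example: the institution's own egress ranges.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]

# Wording shown in the Entra sign-in log "Authentication details" tab when the
# MFA step was satisfied by a claim carried in an existing token (no fresh prompt).
MFA_BY_TOKEN_CLAIM = "MFA requirement satisfied by claim in the token"

# Inbox-rule parameters that commonly appear in BEC persistence rules.
DESTRUCTIVE_ACTIONS = {"DeleteMessage", "MarkAsRead"}
FORWARDING_ACTIONS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders attackers move mail into so the victim does not notice it (assumed list).
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Archive",
                  "Conversation History", "Junk Email", "Deleted Items"}


def strip_port(ip: str) -> str:
    """Exchange audit ClientIP values are often 'a.b.c.d:port'; drop the port."""
    return ip.rsplit(":", 1)[0] if ip.count(":") == 1 else ip


def is_trusted_ip(ip: str) -> bool:
    addr = ip_address(strip_port(ip))
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_aitm_signins(signins: list[dict]) -> list[dict]:
    """Successful sign-ins from outside trusted ranges where no MFA prompt
    occurred because the MFA claim arrived inside a replayed token."""
    hits = []
    for s in signins:
        if s["status"]["errorCode"] != 0:          # failed sign-in, not a session
            continue
        if is_trusted_ip(s["ipAddress"]):           # token refresh on-net is normal
            continue
        token_mfa = any(step.get("authenticationStepResultDetail") == MFA_BY_TOKEN_CLAIM
                        for step in s.get("authenticationDetails", []))
        if token_mfa:
            hits.append({
                "user": s["userPrincipalName"],
                "ip": s["ipAddress"],
                "country": s.get("location", {}).get("countryOrRegion"),
                "app": s.get("appDisplayName"),
                # OfficeHome is where a replayed browser session typically lands first.
                "officehome": s.get("appDisplayName") == "OfficeHome",
            })
    return hits


def find_suspicious_inbox_rules(audit_records: list[dict]) -> list[dict]:
    """New-/Set-InboxRule records whose actions delete, hide or forward mail."""
    hits = []
    for rec in audit_records:
        if rec["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        reasons = [n for n in sorted(DESTRUCTIVE_ACTIONS & params.keys())
                   if str(params[n]).lower() == "true"]
        reasons += sorted(FORWARDING_ACTIONS & params.keys())
        if params.get("MoveToFolder") in HIDING_FOLDERS:
            reasons.append("MoveToFolder=" + params["MoveToFolder"])
        if reasons:
            client_ip = rec.get("ClientIP")
            hits.append({"user": rec["UserId"], "ip": client_ip,
                         "rule": params.get("Name"), "reasons": reasons,
                         "untrusted_ip": (not is_trusted_ip(client_ip)) if client_ip else None})
    return hits


# Constructed sample records (not real log data).
SAMPLE_SIGNINS = [
    {   # corporate network, silent token refresh: expected, not flagged
        "userPrincipalName": "a.finance@example.ac.uk", "ipAddress": "203.0.113.10",
        "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0},
        "location": {"countryOrRegion": "GB"},
        "authenticationDetails": [{"authenticationStepResultDetail": MFA_BY_TOKEN_CLAIM}]},
    {   # stolen session replayed from an unknown IP straight into OfficeHome
        "userPrincipalName": "a.finance@example.ac.uk", "ipAddress": "198.51.100.7",
        "appDisplayName": "OfficeHome", "status": {"errorCode": 0},
        "location": {"countryOrRegion": "NG"},
        "authenticationDetails": [{"authenticationStepResultDetail": MFA_BY_TOKEN_CLAIM}]},
    {   # remote worker answering a real MFA prompt: not flagged
        "userPrincipalName": "b.staff@example.ac.uk", "ipAddress": "192.0.2.44",
        "appDisplayName": "OfficeHome", "status": {"errorCode": 0},
        "location": {"countryOrRegion": "GB"},
        "authenticationDetails": [{"authenticationMethod": "Mobile app notification",
                                   "authenticationStepResultDetail": "MFA successfully completed"}]},
]
SAMPLE_AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "a.finance@example.ac.uk", "ClientIP": "198.51.100.7:51004",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;bank details"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "b.staff@example.ac.uk", "ClientIP": "203.0.113.10:49322",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

if __name__ == "__main__":
    for hit in find_aitm_signins(SAMPLE_SIGNINS) + find_suspicious_inbox_rules(SAMPLE_AUDIT):
        print(hit)
```

Run against the sample data this flags exactly two events, both for the same finance user from 198.51.100.7: the OfficeHome sign-in whose MFA was satisfied by a token claim, and a single-character-named rule that deletes and marks as read anything mentioning invoices or payments. The trusted-range exclusion is deliberate: the token claim alone is routine for refreshes on the corporate network, so suppressing it there keeps the hunt focused on the replayed-session case the advisory describes.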

Depending on your deployed Microsoft licence plan and associated configuration, the available mitigation controls and alerting techniques will vary. Please see the referenced Microsoft article for further details.

References:
