Analysis of a real business email compromise (BEC) attack in New Zealand

Egress | 17th Feb 2023

Egress’ threat analysts detected a phishing campaign that followed a successful account takeover (ATO) attack. Sent from a legitimate compromised account, the phishing campaign included brand impersonation and an unusual payload, which combined credential theft with invoice fraud.

The campaign was sent to over 6,000 recipient addresses, including Egress customers, at which point it was detected by Egress Defend. At the time of writing, VirusTotal showed that the payload was only detected by 6/58 antivirus scanners and URL/domain blocklisting services, and the campaign had bypassed at least six different secure email gateways (SEGs) in the customer organizations we analyzed.

Vector and type: Email phishing

Techniques: Business Email Compromise

Payload: Phishing link to harvest credentials and make fraudulent payments

Targets: Organizations in North America and the UK

Platform: Microsoft 365

Bypassed secure email gateway: Yes

Who got breached? New Zealand freight organization (name removed for anonymity purposes)

Quick summary: How this business email compromise (BEC) attack happened

A cybercriminal obtained access to an employee’s work email account and used it to create a highly stylized phishing email, which they sent over 6,000 times between February 1st – 3rd, 2023. The email was sent from a shared mailbox or group email address for the Accounts team.

The phishing campaign passed all email authentication checks and the attack contained a two-step malicious payload within a hyperlink that aimed to steal the recipients’ credentials for onward ATO attacks and obtain fraudulent payments.

What the phishing emails looked like

The cybercriminal sent a standard email from the account they had obtained access to.

The email contained the company name in the subject line, as well as details about a fraudulent invoice. These details were repeated within the main body of the email, which also referenced changes to bank details for payment of the invoice.

As the phishing campaign was launched from a compromised legitimate account, it was sent from the company’s trusted domain. It contained the company’s legitimate logo in the email signature, and head office information and a privacy statement in the footer, 100% matching what is on the company’s website.

Phishing email sent following an account takeover (ATO) attack with malicious hyperlink payload. Egress Defend banners displaying as detecting the attack.

Payload analysis

The payload was contained within a malicious hyperlink in the first line of the email. The display text for the hyperlink was the recipient’s email address.
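Because the message passed email authentication, the link itself is one of the few signals left to inspect. The following is an added example, not Egress’ detection logic and not part of the original article: a heuristic that flags links whose display text is a recipient’s own address and whose host is outside the sender’s domain. The function and class names, the sample message and its placeholder domains are assumptions constructed for illustration.

```python
import email
from email import policy
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def recipient_named_links(raw_message):
    """Return hrefs shown as a recipient's own address that leave the sender's
    domain. SPF/DKIM/DMARC are ignored: a compromised account passes them."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {a.lower() for _, a in getaddresses([str(h) for h in headers])}
    body = msg.get_body(preferencelist=("html",))
    collector = AnchorCollector()
    collector.feed(body.get_content() if body is not None else "")
    hits = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        internal = host == sender_domain or host.endswith("." + sender_domain)
        if host and not internal and text.lower() in recipients:
            hits.append(href)
    return hits

# Constructed sample; every address and host below is a placeholder.
SAMPLE = """\
From: Accounts <accounts@freight.example>
To: jo@customer.example
Content-Type: text/html; charset="utf-8"

<p><a href="https://login.portal.invalid/inv">jo@customer.example</a></p>
<p>See <a href="https://www.freight.example/">our website</a>.</p>
"""
```

A hit is one signal to score alongside others, such as wording about changed bank details, rather than a verdict on its own.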

When clicked, the hyperlink opened a phishing website that auto-downloaded a file onto the recipient’s computer. This file contained JavaScript that ran three main functions:

  1. It opened a convincing rendering of a Microsoft Office 365 login page, posing as a legitimate Microsoft application login interface. This page had full functionality to input user credentials (email address and password), which the cybercriminal could use for further ATO attacks.
  2. The second macro function (comprised of several smaller functions) was logic that forced the user to type in their password multiple times and stored the data in an SQL table located in Russia.
  3. The final macro function worked to ‘man-in-the-middle’ two-factor authentication (2FA) tokens. This would take any 2FA data and send it immediately onwards to a legitimate 2FA system to authorize access.

(See below for insights into why this payload was unusual.)

At the time of writing, the malicious payload was only identified by 6/58 antivirus scanners and URL/domain blocklisting services on VirusTotal.

At the time of writing, the malicious payload was only detected by 6/58 antivirus scanners and URL/domain blocklisting services on VirusTotal

Egress analysis: ATO attacks and an unusual payload

ATO attacks

This phishing campaign followed a successful ATO attack that gave the cybercriminal access to a legitimate Accounts email address (accounts@). This address is trusted within the supply chain and, as the campaign was sent from the company’s legitimate domain, it passed all email authentication tests. Once an attack from a compromised legitimate address arrives in a recipient’s inbox, it can be very difficult for them to detect that it’s a phishing email.

This email contained social engineering, including trust signals, to further entice the victims to click. It’s highly likely that the subject matter of the phishing email (payment of an invoice) matched content that’s usually sent from the ‘accounts@’ email address and highlighted that the company’s bank details had changed, both of which can reduce a recipient’s suspicion.

As well as being sent from a legitimate email address, the email contained the company’s logo and disclaimer footer, both of which act as trust signals.

We don’t know how the original email account was compromised but the attacker’s payload included credential theft, so there is the potential that the first ATO attack happened as a result of a phishing email. We can say with more certainty that, unless detected and neutralized, further ATO attacks could have happened following the attack.

During the attack, the cybercriminal also had access to the original account’s recipient addresses, including supply chain contacts.

An unusual phishing payload

The payload of this phishing attack contained some interesting hallmarks.

Firstly, the attacker executed an unusual two-step payload to both steal Microsoft credentials and obtain fraudulent payments. This makes the attack potentially more damaging to the recipient organizations, which could simultaneously suffer ATO attacks themselves and lose funds.

The payload was also an emerging threat and only detected by 6/58 vendors, likely leaving many recipient organizations vulnerable if they don’t use those vendors or an integrated cloud email security (ICES) solution like Defend.

The payload also had some additional interesting hallmarks.

The second macro prompted the recipient to enter their credentials multiple times. There are two main reasons for multiple entries and, if successful, both can add value to the attacker:

  1. To confirm the password is correct (increasing the success rate for further ATO attacks).
  2. To obtain multiple passwords if the recipient believes they’ve entered the wrong one. These passwords could then be used for other potential applications (it’s likely we’ve all been in a position where our ‘default’ password doesn’t appear to work, so we second guess and input other known passwords to be sure). This forced “reinput” feature exploits that behavior.

Finally, the third macro worked to negate the security benefits of 2FA (this article goes into more detail about how multi-factor authentication can be exploited in phishing attacks).

Stopping advanced phishing threats with Defend

Defend uses intelligent detection techniques, including natural language processing and natural language understanding, that make it highly effective at detecting advanced phishing threats, including emails sent from compromised legitimate accounts.

Integrated directly within Outlook, Defend can detect attacks that get through other security technologies and provide employees with real-time warnings and advice. Defend also rewrites URLs and can prevent employees from visiting phishing websites.

As seen in this example, Defend detected the attack to keep customer organizations safe from being victims of ATO and invoice fraud.
