Scammers exploit Office 365 to target high-ranking executives – CyberNews.com

  • An attacker steals executives’ credentials by impersonating DocuSign
  • Using the stolen credentials, an attacker goes through the corporate emails and files, looking for any correspondence about upcoming transactions
  • An attacker sets up a fake company bank account
  • An attacker sends an email thread asking to change the recipient’s bank account due to technical issues

A sophisticated business email compromise (BEC) campaign targets CEOs and CFOs to drain millions from corporate accounts.

It all starts with a phishing email crafted specifically for an individual executive in the organization. If the executive takes the bait, the criminals conduct reconnaissance of the victim's mailbox and files and then carefully craft an email designed to redirect corporate payments.

Israeli cybersecurity startup Mitiga says this is a widespread campaign targeting large transactions worth up to several million dollars each.

“The attackers combine high-end spear-phishing with an adversary-in-the-middle (AiTM) attack to circumvent multi-factor authentication (MFA) and a Microsoft 365 design flaw that allows them to create access persistency with MFA,” the company said.

In one case, a third party responsible for conducting the transaction received a fraudulent email saying that the company’s account was frozen due to an ongoing quarterly financial audit and adding that it would temporarily use another account.

The thread concerned an ongoing transaction and contained all the recent messages, sent as a "Reply All", which made it look legitimate. The fake email not only reproduced the entire original thread but also appeared to include all of the original recipients.

Or so it seemed: the cybercriminals had in fact registered look-alike domains and created users on them, with differences subtle enough to avoid raising suspicion. For example, the scammers impersonated Foobar (the company due to receive the funds in the transaction) by registering the fake domain F00bar, with zeros in place of the letter o.
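One practical check for this trick is to audit every address on a "Reply All" thread against the domains the parties are known to use, after collapsing common character substitutions (0 for o, 1 for l, rn for m). The example below is added here for illustration and is not code from the article or from Mitiga; the thread recipients, the trusted-domain list and the substitution table are all constructed assumptions.

```python
"""Flag look-alike sender/recipient domains on an email thread.

Added example, not from the original article or from Mitiga. Given the
addresses on a "Reply All" thread and the domains the parties legitimately
use, flag any address whose domain is a near-copy of a trusted one, as with
the article's F00bar standing in for Foobar.
"""
from email.utils import parseaddr

# Single characters commonly swapped for look-alikes (assumed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def skeleton(domain: str) -> str:
    """Reduce a domain to a 'skeleton' in which common substitutions collapse."""
    d = domain.lower()
    # Multi-character substitutions first (they cannot go in a translate table).
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough inputs that O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted: set[str]) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for one domain."""
    domain = domain.lower()
    if domain in trusted:
        return "trusted"
    sk = skeleton(domain)
    for t in sorted(trusted):  # sorted for a deterministic verdict
        tsk = skeleton(t)
        # Same skeleton (pure substitution attack) or one edit away (typo-squat).
        if sk == tsk or levenshtein(sk, tsk) <= 1:
            return f"lookalike of {t}"
    return "unknown"


def audit_thread(addresses: list[str], trusted: set[str]) -> list[tuple[str, str]]:
    """Return (address, verdict) for every address that is not on a trusted domain."""
    findings = []
    for raw in addresses:
        _, email = parseaddr(raw)
        domain = email.rsplit("@", 1)[-1]
        verdict = classify_domain(domain, trusted)
        if verdict != "trusted":
            findings.append((email, verdict))
    return findings


# Constructed sample thread: two legitimate parties and two impostors.
THREAD_RECIPIENTS = [
    "CFO <cfo@foobar.com>",
    "Treasury <treasury@acme-example.com>",
    "Sales <sales@f00bar.com>",               # zeros in place of the letter o
    "Counsel <legal@acme-exarnple.com>",      # 'rn' in place of 'm'
]
TRUSTED_DOMAINS = {"foobar.com", "acme-example.com"}

if __name__ == "__main__":
    for email, verdict in audit_thread(THREAD_RECIPIENTS, TRUSTED_DOMAINS):
        print(f"{email}: {verdict}")
```

The skeleton comparison catches the pure substitution case in the article, and the edit-distance fallback catches single-character typo-squats; either way the finding is a reason to confirm any change of bank details out of band, over a phone number already on file, before a payment is released.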

Mitiga's investigation concluded that the criminals had compromised one of the executives on the email thread about the transaction account. In this case, the user's password was reset and all active sessions were revoked. Had the threat actors succeeded, the involved parties could have suffered millions in losses: the attackers had opened an account in Singapore, hoping to redirect the legitimate transactions there and steal the funds.