Researchers unpack massive email scam targeting dozens of companies
When researchers at the cybersecurity firm Sygnia responded earlier this year to a compromised email account at an unnamed company, they stumbled upon a sprawling campaign of business email compromise involving dozens of organizations whose infrastructure the attackers utilized in going after additional victims.
The hackers would compromise an email account of an employee for a given company, bypass Microsoft Office 365 authentication, and gain persistent access to the account. Then, they would use that account to to go after other targets.
“The phishing mails spread in a worm-like fashion from one targeted company to others and within each targeted company’s employees,” researchers with the Israeli cybersecurity firm said in a report published Tuesday. “All analyzed emails contain the same structure, only differing in their title, senders’ account and company, and attached link.”
Sygnia’s investigation revealed that the attack was part of a broad campaign that potentially impacted dozens of organizations — the company would not say exactly how many — around the world in a sprawling campaign of business email compromise, or BEC.
The report comes on the heels of a recent FBI public service announcement estimating that BEC compromises were linked to more than $50 billion in actual and attempted losses across more than 275,000 attacks between 2013 and 2022. The FBI reported that between December 2021 and December 2022 there was a 17% increase in identified actual and attempted losses worldwide, with a particular focus on the real estate sector.
“In the past few years, Sygnia’s IR teams have engaged in numerous incidents in which world-wide organizations were targeted by BEC attacks,” Sygnia’s researchers wrote in their report. “While some of these attacks were focal and concentrated, some were widely spread and affected massive number of cross-sectors victims.”
In the campaign detailed on Thursday, targets were sent an email with a link to a “shared document,” leading to a file sharing website with a previously compromised legitimate company name in the URL. Trying to view the document brought up a page showing that the contents were protected by Cloudflare, a tactic likely designed to prevent proactive analysis of the site showing where it would lead, the researchers said.
Getting through the Cloudflare wall led to a fraudulent Microsoft authentication site generated by a phishing kit, which was being hosted on a domain with varying IP addresses over time, with the most recent dating to January 2023. Records associated with the domain itself had been updated on June 2, suggesting an ongoing campaign.
In all, the investigation revealed more than 170 domains and subdomains connected to the attacker’s infrastructure, with further analysis revealing nearly 100 malicious files communicating back to the infrastructure, some of which were related to the FormBook infostealer malware family, the researchers said.
