What have we seen?
Our Security Analysts have noticed a recent trend of Office 365 accounts being compromised across a range of businesses and sectors.
As with every security incident, our Analysts correlated information gathered within our threat intelligence database (GTIN), and cross checked with trusted threat intelligence collaborators. We assessed the pattern of behaviour and identified indicators of compromise which linked the activity back to a new campaign by a Nigerian threat actor.
How do they operate?
Below is an explanation of how the attacker operates in relation to the Cyber Kill Chain.
After researching high priority targets (Such as CEO, financial department and IT staff) through the use of services such as LinkedIn, the attacker would then attempt to enumerate email addresses as part of the reconnaissance stage of the Cyber Kill Chain by combining the name of the high priority employee with common email address formats such as email@example.com or firstname.lastname@example.org.
They would then bulk send emails (commonly using Google’s GMail), usually consisting of one or two characters, to a list of potential email addresses associated with the company and checking the delivery status of the email to determine whether the email address exists. It is common to find that these emails have numerous employee email addresses CC’d.
After finding a suitable target address, the attacker will research an employee or group of employees within the business with the goal of finding relevant information to utilise in the creation of highly targeted spear phishing emails which will be delivered in the following ways.
Weaponisation and Exploitation
This stage appears to happen around a week after the reconnaissance activity. There are two known methods of payload delivery by this threat actor, each of which use the previously mentioned highly targeted phishing email.
The first of these methods utilise an organisation’s lack of a SPF record, which when implemented will specify a list of authorised host names or IP addresses that emails can originate from for a given domain name.
Without the SPF record present the attacker is able to send emails on behalf of users within the organisation, for example the attacker may be able to pose as the IT department and send a crafted email to someone such as the CEO with the goal of capturing credentials for certain services.
This is precisely the goal for the threat actor as they look to gain access to important staff members’ Office 365 accounts.
In the event that the organisation has a properly configured SPF record, the attacker would employ the second delivery method: the attacker would register a similar domain to the target organisation, or one of their trusted third parties, and use formatting trickery to their advantage to pose as a member of the organisation or third party.
For example, if the target organisation was “Test Limited” and had registered the domain testlimited.tld, the attacker would register a domain such as testiimited.tld, then format hyperlinks in an email in such a way that testiimited.tld appears as testIimited.tld (NB: this domain is presented with a capital letter ‘i’) which unless the end user is aware of this tactic may fool them into clicking on the link. Like with the previous method, the goal here is to steal credentials for Office 365.
Command and Control
When the attacker has compromised the target’s Office 365 account, the first activity seen in the Office 365 audit logs will be a quick succession of successful logins, once from a Nigerian telecoms provider and multiple times from a separate hosting provider. The targets we have seen were UK based and the hosting provider utilised by the attacker was also UK based, this may vary if the target resides in other countries but this has yet to be confirmed.
The next action taken by the attacker is to configure a rule in Office 365 to forward all emails to a GMail email address controlled by the attacker. This is done as part of a second stage of reconnaissance with the purpose of learning communication behaviours of the target such as level of formality, slang or common language used and who they communicate with inside the business. Tied in with assessing company policy on activity such as authorising financial transactions, the attacker would then later attempt to pose as the VIP individual and get the finance department to authorise a transaction to a bank account associated with the threat actor.
The next stage of activity seen in Office 365 audit logs will be a rule to move certain emails from a users inbox into a little used folder such as “RSS Feeds”.
The criteria for moving these emails would mean they contain the following strings in the subject or body of the email:
- “MS Chart”
- Email address seen in forwarding rule (this has been omitted to comply with GDPR)
We believe the goal of the threat actor with this email moving rule is to prevent the end user from being notified of the compromise by the IT department.
An example of this would be if the IT department has an audit rule configured in Office 365 such as an email notification when a forwarding rule is configured to an external email account, then the IT department would attempt to email the end user asking for justification for configuring the rule but this email would be hidden from the end user.
We also found evidence that the attacker will delete all enumeration emails and the original spear phishing email. These tactics allow the attacker to persist for longer in the victims compromised account.
How can I prevent this?
Recommended preventative actions for this attack method are as follows:
- Enable auditing in Office 365 to generate email alerts on logon activity from unauthorised source countries, and alert when users configure email forwarding rules.
- Ensure your business has a correctly configured SPF record to mitigate the chance of being the victim of email spoofing based attacks, and to reduce the risk of trusted third parties, clients and supply chain partners falling victim to email spoofing attacks where an attacker poses as your business.
- Enable multi factor authentication for Office 365 accounts where possible prioritising VIP users such as directors, IT staff, finance department and managers.
- It is essential that all employees are trained in detecting, reporting and helping to prevent common attack methods such as phishing emails, fraud and common malware distribution methods such as via an exploit kit or Trojan. Additionally it is important that this training is kept up to date and that employees are aware of new trends in attack methods to reduce security risk to the business.