What is the end goal of your run of the mill phishing attack?

[-]

yParticle@reddit

One payload we've seen lately is using the (legitimate) compromised mailbox to send out phony invoices or to request a subordinate to transfer money somehow (usually gift cards). They often use that account's contacts to generate a list of targets so the target is more likely to trust the source. They then create mailbox rules to hide any replies to these messages so the owner won't see what's happening or respond to inquiries from the target.

Reply

[-]

Bartghamilton@reddit

This is why you need an alert any time a mail rule is created. Can’t tell you how many times that helped us identify and stop these things quickly.

Reply

[-]

drowningfish@reddit

This. Most of the BEC attacks (even with MFA) were scripted attacks that always created the suspicious rule. I have our SOC actively monitoring for this and alerting me whenever it happens. I wish I could automate the remediation though. To thwart these BEC attacks, however, I've been working on requiring all C/BYOD devices to be managed via an MDM and restricting all other access beyond this

Reply

[-]

Crafty_Individual_47@reddit

Why not block such rules using a policy?

Reply

[-]

drowningfish@reddit

ATM I don't have the licensing for the remediation. As for blocking the rules, that would be difficult since there are legit business use cases for creating those rules to allow users to manage their incoming email. Unless you know of a why to block the "pattern of behavior"?

Reply

[-]

Crafty_Individual_47@reddit

Blocking mailforward outside own domains is fairly easy https://support.microsoft.com/en-us/office/stop-auto-forwarding-emails-in-office-365-business-premium-7224ae95-ac5d-4454-9f21-2f4d1a17eb79 if any forward rules are needed for business then mailflow rules should be used instead.

Reply

[-]

drowningfish@reddit

Hmm, these aren't forwarding rules. I am already blocking these and already being alerted when a user tries. What these BECs are doing, at least from my experience, is create MAILBOX RULES that are MOVING emails from the Inbox into another obscure folder. This is what my SOC monitors and what I act on.

Reply

[-]

Crafty_Individual_47@reddit

Those are likely server side rules so blocking powershell does help alot. Usually the New-InboxRule powershell command is what security solution monitor.

Reply

[-]

drowningfish@reddit

Once an attacker manages to replay a user's token after a user foolishly falls for a phishing hit, that attacker has the same power over that user's o365 account as the user so the attacker can create those rules on the mailbox at will via automated scripts or just manually. So, afaik, the TA doesn't need to get the user to do anything. I've had data exfiltrated from a user's OneDrive via a BEC once. You are correct, though, a managed device is the way to go short of enforcing FIDO complaint methods which are currently not financially reachable for my organization ATM. I expire all session tokens every five days, so if a TA sat on a token to replay later, over 5 days, it would be DOA

Reply

[-]

Crafty_Individual_47@reddit

Yes if it is an replay attack then rules are usually created using EWS API. MS is actually retiring access to the EWS API on 2026 from everyone else than MS services so after that it is a manual thing to TA’s.

Reply

[-]

drowningfish@reddit

I wasn't aware of that deprecation. Nice.

Reply

[-]

rootofallworlds@reddit

Can you similarly block rules that delete or junk incoming mail though? Since that’s commonly used by attackers.

Reply

[-]

Crafty_Individual_47@reddit

You can disable ability to create ALL server side rules with ”Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -RulesEnabled $false” But client side rules would still work. Moving emails to a folder would mean they have access to the mailbox and onky help would be confitional access rule to allow only managed devices. MFA and preventing token reuse policies help alot. I have seen many case where token is used for access instead of password. But again licenses are needed.

Reply

[-]

AmountAny8399@reddit

Blocking rules would hinder the workflow of loads of departments. HRIS systems commonly alert HR when a new employee has completed signing, an accounting manager is frequently overloaded with being CC’d on non relevant communications, etc. What would be more appropriate would be an alert or potential account lockout if an abnormally high number of emails are sent or moved at once.

Reply

[-]

Crafty_Individual_47@reddit

No need to allow forward rules outside 365. Cloudapp security alerts for such rules if wanted.

Reply

[-]

Typical_Warning8540@reddit

What script or code do you use to list all mail rules on all mailboxes without having delegate permissions to all mailboxes?

Reply

[-]

DeifniteProfessional@reddit (OP)

Can you make an alert for ANY mail rule?

Reply

[-]

Bartghamilton@reddit

Haven’t tried to make one for specific rules, but yes, normally make one that alerts if any rule is created. Get the rare false alert but when you look it’s easy to see the rules that aren’t issues…like a rule that moves any email from sales into sales folder, etc. and the bad guy rules are pretty easy to judge as well.

Reply

[-]

Bartghamilton@reddit

Looking at the thread and wanted to point out we do block the auto forward. But allow users to create rules. We just want to see the rule as most of the time it’s a compromised account. MS is smart enough not to see out of office rules as created rules so you don’t have to worry about alerts on those.

Reply

[-]

Crafty_Individual_47@reddit

We do the same with addition to block access and revoke sessions if we see rules that move all emails to different folder(s).

Reply

[-]

NominalDeterminate@reddit

Valid active credentials they can monetise in some fashion I'd imagine.

Reply

[-]

MihaLisicek@reddit

This Plus, they can sit on all the email accounts, just waiting for that one invoice to come, that they can then delete, and change bank acc info, and resend again from spoofed domain. This is something that happens quite a lot, someone just reading emails until the "right" one comes along

Reply

[-]

NominalDeterminate@reddit

Persistence is harder to do with high value users, typically business accounts, as there tends to be a security service that will detect and lock down. In those case they try and exploit their victims' contact list in the of chance this hits paydirt if at least allows the campaign to continue

Reply

[-]

MihaLisicek@reddit

I agree with you, but, i would say this is applicable for big organizations, for smaller companies, security is still mostly just praying that nothing happens. Statistically, incidents are "discovered" on average only after a bit more than 180 days (i think actual number was 189) since they actually happened. I've seen way too many of those kind of incidents happen in companies with 50-100 employees. They just don't want to invest into security. Scammers can still walk away with 6 digit payout from those companies. Honestly, i would download all contacts to try and sell them, but if possible, i would just stay there until i am detected, hoping for even better payout.

Reply

[-]

NominalDeterminate@reddit

That persistence stat tends to mean someone who's got on to the network, not so much a compromised email acct. In my experience even the smallest business gets the message when they see five figures walk out the door thanks to a successful impersonation fraud.

Reply

[-]

EastDallasMatt@reddit

How are they getting access if you have MFA enabled? Is this a problem with using Microsoft MFA?

Reply

[-]

Crafty_Individual_47@reddit

By stealing and reusing tokens.

Reply

[-]

bjc1960@reddit

What we have seen is company X gets hacked. The attacker gets invoices. They send the invoices to us with a homonym domain and then tell us to change bank account info. Accounting then does not follow their own controls and sends money to hacker. One thing I started doing is disabling outlook web access for those who fail a phishing simulation. We have a number of controls including "requiring compliant devices", but one more control, recommended by our insurer, won't hurt us.

Reply

[-]

rootofallworlds@reddit

I got an email claiming my letting agent (for my own flat) has changed and giving new bank details. You bet my sweet ass I’m verifying that in person or by telephone before paying next month’s rent.

Reply

[-]

Murky-Breadfruit-671@reddit

one of our customers had (for not the first time either) gotten a fake like that from our company, the address on the wire instructions was an old folks home in florida. we're in the midwest. sadly our bank had been bought, the customer called their sales rep and didn't do anything specific, just asked if anything had changed, which within the last 2 months it had. they lucked into it but got 6 figures out of them.

Reply

[-]

pdp10@reddit

> Accounting then does not follow their own controls and sends money to hacker. Perhaps there's less need to trap users into clicking on a link, as a "phishing test", and more need to red team the Accounts Payable department directly.

Reply

[-]

patmorgan235@reddit

The end goal is always money Sell the compromised users credentials on the dark web Harvest data front the users mailbox/OneDrive (to be sold on the dark web, or used to create another targeted attack) Try and intercept payments through Business Email Compromise Drop payloads on end-users and compromise some workstations to try and ransomware

Reply

[-]

R8nbowhorse@reddit

Unless it's a very targeted attack, the actors doing the phishing rarely do anything else. 99% of it are phishing bots that crawl through lists with thousands of mail addresses, save the harvested credentials & put them up for sale. This kind of software is increasingly sold as a SAAS product, so whoever is doing the phishing didn't even build the tools. Then, someone else buys those credentials & uses them for example for their own phishing campaign, or tries to steal data etc. What you're seeing is likely just a slightly more sophisticated bot that also uses successfully harvested credentials to scrape that accounts & propagate the payload to all of them.

Reply

[-]

Legionof1@reddit

Phishing is a non specific attack, spear fishing is targeted.

Reply

[-]

patmorgan235@reddit

Don't be pedantic.

Reply

[-]

R8nbowhorse@reddit

That's exactly what i explained? And spear phishing is just a term coined for targeted phishing, it's still phishing.

Reply

[-]

imnotaero@reddit

1. Phishing attack 2. ??? 3. Profit In contrast with the South Park gnomes, however, there are lots of really well-known things you can slot in at 2. But almost always, the end goal is profit. For instance, 2 can be "dwell in an accountant's email inbox until invoices are discussed, and change an attachment such that money is routed to you instead of your victim." Or it can be "log into a user's machine remotely and escalate privilege until we own the domain, destroy the backups, exfiltrate data, and run ransomware, and extort the victim for bitmoney." Or in your example, they use the account to do more phishing until they catch a fat and juicy account.

Reply

[-]

imnotaero@reddit

Also, a lot of time the people who are collecting valid credentials are just selling them to the people who are doing (2) somehow.

Reply

[-]

Jeremy_Zaretski@reddit

* Leverage against victims so that they can demand anything. * Information exfiltration. * Sabotage.

Reply

[-]

EbbNegative1062@reddit

They are using the compromised account to send something from a legit organization. It could be emails with links, it could be attachments, with links, from OneDrive and shared. Once they are in, they are looking to use this account to go after others who might trust this user.

Reply

[-]

JustDandy07@reddit

Find the account of the person that pays the bills. Intercept a large wire transfer and have the sender change the recipient information to your account. That or get some admin credentials and insert some ransomware.

Reply

[-]

Nick85er@reddit

Access retention, monitoring for additional hops, eventual machine/network compromise - but typically they will use the compromise account as a vector to reach out to known contacts and try to establish Trust and commit financial fraud

Reply

[-]

LRS_David@reddit

Later on they will send an email to various people trying to get them to buy gift cards or change their payroll deposit account. Or other things to try and get $$$ out of someone at the firm. They use real names but the "FROM:" email address is almost always a nonsense looking GMail account. Had a bookkeeper fall for the change my paycheck deposit account. One one person one time but still.

Reply

[-]

dracotrapnet@reddit

I see vendors that get phished, the attacker downloads their mailbox and parks it for later. Then they send phishing emails from the account until they get shut down. Round 2 they crack open the downloaded mailbox data, seemingly hunt down primarily recent sent invoices emails and contacts then set those aside. A year or two later they create a typo-domain and start sending out these invoices asking for status updates on already paid invoices, "Oh our banking info has changed, make any payments to X bank routing and account". If they can't find an invoice open to be paid they try to get banking info changed anyways. "Oh my mistake, I see it here - it was applied to another invoice. I'll fix it. We still need to update our banking info for future invoices." Bob's your uncle, they get future monies. I probably find one of these typo-domain and previously compromised user impersonation about once a month from a vendor. Often the account compromised is accounting. Often it's a previously seen phished vendor. I go dragnet and find contact info to report the typo-domain, lay out the issue hard that the previous BEC included CUSTOMER DATA that is now being used to defraud their customers. Sometimes I also report it to the FBI. Lately I haven't had time or energy to send them my findings. I know our accounting@ is frequently sent phishing and unsolicited emails. Fortunately that address is a honey pot! Our real accounting user addresses are also often targeted. They are supposed to be migrating all incoming invoices to shared mailboxes by site name-accounting. If they were real hard on everyone contacting them directly it would help avoid a lot of randos sending in fake linkedin invoices, fake CEO "hey plez pay (fake)vendor I forgot about this invoice and it's L8 late late". It won't fix BEC phishes where the attacker vacs up the entirety of a vendor's mailbox and tries collecting on old invoice data and redirect future payments to a fraudulent bank account.

Reply

[-]

ohyeahwell@reddit

Business email compromise: get into corp email, convince someone to send money to the wrong place. $12.3B business in 2023.

Reply

[-]

donith913@reddit

In 2020 the company I worked for had a user open an attachment in a phishing email. The result was ransomware, company wide. *sigh*

Reply

[-]

joeyl5@reddit

What endpoint security were they using?

Reply

[-]

donith913@reddit

At the time it was SEP, but that wasn’t the biggest problem. A lack of AD hygiene, a lack of visibility into all of the endpoints the company had and a really poor response from security when they had an indication something was wrong all made it much worse.

Reply

[-]

Valdaraak@reddit

I've worked somewhere that had a client lose $2m to a phishing scam. Someone's mailbox there got compromised, the attacker found emails about payments being due for a company they did business with (us), deleted them, attacker registered misspelled domains, impersonated us, and sent the real invoice over to the accounting department at the client. Went back and forth for over a month (at no point did the client call us to verify), and they eventually wired the payment out to the attacker (we don't even accept wires for payment). The end goal is money. Whether that's impersonations, re-directing wires, or extortion. Money is the goal.

Reply

[-]

smnhdy@reddit

Money, or influence.

Reply

[-]

Visible_Spare2251@reddit

When we experienced this they tried to install an app that can be used to export all mailbox contents. Presumably to then use in scams either against us or companies we work with.

Reply

Reply to Post

51 Comments