Cybercriminals Target Execs in Microsoft 365 Credential Attack to Launch Internal BEC Scams



cybercriminal bec attackA new phishing attack spotted in the wild by security researchers at Trend Micro demonstrates how compromised data in an initial cyberattack is purposed in subsequent attacks.

We all know in concept that any data stolen/compromised/collected by the bad guys is then sold on the dark web, used to extort a ransom, or used to conduct further malicious activity. In the case of this latest attack, dubbed Water Nue, cybercriminals have been targeting executives at over 1000 companies around the world, attempting to compromise their Microsoft 365 credentials. While the concept of stealing Microsoft 365 credentials isn’t new, some of the details of this attack are interesting to note:

  • Attackers use hosting company SendGrid’s email automation to send emails and use SendGrid-generated links to obfuscate the final spoofed M365 logon page URL.
  • Additional “Xmailer” headers citing a mix of email clients are added to confuse email scanning solutions
  • Once credentials are verified and access to the executive’s account is achieved, the bad guys send off BEC emails to the exec’s subordinates, asking for fake invoices to be paid, such as the one below. (BTW, this tactic implies there is some manual diligence done, where the bad guy with access is figuring out who to send emails to, how large an invoice would not raise any red flags, etc.)
water-nue-email-sample-originating-ip

This scam highlights the steps cybercriminals are willing to take to avoid detection by security solutions. And once an account is compromised, the BEC requests look legitimate to fellow internal employees.

To avoid being a victim of such scams, organizations need to have employees undergo continual Security Awareness Training where they will learn about these kinds of scams, the need to always confirm requests via a secondary means (e.g., via phone), and to always put emails under scrutiny – especially when it involves the transfer of money.


Get Your CEO Fraud Prevention Manual

CEO-Fraud-PagesCEO fraud has ruined the careers of many executives and loyal employees, causing over $26 billion in losses. Don’t be the next victim. This manual provides a thorough overview of how executives are compromised, how to prevent such an attack and what to do if you become a victim.

Get Your Manual

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://info.knowbe4.com/ceo-fraud-prevention-manual

Subscribe To Our Blog


Free Cybersecurity Awareness Month Resource Kit




Get the latest about social engineering

Subscribe to CyberheistNews