A new phishing attack spotted in the wild by security researchers at Trend Micro demonstrates how data compromised in an initial cyberattack is repurposed in subsequent attacks.
We all know in concept that any data stolen/compromised/collected by the bad guys is then sold on the dark web, used to extort a ransom, or used to conduct further malicious activity. In the case of this latest attack, dubbed Water Nue, cybercriminals have been targeting executives at over 1000 companies around the world, attempting to compromise their Microsoft 365 credentials. While the concept of stealing Microsoft 365 credentials isn’t new, some of the details of this attack are interesting to note:
- Attackers use hosting company SendGrid’s email automation to send emails and use SendGrid-generated links to obfuscate the final spoofed M365 logon page URL.
- Additional “X-Mailer” headers citing a mix of email clients are added to confuse email scanning solutions.
- Once credentials are verified and access to the executive’s account is achieved, the bad guys send off BEC emails to the exec’s subordinates, asking for fake invoices to be paid, such as the one below. (BTW, this tactic implies there is some manual diligence done, where the bad guy with access is figuring out who to send emails to, how large an invoice would not raise any red flags, etc.)
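The two evasion tricks in the list above (routing the link through SendGrid’s click tracker so the spoofed logon URL never appears in the message, and stacking conflicting X-Mailer headers) are both visible in the raw message, which makes them easy to check for at the mail gateway. The following is an added example, not code from the Trend Micro report, showing a small Python triage routine run over a constructed sample message; the sample addresses, the `ct.sendgrid.net` redirector suffix list and the scoring rule are assumptions you would tune to your own environment.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Click-tracking hosts that hide the final destination from the reader.
# Assumption: extend this with whatever senders your mail flow legitimately
# uses, otherwise every marketing newsletter trips the check.
REDIRECTOR_SUFFIXES = ("ct.sendgrid.net",)

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample mimicking the traits described in the post:
# three X-Mailer headers naming different clients, and a login link
# that goes through a click-tracking redirector.
SAMPLE_EML = """From: "IT Support" <support@example.org>
To: ceo@example.com
Subject: Action required: mailbox quota
X-Mailer: Microsoft Outlook 16.0
X-Mailer: Apple Mail (2.3608.120.23.2.4)
X-Mailer: Thunderbird 78.0
Content-Type: text/plain; charset="us-ascii"

Your mailbox is almost full. Sign in here to keep receiving mail:
https://u1234.ct.sendgrid.net/ls/click?upn=abc123
"""

# Constructed benign message for comparison: one client, direct link.
CLEAN_EML = """From: "Alice" <alice@example.com>
To: bob@example.com
Subject: Lunch
X-Mailer: Microsoft Outlook 16.0
Content-Type: text/plain; charset="us-ascii"

Menu is at https://www.example.com/menu - see you at noon.
"""


def extract_links(msg):
    """Return every http(s) URL found in the text parts of the message."""
    links = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            links.extend(URL_RE.findall(part.get_content()))
    return links


def is_redirector(url):
    """True when the URL's host is (or is under) a known click-tracking domain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in REDIRECTOR_SUFFIXES)


def analyze(raw_message):
    """Flag the two header/link anomalies described above and return findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    xmailers = [str(h) for h in msg.get_all("X-Mailer", [])]
    redirectors = [u for u in extract_links(msg) if is_redirector(u)]
    findings = {
        "xmailer_count": len(xmailers),
        # A genuine client stamps one X-Mailer; several different values
        # is the confusion tactic the report describes.
        "conflicting_xmailer": len(set(xmailers)) > 1,
        # The redirector hides the final page; resolve it in a sandbox, not here.
        "redirector_links": redirectors,
    }
    findings["suspicious"] = findings["conflicting_xmailer"] or bool(redirectors)
    return findings


if __name__ == "__main__":
    for name, eml in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(name, analyze(eml))
```

Neither signal is proof on its own: plenty of legitimate bulk mail goes through click trackers, and some gateways add their own headers. The value is in combining them and in surfacing the hidden link for analysts, since the tracking URL is what an employee actually sees when hovering over the “sign in” button.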
This scam highlights the steps cybercriminals are willing to take to avoid detection by security solutions. And once an account is compromised, the BEC requests look legitimate to fellow internal employees.
To avoid being a victim of such scams, organizations need to have employees undergo continual Security Awareness Training where they will learn about these kinds of scams, the need to always confirm requests via a secondary means (e.g., via phone), and to always put emails under scrutiny – especially when it involves the transfer of money.