'Florentine Baker Group' Use Microsoft 365 Functionality to Scam Private Equity Firm Out of $1.2 Million

A new investigation by Check Point’s Incident Response Team (CPIRT) demonstrates how brazen cybercriminals are and the lengths they will go to in order to see their scam succeed.

Cybercriminals were able to divert well over $1 million in funds from a PE firm back in December, according to a newly released CPIRT report. This CEO fraud attack involved the targeting of specific firms, a ton of intel gathering, the use of malicious mailbox rules, lookalike domains, impersonation, and either intercepting or starting new wire transfers.

Here’s how the scam works:

  • Target the CEO or CFO of a PE firm with malware designed to take over their machine
  • Watch the email conversations, looking for opportunities to misdirect wire transfers
  • Divert inbound emails related to pending wire transfer transactions to an attacker-used mailbox folder
  • Set up a lookalike domain impersonating the PE firm
  • Send emails from the lookalike domain, impersonating the parties to the wire transfer, to the PE firm, taking over the email thread without the PE firm realizing it (think cut and paste of the existing thread, including the people at the other firm, with the lookalike domain as the from address; all replies now go to the attacker and no longer involve the other PE firm)
  • Continue to reroute inbound emails from the other firm, so that its legitimate communications never reach the victim
  • Commit wire fraud by providing new banking details to an existing (but pending) wire transfer
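Two of the tricks above, a mailbox rule that diverts wire-transfer mail into a folder the owner never looks at, and a look-alike domain, can be checked for mechanically. The following is an added example, not code from the Check Point report or from KnowBe4; the rule field names are modelled on Exchange Online's Get-InboxRule output, and the keyword lists, sample rules and domains are constructed placeholders.

```python
from difflib import SequenceMatcher

# Constructed keyword list: terms a BEC actor filters on to catch wire-transfer threads.
WIRE_WORDS = {"wire", "invoice", "payment", "bank", "swift", "routing", "remittance"}
# Constructed folder list: places a user rarely opens, so diverted mail goes unnoticed.
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "archive"}

def suspicious_rule(rule: dict) -> list[str]:
    """Reasons an inbox rule looks like BEC tooling (empty list = clean).
    Field names follow Exchange Online's Get-InboxRule output; input is a plain dict."""
    if not rule.get("Enabled", True):
        return []
    reasons, hides = [], False
    words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords", [])}
    if words & WIRE_WORDS:
        reasons.append("filters on payment keywords: " + ", ".join(sorted(words & WIRE_WORDS)))
    if (rule.get("MoveToFolder") or "").lower() in HIDDEN_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{rule['MoveToFolder']}'")
        hides = True
    if rule.get("DeleteMessage") or rule.get("MarkAsRead"):
        reasons.append("deletes or marks messages as read")
        hides = True
    if rule.get("ForwardTo"):
        reasons.append("forwards to " + ", ".join(rule["ForwardTo"]))
        hides = True
    # A keyword filter alone can be benign; hiding or forwarding the mail is the tell.
    return reasons if hides else []

def normalize(domain: str) -> str:
    """Registrable part of a domain with common look-alike substitutions undone."""
    d = ".".join(domain.lower().strip().split(".")[-2:])
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d

def is_lookalike(sender_domain: str, own_domain: str, threshold: float = 0.85) -> bool:
    """True when sender_domain imitates own_domain; the real domain itself is not flagged."""
    if sender_domain.lower() == own_domain.lower():
        return False
    a, b = normalize(sender_domain), normalize(own_domain)
    return a == b or SequenceMatcher(None, a, b).ratio() >= threshold

# Constructed samples: the first rule mirrors the diversion described above; the domains
# stand in for a PE firm's real domain and an impersonation of it.
SAMPLE_RULES = [
    {"Name": ".", "Enabled": True, "SubjectOrBodyContainsWords": ["wire", "invoice"],
     "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True},
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Newsletters"},
]
OWN_DOMAIN, SENDER_DOMAIN = "example-capital.com", "examp1e-capital.com"
```

Run `suspicious_rule` over every mailbox's rules and `is_lookalike` over the sender domains of inbound mail; a hit on either is worth a phone call before any payment moves.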

The scammers also looked through countless emails between the compromised mailbox and the firm’s bank, identifying contacts at the bank to whom they then sent new wire requests.

In all, the PE firm was scammed out of $1.2 million, with only about half of the money being recovered.

So, what can organizations learn from this kind of scam?

There are a few best practices to put into place that could have prevented this scam:

  • Use Security Awareness Training to teach users how to spot malicious emails, impersonated logon pages, and suspicious content. This attack started with a simple email impersonating Microsoft 365, requiring the PE firm employee to provide their credentials online to a spoofed website. Training would also teach users to identify when they are being socially engineered by an attacker impersonating a company with which you do business.
  • Use two-factor authentication with Microsoft 365 (formerly Office 365) to ensure only the mailbox owner has access. While we have seen Microsoft’s two-factor authentication broken by some sophisticated attackers, gaining initial access doesn’t provide ongoing access with two-factor authentication enabled.
  • Put a policy in place that requires verification of email-based wire requests via another medium. Phone is a good choice, provided the call is made immediately and to a number established well before the request (as scammers have begun to use deepfake audio). This goes for both changes to inbound wires and any outbound wire requests.

Discover dangerous look-alike domains that could be used against you!

Since look-alike domains are a dangerous vector for phishing attacks, it is a top priority that you monitor for potentially harmful domains that can spoof your domain.

Our Domain Doppelgänger tool makes it easy for you to identify your potential "evil domain twins" and combines the search, discovery, reporting, risk indicators, and end-user assessment with training so you can take action now.

Here's how it's done:

  • Get detailed results of look-alike domains found similar to your primary email domain
  • You can now quiz your users with your look-alike results
  • Get a summary PDF that contains an overview of the look-alike domains and associated risk levels discovered during the analysis
  • It only takes a few minutes to discover your “evil domain twins”!
