Between April and September, hackers made as much as $15 million by impersonating senior executives at as many as 150 companies using what appear to be legitimate Microsoft Office 365 email addresses in a bid to make their attacks more successful. The FBI, the Secret Service and Microsoft have all been informed, according to Mitiga, an Israeli cybersecurity startup that claims to have uncovered the attacks.
It’s a classic but hugely successful case of what’s known as business email compromise (BEC) fraud where crooks impersonate company partners and convince them to send money to their bank accounts. For instance, the hacker will set up email server domains so they could be mistaken for a real business, such as forb3s.com rather than forbes.com. Mitiga said that in one case it investigated, a hacker had learned of a target’s wire transfer by somehow gaining access to an employee’s Office 365 email account. Then, just as the money was about to be sent by the unnamed victim organization, the fraudster impersonated the recipient and sent new wire instructions so they received the money rather than the legitimate seller. The latter never received the money they were due.
After looking into that attack, Mitiga discovered a significant number of other, possibly linked BEC frauds that may have been perpetrated by the same group. They used 15 different Office 365 accounts to register 150 additional domains, all of them registered on Wild West Domains and designed to imitate other legitimate businesses, Mitiga said.
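As an added defender-side example (not code from the article or from Mitiga), the following Python flags From: header domains that imitate a trusted partner domain the way forb3s.com imitates forbes.com, both by digit-for-letter substitution and by a single dropped or changed character; the trusted list, substitution table and sample headers are constructed for illustration.

```python
# Added example: flag From: domains that imitate trusted partner domains.
from __future__ import annotations
from email.utils import parseaddr

# Constructed: domains this organization legitimately exchanges invoices with.
TRUSTED_DOMAINS = {"forbes.com", "example-law.com"}
# Digit-for-letter swaps typical of lookalike domains (forb3s.com -> forbes.com).
_SUBSTITUTIONS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"}

def normalize(domain: str) -> str:
    """Lowercase, drop a trailing dot, undo digit swaps and 'rn'/'vv' lookalikes."""
    d = domain.strip().lower().rstrip(".").replace("rn", "m").replace("vv", "w")
    return "".join(_SUBSTITUTIONS.get(c, c) for c in d)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Domain part of a From: header value such as 'Accounts <ap@forb3s.com>'."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def check_domain(domain: str, trusted: set[str] = TRUSTED_DOMAINS) -> str | None:
    """Return a reason if `domain` imitates a trusted domain, else None."""
    raw = domain.lower().rstrip(".")
    if raw in trusted:
        return None  # exact match: mail really carries the partner's domain
    norm = normalize(raw)
    for t in trusted:
        if norm == t:
            return f"{raw} normalizes to trusted {t} (character substitution)"
        if edit_distance(raw, t) <= 1:  # one dropped, added or changed character
            return f"{raw} is within edit distance 1 of trusted {t}"
    return None  # caveat: transpositions such as fobres.com need a wider check

# Constructed From: header values for a quick run; two should be flagged.
SAMPLE_HEADERS = ["Accounts <ap@forbes.com>", "Accounts <ap@forb3s.com>",
                  "Billing <billing@forbes.co>", "Newsletter <news@example.org>"]

def scan(headers: list[str] = SAMPLE_HEADERS) -> list[tuple[str, str]]:
    """Return (header, reason) pairs for every header flagged as a lookalike."""
    return [(h, r) for h in headers if (r := check_domain(sender_domain(h)))]
```

A flagged header is a trigger for human review of any payment-instruction change, not proof of fraud; the exact-match branch also shows why display-name tricks on a genuine domain need a separate check.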
“We believe that the threat actor chose to use Office 365 in order to improve the likelihood of a successful attack, thanks to the credibility it can generate,” the company wrote in a report released Wednesday. “The threat actor’s use of the same technology stack reduced both suspicious discrepancies and the likelihood of triggering malicious detection filtering, which ultimately contributed to the rogue emails slipping through.”
Mitiga is unsure if the attacks were all launched by the same group, but claimed to have found “digital fingerprints” that indicated it could be possible. As for victims, they remain unnamed, but according to Tal Mozes, cofounder and CEO at the startup, “they are global and many U.S.-based and span various sectors, including law firms, construction, finance and retail.”
Federal investigators were informed of the attacks in August and Microsoft was contacted last week. The FBI hadn’t responded to a request for comment. Microsoft didn’t provide comment on the alleged frauds, but said in a statement that Office 365’s email filtering tools go some way to protecting customers from attacks.
“Phishing is an industry-wide ongoing challenge and Microsoft is constantly monitoring new attack patterns and hardening our services to help keep customers secure,” a spokesperson added. “To further protect customers, Defender for Office 365 (formerly Office 365 ATP) includes rich capabilities to thwart targeted and advanced attacks such as business email compromise, credential phishing and email account compromise. We encourage customers to adopt these advanced protections and practice safe computing habits online, as outlined on our website and blog.”
BEC gone wild
The attacks are the latest in an ever-growing and already huge line of BEC attacks that have cost companies billions of dollars.
In April, the FBI revealed that between January 2014 and October 2019 it had received complaints totaling more than $2.1 billion in actual losses from BEC scams “using two popular cloud-based email services.” It didn’t say whether or not Microsoft’s Office suite was one of those services. The feds also warned that they expected to see a rise in BEC fraud related to the Covid-19 pandemic. In one case, the FBI said a financial institution received an email from a fraudster pretending to be the CEO of a company who had previously scheduled a transfer of $1 million, requesting the payment be made sooner and to a different account “due to the Coronavirus outbreak and quarantine processes and precautions.”
Forbes has also been keeping tabs on BEC scams being investigated by law enforcement. In one particularly nasty case investigated by the FBI towards the end of last year, Vermont-based Encore Renewable Energy was convinced by a trickster to send $2 million to someone pretending to be a regular partner. According to a search warrant obtained by Forbes, the money ended up in bank accounts in Hong Kong, though it was traced and locked down before the criminals could launder it.