Cybersecurity company Trend Micro reports having uncovered a campaign to compromise the Office 365 accounts of more than a thousand senior-level executives, especially those in finance departments. Rather than using the indiscriminate “spray and pray” phishing approach that is so common, the attackers sent each targeted executive a focused spear-phishing email.
A single group, which the Trend Micro researchers have named “Water Nue”, appears to be behind the attacks. Once they successfully compromise an executive’s account, they use it to send fraudulent invoices or other documents to lower-level employees in an effort to trick them into transferring money to bank accounts held by the fraudsters, a practice known as business email compromise (BEC).
In a company blog post, the researchers wrote about this group:
“The threat actor behind this campaign is interesting for several reasons. It appears that their technical capabilities are limited despite being able to successfully target high-level employees globally. While their phishing tools are basic (i.e., no backdoors, trojans, and other malware), they made use of public cloud services to conduct their operations. The use of cloud services allowed them to obfuscate their operations by hosting infrastructures in the services themselves, making their activities tougher to spot for forensics. This tactic has become more commonplace among cybercriminals.”
The researchers describe how they initially noticed phishing attacks coming from a collection of email domains and, on investigating further, found that the attacks were targeting high-level executives, especially in finance departments. In one case involving an Africa-based bank, the senior financial officer’s compromised email account had been used to send a fraudulent invoice requesting payment to a Hong Kong bank account.
The attackers use cloud-based email delivery services to send an email containing a clickable link, for example an invitation to listen to a voicemail. Clicking the link redirects the victim to the group’s phishing site, which mimics the official Office 365 login page. Any credentials entered there are forwarded to the threat actors, who then use them to log in to the executive’s account and send emails from it.
The researchers note that the campaign is still operating, with Water Nue evading blacklisted and deactivated domains by simply registering new ones and moving to different infrastructure.
The blog post suggests a number of precautions that organisations can take to avoid falling foul of such attacks, which the researchers point out can be harder to spot than typical phishing campaigns because each one is tailored to an individual. First, it recommends educating employees, from the top executives to junior staff, about the different types of threats, such as through the cybersecurity training we provide at Pro-Networks as part of our IT support and services. Second, it suggests using additional verification steps for sensitive requests, such as phoning the executive who purportedly made the request, using a number already on file rather than one taken from the email. Third, it suggests that employees watch out for suspicious content in emails, such as unusual writing styles and odd-looking domains.
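The lure-and-redirect flow described above, and the advice to watch for odd-looking domains, are the kind of thing a mail gateway or mailbox scanner can check before a message reaches an executive. The following is an added example written for this article, not code from Trend Micro or from the Water Nue report: it pulls every link out of a message body and classifies it as a genuine Microsoft sign-in domain, a lookalike that borrows Microsoft brand terms in its hostname, or a third-party delivery or tracking link whose redirect chain still needs resolving in a sandbox. The domain allowlist, the brand and lure term lists and the sample message are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Registrable domains Microsoft actually uses for Office 365 / Microsoft 365
# sign-in and mail. Assumption for this example: a short, reader-maintained
# allowlist; add your own federated (ADFS) or custom-branded sign-in hosts.
MICROSOFT_DOMAINS = (
    "microsoft.com",
    "microsoftonline.com",
    "office.com",
    "office365.com",
    "live.com",
    "windows.net",
    "outlook.com",
)

# Brand terms a lookalike Office 365 login page tends to put in its hostname or path.
BRAND_TERMS = ("office", "o365", "microsoft", "outlook", "sharepoint", "onedrive")

# Lure wording from the campaign described above (a voicemail to listen to).
LURE_TERMS = ("voicemail", "voice", "audio")

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def is_microsoft_host(host):
    """True only if host is exactly a Microsoft domain or a genuine subdomain of one.

    The leading dot in the endswith check is what stops 'fakemicrosoft.com' and
    'login.microsoftonline.com.evil.example' from passing.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)


def _terms_in(text, terms):
    """Return the terms that appear inside any alphanumeric token of text."""
    tokens = re.split(r"[^a-z0-9]+", text.lower())
    return sorted({t for t in terms if any(t in tok for tok in tokens)})


def classify_url(url):
    """Return (verdict, reason) for one link: 'allow', 'block' or 'review'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path_and_query = f"{parsed.path}?{parsed.query}".lower()

    if is_microsoft_host(host):
        return "allow", f"{host} is a genuine Microsoft host"

    brand_in_host = _terms_in(host, BRAND_TERMS)
    if brand_in_host:
        # Hostname borrows the brand but sits under someone else's domain: lookalike.
        return "block", (f"{host} uses Microsoft brand term(s) {brand_in_host} "
                         "but is not under a Microsoft domain")

    brand_in_path = _terms_in(path_and_query, BRAND_TERMS)
    lure = _terms_in(path_and_query, LURE_TERMS)
    if brand_in_path or lure:
        # Typical first hop: a third-party mail-delivery or tracking link whose
        # redirect target cannot be seen offline. Hand it to URL detonation.
        return "review", (f"{host} is not a Microsoft host but the link carries "
                          f"brand/lure term(s) {brand_in_path + lure}; "
                          "resolve the redirect chain before delivery")

    return "allow", "no Office 365 login indicators"


def scan_email(text):
    """Extract every http(s) URL from a message body and classify it."""
    return [(url,) + classify_url(url) for url in URL_RE.findall(text)]


# Constructed sample message for this example, not a real Water Nue lure.
SAMPLE_EMAIL = """\
You have a new voice message (00:42).
Listen now: https://click.example-mailer.net/t/c/AbC123?r=voicemail_office365
Or sign in at https://login.microsoftonline.com.secure-o365-verify.example/common/oauth2
Help: https://support.microsoft.com/office
"""

if __name__ == "__main__":
    for url, verdict, reason in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:6} {url}\n       {reason}")
```

Running the script yields one `review` (the tracking link with the voicemail lure), one `block` (the hostname that begins with the real `login.microsoftonline.com` but is registered under another domain) and one `allow`. The design choice worth noting is that the durable check is an allowlist of Microsoft's own registrable domains, not a blocklist of known phishing domains: as the researchers note, Water Nue simply registers new domains when the old ones are taken down, so matching on what is genuine holds up where matching on what is known-bad does not. The keyword matching is a coarse first filter and will flag some legitimate third-party links for review; that is the intended trade-off for mail addressed to finance executives.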