Phishing and Spoofing Schemes on Office 365

In the past year or so, we’ve seen an uptick in a particular methodology of international cybercriminals preying on US and Canadian businesses. Knowing what their tactics are can help keep you and your customers safe.
The start of the attack is usually when the criminals obtain the Office 365 username and password for somebody in the finance department of a company. They might do this with a username and password obtained in a data breach, or by sending massive blasts of phishing emails or texts out to see who bites. They’re usually thwarted by accounts with Multi-Factor Authentication turned on, and since this is a crime of opportunity, they will just move on from such protected accounts.

Once they have a username and password, they’ll use a VPN service to mask their IP to look like they’re in a location in the US. This is because Office 365 will often block or require additional screening for international connections. By using a VPN host, they appear to be local.

Next, they read through the email of the user in question, looking specifically for when invoices were sent out. They’ll target particular customers by faking legitimate-looking invoices and sending them from the compromised user’s account. This email may contain a PDF invoice, or a link to a QuickBooks Payments or other look-alike site that the compromised company has used historically.

Another trick here is that the phishers may set up a look-alike domain for the compromised company. For instance, if the victim is joe@acme-corporation.com, they might buy acme-corporatiom.com and create an email address named joe@acme-corporatiom.com there. They’ll CC that address on their future emails, so that they have a copy of all communications if they lose access to the compromised account later.
That’s not the only way they stay in a user’s account. They’ll also set up something called an RSS redirect. Outlook Online has a feature allowing users to create and RSS Feed, which is essentially a machine-readable webpage that will publish any email you drop into that folder. The attackers will set up a rule in Outlook copying some or all messages to that feed, so they can read all the email coming into the account without having to log in. Since users rarely check their Outlook rules, this can go undetected for years.

The next step is convincing the victim customer to pay their invoice to a new ACH or wire address. Usually the first attempt will be casual, such as including in the invoice email “Please note we’ve changed banks. Please update your ACH payment information for us.” The invoice will usually have the new information printed on it as well. When the payment date comes up, the attackers will usually email the victim organization to make sure they noticed the new information, or if the victim usually pays by check or some other method, they’ll try to convince them to change to an electronic transfer.

If the compromised organization discovers the compromise, or the compromised user changes their password for any other reason, the attackers will lose access to the account. The RSS feed will allow them to continue to see incoming email, and they can reply from their fake account, which should be trusted by the destination mailserver at this point, since it has now seen that domain repeatedly on “legitimate” emails. Worse, there’s no technical means to block the email from the fake domain going to your customers without having the receiving customer block them, and you may not know who all the receiving customers were.

Hopefully by this stage the compromised company has detected the attack and alerted their customers, but it may be too late. A customer may pay an invoice, believing it was legitimate, for thousands of dollars to the attackers. Once that money is gone, it’s gone…

So what can you do to protect yourself and your customers?

1. Turn on Multi-Factor Authentication for all employees. MFA alone stops the vast majority of these attacks, as getting past it is much more technically challenging than simply stealing a username and password.
2. Regularly scan Exchange Online for rules that redirect email to RSS feeds. RSS feeds are a rarely used feature of Outlook for most organizations, so they’re usually a good indicator that an account has been compromised.
3. Make sure your customers know if you have an ACH or Wire reception policy, and how you issue information about it. This is one case where good old-fashioned paper checks thwart the criminals almost every time.
   Finally, if you do have a vendor suddenly change their ACH or Wire information, it’s really worth a phone call to them to confirm before you pay outa quarter of a million dollars. Most of these scams rely on the fact that the payer sees what they expect to see and pays the invoice because it’s their job to pay invoices. Confirming payment change information by a different method than you received it, such as making a phone call to confirm a change you received by email, will also ruin the plans of these attackers.
   It’s hard to tell how successful these attackers are, but based on the attacks we’ve seen in 2020, this method has a roughly 15-20% change of getting a payment out of any given victim customer. The scam works by abusing an existing trust relationship, which makes it terribly effective. Take your security seriously. It really is worth the investment.

If you have questions or would like a review of your Office 365 instance for signs you’ve been compromised, call 1-844-567-3100 or email us at sales@deepcoredata.com.