Attackers have developed two new business email compromise (BEC) phishing techniques that evade email security filters by manipulating Microsoft 365’s automated email responses.
- First the read receipts is manipulated.
- Then the target victims out-of-office (OOO) replies are redirected.
Both were seen being used in the United States in December 2020 during the holidays.
Step 1 – “Disposition-Notification-To” Read-Receipt Notification
With the read-receipts attack, the attacker creates an email and changes the “Disposition-Notification-To” email header to create a read-receipt notification from Microsoft 365 to the recipient.
The email should get caught by email security filters, but since it is created from the internal system, the read receipt is sent to the target, bypassing traditional security filters and is sent to the employee’s inbox,
Step 2 – Out-of-Office (OOO) Attack
With the OOO attack, a the attacker creates a BEC email impersonating someone inside the company. The attacker changes the “Reply-To” email header so that if the target has an OOO message turned on, that OOO notification (that includes the original text) is directed to someone else within the organisation.
Again, the message most likely will not be caught by email security filters, because it originates from the original target’s account, not externally.
Business Email Compromise (BEC) is Still a Serious Email Threat
BEC emails are used to steal money from companies, often by impersonating an employee, vendor or customer in an email or mobile message. It often involves the attacker asking to pay a fake invoice, recurring payment or wire transfer.
The average BEC attack volume per week during that time increased in six out of eight industries. The largest increase in BEC attacks was 93 percent in the energy/infrastructure sector. The highest number of weekly BEC attacks were in retail/consumer goods and manufacturing and technology. The study found these BEC campaigns used mostly invoice and payment fraud, with a 155 percent Quarter on Quarter.
As email-security gets better, so do cybercriminals. For example, in early January a campaign was launched that leveraged Google’s Forms survey tool to create an ongoing conversation between the email recipient and the attacker which set up victims for future BEC attacks.
Microsoft and Office 365 are Big Targets
The Microsoft Office 365 cloud environment is a big target for BEC compromise as well.
Once hackers compromise an Office 365 environment, these BEC scammers can leverage trusted communications. For example, attackers can send an illegitimate email from the CEO’s official account to socially engineer employees, customers, or partners.
Attackers can also search through emails, chat histories and files to steal passwords or other important data. They can also set up forwarding rules to get access to emails without needing to sign in again. Furthermore, they could plant malware or malicious links into commonly used and trusted documents. The goal here is to manipulate something everyone trusts to bypass prevention controls that could trigger alerts to ultimately steal or hold files and data for ransom.
Protecting Against BEC Attacks
BEC attacks are hard to detect with typical tools and methods because they do not use malware or malicious URLs that can be detected by antivirus, so mitigating this threat can be difficult. Traditionally, the best defence for these kinds of attacks is end-user training and awareness so end-users can verify a request is indeed legitimate. It is also always a good idea to implement 2FA for email, configure your email to filter out suspicious looking phishing emails, and use updated end-point protection and antivirus.