Status:
Assignee:
Priority:
Type:
Close Reason:
N/A
ID:
INV00850
Created By:
Valorieh Hopkins
Created:
2024/02/07 12:07:51 UTC
Updated By:
Updated:
2024/02/27 12:11:39 UTC
Archived:
N/A
Ticket:
No associated ticket
Tags:
No tags

KEY FINDINGS

Incident Summary


The Taegis XDR Business Email Compromise detector generated an alert for the user james.garcia@smithscogwheels.com due to the creation of a suspicious inbox rule that moves emails into the "RSS Feeds" folder (alert title: "Suspicious Email Forwarding Rule to RSS Folder").

 

Background


Business Email Compromise (BEC) is a type of scam targeting companies that conduct wire transfers and have suppliers abroad. Corporate or publicly available email accounts of executives or high-level employees related to finance or involved with wire transfer payments are either spoofed or compromised, through keyloggers or phishing attacks, in order to carry out fraudulent transfers, resulting in hundreds of thousands of dollars in losses. Often an attacker will register an account with an email address almost identical to one on the corporate network, relying on the trust the victim places in a familiar-looking sender address.

 

Incident Description


Analysis of available Taegis telemetry revealed that the IP address 2a06:e80:3000:1:bad:babe:ca11:911 (Seychelles) was able to access the mailbox of james.garcia@smithscogwheels.com. The user did have MFA in place; however, the threat actor gained access through an MFA fatigue attack, in which repeated MFA push requests were sent to the user until one was approved. The threat actor viewed email (based on MailItemsAccessed operations) and created a malicious inbox rule that moved every email whose subject or body contained any of the strings 'password;reset;payment;invoice;compromise;hack' into the "RSS Feeds" folder and stopped processing further rules. These are common BEC keywords: the rule moves account-compromise warnings, password resets and payment-related correspondence out of the Inbox, where the user would otherwise notice them.

 

Actions Taken by Secureworks


 

Remediation Recommendations/ Customer Actions


  • Engage Emergency Response for the following:
    • Utilize the InternetMessageIds from the MailItemsAccessed records to identify the emails read by the threat actor, should reporting be required.
    • Analyze the mailbox for the potential initial phishing email.

Future Mitigations


 

Technical Details



A total of 1 alert was generated for the user james.garcia@smithscogwheels.com related to Business Email Compromise. Details can be found below:

event_time  metadata.title                                  event_name     user_name                         source_address                     count
02-07-24    Suspicious Email Forwarding Rule to RSS Folder  New-InboxRule  james.garcia@smithscogwheels.com  2a06:e80:3000:1:bad:babe:ca11:911  1

The details of the rule can be found below:
key                           value
AlwaysDeleteOutlookRulesBlob  False
Force                         False
MoveToFolder                  RSS Feeds
Name                          RSS Feeds (Default)
SubjectOrBodyContainsWords    password;reset;payment;invoice;compromise;hack
StopProcessingRules           True
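The following Python is an added example, not Taegis output or Secureworks code, showing how an analyst would triage an exported set of Office 365 Unified Audit Log records for the two questions this report raises: scoring New-InboxRule/Set-InboxRule records for the traits of the rule above (a hiding folder such as RSS Feeds, BEC keywords in SubjectOrBodyContainsWords, StopProcessingRules) and collecting the InternetMessageIds from MailItemsAccessed records sourced from the attacker IP, which is the list the remediation step asks for. Record shapes follow the Office 365 Management Activity API schema (ClientIP for ExchangeAdmin records, ClientIPAddress and Folders/FolderItems for MailItemsAccessed); the sample records, the benign "Newsletters" rule, the 198.51.100.7 address and the message IDs are constructed for illustration. Only the first sample rule mirrors the rule in this report.

```python
"""Triage of Office 365 Unified Audit Log (UAL) records: which inbox rules look
like BEC, and which messages the attacker IP read. Added example, not Taegis or
Secureworks code; SAMPLE_RECORDS are constructed (first and third mirror the report)."""
import re

# Folders attackers pick so that moved mail escapes the user's notice.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items", "notes"}
# Keywords typical of BEC inbox rules; the report's rule uses the first six.
BEC_KEYWORDS = {"password", "reset", "payment", "invoice", "compromise", "hack",
                "phish", "fraud", "wire", "bank", "suspicious"}
ATTACKER_IP = "2a06:e80:3000:1:bad:babe:ca11:911"  # from the report


def rule_parameters(record):
    """Flatten the UAL Parameters list ([{Name, Value}, ...]) into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def score_inbox_rule(record):
    """Return (score, reasons) for a New-InboxRule / Set-InboxRule record;
    one point per suspicious trait, so a score of 2 or more needs an analyst."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return 0, []
    p, reasons = rule_parameters(record), []
    folder = p.get("MoveToFolder", "").strip()
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to hiding folder '{folder}'")
    words = {w.strip().lower() for w in
             re.split(r"[;,]", p.get("SubjectOrBodyContainsWords", "")) if w.strip()}
    if words & BEC_KEYWORDS:
        reasons.append("BEC keywords: " + ", ".join(sorted(words & BEC_KEYWORDS)))
    # Flags that destroy or hide evidence, or stop later rules from running.
    for flag in ("DeleteMessage", "MarkAsRead", "StopProcessingRules"):
        if str(p.get(flag, "")).lower() == "true":
            reasons.append(f"{flag}=True")
    # Any forwarding target is an exfiltration path regardless of keywords.
    for target in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if p.get(target):
            reasons.append(f"{target}={p[target]}")
    return len(reasons), reasons


def normalize_ip(value):
    """Strip the port the UAL appends ('[v6]:port' or 'v4:port')."""
    value = value.strip()
    if value.startswith("["):
        return value[1:value.index("]")]
    return value.split(":")[0] if value.count(":") == 1 else value  # v4:port


def client_ip(record):
    """ExchangeAdmin records carry ClientIP, ExchangeItem records ClientIPAddress."""
    return normalize_ip(record.get("ClientIPAddress") or record.get("ClientIP", ""))


def messages_accessed_from(records, attacker_ips):
    """InternetMessageIds touched by MailItemsAccessed events from attacker_ips."""
    ids = set()
    for r in records:
        if r.get("Operation") == "MailItemsAccessed" and client_ip(r) in attacker_ips:
            for folder in r.get("Folders", []):
                ids.update(i["InternetMessageId"] for i in folder.get("FolderItems", [])
                           if i.get("InternetMessageId"))
    return ids


def suspicious_rules(records, threshold=2):
    """Rules scoring at or above threshold, with the creating IP and reasons."""
    hits = []
    for r in records:
        score, reasons = score_inbox_rule(r)
        if score >= threshold:
            hits.append({"rule": rule_parameters(r).get("Name"), "user": r.get("UserId"),
                         "ip": client_ip(r), "score": score, "reasons": reasons})
    return hits


SAMPLE_RECORDS = [  # constructed; 198.51.100.7 (documentation range) is the user's own IP
    {"Operation": "New-InboxRule", "UserId": "james.garcia@smithscogwheels.com",
     "ClientIP": f"[{ATTACKER_IP}]:34512",
     "Parameters": [{"Name": "AlwaysDeleteOutlookRulesBlob", "Value": "False"},
                    {"Name": "Force", "Value": "False"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "Name", "Value": "RSS Feeds (Default)"},
                    {"Name": "SubjectOrBodyContainsWords",
                     "Value": "password;reset;payment;invoice;compromise;hack"},
                    {"Name": "StopProcessingRules", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "james.garcia@smithscogwheels.com",
     "ClientIP": "198.51.100.7:50112",  # benign newsletter rule made by the user
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@example.com"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "MailItemsAccessed", "UserId": "james.garcia@smithscogwheels.com",
     "ClientIPAddress": f"[{ATTACKER_IP}]:443",
     "Folders": [{"Path": "\\Inbox", "FolderItems": [
         {"InternetMessageId": "<invoice-0417@example.com>"},
         {"InternetMessageId": "<pw-reset-9921@example.com>"}]}]},
    {"Operation": "MailItemsAccessed", "UserId": "james.garcia@smithscogwheels.com",
     "ClientIPAddress": "198.51.100.7",
     "Folders": [{"Path": "\\Inbox", "FolderItems": [
         {"InternetMessageId": "<lunch-menu@example.com>"}]}]},
]

if __name__ == "__main__":
    for hit in suspicious_rules(SAMPLE_RECORDS):
        print(hit)
    print(sorted(messages_accessed_from(SAMPLE_RECORDS, {ATTACKER_IP})))
```

Run against a real export, the rule in this report scores 3 (hiding folder, six BEC keywords, StopProcessingRules) while an ordinary newsletter rule scores 0, and only the message IDs read from the attacker IP are returned, which keeps the user's own MailItemsAccessed activity out of the reporting scope. The port stripping matters because the UAL records IPv6 client addresses as "[addr]:port", so a naive string comparison against the alert's source_address would silently miss every attacker record.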

The reputation of the IP addresses involved with the alerts, as per APIVoid:

source_address                     Risk Score  Malicious Count  Total Count  Reverse DNS  City     Country
2a06:e80:3000:1:bad:babe:ca11:911  0           0                85           N/A          Mahe     Seychelles
2a0b:f4c2::27                      0           0                85           N/A          Hamburg  Germany

Investigating activity from IP addresses involved with the alerts

The following CloudAudit events were observed for the user originating from the IPs involved with the alert in the last 7 days:

event_time  source_address                     event_name                    status     Occurrences
02-07-24    2a06:e80:3000:1:bad:babe:ca11:911  AzureActiveDirectoryStsLogon  Succeeded  149
02-07-24    2a06:e80:3000:1:bad:babe:ca11:911  Signin                        Succeeded  3
02-07-24    2a06:e80:3000:1:bad:babe:ca11:911  anonymizedIPAddress           Succeeded  3
02-07-24    2a06:e80:3000:1:bad:babe:ca11:911  AnonymousLogin                Succeeded  3
02-07-24    2a06:e80:3000:1:bad:babe:ca11:911  ExchangeAdmin                 Succeeded  2
02-07-24    2a06:e80:3000:1:bad:babe:ca11:911  ExchangeItemAggregated        Succeeded  1
02-07-24    2a06:e80:3000:1:bad:babe:ca11:911  SharePointFileOperation       Succeeded  1

 

Related Alerts


There are 11 alerts observed for the user in the last 24 hours, with 3 unique alert titles as seen below:

metadata.title                                  Alert_Severity  count
Anonymous IP address                            Medium          5
Suspicious inbox forwarding rule                Critical        1
Microsoft Risk Detection: Anonymous IP address  Low             5


 

Recommendation



T1114.003 (Email Collection: Email Forwarding Rule)

Audit (M1047)
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Disable or Remove Feature or Program (M1042)
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Encrypt Sensitive Information (M1041)
Protect sensitive information with strong encryption.

T1070 (Indicator Removal)

Encrypt Sensitive Information (M1041)
Protect sensitive information with strong encryption.

Indicator Removal on Host Mitigation (T1070)
Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.

Restrict File and Directory Permissions (M1022)
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Remote Data Storage (M1029)
Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.

 

Reference



SCWX-TIPS 4791


Azure AD User Detail

Display Name:            James Garcia
Job Title:               Exec Assistant
Department:              ExecTeam
User Principal Name:     james.garcia@smithscogwheels.com
User Groups:
Account Created:         2023-07-04T07:30:42Z
Password Changed:        2023-08-24T19:14:40Z
Since Password Changed:  171 days
Auth Methods:            passwordAuthenticationMethod, microsoftAuthenticatorAuthenticationMethod
Last Logon:              2024-02-07T12:05:17Z
Office Location:         Mexico City
Business Phones:         +52 888 555 3823
Mobile Phone:            +52 888 555 2716

846f4b1c-6bb2-4600-ae37-f5d47874dbb0: NON-Azure AD User Detected
james.garcia: NON-Azure AD User Detected