2024-02-07 - [BEC] - Business Email Compromise - james.garcia@smithscogwheels.com
Incident Summary
The Taegis XDR Business Email Compromise detector has generated an alert for the user james.garcia@smithscogwheels.com due to the creation of a suspicious inbox rule that moves emails to the "RSS Feeds" folder.
Background
Business Email Compromise (BEC) is a type of scam targeting companies that conduct wire transfers and have suppliers abroad. Corporate or publicly available email accounts of executives or high-level employees related to finance or involved with wire transfer payments are either spoofed or compromised through keyloggers or phishing attacks to make fraudulent transfers, resulting in hundreds of thousands of dollars in losses. Often, an attacker will create an account with an email address almost identical to one on the corporate network, relying on the assumed trust between the victim and their email account.
Incident Description
Analysis of available Taegis telemetry revealed that the IP address 2a06:e80:3000:1:bad:babe:ca11:911 (Seychelles) was able to access the mailbox of james.garcia@smithscogwheels.com. The user did have MFA in place; however, the threat actor gained access through an MFA fatigue attack, in which the threat actor kept sending MFA requests until the user approved one. The threat actor was able to view email (based on MailItemsAccessed operations) and created a malicious inbox rule that moved to the "RSS Feeds" folder all emails whose subject or body contained any of the strings 'password;reset;payment;invoice;compromise;hack'. These are common BEC keywords.
Actions Taken by Secureworks
- Disabled the AAD user account 'james.garcia@smithscogwheels.com'
- Reset the AAD user account password for 'james.garcia@smithscogwheels.com'
- Threat hunted for other impacted user accounts using the IOCs
Remediation Recommendations / Customer Actions
- Engage in Emergency Response for the following:
  - Use the InternetMessageIds to identify the emails read by the threat actor if reporting is required.
  - Analyze the mailbox for the potential phishing email.
Future Mitigations
- Use number matching and geo reveal in MFA to show where MFA requests originate:
  - https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match
  - https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-additional-context
Technical Details
A total of 1 alert was generated for the user james.garcia@smithscogwheels.com related to Business Email Compromise. Details can be found below:

event_data.event_time_usec | metadata.title | event_data.event_name | event_data.user_name | event_data.source_address | count
---|---|---|---|---|---
02-07-24 | Suspicious Email Forwarding Rule to RSS Folder | New-InboxRule | james.garcia@smithscogwheels.com | 2a06:e80:3000:1:bad:babe:ca11:911 | 1
The details of the rule can be found below:

key | value
---|---
AlwaysDeleteOutlookRulesBlob | False
Force | False
MoveToFolder | RSS Feeds
Name | RSS Feeds (Default)
SubjectOrBodyContainsWords | password;reset;payment;invoice;compromise;hack
StopProcessingRules | True
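Detection logic for the rule described in the Incident Description and itemised in the table above, as an added example that is not Secureworks or Taegis code: it assumes Exchange admin audit records in the Unified Audit Log shape (Operation, UserId, ClientIP, and Parameters as Name/Value pairs), scores each inbox rule against the indicators in this report, and runs over constructed sample records. The folder and forwarding checks generalise slightly beyond the single rule shown here.

```python
import json
import re

# Indicators from this report: BEC keywords in the rule filter, the "RSS Feeds"
# folder used to hide mail, and StopProcessingRules=True. The folder regex and
# forward/redirect checks are an assumed generalisation beyond the one rule shown.
BEC_KEYWORDS = {"password", "reset", "payment", "invoice", "compromise", "hack"}
HIDING_FOLDER = re.compile(r"rss|junk|archive|deleted|conversation history", re.I)
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

def rule_params(record):
    """Flatten the record's Parameters array ([{Name, Value}, ...]) into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def score_rule(record):
    """Score one audit record; returns (score, reasons). Non-rule operations score 0."""
    if record.get("Operation") not in RULE_OPS:
        return 0, []
    p = rule_params(record)
    score, reasons = 0, []
    words = {w.strip().lower() for w in p.get("SubjectOrBodyContainsWords", "").split(";")}
    hits = sorted(words & BEC_KEYWORDS)
    if hits:
        score, reasons = score + 2, reasons + [f"BEC keywords in filter: {hits}"]
    folder = p.get("MoveToFolder", "")
    if HIDING_FOLDER.search(folder):
        score, reasons = score + 2, reasons + [f"moves mail to '{folder}'"]
    if p.get("ForwardTo") or p.get("RedirectTo") or p.get("ForwardAsAttachmentTo"):
        score, reasons = score + 2, reasons + ["forwards or redirects mail"]
    if str(p.get("StopProcessingRules", "")).lower() == "true":
        score, reasons = score + 1, reasons + ["stops further rule processing"]
    return score, reasons

def suspicious_rules(ndjson, threshold=3):
    """Parse newline-delimited JSON audit records; return rules scoring >= threshold."""
    findings = []
    for line in filter(str.strip, ndjson.splitlines()):
        rec = json.loads(line)
        score, reasons = score_rule(rec)
        if score >= threshold:
            findings.append({"user": rec.get("UserId"), "ip": rec.get("ClientIP"),
                             "rule": rule_params(rec).get("Name"), "score": score, "reasons": reasons})
    return findings

# Constructed sample records (not real telemetry); the first mirrors the rule in this report.
SAMPLE_LOG = """\
{"Operation":"New-InboxRule","UserId":"james.garcia@smithscogwheels.com","ClientIP":"2a06:e80:3000:1:bad:babe:ca11:911","Parameters":[{"Name":"Name","Value":"RSS Feeds (Default)"},{"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"SubjectOrBodyContainsWords","Value":"password;reset;payment;invoice;compromise;hack"},{"Name":"StopProcessingRules","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"alice@example.invalid","ClientIP":"203.0.113.5","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Newsletters"},{"Name":"From","Value":"news@example.invalid"}]}
{"Operation":"MailItemsAccessed","UserId":"alice@example.invalid","ClientIP":"203.0.113.5"}
"""
```

Calling `suspicious_rules(SAMPLE_LOG)` returns only the first record, scored 5 with three reasons; the benign newsletter rule and the non-rule operation are not reported.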
The reputation of the IP addresses involved with the alert as per APIVoid:

source_address | Risk Score | Malicious Count | Total Count | Reverse DNS | City | Country
---|---|---|---|---|---|---
2a06:e80:3000:1:bad:babe:ca11:911 | 0 | 0 | 85 | N/A | Mahe | Seychelles
2a0b:f4c2::27 | 0 | 0 | 85 | N/A | Hambury | Germany
Investigating activity from IP addresses involved with the alerts
The following CloudAudit events were observed for the user originating from the IPs involved with the alert in the last 7 days:

event_time_usec | source_address | event_name | status | Occurrences
---|---|---|---|---
02-07-24 | 2a06:e80:3000:1:bad:babe:ca11:911 | AzureActiveDirectoryStsLogon | Succeeded | 149
02-07-24 | 2a06:e80:3000:1:bad:babe:ca11:911 | Signin | Succeeded | 3
02-07-24 | 2a06:e80:3000:1:bad:babe:ca11:911 | anonymizedIPAddress | Succeeded | 3
02-07-24 | 2a06:e80:3000:1:bad:babe:ca11:911 | AnonymousLogin | Succeeded | 3
02-07-24 | 2a06:e80:3000:1:bad:babe:ca11:911 | ExchangeAdmin | Succeeded | 2
02-07-24 | 2a06:e80:3000:1:bad:babe:ca11:911 | ExchangeItemAggregated | Succeeded | 1
02-07-24 | 2a06:e80:3000:1:bad:babe:ca11:911 | SharePointFileOperation | Succeeded | 1
Related Alerts
There are 11 alerts observed for the user in the last 24 hours with 3 unique alert titles, as seen below:

metadata.title | Alert_Severity | count
---|---|---
Anonymous IP address | Medium | 5
Suspicious inbox forwarding rule | Critical | 1
Microsoft Risk Detection:Anonymous IP address | Low | 5
Recommendation
T1114.003 (Email Collection: Email Forwarding Rule)
Audit (M1047)
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
Disable or Remove Feature or Program (M1042)
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Encrypt Sensitive Information (M1041)
Protect sensitive information with strong encryption.
T1070 (Indicator Removal)
Encrypt Sensitive Information (M1041)
Protect sensitive information with strong encryption.
Indicator Removal on Host Mitigation (T1070)
Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
Restrict File and Directory Permissions (M1022)
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Remote Data Storage (M1029)
Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.
Reference
Azure AD User Detail
Display Name | Job Title | Department | User Principal Name | User Groups | Account Created | Password Changed | Since Password Changed | Auth Methods | Last Logon | Office Location | Business Phones | Mobile Phone
---|---|---|---|---|---|---|---|---|---|---|---|---
James Garcia | Exec Assistant | ExecTeam | james.garcia@smithscogwheels.com | | 2023-07-04T07:30:42Z | 2023-08-24T19:14:40Z | 171 days | passwordAuthenticationMethod, microsoftAuthenticatorAuthenticationMethod | 2024-02-07T12:05:17Z | Mexico City | +52 888 555 3823 | +52 888 555 2716

Identifier | Lookup Result
---|---
846f4b1c-6bb2-4600-ae37-f5d47874dbb0 | NON-Azure AD User Detected
james.garcia | NON-Azure AD User Detected