A recent investigation by Trend Micro’s Managed XDR team has uncovered a complex Business Email Compromise (BEC) attack targeting multiple organizations.
The incident involved threat actors exploiting a compromised email server to orchestrate a fraudulent scheme spanning several days.
Sophisticated B2B BEC Scheme Unveiled
The attackers demonstrated a high level of sophistication, leveraging the implicit trust between three business partners to execute their plan.
By gaining access to various email accounts and utilizing a compromised third-party email server, the threat actors were able to insert themselves into ongoing email conversations, manipulating communication between the targeted organizations.
Intricate Web of Deception
The compromise unfolded in two phases. In the first phase, the attackers inserted themselves into existing email chains, timing their interventions so that they read as a natural continuation of the thread.
They waited approximately 4.5 hours before stepping into the conversation, then sent fraudulent banking details intended to redirect a pending payment.
The second phase saw the threat actors taking full control of the conversation.
They gradually replaced the legitimate recipients with email accounts under their control, while keeping the exchange believable by mimicking the participants' writing styles and keeping messages short.
The attackers also relayed their messages through an insecurely configured third-party email server, so the fraudulent emails passed Sender Policy Framework (SPF) checks. SPF only verifies that the sending IP is authorized for the envelope sender (MAIL FROM) domain; it says nothing about the From: address the recipient actually sees, which is why a passing SPF result alone is weak evidence that a message is genuine.
This combination of access and manipulation ultimately led one partner to deposit funds into the threat actors' bank account.
Trend Micro's analysis of the incident mapped the attackers' activity to several MITRE ATT&CK techniques: Email Collection (T1114), Valid Accounts (T1078), Email Forwarding Rule (T1114.003), and Compromise Infrastructure: Server (T1584.004).
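The forwarding rules (T1114.003) are usually the first durable artifact a defender can find, because they show up in the mailbox audit trail well before any money moves. The following is an added detection example, not code from the Trend Micro report: it scans constructed audit records whose field names mirror the parameters of Exchange Online's New-InboxRule, Set-InboxRule and Set-Mailbox cmdlets (ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, ForwardingSmtpAddress), although the one-JSON-object-per-line log shape and the `example-partner.com` organization are assumptions. It flags rules that forward outside the organization, delete or hide matching mail, carry a near-empty name, or filter on finance keywords.

```python
"""Flag mailbox rules typical of BEC tradecraft (ATT&CK T1114.003).

Added example; not from the Trend Micro report. Records below are constructed.
Field names follow Exchange Online cmdlet parameters, but the log layout
(one JSON object per line, Operation/UserId/Parameters) is an assumption.
"""
import json
import re

# Assumption: the domains the organization owns. Anything else counts as external.
INTERNAL_DOMAINS = {"example-partner.com"}

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
# Folders attackers use to park mail the victim is unlikely to open.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}
FILTER_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                 "SubjectOrBodyContainsWords", "FromAddressContainsWords")
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remittance", "swift", "iban"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample records (one per line). Only the first, third and fourth
# should be flagged; the second forwards internally and the fifth is not a rule change.
SAMPLE_LOG = r"""
{"Operation":"New-InboxRule","UserId":"cfo@example-partner.com","Parameters":{"Name":"Invoice","ForwardTo":["attacker@mail.example.net"],"DeleteMessage":true,"SubjectContainsWords":["invoice","wire"]}}
{"Operation":"New-InboxRule","UserId":"hr@example-partner.com","Parameters":{"Name":"Team","ForwardTo":["manager@example-partner.com"]}}
{"Operation":"Set-InboxRule","UserId":"ap@example-partner.com","Parameters":{"Name":".","MoveToFolder":"RSS Feeds","MarkAsRead":true,"FromAddressContainsWords":["supplier.example"]}}
{"Operation":"Set-Mailbox","UserId":"ceo@example-partner.com","Parameters":{"ForwardingSmtpAddress":"smtp:ceo.example-partner@example.org","DeliverToMailboxAndForward":true}}
{"Operation":"MailItemsAccessed","UserId":"cfo@example-partner.com","Parameters":{}}
"""


def _addresses(value):
    """Extract e-mail addresses from a string or list (tolerates the 'smtp:' prefix)."""
    if value is None:
        return []
    items = value if isinstance(value, list) else [value]
    found = []
    for item in items:
        found.extend(EMAIL_RE.findall(str(item)))
    return found


def analyze_rule(record):
    """Return the reasons a rule-change record looks suspicious (empty list if benign)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = record.get("Parameters", {}) or {}
    reasons = []
    for key in FORWARD_PARAMS:
        for addr in _addresses(params.get(key)):
            domain = addr.rsplit("@", 1)[1].lower()
            if domain not in INTERNAL_DOMAINS:
                reasons.append(f"{key} sends mail to external address {addr}")
    if params.get("DeleteMessage") is True:
        reasons.append("DeleteMessage hides matching mail from the mailbox owner")
    folder = str(params.get("MoveToFolder", "")).strip().lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder parks mail in rarely viewed folder '{params['MoveToFolder']}'")
    if "Name" in params and len(str(params["Name"]).strip()) <= 1:
        reasons.append("near-empty rule name")
    words = set()
    for key in FILTER_PARAMS:
        words.update(str(w).lower() for w in (params.get(key) or []))
    hits = sorted(words & FINANCE_WORDS)
    if hits:
        reasons.append("filters on finance keywords: " + ", ".join(hits))
    return reasons


def scan_log(text):
    """Parse newline-delimited JSON audit records and return the flagged ones."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        reasons = analyze_rule(record)
        if reasons:
            findings.append({"user": record.get("UserId"),
                             "operation": record["Operation"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['user']} [{finding['operation']}]")
        for reason in finding["reasons"]:
            print("  -", reason)
```

In a real deployment the records would come from the tenant's audit log export rather than an inline string, and the internal-domain list would include every domain the organization sends from; the scoring logic stays the same.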
To counter attacks of this kind, organizations are advised to tighten email authentication by deploying SPF, DKIM and DMARC together. DMARC matters most here: it requires the SPF- or DKIM-authenticated domain to align with the visible From: header, so a message relayed through someone else's correctly configured server does not inherit a clean result, and a policy of p=quarantine or p=reject tells receiving servers to act on the failure rather than merely report it.
Additionally, digital signatures for financial correspondence, extended auditing of high-profile mailboxes (including inbox rule changes and new forwarding addresses), and out-of-band validation of any change to payment details agreed between partners are recommended. The last point is essential: when the attacker sends from a partner's own compromised account, every authentication check passes, and only a phone call to a previously known number will catch the fraud.
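To make the alignment point concrete, here is an added example (not from the Trend Micro report) that evaluates DMARC for a message given its authentication results and a constructed DMARC record. All domain names, DNS records and scenarios are placeholders chosen to mirror the incident: a message relayed through a third-party server whose SPF passes for the envelope sender, compared against one partner publishing a monitor-only policy and another enforcing p=reject, plus the case the report also describes, where the message leaves a partner's own compromised account and therefore passes DMARC legitimately. The organizational-domain helper approximates the Public Suffix List with "last two labels", which is a simplification.

```python
"""Evaluate DMARC from a message's authentication results.

Added example, not from the Trend Micro report. Domains, DNS records and
scenarios are constructed. org_domain() is a simplification of the Public
Suffix List lookup that real verifiers perform.
"""
from dataclasses import dataclass, field

# Constructed DMARC records, keyed by From: domain (published at _dmarc.<domain> in DNS).
DMARC_RECORDS = {
    # Weak: monitor-only policy; failures are reported but the mail is still delivered.
    "partner-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@partner-a.example",
    # Enforced: reject on failure, strict alignment for both SPF and DKIM.
    "partner-b.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@partner-b.example",
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Approximate organizational domain: last two labels (simplified PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment requires an exact match; relaxed ('r') only the org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str                     # RFC 5322 From: domain, what the reader sees
    mail_from_domain: str                # RFC 5321 MAIL FROM domain, what SPF checked
    spf_result: str                      # "pass", "fail", "softfail", "none", ...
    dkim_pass_domains: list = field(default_factory=list)  # d= of signatures that verified


def evaluate_dmarc(msg, records=DMARC_RECORDS):
    """Return {'dmarc': pass|fail|none, 'disposition': none|quarantine|reject, 'reason': ...}."""
    record = records.get(msg.from_domain.lower())
    if record is None:
        return {"dmarc": "none", "disposition": "none",
                "reason": "no DMARC record for From: domain"}
    tags = parse_dmarc(record)
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.mail_from_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(d, msg.from_domain, tags.get("adkim", "r"))
                  for d in msg.dkim_pass_domains)
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none",
                "reason": "SPF aligned" if spf_ok else "DKIM aligned"}
    # An SPF pass for an unrelated MAIL FROM domain does not help the sender here.
    return {"dmarc": "fail", "disposition": tags.get("p", "none"),
            "reason": f"SPF={msg.spf_result} for {msg.mail_from_domain}, "
                      f"not aligned with {msg.from_domain}; no aligned DKIM"}


# Constructed scenarios. "relay.example" stands for the compromised third-party server.
SCENARIOS = {
    "legit, relaxed alignment": AuthResults("partner-a.example", "bounce.partner-a.example", "pass"),
    "spoof via third-party relay, p=none": AuthResults("partner-a.example", "relay.example", "pass"),
    "spoof via third-party relay, p=reject": AuthResults("partner-b.example", "relay.example", "pass"),
    "sent from compromised partner account": AuthResults(
        "partner-b.example", "partner-b.example", "pass", ["partner-b.example"]),
    "no DMARC record": AuthResults("unknown.example", "unknown.example", "pass"),
}


def run_scenarios():
    return {name: evaluate_dmarc(msg) for name, msg in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:40s} dmarc={result['dmarc']:4s} disposition={result['disposition']:10s} {result['reason']}")
```

The last scenario is the uncomfortable one: a message sent from a partner's own compromised mailbox aligns on both SPF and DKIM and passes DMARC, which is exactly why the report pairs authentication controls with out-of-band validation of payment changes.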
The incident serves as a stark reminder of the evolving nature of BEC attacks and the need for organizations to remain vigilant, even in trusted business relationships.
By implementing robust security measures and fostering a culture of awareness, companies can better protect themselves against these increasingly sophisticated threats.