The Incident
As a specialist firm providing insurance advice for high-value business mergers and acquisitions, Kroll’s client processes a wealth of sensitive data.
Despite maintaining a high level of security, the firm discovered that it had been compromised by a cybercriminal and used as a platform to launch a BEC attack designed to trick one of its clients into paying two open invoices, with a total value close to £300K, into an alternate bank account.
Fortunately, on this occasion, the attack was detected by the firm before any payment was made by the client—a vigilant staff member from the client company had insisted on verbal verification of the financial details supplied, leading to an alarm being raised.
Nevertheless, the firm was keen to understand the extent of the compromise and how to safeguard against similar threats.
In need of support from an expert cyber security company to help shed light on events surrounding the attack, the firm turned to Kroll to conduct a full Office 365 forensic investigation.
The Investigation
The initial focus of Kroll’s assessment was analysis of email logs relating to the Microsoft Office 365 accounts suspected as being used to instigate the fraud.
The team quickly identified that six weeks prior to the BEC attack, one of the Office accounts belonging to a senior-level employee had received a phishing email.
Purporting to be from Microsoft, the email claimed that the user’s account may have been accessed and requested that the user sign in to review activity for security reasons.
Working on the basis that the phishing attempt had been successful, leading to the harvesting of the user’s Office credentials, Kroll set about reviewing audit logs relating to the account in question.
It soon became clear that an attacker had successfully accessed the account from an unidentified IP address.
The attacker promptly introduced mailbox rules designed to scan all incoming emails for keywords, move them to the user’s RSS Subscriptions folder within Outlook®, and mark them as unread. This course of action would help the attacker quickly identify emails of interest and prevent the compromised user from viewing and responding to them.
Important Client of Firm Targeted
One email thread to capture the attention of the attacker was related to the billing of two high-value invoices, which had been raised by the insurance firm for one of its clients.
Kroll’s analysis of the firm’s email logs revealed that the attacker had used the information gathered in reconnaissance to create a chain of spoofed email communications designed to imitate the compromised user and request payment of the outstanding invoices to a substitute bank account.
The source of the spoofed emails was a domain set up to closely resemble that of the insurance firm, so that the difference would not be easily discernible.
Additional attempts by the attacker to conceal the fraud were uncovered by later analysis, which showed that any incoming emails from the firm’s client to the compromised Office account were promptly deleted.
The attacker also created additional fake email accounts pertaining to colleagues of the compromised user and suggested that one of these colleagues would call the client to provide verbal verification of the bank payment details supplied, increasing the likelihood of the BEC succeeding.
Even at the point where the attack was close to being foiled, the attacker did not relent. Further analysis of event logs revealed that an email rule had been set within the compromised account to auto-forward all incoming and outgoing emails to an external Gmail address.
Over the course of a week following detection of the attack, the email forward had delivered over 280 emails to this fraudulent account, resulting in the continued disclosure of highly confidential client details and payment information to the attacker.
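The three mailbox rules described above (keyword-matched mail moved to the RSS Subscriptions folder, the client’s mail deleted on arrival, and all mail forwarded to an external Gmail address) are the kind of change that shows up as New-InboxRule or Set-InboxRule entries in the Office 365 unified audit log. The following Python is an added example, not Kroll’s tooling and not part of the original case study: it scans constructed audit records whose field names follow the unified audit log’s inbox-rule events as I understand them (an assumption; check field names against a real export), and raises one alert per rule that shows any of those behaviours. The domain `firm.example`, the addresses, IPs and timestamps are all constructed placeholders.

```python
"""Flag inbox-rule changes that match the BEC tradecraft in this case: hiding
mail in a rarely viewed folder, silently deleting a correspondent's mail, or
forwarding to an external address.  SAMPLE_LOG is constructed and only mimics
the shape of unified-audit-log New-InboxRule records (assumed field names)."""
import json
import re

INTERNAL_DOMAINS = {"firm.example"}            # placeholder for the firm's own domain(s)
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "junk email", "deleted items",
                  "archive", "conversation history"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
FINANCE_KEYWORDS = {"invoice", "payment", "bank", "remittance", "wire", "account"}
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")

# Constructed sample: the three rules from the case plus one benign rule.
SAMPLE_LOG = json.dumps([
    {"CreationTime": "2019-03-04T07:12:41", "Operation": "New-InboxRule",
     "UserId": "senior.partner@firm.example", "ClientIP": "198.51.100.23",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;bank details"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
         {"Name": "MarkAsRead", "Value": "False"}]},
    {"CreationTime": "2019-04-10T09:30:05", "Operation": "New-InboxRule",
     "UserId": "senior.partner@firm.example", "ClientIP": "198.51.100.23",
     "Parameters": [
         {"Name": "Name", "Value": "cleanup"},
         {"Name": "From", "Value": "accounts@client.example"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2019-04-15T18:02:19", "Operation": "New-InboxRule",
     "UserId": "senior.partner@firm.example", "ClientIP": "198.51.100.23",
     "Parameters": [
         {"Name": "Name", "Value": "fwd"},
         {"Name": "ForwardTo", "Value": "constructed-mailbox@gmail.com"}]},
    {"CreationTime": "2019-04-16T10:00:00", "Operation": "New-InboxRule",
     "UserId": "assistant@firm.example", "ClientIP": "10.0.0.5",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "From", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
])


def load_sample() -> list:
    """Parse the constructed sample into a list of records."""
    return json.loads(SAMPLE_LOG)


def rule_params(record: dict) -> dict:
    """Flatten the Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_domains(value: str) -> set:
    """Domains of every e-mail address in a parameter value that are not the firm's own."""
    return {d.lower() for d in EMAIL_RE.findall(value) if d.lower() not in INTERNAL_DOMAINS}


def rule_findings(record: dict) -> list:
    """Describe each suspicious behaviour of one rule; empty list means nothing to report."""
    p = rule_params(record)
    findings = []
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        findings.append(f"moves mail to hiding folder '{p['MoveToFolder']}'")
    for name in FORWARD_PARAMS & p.keys():
        ext = external_domains(p[name])
        if ext:
            findings.append(f"{name} to external domain(s): {', '.join(sorted(ext))}")
    if p.get("DeleteMessage", "").lower() == "true":
        findings.append("silently deletes matching mail"
                        + (f" from {p['From']}" if "From" in p else ""))
    words = (p.get("SubjectOrBodyContainsWords", "") + ";"
             + p.get("SubjectContainsWords", "")).lower()
    hits = {w for w in FINANCE_KEYWORDS if w in words}
    # A finance keyword filter only matters when paired with hide/forward/delete.
    if hits and findings:
        findings.append(f"filters on finance keywords: {', '.join(sorted(hits))}")
    return findings


def scan(log_json: str) -> list:
    """One alert per New-InboxRule / Set-InboxRule record with suspicious behaviour."""
    alerts = []
    for rec in json.loads(log_json):
        if rec.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        findings = rule_findings(rec)
        if findings:
            alerts.append({"time": rec["CreationTime"], "user": rec["UserId"],
                           "ip": rec.get("ClientIP"), "rule": rule_params(rec).get("Name"),
                           "findings": findings})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["time"], a["user"], a["ip"], repr(a["rule"]), "->", "; ".join(a["findings"]))
```

Against a real tenant the records come from `Search-UnifiedAuditLog -Operations New-InboxRule,Set-InboxRule`, whose `AuditData` column holds one JSON object per record; collecting those into a JSON array is all that is needed to feed `scan`. The keyword check is deliberately subordinate to the hide/forward/delete checks so that a user’s own “move newsletters” rule does not page anyone.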
Tracing the Source of the Attack
Having established the means of attack, Kroll’s cyber incident response team set about identifying how the compromise was able to occur. Analysis of audit logs revealed that, following the original phishing attack which led to Office 365 credentials being harvested, hundreds of account login attempts were initiated from a range of malicious IP addresses.
These attempts originated from IPs in Nigeria, China and, later, the UAE, from which a number of successful logins were eventually made.
While it is possible that the failed authentication attempts are unrelated to the BEC attack, they are unlikely to be a coincidence. One theory is that the compromised user, in falling for the phishing attempt, entered incorrect account credentials, so the attacker resorted to brute-force attempts to identify the genuine password.
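The pattern the investigators found in the audit logs, a run of failed logins from unfamiliar addresses followed by a success, is simple to surface once sign-in events are grouped per user and source IP. The following Python is an added example, not Kroll’s analysis or code: it buckets constructed sign-in events by (user, IP), ranks each bucket, and reports the time from the first failure to the first success. The record fields (`UserLoggedIn` / `UserLoginFailed` operations, `ClientIP`, `UserId`) are modelled on Azure AD sign-in entries in the unified audit log as I understand them, which is an assumption to verify against a real export; the events, addresses and the `KNOWN_GOOD_IPS` allow-list are constructed placeholders.

```python
"""Group sign-in events per (user, source IP) and surface the pattern seen in
this case: a run of failed logins from an unfamiliar address followed by a
success.  Events are constructed; field names mimic Azure AD sign-in records in
the Office 365 unified audit log (assumed, verify against a real export)."""
from collections import defaultdict
from datetime import datetime

FAIL_THRESHOLD = 3                      # failures from one IP before it is reported
KNOWN_GOOD_IPS = {"10.0.0.5"}           # placeholder: the firm's own egress addresses
USER = "senior.partner@firm.example"    # constructed victim account


def _event(ts: str, user: str, ip: str, succeeded: bool) -> dict:
    """Build one constructed audit record."""
    return {"CreationTime": ts, "UserId": user, "ClientIP": ip,
            "Operation": "UserLoggedIn" if succeeded else "UserLoginFailed"}


SAMPLE_EVENTS = (
    # ten failures from one unfamiliar address, then a success 44 minutes after the first
    [_event(f"2019-03-04T02:{m:02d}:00", USER, "203.0.113.40", False) for m in range(0, 40, 4)]
    + [_event("2019-03-04T02:44:00", USER, "203.0.113.40", True)]
    # a shorter run of failures from a second address that never got in
    + [_event(f"2019-03-05T11:{m:02d}:00", USER, "198.51.100.9", False) for m in (3, 9, 15)]
    # routine successes from the office, plus one colleague's mistyped password
    + [_event("2019-03-05T08:00:00", USER, "10.0.0.5", True),
       _event("2019-03-06T08:05:00", USER, "10.0.0.5", True),
       _event("2019-03-06T08:06:00", "assistant@firm.example", "10.0.0.5", False)]
)


def analyze(events: list) -> list:
    """Return alerts sorted by severity, one per (user, IP) pair worth a look."""
    buckets = defaultdict(lambda: {"failed": [], "succeeded": []})
    for e in sorted(events, key=lambda e: e["CreationTime"]):
        outcome = "succeeded" if e["Operation"] == "UserLoggedIn" else "failed"
        buckets[(e["UserId"], e["ClientIP"])][outcome].append(e["CreationTime"])

    alerts = []
    for (user, ip), b in buckets.items():
        if ip in KNOWN_GOOD_IPS:
            continue
        n_fail, n_ok = len(b["failed"]), len(b["succeeded"])
        if n_fail >= FAIL_THRESHOLD and n_ok:
            severity = "high"      # guessing that ended in a successful login
        elif n_fail >= FAIL_THRESHOLD:
            severity = "medium"    # guessing that has not (yet) succeeded
        elif n_ok:
            severity = "low"       # a successful login from an address not on the allow-list
        else:
            continue
        alert = {"user": user, "ip": ip, "severity": severity,
                 "failed": n_fail, "succeeded": n_ok,
                 "first_seen": min(b["failed"] + b["succeeded"])}
        # ISO-8601 strings sort chronologically, so a plain comparison orders them.
        if b["failed"] and b["succeeded"] and b["succeeded"][0] > b["failed"][0]:
            delta = (datetime.fromisoformat(b["succeeded"][0])
                     - datetime.fromisoformat(b["failed"][0]))
            alert["minutes_to_success"] = delta.total_seconds() / 60
        alerts.append(alert)

    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(alerts, key=lambda a: (rank[a["severity"]], a["first_seen"]))


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a)
```

The allow-list is what keeps the colleague’s single typo from the office address out of the report; in practice it would be replaced by the firm’s known egress ranges or a per-user history of previously seen addresses, and a GeoIP lookup on each alerting IP would add the country attribution the investigation relied on.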
Upon detection of the BEC attack, the insurance firm’s IT staff made the decision to lock down the compromised account and enforce multi-factor authentication for all Office 365 users. While this course of action was effective at preventing subsequent malicious login attempts, it was not until the Kroll team identified and disabled email forwarding that the attack was safely contained.
Having concluded its investigation, the Kroll team produced a formal incident report outlining a full timeline of events. The document also included recommendations to help the firm prevent and detect future attacks.