Business Email Compromise and where to find evidence in Office 365

When leveraging tactics that constitute a Business Email Compromise attack, an attacker can inflict serious damage to an organization, even with the most sophisticated software and hardware defenses in place. That’s because most defenses can be bypassed by the attacker when utilizing social engineering, such as phishing emails, to gain access to an organization’s network. Even if the damage caused by the incident cannot be reversed, it is critical to understand how an incident occurred to prevent it from happening again.

What is a Business Email Compromise?

A Business Email Compromise attack (“BEC”) is a cybercrime that involves an attacker or “threat actor” impersonating one or both parties of an email communication in order to achieve some benefit. This benefit is case-by-case and can vary from acquiring confidential information to transfers of capital. In order to form their objective and begin the attack, the threat actor will gather enough intelligence on the parties involved to put on the façade of legitimate communications.[1]  The intelligence gathering is most often done by phishing credentials of one of the parties and infiltrating their mailbox.

The nature of a business email compromise is that a threat actor gains access to email communications of an involved party. The most common way for this to take place is through unauthorized access to one involved party’s email system. With the email system breached, the threat actor will start gathering intelligence on any would-be targets. Targets could include external parties, such as clients or vendors, but could also include internal entities, such as other departments or even C-Level executives. Threat actors also obfuscate their presence by implementing mail forwarding or inbox rules.  The goal would be to divert messages related to the conversation, messages from IT, or account login messages to the threat actor or just keeping them away from the victim. Once inserted into an email thread impersonating one party and targeting the other, the threat actor will then guide the victim into the trap that is their objective.

The well-known example of a business email compromise would involve “accounts-receivable@companyA.com” and “client@companyB.com.” The attacker will attempt to trick the “client” by inserting themselves into the email thread as “accounts-receivable@C0MPANYA.com,” replacing the letter “o” with the number “0.” These subtle alterations are a common social engineering tactic, as employees will blow past the change because they generally recognize the appearance of the falsified address.

The threat actor may also impersonate the victim in order to keep the other party at bay.  In our example, the threat actor would divert payments from “client” to an account owned by the threat actor.  At the same time, the threat actor would impersonate the client to tell “accounts-receivable” that the check is “in the mail.”  The threat actor does everything possible to present accounts-receivable from contacting client until the money paid by client can be funneled through enough channels to make it impossible to retrieve.

Office 365 Data and Logs

Because is it so widely used, accounts in Microsoft Office 365 (“O365”) are the most common victims in this scheme.  O365 is a cloud-based platform that incorporates user authentication (logins with a correct username ad password) and email services. These are the two biggest components to consider when dealing with a BEC incident. That is because during a business email compromise investigation to determine if one party’s network was breached, O365 can be used to determine when and how that breach occurred.

In the above paragraphs, there are a number of actions mentioned that a threat actor will need to perform to facilitate the BEC. Those actions are typically logging into an email environment, starting up or hijacking existing email communications, and obfuscating their presence. All of these actions can be detected in one way or another through data available within an O365 environment. The most common repositories of useful information for a BEC will reside within the “Unified Log,” the “Mailbox Audit Log,” and the mailbox for the account that was accessed by the threat actor.

The Unified Log will contain information regarding user account logins, mailbox permissions, and creation of inbox rule events[2]. Specifically, this log could identify when the business email compromise incident started, which account was leveraged by the threat actor, and if any obfuscation tactics were employed.[3] This log has environment-wide scope and will contain events for all users within the O365 environment. It should be noted that Unified Audit logs are affected by the O365 subscription status of the organization. Some subscriptions have Unified Logging disabled by default, and events that occur while Unified Logging is disabled will not be recorded for review.  Therefore, it is imperative that users of O365, trust, but verify that certain logging is in place.  That verification includes not only the enabling of the log but the retention time.

The Mailbox Audit Log contains information regarding email deletions, draft creations, inbox rule updates, and general interaction with email items within a mailbox.[4] This log is mailbox-specific, so if multiple mailboxes are involved in a BEC incident, a Mailbox Audit Log will exist for each of them. Mailbox Audit Logging is enabled by default, regardless of O365 subscription status.

The mailbox for an involved user will contain the emails themselves that are stored within the user’s account. The mailbox of an account leveraged by the threat actor can be reviewed for evidence of a phishing email, which could be the origin for a threat actor’s unauthorized access. Similarly, emails sent or received by the threat actor may be available to gain an understanding of the scope of the BEC incident. Was it a single email communication or were there multiple? O365 also has the capability to recover deleted emails, where applicable.

This is all not to say that other mail platforms, such as Google or on-premise Exchange servers, do not have methods of auditing various activity. However, the built-in logging of O365 allows forensic examiners an expedited path to uncover the details of a BEC incident.

Vestige’s Expertise in Business Email Compromise Incident Analysis

Over the years, Vestige Experts has been engaged in many matters dealing with a business email compromise incident in one form or another. We have performed analysis over Office 365 logs identifying a threat actor using our client’s email as a vector for further phishing email attacks. We have also worked with clients to determine how a threat actor inserted themselves into an email conversation, extracting millions of dollars as a result of redirecting wired funds. Vestige has the experience required to perform BEC incident analysis to determine what happened, when it happened, and what actions the threat actor took, as well as provide advise on what to do once the damage is done.

CONTACT Vestige today if your organization has concerns regarding possible Business Email Compromise (BEC).

________

SOURCES:

[1] For a resource on BEC incidents in general, here is a link to the US Governments explanation: https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/business-email-compromise

[2] Various activities/operations logged by the O365 Unified Audit Log – https://learn.microsoft.com/en-us/purview/audit-log-activities

[3] Various properties included in the O365 Unified Audit Log – https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties

[4] Various activities/operations logged by the O365 Mailbox Audit Log – https://learn.microsoft.com/en-us/purview/audit-mailboxes