SAAS-based Software Solution provider

The customer is a low-cost, SaaS-based software solution provider whose product is easy to use, powerful in its features, and adapts to each client's needs.

Case Details

Clients: SAAS-based Software Solution

Start Date: 15/09/2023

Tags: IT Company

Project Duration: 2.5 years



Project Scope:

Our customer discovered a Business Email Compromise (BEC) attack that attempted to trick one of its clients into paying invoices totalling nearly USD 60,000 into an alternative bank account. The attack was detected before the client made any payment: an alert employee of the client company insisted on verbally verifying the financial details provided, which triggered the alarm.

However, our customer wanted to understand the extent of the compromise, conduct a full forensic investigation, and learn how to protect itself from similar threats.

Solution Approach

AiCyberWatch's initial assessment was an analysis of the Office 365 email logs, which showed that six weeks before the BEC attack, one of the Office 365 accounts had received a phishing email.
The email purported to be from Microsoft, claimed that the user's account may have been accessed from a different location, and asked the user to log in and review the activity for security reasons.
Since the phishing attempt had been successful, AiCyberWatch reviewed the account's audit logs, and it soon became apparent that the attacker had accessed the account from an unidentified IP address.
Immediately afterwards, the attacker created mailbox rules that checked all incoming emails for keywords, moved matching messages to the user's RSS Subscriptions folder in Outlook, and marked them as unread.
These rules let the attacker quickly identify emails of interest while preventing the compromised user from seeing and replying to them.

Technical Analysis continued with Innovation

One email thread that caught the attacker's attention concerned the billing of two high-value invoices issued by the SaaS vendor to one of its clients.
An analysis of the email logs revealed that the attacker used the information gathered during this reconnaissance of the mailbox to create a chain of fake email communications, impersonating the compromised user and requesting payment of the outstanding invoices to an alternate bank account.
Later analysis revealed further attempts by the attacker to conceal the fraud: all incoming emails from the firm's client to the compromised Office 365 account were immediately deleted.
Further log analysis revealed that an email rule had been set in the compromised account to automatically forward all incoming and outgoing emails to an external Gmail address.
In the week after the attack was discovered, this forwarding rule delivered more than 280 emails to the fraudulent account, resulting in the continued disclosure of highly confidential client data and payment information to the attacker.
Tracing the attack sources showed that the login attempts originated from IPs in Nigeria, China and later the United Arab Emirates, from where a few successful logins were eventually made.
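As an added, defender-side illustration (not part of the original case or of AiCyberWatch's tooling), the following Python triages Office 365 rule-change audit records for the kind of inbox rules described above: forwarding outside the tenant, moving matching mail to rarely viewed folders, and deleting messages. The record structure, the tenant domain, the addresses and the IPs are constructed assumptions.

```python
# Constructed Office 365 Unified Audit Log records (assumed structure: the
# Exchange rule cmdlet's parameters are logged as Name/Value pairs). Not from the case.
SAMPLE_AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "finance@example-saas.com",
     "ClientIP": "198.51.100.7", "Parameters": [
         {"Name": "Name", "Value": "..."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;bank"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
    {"Operation": "New-InboxRule", "UserId": "finance@example-saas.com",
     "ClientIP": "198.51.100.7", "Parameters": [
         {"Name": "From", "Value": "billing@client.example"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "finance@example-saas.com",
     "ClientIP": "203.0.113.9", "Parameters": [
         {"Name": "Identity", "Value": "Outlook"},
         {"Name": "ForwardTo", "Value": "attacker.relay@gmail.com"}]},
    {"Operation": "New-InboxRule", "UserId": "sales@example-saas.com",
     "ClientIP": "192.0.2.20", "Parameters": [
         {"Name": "From", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_KEYS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "archive", "junk email"}
INTERNAL_DOMAINS = {"example-saas.com"}  # assumption: the tenant's own mail domains

def _params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def suspicious_rule_findings(record, internal_domains=INTERNAL_DOMAINS):
    """Reasons a rule-change record matches the BEC tradecraft described above."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p, findings = _params(record), []
    for key in FORWARD_KEYS:  # forwarding or redirecting mail outside the tenant
        for addr in p.get(key, "").replace(";", ",").split(","):
            addr = addr.strip().strip('"')
            if addr and addr.rsplit("@", 1)[-1].lower() not in internal_domains:
                findings.append(f"{key} to external address {addr}")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:  # hides mail from the user
        findings.append(f"moves mail to rarely viewed folder '{p['MoveToFolder']}'")
    if p.get("DeleteMessage", "").lower() == "true":  # silently drops client replies
        findings.append("deletes matching messages")
    keywords = [p[k] for k in KEYWORD_KEYS if k in p]
    if findings and keywords:  # finance keywords make the hit more convincing
        findings.append("filters on keywords: " + "; ".join(keywords))
    return findings

def triage(records, internal_domains=INTERNAL_DOMAINS):  # (user, source IP, reasons)
    hits = [(r["UserId"], r["ClientIP"], suspicious_rule_findings(r, internal_domains)) for r in records]
    return [h for h in hits if h[2]]
```

Each hit carries the source IP from the record, so the same pass also gives the geolocation trail the investigation followed.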

Outcomes and Deliverables

After the BEC attack was discovered, the compromised email account was blocked from signing in.
Multi-factor authentication was enforced for all O365 users to prevent further malicious login attempts.
The attack was fully contained only after the AiCyberWatch team identified and disabled the email forwarding rule, which stopped the further disclosure of confidential data that was being leaked to the external Gmail address.
The attack surface was traced, and safeguards were put in place against future email phishing attacks.
