Microsoft 365 accounts are being targeted by new email scams

A hand typing on a laptop with email illustrations covering the keyboard

(Image credit: Shutterstock/Billion Photos)

Cybersecurity experts are warning of a new, widespread business email compromise (BEC) campaign, which seeks to reroute large money transactions to bank accounts belonging to the attackers.

The idea is simple in theory: the attackers would first compromise a business email account through the use of phishing. Then, they’ll land into the inbox and lurk there, monitoring various email chains and threads, until they identify one where a wire transfer is being planned. Then, when the planning is done, and just before the victim sends the funds, the attacker will reply to the email chain asking for the funds to be sent elsewhere, saying the original bank account was frozen due to a financial audit.

The attackers are reportedly stealing “several million dollars” per incident, and also use typosquatting domains to further trick the victims.

Abusing DocuSign

The campaign was spotted by researchers from Mitiga who were investigating an incident response case.

It all starts with a phishing attack on the victim’s business email. Mitiga has found that this email is designed to look as if it’s coming from DocuSign, and that it usually carries a button saying “Review Document”. Targets that press the button will be redirected to a phishing page built to mimic a Windows domain login page. Then, with the assistance of a tool called evilginx2, the attackers are able to steal session cookies and thus bypass multi-factor authentication (MFA).

> Business email attacks are now a multi-billion dollar industry

> Protecting your business from email compromise attacks

> Here are the best ID theft protection services out there

Stealing session cookies to bypass MFA is not a novel practice, and businesses have started countering it by having the sessions last shorter. It’s safer, but not as convenient, as users are required to re-authenticate more often on their endpoints. To solve this challenge, threat actors have started registering additional MFA devices to the compromised accounts, as this move doesn’t trigger any notifications.

However, MFA changes on user accounts can be tracked through the Azure Active Directory Audit Logs, the researchers concluded.

Here's our list of the best firewalls today

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.