How We Uncovered the Bag of Tricks of a Real Attacker…

Every day, the Quorum Cyber team receives dozens of suspicious emails forwarded to us by our customers as part of our Big Red Button Phishing Protection service. Most of these are traditional phishing attacks, usually looking to steal customer credentials or launch a similar social engineering attack.

During a recent investigation, the team was analysing one such email for one of our customers. Upon initial inspection, we quickly determined that the email was malicious, with a payload aimed at stealing our customer’s Microsoft credentials, including their username and password. A very typical attack vector, this is commonly referred to as Business Email Compromise (BEC).

The account of the original sender had become compromised and the threat actor was now sending emails from that account, with the objective of spreading to other targets. The attack works by trying to convince the target user that they have been sent a file via a secure Office 365 mechanism. They are sent a phishing email that convincingly imitates a standard Office 365 alert.

Given the genuine appearance of the correspondence, there is a strong chance that the recipient would believe it to be genuine and click on the link. If that is the case, they are redirected to a fake login page, which itself also looks quite authentic and adds to the plausibility of the scheme. (However, users who have been trained in phishing techniques will quickly notice the URL is highly suspicious.)

So far, so good – just another day in the world of cyber security. However, this is where this attack starts to get interesting.

Follow the white rabbit…

During the course of the investigation, one of our analysts decided to interact with the malicious site in more detail, following the rabbit hole as far as they could, with the hopes of getting a clearer picture of the motivations behind the attack.

In their exploration, our analyst discovered that the threat actor had left part of their site insecure. This oversight ultimately granted the investigating team access to the phishing kit being used in the attack, as well as part of the malicious infrastructure employed to coordinate the whole process. We now had our hands on the threat actor’s tools of the trade and a look at how these cyber criminals engineered their attack.

By analysing the tools the attacker was using, the team was able to identify a partial list of other victims who had already been phished, as well as the original email address from which the threat actor had initially launched the operation. This information was instrumental in mitigating the damage that the phishing campaign could cause and ensuring any further data breaches were kept to a minimum.

Scottish focus

Once we had collected all the evidence we could, the team proceeded with the analysis stage, trying to find a common thread that would enable us to understand the attackers’ motivations and objectives.

This analysis proved successful and the team was able to determine the attacker was specifically targeting Scottish organisations, with most of the other victims identified as employees of Scottish companies.

Quorum Cyber has since notified the authorities and the malicious site has been taken down. We are also actively working with the Scottish Business Resilience Centre (SBRC) and police to help alert the users who have been a victim of this attack so that they can take adequate steps to ensure their personal information is kept as safe as possible.

In this manner, we are committed to seeking out, nullifying and bringing to justice those working on the wrong side of the law online, whether that threat is located at home or abroad.