Microsoft 365 Defender researchers reported their discovery of a varied cloud infrastructure used to support a large-scale business email compromise (BEC) campaign, according to Threatpost.
According to the researchers, the threat actors ran credential-phishing attacks against mailboxes that did not have multifactor authentication enabled, then created forwarding rules on the compromised accounts so that specific types of email, such as messages about financial transactions, were sent to accounts the attackers controlled, giving them another avenue for stealing funds from victims.
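Hunting for the forwarding rules described above is one of the simplest detections a defender can run against mailbox audit data. The following is an added example, not code from the Microsoft researchers or from Threatpost; the audit records are constructed samples loosely shaped after Microsoft 365 unified audit log entries for inbox-rule operations, and the internal domain list, parameter names and finance keywords are assumptions that would need tuning for a real tenant.

```python
# Constructed sample records, loosely shaped after M365 unified audit log inbox-rule entries.
SAMPLE_AUDIT_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@attacker-mail.example"},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;wire;payment"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "ap@example.com",
     "Parameters": [{"Name": "Identity", "Value": "Vendors"},
                    {"Name": "MoveToFolder", "Value": "Vendors"}]},
    {"Operation": "New-InboxRule", "UserId": "sales@example.com",
     "Parameters": [{"Name": "Name", "Value": "Team copy"},
                    {"Name": "RedirectTo", "Value": "team-shared@example.com"}]},
]
INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
FINANCE_KEYWORDS = ("invoice", "wire", "payment", "transfer", "bank", "remittance")

def params_of(record):
    """Flatten the audit record's Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def external_recipients(params, internal_domains):
    """Return forward/redirect targets whose domain is not one of ours."""
    found = []
    for name in FORWARD_PARAMS:
        for addr in params.get(name, "").split(";"):  # multi-valued params are ';'-joined
            addr = addr.strip().lower()
            if addr and addr.rsplit("@", 1)[-1] not in internal_domains:
                found.append(addr)
    return found

def suspicious_forwarding_rules(records, internal_domains=INTERNAL_DOMAINS):
    """Flag rule changes that forward externally; note finance filters and deletion."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = params_of(rec)
        targets = external_recipients(params, internal_domains)
        if not targets:
            continue
        reasons = ["forwards to external address"]
        words = " ".join(v for k, v in params.items() if "ContainsWords" in k).lower()
        if any(kw in words for kw in FINANCE_KEYWORDS):
            reasons.append("filters on finance keywords")
        if params.get("DeleteMessage") == "True":
            reasons.append("deletes the forwarded mail")  # hides the diversion from the owner
        findings.append({"user": rec["UserId"], "recipients": targets, "reasons": reasons})
    return findings
```

A rule that forwards to a tenant-internal shared mailbox is not flagged, which keeps the noise down; in practice the finding should also be joined with the rule's creator IP and time to catch the cross-IP pattern the researchers describe.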
To stay hidden for an extended period, the attackers hosted the infrastructure on multiple platforms and “performed discrete activities for different IPs and timeframes, making it harder for researchers to correlate seemingly disparate activities as a single operation,” the researchers said.
The cloud infrastructure was designed for full automation of tasks including inserting the forwarding rules, identifying the most lucrative targets, monitoring the compromised mailboxes and processing the forwarded emails.
With help from the Microsoft Threat Intelligence Center, the researchers reported the activity to the relevant cloud security teams, which then suspended the accounts.