
Microsoft helps take down BEC cloud infrastructure

Microsoft 365 Defender researchers reported their discovery of a varied cloud infrastructure used to support a large-scale business email compromise (BEC) campaign, according to Threatpost.

According to the researchers, the threat actors first ran credential-phishing campaigns against mailboxes that were not protected by multifactor authentication. On the compromised accounts they then created forwarding rules that sent specific types of email, such as messages concerning financial transactions, to accounts they controlled, giving them another way to steal funds from victims.
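A defender-side check for the forwarding-rule pattern described above, as an added example that is not from the Microsoft report or the Threatpost article: it reviews a constructed inbox-rule export (field names modelled loosely on an Exchange inbox-rule export, an assumption) and flags rules that forward or redirect mail to external domains, rating higher those keyed on financial terms or that delete the original so the mailbox owner never sees it.

```python
"""Flag inbox rules that forward or redirect mail off-tenant.
Added defender-side example, not code from the Microsoft report; rule fields
loosely follow an Exchange inbox-rule export and are assumptions."""

INTERNAL_DOMAINS = {"example.com"}
# Trigger words suggesting a rule targets financial correspondence.
FINANCE_WORDS = {"invoice", "payment", "wire", "remittance", "bank", "transfer"}

def review_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Finding dict for an enabled rule that sends mail to an external domain, else None."""
    if not rule.get("Enabled", True):
        return None
    targets = rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
    external = [t for t in targets
                if t.rsplit("@", 1)[-1].lower() not in internal_domains]
    if not external:
        return None
    words = rule.get("SubjectContainsWords", []) + rule.get("BodyContainsWords", [])
    keywords = {w.lower() for w in words} & FINANCE_WORDS
    hides_copy = bool(rule.get("DeleteMessage", False))
    # External forwarding alone merits review; pairing it with financial keywords
    # or deleting the original (so the owner never sees it) matches the campaign.
    severity = "high" if (keywords or hides_copy) else "medium"
    return {"mailbox": rule.get("MailboxOwnerId"), "rule": rule.get("Name"),
            "targets": external, "keywords": sorted(keywords),
            "hides_copy": hides_copy, "severity": severity}

def review_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Findings for a rule export, high severity first."""
    findings = [f for f in (review_rule(r, internal_domains) for r in rules) if f]
    return sorted(findings, key=lambda f: f["severity"] != "high")

# Constructed sample export: a benign internal rule, one matching the campaign
# pattern, a plain external redirect, and a disabled rule (ignored).
SAMPLE_RULES = [
    {"MailboxOwnerId": "ap@example.com", "Name": "Route invoices", "Enabled": True,
     "ForwardTo": ["finance-team@example.com"], "SubjectContainsWords": ["invoice"]},
    {"MailboxOwnerId": "cfo@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ["collector@attacker-mail.invalid"],
     "SubjectContainsWords": ["Invoice", "payment"], "DeleteMessage": True},
    {"MailboxOwnerId": "bob@example.com", "Name": "Home copy", "Enabled": True,
     "RedirectTo": ["bob@personal-mail.invalid"]},
    {"MailboxOwnerId": "eve@example.com", "Name": "Old", "Enabled": False,
     "ForwardTo": ["x@somewhere.invalid"]},
]

if __name__ == "__main__":
    for f in review_rules(SAMPLE_RULES):
        print(f"[{f['severity'].upper()}] {f['mailbox']} {f['rule']!r} -> {f['targets']}")
```

On a real tenant the same logic runs over the exported rule list instead of `SAMPLE_RULES`; a single-character rule name on an external forward, as in the second sample, is itself a common sign of a rule meant to go unnoticed.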

Regarding their ability to remain hidden for a length of time, the attackers hosted the infrastructure on multiple platforms and “performed discrete activities for different IPs and timeframes, making it harder for researchers to correlate seemingly disparate activities as a single operation,” the researchers said.

The cloud infrastructure was designed for full automation of tasks including inserting the forwarding rules, identifying the most lucrative targets, monitoring the compromised mailboxes and processing the forwarded emails.

With help from the Microsoft Threat Intelligence Center, the researchers reported the activity to the relevant cloud security teams, which then suspended the accounts.
