Trend Micro’s Managed XDR team has recently investigated a sophisticated Business Email Compromise (BEC) attack that targeted multiple business partners.
The incident, which unfolded over several days, relied on a compromised third-party email server to run a multi-step fraud scheme.
The attack involved three business partners (Partner A, Partner B, and Partner C) engaged in regular email communications.
The threat actor gained control of a third-party email server, which was then used to send fraudulent emails.
This compromised server allowed the attacker to maintain full visibility of all email conversations between the three business partners.
The incident unfolded in two phases. In the first phase, the attacker inserted themselves into existing email chains, carefully timing their interventions to avoid raising suspicion.
They waited approximately 4.5 hours before positioning themselves in the conversation, mimicking legitimate communication patterns.
During the second phase, the threat actor took complete control of the conversation, gradually swapping out recipients with email accounts under their control.
To maintain the illusion of legitimacy, the “From” header still showed the legitimate partner address the recipient expected to see, while the “Reply-To” header was set to an attacker-controlled address, so any reply was silently routed to the attacker.
The compromised third-party email server appeared to have an insecure configuration that allowed the fraudulent emails to pass Sender Policy Framework (SPF) authentication. Note that SPF only vouches for the host sending on behalf of the envelope sender domain; it does not inspect the “Reply-To” header, so an SPF pass gives no assurance about where replies will go.
According to Trend Micro’s report, this misconfiguration, whether pre-existing or deliberately altered by the attacker, played a crucial role in the success of the scheme.
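The two signals described above, a “Reply-To” that diverges from “From” and an SPF record loose enough to let arbitrary hosts pass, are easy to check mechanically. The following Python example is added here for illustration and is not code from Trend Micro or from the article; the message, the domains (partner-a.example, partner-a-invoices.example and so on) and the SPF records are constructed for the example, and treating a permissive terminal `all` mechanism as the misconfiguration is an assumption, since the report does not say exactly what was wrong with the server.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (illustrative, not taken from the Trend Micro
# report): "From" shows the expected partner, "Reply-To" is a look-alike
# domain, and the receiving MX recorded spf=pass for the envelope sender.
SAMPLE_MESSAGE = b"""\
From: Alice Finance <alice@partner-a.example>
To: Bob Payables <bob@partner-b.example>
Reply-To: Alice Finance <alice@partner-a-invoices.example>
Subject: RE: Invoice 4471 - updated bank details
Authentication-Results: mx.partner-b.example; spf=pass smtp.mailfrom=alice@partner-a.example
Message-ID: <20240101.1@mail.thirdparty.example>

Hi Bob, please use the account below for this month's payment.
"""

# Constructed SPF TXT records for the same illustration.
SPF_RECORDS = {
    "hardened": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "permissive": "v=spf1 ip4:203.0.113.0/24 +all",
}


def address_domain(header_value):
    """Return the lower-cased domain of a From/Reply-To header value ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage_message(raw_message):
    """Extract the BEC-relevant signals from a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))
    auth_results = str(msg.get("Authentication-Results", ""))
    spf_match = re.search(r"\bspf=(\w+)", auth_results, re.IGNORECASE)
    spf_result = spf_match.group(1).lower() if spf_match else "none"
    # A Reply-To on a different domain sends replies somewhere the visible
    # From header does not show; SPF says nothing about that path.
    mismatch = bool(reply_domain) and reply_domain != from_domain
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "spf_result": spf_result,
        "reply_to_mismatch": mismatch,
        # spf=pass plus a redirected Reply-To is exactly the pattern in the report.
        "suspicious": mismatch,
    }


def spf_record_is_permissive(txt_record):
    """True when the terminal 'all' mechanism lets unlisted hosts pass.

    ASSUMPTION: a '+all' (or bare/'?all') terminal is used here as the
    example misconfiguration; the report does not name the actual setting.
    """
    terms = txt_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False  # not an SPF record at all
    for term in terms[1:]:
        t = term.lower()
        if t in ("all", "+all", "?all"):
            return True   # pass or neutral for any host
        if t in ("-all", "~all"):
            return False  # fail or softfail for unlisted hosts
    return False  # no 'all': unlisted hosts get a neutral result


if __name__ == "__main__":
    print(triage_message(SAMPLE_MESSAGE))
    for name, record in SPF_RECORDS.items():
        print(name, "permissive" if spf_record_is_permissive(record) else "ok")
```

A mail gateway rule built on `reply_to_mismatch` should be scoped to threads that carry payment or banking language, or to senders on a partner allow-list, otherwise legitimate ticketing systems that set Reply-To will generate noise; the SPF check is the one the owner of the third-party server should have run against their own DNS.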
The attackers employed several advanced techniques, including:
The ultimate goal of the attack was financial theft (MITRE ATT&CK T1657), with the added consequence of resource hijacking (T1496) for the owner of the compromised email server.
This incident highlights the evolving sophistication of BEC attacks and underscores the importance of implementing robust email security measures, including DMARC, DKIM, and SPF.
Organizations are advised to consider digital signatures for financial transactions, implement extended auditing for high-profile individuals, and establish out-of-band validation protocols with business partners to mitigate the risks of such advanced fraud schemes.