This is a dissection of a successful phishing attack that I worked on quite recently. I have seen numerous runs of this exact attack over the last year, each one identical to the last. They run like clockwork, with very little variation in the execution.
At the first step, the user (John Soap) received the following email from a supplier (Joe Bloggs) with whom he regularly does business.
The user was actually expecting an invoice from this sender. And as it happened, in this particular case, our user John had planned on calling Joe that afternoon, as the invoice should have been sent a few days previously.
So there are no major red flags at this point that the user could be expected to pick up on. Or in other words: no reason to be mistrustful of any links, downloads etc.
The only gripe I would have is the invoice (the .pdf attachment). That's not actually an attachment. It's just an image in the body of the email which links back to a spurious OneDrive landing page.
Once you click the link you are redirected to this page and the user is prompted to enter credentials.
If the user doesn’t enter any credentials the story ends here. Otherwise the story continues.
John entered his credentials and an error page was returned. He then calls Joe to ask about this strange invoice/error message and Joe downplays it.
Joe knows exactly what's happened but is trying to save face. He tells our user there was some technical error, his IT department are already working on it, there is nothing to worry about and the real invoice will be out first thing tomorrow. Not cool Joe!
Our user now walks away thinking everything is fine.
4 days later...
John's in the office and suddenly his phone starts ringing off the hook; he's getting calls from colleagues, associates and friends wondering about this strange email he has just sent them. John of course has no idea what they are talking about and calls us immediately in a panic.
When his call comes through to us we know instantly that John has a compromised mailbox. That’s the only fact we know at this point. We could take an educated guess here (based on previous experiences) that John was a victim of a mass phishing attack and only his mailbox is compromised.
However, in my paranoid, take-no-prisoners attitude I work on the assumption that everything is compromised and work backwards.
See the malware clean up guide (link) for a more in-depth explanation of the steps below. Although it's written specifically for malware, it works well here too.
First step in any potential security breach is to confirm something has actually happened. John is saying he's getting call after call about an email he didn't send... that's enough confirmation for any man.
Second step is to contain the attack. I immediately reset John's O365 password; this kills the attacker's active session and prevents further emails going out (if Microsoft haven't already blocked it).
I need to find out if any other mailboxes have been compromised. It's likely that John wasn't the only person that got that email from Joe. My own quick and dirty trick for checking this is to run a check against all your mailboxes and see if any have an external forward set up on them. There are lots of free PowerShell scripts online you can download for this task. (Or if you want to be really cool and respected and all hackery you could write your own!)
It's common that, after the initial compromise, the attacker will forward all incoming email to an external address. To be clear though, just because a mailbox doesn't have an external forward is not a guarantee of its integrity, but if it does have a forward then you know it's compromised.
In this case, only John has a forward setup. That’s a good sign.
This is forwarding all incoming email to the attacker's Yahoo account. Be careful here: this forward won't show up under 'Mail Flow' in the Exchange Admin Centre. It only shows up on the mailbox's own page.
In addition to the forwarder, another change the attacker will often make is to apply a rule to John's mailbox deleting all his incoming email. While the forward could be in place for days, the rule(s) will typically only be put in place immediately before the spam emails are sent.
The reason for this is that when the attackers start sending spam they know people will reply to John asking him about this odd email, alerting him that something is up. So if all incoming email is deleted it means the attacker has more time in the mailbox.
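Here is the kind of "write your own" sweep described above, as an added example rather than the author's script: it lists every mailbox-level forward (the one that does not appear under 'Mail Flow'), flags forwards leaving the company domain, and lists inbox rules that forward, redirect or delete incoming mail. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) and uses a placeholder domain.

```powershell
# Added example, not the author's script. Sweeps every mailbox for the two
# changes the post describes: a mailbox-level forward to an outside address,
# and inbox rules that forward, redirect or delete incoming mail. Assumes an
# Exchange Online PowerShell session (Connect-ExchangeOnline) with rights to
# read mailboxes and inbox rules. The company domain below is a placeholder.
$internalDomain = 'example.com'

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding. This is the forward that does not appear under
#    'Mail Flow'; it is a property of the mailbox itself. ForwardingSmtpAddress
#    looks like 'smtp:someone@yahoo.com'; ForwardingAddress points at a contact.
$forwards = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward

# Flag anything leaving our own domain. A ForwardingAddress (mail contact)
# target is flagged too, since it needs a manual look.
$externalForwards = $forwards | Where-Object {
    $_.ForwardingAddress -or
    ($_.ForwardingSmtpAddress -notlike "*@$internalDomain")
}

# 2. Inbox rules: any rule that sends mail elsewhere or deletes it outright.
$suspiciousRules = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or
            $_.RedirectTo -or $_.DeleteMessage
        } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, RedirectTo, DeleteMessage
}

"Mailboxes with any forward set : $(@($forwards).Count)"
"  ...of which external         : $(@($externalForwards).Count)"
$externalForwards | Format-Table -AutoSize
"Inbox rules that forward/redirect/delete: $(@($suspiciousRules).Count)"
$suspiciousRules | Format-Table -AutoSize
```

A mailbox that appears in either table is treated as compromised; an empty result only means these two particular changes were not made.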
Third step is to revoke all John's access. I've already reset his O365 password as part of the containment process. But now I need to reset everything else.
Because this is a small company with all users in the same office, I was able to reset everyone's AD/O365 passwords, which saves some headaches in the next few steps.
Fourth step is to investigate. I'm happy that the situation is contained enough that no other immediate actions are needed. The environment is secured and we can take some time to start investigating.
I called John back and asked him if he had entered his credentials into any websites recently, disclosed them to anyone, used them on a personal device etc. His mind is in panic mode and he either doesn't remember if he did, or perhaps he's denying it for fear of consequences; either way, he doesn't have anything useful.
I run a check on the O365 audit logs and get an IP from the UK that is logging into John's account, and as you can see the attacker is having all kinds of fun in there!
The first login from that IP was 2 days ago. I started checking all the emails received by John in the 5 days predating that first login.
I spot the email from Joe Bloggs and it immediately grabs my attention. The subject line in Joe's email was '1/1', which was the date it was sent, and the subject line in John's spam email was '5/1', which is also the date it was sent.
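The audit-log step above, as an added example (not the author's own commands): it pulls the sign-in events for the compromised mailbox from the Office 365 unified audit log, summarises them by source IP with first and last seen, and then works back five days from the unfamiliar IP's first login to give the window of received mail to review. It assumes Connect-ExchangeOnline; the UPN and IP address are placeholders.

```powershell
# Added example, not the author's script. Summarises UserLoggedIn events for
# one mailbox by client IP, then derives the review window the post uses
# (mail received in the five days before the attacker's first login).
# Assumes Connect-ExchangeOnline; the UPN and IP below are placeholders.
$user = 'john.soap@example.com'

$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) `
              -EndDate (Get-Date) -Operations UserLoggedIn `
              -UserIds $user -ResultSize 5000

# AuditData is a JSON blob; ClientIP and CreationTime live inside it
$logins = $events | ForEach-Object { $_.AuditData | ConvertFrom-Json }

$byIp = $logins | Group-Object ClientIP | ForEach-Object {
    $times = @($_.Group | ForEach-Object { [datetime]$_.CreationTime } | Sort-Object)
    [pscustomobject]@{
        ClientIP  = $_.Name
        Logins    = $_.Count
        FirstSeen = $times[0]
        LastSeen  = $times[-1]
    }
} | Sort-Object FirstSeen

$byIp | Format-Table -AutoSize

# Once the unfamiliar IP is picked out of the table, work back from its first
# login: the phishing mail that gave up the password should be in this window.
$attackerIp = '203.0.113.10'        # placeholder (TEST-NET-3 address)
$firstLogin = ($byIp | Where-Object ClientIP -eq $attackerIp).FirstSeen
if ($firstLogin) {
    $windowStart = $firstLogin.AddDays(-5)
    "Review mail received by $user between $windowStart and $firstLogin"
}
```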
Here’s a side-by-side comparison:
Subject lines match. Both emails allude to an invoice. Both embed an image in the email. But the real nail in the coffin is that both emails use the same link back to the same spurious OneDrive landing page.
I think we found our culprit.
I checked to see if John replied to this email. If he had replied that could be another confirmation point: 'Hey Joe, I put my credentials into that page but keep getting an error back'. No email found.
I run a quick check and find that almost everyone else in John's company also got that email from Joe. Of course the rest of the users knew it was spam, as Joe would have no reason to email them an invoice; John, on the other hand, was eagerly awaiting an invoice.
When I suggested to John that I suspected this was the cause of the compromise it jogged his memory, and he confirmed that he did in fact enter his credentials and that he had called Joe afterwards, who downplayed it.
Fifth step is clean up. Whilst I was doing all the previous investigation work I was simultaneously running checks on John's computer and laptop for malware, but everything came back clean. I give John his machines back and he can continue working.
It's possible the mailbox has been blocked by Microsoft for spam. If it has, you need to unblock it, otherwise John won't be able to send any emails externally.
Then, as a final and crucial part of the clean up, to stop any further compromises we send out an email to all the recipients of John's spam. It doesn't have to be anything elaborate:
We had an incident this morning that saw spam being sent from one of our users' mailboxes. We are currently investigating this as a priority issue. In the meantime, as a precaution, if you received this spam or had any interaction with it please consult with your IT support.
Reports. I won't go into detail here, but now that the user is back up and running, the next step is to start the report on what happened, how it happened, lessons learned, failings, and how it could be mitigated in future.