We have observed a recent increase in a specific type of Business Email Compromise (BEC) attack over the past few weeks. Details about this attack are provided further down in this email for those interested.
To enhance your organisation’s security, we propose enabling a feature in your Microsoft 365 tenancy called Token Protection. This upgrade requires applying a single Entra ID P2 license, costing $16.20 ex GST per month.
For Managed Services Clients: We will adopt an opt-out approach. If we do not hear from you, we will proceed with applying the license and performing the necessary work as part of your Managed Services agreement at no additional cost. If you already have this license and feature enabled (as part of our higher security package), no action or additional cost is required.
For Ad Hoc Clients: We will adopt an opt-in approach. If we do not hear from you, no action will be taken. The labour to implement this new feature is estimated at 2 hours, billed at $145 ex GST per hour.
If you are unsure about your current arrangement or would like more information about the risks, please feel free to reach out.
Detail of the BEC attack:
- The attacker gains access to the mailbox of someone you know: a legit client or supplier of yours that you deal with regularly
- Email filtering will not block this, as it’s a legit sender
- The attacker replies to an existing email thread between you and that client or supplier, referring to a file they have attached as a link, which of course you’re inclined to open
- Imagine you and I have an email thread going about what we’re doing in terms of cyber-security for the next financial year, and I reply back with some info about a recent BEC attack that I’m concerned about, where I’ve attached a file that claims to be a “2 minute preview on what this attack looks like”
- 99% of people won’t think this email is malicious, as they know the person, it’s off the back of an existing email chain, and there’s some context to the attachment
- Email filtering is unlikely to block the link, as it’s a legit SharePoint link
- If you’re switched on enough to hover over the link before clicking it, you’ll also see it’s a legit SharePoint link
- When you click the link, it takes you to your Microsoft 365 sign-in page. After you sign in, the attached file runs on your PC and steals your session cookie / token, which then allows the attacker to log on to your Microsoft 365 account without your username, password or MFA prompt
- When someone shares a file with you via SharePoint, it should prompt you to sign in, so this is expected behaviour
- The Microsoft 365 sign-in page it takes you to is actually your organisation’s Microsoft 365 sign-in page, so if you have branding or custom disclaimers set up, they will be shown
- It’s only after the sign-in that the file is executed and the cookie / token is stolen, and you won’t actually see anything happen; it will just be a non-event
- Your account is then used to compromise all your clients / suppliers in the same way it was done to you, so we essentially loop back to point 1
- When they feel they have gained access to enough compromised accounts, they will then move on to one of the following:
  - Encrypt your organisation’s data and hold you to ransom
  - Export your organisation’s data and hold you to ransom, or release it to the public
  - Email your clients / suppliers with ransomware attachments (instead of the cookie / token theft attachment), resulting in them being held to ransom
  - Etc.
All of these have huge financial penalties, downtime, and reputational damage associated with them.
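The Token Protection feature proposed above is applied as a Conditional Access session control. As an added illustration (not part of the original email or our standard build), the following PowerShell creates that policy through the Microsoft Graph PowerShell SDK in report-only mode so sign-ins can be reviewed before enforcement; the `secureSignInSession` property name and the beta-module cmdlet are assumptions based on the Graph beta API, and the break-glass account ID is a placeholder.

```powershell
# Added example: create a report-only Conditional Access policy that requires
# token protection for Exchange Online and SharePoint Online on Windows clients.
# Assumes the Microsoft.Graph.Beta module and the beta Graph API shape
# (sessionControls.secureSignInSession); verify against current Microsoft docs.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of your emergency-access (break-glass) account
$breakGlassId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

$policy = @{
    displayName = "Require token protection - Exchange and SharePoint (report-only)"
    # Start in report-only mode; review sign-in logs before changing to "enabled"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications = @{
            # Well-known first-party app IDs: Exchange Online, SharePoint Online
            includeApplications = @(
                "00000002-0000-0ff1-ce00-000000000000",
                "00000003-0000-0ff1-ce00-000000000000"
            )
        }
        # Token protection applies to Windows desktop and mobile app sign-ins
        platforms      = @{ includePlatforms = @("windows") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    sessionControls = @{
        # Assumed beta property for "Require token protection for sign-in sessions"
        secureSignInSession = @{ isEnabled = $true }
    }
}

New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $policy
```

Once the report-only sign-in log entries show no unexpected failures (for example, older clients that do not support bound tokens), the policy state can be changed to enabled.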