Aman Mishra
2025-03-06 12:52:00
gbhackers.com
Trend Micro’s Managed XDR team has recently investigated a sophisticated Business Email Compromise (BEC) attack that targeted multiple business partners.
The incident, which occurred over several days, involved the exploitation of a compromised email server to orchestrate a complex fraud scheme.
Intricate Web of Deception
The attack involved three business partners (Partner A, Partner B, and Partner C) engaged in regular email communications.
The threat actor gained control of a third-party email server, which was then used to send fraudulent emails.
This compromised server allowed the attacker to maintain full visibility of all email conversations between the three business partners.
The incident unfolded in two phases. In the first phase, the attacker inserted themselves into existing email chains, carefully timing their interventions to avoid raising suspicion.
They waited approximately 4.5 hours before positioning themselves in the conversation, mimicking legitimate communication patterns.
During the second phase, the threat actor took complete control of the conversation, gradually swapping out recipients with email accounts under their control.
To maintain the illusion of legitimacy, the “From” field contained the intended recipient’s address, while the “Reply-To” field was set to the attacker’s email address.
The compromised third-party email server appeared to have an insecure configuration, allowing the fraudulent emails to pass Sender Policy Framework (SPF) authentication.
According to the Trend Micro report, this misconfiguration, whether pre-existing or deliberately altered by the attacker, played a crucial role in the success of the scheme.
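The header pattern described above (a trusted address in "From", an attacker-controlled address in "Reply-To", and a passing SPF result from the compromised relay) can be checked at the mail gateway. The following is an added illustration, not code from the Trend Micro report; the partner domains, relay host and message text are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message mimicking the header pattern described above:
# From shows a legitimate partner, Reply-To points at a lookalike domain,
# and SPF passes because the compromised third-party relay is authorized.
SAMPLE_MESSAGE = """From: Partner A <finance@partner-a.example>
To: Partner B <accounts@partner-b.example>
Reply-To: Partner A <finance@partner-a-invoices.example>
Authentication-Results: mx.partner-b.example; spf=pass smtp.mailfrom=relay.third-party.example
Subject: Re: Updated wire instructions

Please use the new bank details attached.
"""

def _domain(header_value):
    """Return the lowercase domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyze_reply_to(raw):
    """Flag a message whose Reply-To domain differs from its From domain.
    SPF status is reported separately: a pass only says the sending host
    was authorized, not that the conversation is with the real partner."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"])
    auth_results = (msg["Authentication-Results"] or "").lower()
    mismatch = bool(reply_domain) and reply_domain != from_domain
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "reply_to_mismatch": mismatch,
        "spf_pass": "spf=pass" in auth_results,
        # Suspicious regardless of SPF outcome; route to review/quarantine.
        "suspicious": mismatch,
    }

if __name__ == "__main__":
    print(analyze_reply_to(SAMPLE_MESSAGE))
```

In practice this check is one signal among several; pairing it with out-of-band confirmation of any change to payment details is what actually stops the fraud.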
Sophisticated Tactics and Techniques
The attackers employed several advanced techniques, including:
- Email collection (MITRE ATT&CK T1114) to gather intelligence on ongoing business transactions.
- Account takeover (T1078) and email forwarding rules (T1114.003) to maintain access and monitor communications.
- Exploitation of a compromised third-party email server (T1584.004) with minimal outbound restrictions.
- Creation of lookalike email accounts (T1585.002) to impersonate legitimate users.
- Leveraging trusted relationships between parties (T1199) to execute the fraud.
The ultimate goal of the attack was financial theft (T1657), with the added consequence of resource hijacking (T1496) for the owner of the compromised email server.
This incident highlights the evolving sophistication of BEC attacks and underscores the importance of implementing robust email security measures, including DMARC, DKIM, and SPF.
Organizations are advised to consider digital signatures for financial transactions, implement extended auditing for high-profile individuals, and establish out-of-band validation protocols with business partners to mitigate the risks of such advanced fraud schemes.