CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?



Microsoft Disrupts Large-Scale BEC Campaign

Microsoft today announced it disrupted a large-scale business email compromise (BEC) campaign in which the attackers used forwarding rules to access messages related to financial transactions.

Microsoft today announced it disrupted a large-scale business email compromise (BEC) campaign in which the attackers used forwarding rules to access messages related to financial transactions.

The campaign, which had its infrastructure hosted on multiple web services, involved the use of phishing emails with voice message lures. The emails carried an HTML attachment with JavaScript code designed to imitate the Microsoft sign-in page, to steal victims’ login credentials.

Once access to the mailbox was obtained, the attackers added email forwarding rules that would send messages containing information related to financial transactions (keywords such as invoice, payment, and statement) to attacker-controlled email addresses. Additionally, the forwarded emails were deleted from the sent box, to avoid detection.

The attackers used a large cloud-based infrastructure for the campaign, to automate operations at scale, including the monitoring of compromised mailboxes, the creation of forwarding rules, identifying valuable victims, and processing the forwarded emails.

Microsoft reported its findings to the security teams at multiple cloud companies whose services were abused by the cybercriminals. They suspended the attackers’ accounts, which resulted in the takedown of the infrastructure.

According to Microsoft, the attackers attempted to hide the scale of their operation by making it look as if the attacks were not connected to one another. They performed distinct activities from different IP addresses, but used only specific IP ranges for the attacks.

“The use of attacker infrastructure hosted in multiple web services allowed the attackers to operate stealthily, characteristic of BEC campaigns. The attackers performed discrete activities for different IPs and timeframes, making it harder for researchers to correlate seemingly disparate activities as a single operation,” Microsoft notes.

Multiple virtual machines were used, each to execute a specific operation, along with DNS records similar to those of existing company domains, to blend into existing conversations or launch more tailored phishing attacks.

Advertisement. Scroll to continue reading.

Various tools were used to manipulate the compromised mailboxes, including for extracting specific emails. The stolen credentials were stored in a local MySQL database.

“Business email compromise is a constant threat to enterprises. […] BEC attacks are very stealthy, with attackers hiding in plain sight by blending into legitimate traffic using IP ranges with high reputation and by conducting discrete activities at specific times and connections,” Microsoft says.

Although the campaign generated very low signals to make it difficult to identify within the usual noise of corporate network traffic, these attacks could have been prevented through the use of multi-factor authentication, which would have prevented the attackers from logging into the compromised mailboxes, the tech giant says.

Related: Report: Supplier Impersonation Attacks a Major Risk

Related: Introducing DAIC: A Suggested System for Preventing BEC Fraud

Related: Microsoft Sees Spike in BEC Attacks Targeting Schools

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...