Microsoft: Creative Abuse of Cloud Files Bolsters BEC Attacks

October 9, 2024 at 09:11AM

Threat actors are enhancing business email compromise (BEC) campaigns by using legitimate cloud file-sharing services like Dropbox and OneDrive, combined with social engineering tactics. This approach bypasses traditional security measures, allowing attackers to phish credentials and conduct further malicious activities. Microsoft advises enterprises to implement extended detection and response (XDR) systems for better detection.

### Meeting Takeaways on Business Email Compromise (BEC) Campaigns

1. **Increased Threat Level**: Threat actors are intensifying BEC campaigns by combining social engineering with legitimate cloud-based file-hosting services (e.g., Dropbox, OneDrive, SharePoint), which bypass traditional security measures.

2. **Exploiting Trust**: Attackers exploit the trust in familiar file-sharing services to deliver malicious links and files, leading to credential phishing and subsequent malicious activities like financial fraud and data exfiltration.

3. **Typical Attack Scenario**:
– Attackers compromise a user’s credentials within an enterprise.
– They use these credentials to host files on the compromised organization’s own file-sharing service and share them with targets at external organizations.
– The shared files may be configured with restricted access or with downloading disabled, which hinders inspection and helps avoid detection.

4. **Phishing Techniques**:
– Notifications about shared files evade security blocks due to their legitimate appearance.
– Users are prompted to verify their identity and may be directed to adversary-in-the-middle phishing pages to harvest credentials.

5. **Common Tactics Used**:
– Attackers employ urgency in file names (e.g., “Urgent: Attention Required,” “Compromised Password Reset”).
– Familiar context and topics from previous conversations are used to make the malicious files appear legitimate.

6. **Detection Recommendations**:
– Enterprises should use Extended Detection and Response (XDR) systems to monitor for suspicious activity related to file sharing and BEC campaigns.
– Hunting queries should cover files shared externally, recurring patterns in shared file names (such as the urgency wording above), and anomalous sign-in attempts that may indicate a compromised account.
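The detection recommendations above describe three signals (externally shared files, lure-style file names, and anomalous sign-ins) without showing how they combine. The following added example, which is not Microsoft's code or part of the original article, runs those checks over constructed, normalised audit records. All field names (`actor`, `recipient_domain`, `restricted`, `device`, `country`), the home domain `corp.example`, the device identifiers and the country codes are assumptions made for the example; a real deployment would map them onto the fields its file-sharing and identity provider logs actually expose.

```python
"""Triage of cloud file-share notifications and sign-ins for BEC-style abuse.

Added example (not Microsoft's code). Every record below is constructed to
resemble a normalised audit-log entry; nothing here is real telemetry.
"""
from collections import defaultdict

# Constructed share events: one record per (actor, file, recipient domain).
SHARE_EVENTS = [
    {"actor": "alice@corp.example", "file": "Q3 budget review.xlsx",
     "recipient_domain": "corp.example", "restricted": False},
    {"actor": "bob@corp.example", "file": "Urgent: Attention Required.pdf",
     "recipient_domain": "partner.example", "restricted": True},
    {"actor": "bob@corp.example", "file": "Urgent: Attention Required.pdf",
     "recipient_domain": "vendor.example", "restricted": True},
    {"actor": "bob@corp.example", "file": "Urgent: Attention Required.pdf",
     "recipient_domain": "client.example", "restricted": True},
    {"actor": "carol@corp.example", "file": "Compromised Password Reset.docx",
     "recipient_domain": "corp.example", "restricted": False},
    {"actor": "dave@corp.example", "file": "meeting notes.docx",
     "recipient_domain": "partner.example", "restricted": False},
]

# Constructed sign-in events; device ids and country codes are placeholders.
SIGNIN_EVENTS = [
    {"user": "alice@corp.example", "device": "LAPTOP-A1", "country": "US"},
    {"user": "bob@corp.example", "device": "LAPTOP-B1", "country": "US"},
    {"user": "bob@corp.example", "device": "UNKNOWN-9f", "country": "ZZ"},
]

# Constructed baseline: devices and countries previously seen for each user.
BASELINE = {
    "alice@corp.example": {"devices": {"LAPTOP-A1"}, "countries": {"US"}},
    "bob@corp.example": {"devices": {"LAPTOP-B1"}, "countries": {"US"}},
}

HOME_DOMAIN = "corp.example"  # assumed tenant domain
URGENCY_TERMS = ("urgent", "attention required", "password reset",
                 "compromised", "action required")


def has_urgency_lure(file_name):
    """True when the file name uses the urgency wording the article describes."""
    lowered = file_name.lower()
    return any(term in lowered for term in URGENCY_TERMS)


def find_lure_shares(events):
    """Shares whose file name looks like a credential-phishing lure."""
    return [e for e in events if has_urgency_lure(e["file"])]


def find_restricted_external_shares(events):
    """External shares with access or download restrictions (the evasion pattern)."""
    return [e for e in events
            if e["recipient_domain"] != HOME_DOMAIN and e["restricted"]]


def find_external_fanout(events, threshold=3):
    """One actor sending the same file to >= threshold distinct external domains."""
    domains = defaultdict(set)
    for e in events:
        if e["recipient_domain"] != HOME_DOMAIN:
            domains[(e["actor"], e["file"])].add(e["recipient_domain"])
    return [{"actor": actor, "file": name, "domains": sorted(seen)}
            for (actor, name), seen in domains.items() if len(seen) >= threshold]


def find_anomalous_signins(signins, baseline):
    """Sign-ins from a device or country absent from the user's baseline."""
    flagged = []
    for s in signins:
        known = baseline.get(s["user"], {"devices": set(), "countries": set()})
        if s["device"] not in known["devices"] or s["country"] not in known["countries"]:
            flagged.append(s)
    return flagged


def prioritize(events, signins, baseline):
    """Rank actors; suspicious sharing plus an anomalous sign-in scores highest."""
    score = defaultdict(int)
    for e in find_lure_shares(events):
        score[e["actor"]] += 1
    for e in find_restricted_external_shares(events):
        score[e["actor"]] += 1
    for f in find_external_fanout(events):
        score[f["actor"]] += 2
    for s in find_anomalous_signins(signins, baseline):
        score[s["user"]] += 3
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for actor, points in prioritize(SHARE_EVENTS, SIGNIN_EVENTS, BASELINE):
        print(f"{actor}: score {points}")
```

The point of the scoring is that no single signal is conclusive: an urgent-sounding file name or a share to a new partner is routine on its own, but the same account fanning one restricted file out to several external domains shortly after a sign-in from an unrecognised device is the combination the article's scenario describes, and that account rises to the top of the list for investigation. The weights are illustrative and should be tuned against an organisation's own baseline.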

7. **Vulnerabilities in Trusted Services**: The increasing use of trusted cloud services presents a weak link in enterprise security, warranting urgent attention and proactive measures.

8. **Action Items for Enterprises**:
– Strengthen security controls and user awareness around file-sharing practices.
– Implement systematic monitoring and alerting for unusual file-sharing activity and for sign-in attempts from unrecognized devices or networks.

By focusing on these key points, organizations can better understand the evolving landscape of BEC threats and take proactive measures to strengthen their defenses.