Fraudulent Invoice Attacks Continue To Evade Detection in Microsoft 365

For the past several years, emails with fake invoices have been a popular method of attack against Microsoft 365 users. Malicious emails are disguised and typically sent to employees responsible for handling a bill for a service.

These kinds of attacks manage to slip past security scans daily, begging the question: why isn't Microsoft 365 catching them? This article will discuss the different techniques attackers might use, why Microsoft 365 falls short in keeping them from infiltrating your inbox, and how to protect against all types of phishing attacks.

Attackers’ Techniques

With phishing emails, social engineering, and a network of fake call centers, cybercriminals are scamming victims out of large sums of money. First, attackers manipulate victims into allowing remote access to their PCs; they then steal data and threaten to leak it if a ransom isn't paid.

Social engineering phishing campaigns are growing increasingly successful, much like previously identified campaigns that used phishing emails carrying malicious documents to trick victims into installing the BazarLoader backdoor. The infrastructure behind these attacks keeps growing as cybercriminals try to make as much money as possible.

This new phishing campaign, called Luna Moth, skips the malware infection and instead uses social engineering alone to gain access to networks. The attack has claimed victims in multiple sectors, including legal and retail, costing hundreds of thousands of dollars. Luna Moth has also plagued Microsoft 365 customers across hundreds of organizations. The attack is so effective because the attacker likely already knows who approves invoices, which services the company uses, and what invoices for those services look like. The threat actor crafts an email, sent to the right person in the company, that seems completely genuine.

Invoice fraud is a prevalent problem for companies. Nearly 7 out of 10 companies, or 68%, are affected by Business Email Compromise (BEC) each year. This attack employs several techniques to bypass traditional email security phishing and spam filters, including:

Social Engineering

The email subject, design, and content are designed to create a sense of trust and urgency in the victims by impersonating a trusted vendor. The context of this attack also leverages curiosity, which encourages targets to overlook uncertainty.

Trusted Vendor Impersonation

Compromising one weak link in a supply chain can compromise the entire chain. After accessing trusted accounts, threat actors have full access to invoices, confidential business data and information, bank accounts, and routing numbers, all of which they can use to target financially damaging attacks.

Spoofing Known Workflows

The email is engineered to target a common business workflow: paying an invoice for a vendor that does business with the organization. It is not uncommon for vendors to send reminder emails about upcoming or missed payments. With the growing number of vendors in contact with an organization, it is hard for security teams and end users to keep track of every communication and invoice due date. When a familiar workflow is spoofed, end users are more likely to act than to exercise caution.

Email Spoofing

The scammer tricks recipients into believing the message is from a trusted vendor or work colleague. The attacker forges the email header so the message displays as if it were sent from that person's address, and the recipient assumes it really is from them, even though the email is spoofed.
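As an added illustration of how a defender can catch the header forgery described above (this is example code written for this article, not the author's or any vendor's tooling), the triage function below parses a constructed invoice email, compares the From display name against a hypothetical allow-list of vendor sending domains, reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header, and flags urgency language in the subject. The vendor name, domains and message content are all constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: an "overdue invoice" whose display name claims to be a
# known vendor, but whose real sender domain and authentication results do
# not match. Vendor name and domains are hypothetical.
SAMPLE_SPOOFED = b"""\
Return-Path: <billing@acme-invoices.example>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=acme-invoices.example; dkim=none; dmarc=fail header.from=acme-invoices.example
From: "Acme Supplies Billing" <billing@acme-invoices.example>
To: ap-clerk@example.org
Subject: URGENT: overdue invoice #4471 - payment required today

Please remit payment immediately to avoid service suspension.
"""

# Hypothetical allow-list: trusted vendor display names and the domains
# they actually send from, maintained by the security team.
KNOWN_VENDORS = {"acme supplies": {"acme-supplies.example"}}

URGENCY_WORDS = ("urgent", "immediately", "overdue", "suspension", "today")


def _auth_results(msg):
    """Extract spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for part in str(hdr).split(";")[1:]:  # [0] is the authserv-id
            method, _, rest = part.strip().partition("=")
            verdicts[method.lower()] = rest.split()[0].lower() if rest else "none"
    return verdicts


def triage_invoice_mail(raw_bytes):
    """Return the reasons a message looks like a spoofed vendor invoice."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    reasons = []
    # Display-name impersonation: a trusted vendor's name on an unknown domain.
    for vendor, domains in KNOWN_VENDORS.items():
        if vendor in display.lower() and from_domain not in domains:
            reasons.append(f"display name '{display}' but sender domain {from_domain}")
    # Header authentication: a genuine vendor would normally pass all three.
    auth = _auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method, "none") != "pass":
            reasons.append(f"{method}={auth.get(method, 'none')}")
    # Social-engineering pressure in the subject line.
    if any(w in str(msg.get("Subject", "")).lower() for w in URGENCY_WORDS):
        reasons.append("urgency language in subject")
    return reasons
```

An empty list means none of these signals fired; a real deployment would feed such reasons into the mail gateway's quarantine or alerting rules rather than deciding alone.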

Account Takeover

A scammer could also take over a legitimate email account at an organization or a trusted supplier by sending a phishing email that impersonates the email provider and claims the user must re-enter their credentials or complete some other request. After opening the link, the victim lands on a spoofed web page and enters their username and password, which lets the criminal send fraudulent invoices from a trusted email account and evade traditional email security.

Why Does Microsoft 365 Email Security Fall Short?

Despite existing email protection from Microsoft Exchange Online Protection (EOP) in Microsoft 365, 83% of users have experienced email security breaches. Microsoft 365 email security falls short in safeguarding users and critical business assets against credential phishing, account takeovers, and other dangerous email threats that cloud email users face daily.


Cybercriminals have previously abused Microsoft Office 365 to target files in ransomware attacks. Files are stored via "auto-save" and backed up in the cloud, giving end users the impression that their data is protected from an attack. Yet those files remain vulnerable to ransomware, because simple configuration errors can compromise the Microsoft 365 tenant, and even experts cannot always recover from the damage.

Ongoing phishing campaigns can compromise you even when you are protected with MFA. Microsoft has stated that some attacks could not be stopped by MFA on its own, and that attackers sit on compromised email addresses and accounts for extended periods, using them to trick users by posing as colleagues.

Expert Recommendations

Email security training and awareness are critical for protecting against phishing attacks, as these messages can be highly deceptive and difficult to detect. Fortunately, there are various email security best practices that you should implement to avoid taking the bait in a phishing attack, including:

  • Check for spelling and grammatical errors, indicating that an email is fraudulent or malicious.
  • Keep an eye out for suspicious subject lines and signatures.
  • Don't trust the display name. Just because an email says it's from a known and trusted sender doesn't necessarily mean it is. The message could come from a compromised account, even if the email address is legitimate.
  • Be cautious of nonspecific language. Phishers typically use vague language in their campaigns to evade spam filtering.
  • If an email appears strange in any way, call the sender to confirm the email's legitimacy.
  • If you receive an email from a source you know that seems suspicious, contact that source with a new email rather than just hitting reply.
  • Beware of urgency. Phishing emails often convince recipients to act quickly without thinking things through.
  • Use a malware or URL scanner to check all attachments and links for viruses or dangerous code.
  • Verify shared links to ensure they do not lead to fraudulent websites or malicious code.
  • Provide or take part in email security awareness training designed to educate employees on how to identify spear phishing emails and how to proceed if they feel that they have received a malicious email.
  • Evaluate each email you receive before clicking on links or downloading attachments.

Human behavior is ultimately unpredictable, so a safeguarded environment is crucial to protect against phishing email attacks. This can be achieved through a comprehensive, intuitive email security software solution that can identify and block the most stealthy spear phishing attempts in real-time.

A fully integrated email security solution that delivers total end-to-end control is critical to safeguarding business email accounts. An effective solution must provide real-time protection against phishing and other advanced email threats while continuously adapting to a changing business and security environment.

Fake Invoice Led To Ransomware Attack

A targeted ransomware attack took down the network of a food and drink manufacturer after hackers took advantage of common security vulnerabilities. The attackers used a phishing attack to exploit several exposures and deploy the Emotet and Trickbot malware before delivering the Ryuk ransomware and attempting to extort a fee from the victim to restore the network.

The criminals gained control of over half the network before eventually delivering the Ryuk ransomware. The organization decided not to pay the ransom and instead had security experts examine the network and restore functionality. Within 48 hours, much of the business was back up and running again; even so, two days of downtime could have been costly, restoring the network is unlikely to have been cheap, and the organization then faced the prospect of upgrading its security in the aftermath. AT&T investigated the attack and helped the unnamed manufacturer return online without paying the ransom, with minimal disruption to production. The company likely would not have fallen victim if basic security vulnerabilities hadn't allowed the initial stages of the attack to happen.

Keep Learning About Microsoft 365 Phishing Protection

Understanding how phishing works, recognizing a phishing email, and adopting best practices for email security can prevent attacks. Phishing accounts for over 90% of cyberattacks, so your staff must have the right tools for securing business email.
