Fraudulent Invoice Attacks Continue To Evade Detection in Microsoft 365
- by Justice Levine

For the past several years, emails with fake invoices have been a popular method of attack against Microsoft 365 users. Malicious emails are disguised and typically sent to employees who are responsible for handling a bill for a service.
These kinds of attacks slip past security scans daily, which raises the question: why isn’t Microsoft 365 catching them? This article discusses the techniques attackers use, why Microsoft 365 falls short in keeping these messages out of your inbox, and how to protect against such attacks.
Attackers’ Techniques
With a combination of phishing emails, social engineering, and a network of fake call centers, cybercriminals are scamming victims out of large sums of money. First, attackers are manipulating victims into allowing remote access to their PC, then stealing data and threatening to leak it if a ransom isn't paid.
The social-engineering campaign, which resembles previously identified campaigns that used phishing emails carrying malicious documents to trick victims into installing the BazarLoader backdoor, is growing increasingly successful. This success is in turn driving growth in the infrastructure behind the attacks, as the cybercriminals try to make as much money as possible.
This newer campaign, known as Luna Moth, skips the malware infection entirely and instead relies on social engineering to gain access to networks. The attack has claimed victims in multiple sectors, including legal and retail, costing some of them hundreds of thousands of dollars.
Customers of Microsoft 365 have also been plagued by this attack across hundreds of organizations. The attack is so popular because the attacker likely already knows who approves invoices, which services the company uses, and what invoices for those services look like. The threat actor crafts an email that is sent to the right person in the company and looks completely genuine.
Invoice fraud is a prevalent problem for companies: nearly 7 out of 10 companies (68%) are affected by business email compromise (BEC) each year. This attack employs several techniques to bypass traditional email security filters and deceive unsuspecting victims, including:
Social Engineering
The email subject, design, and content are crafted to create a sense of trust and urgency in the victim by impersonating a trusted vendor. The context of this attack also exploits curiosity, which encourages targets to act in order to resolve uncertainty.
Trusted Vendor Impersonation
Compromising one weak link in a supply chain can result in compromising the entire chain. After taking over trusted accounts, threat actors have full access to invoices, confidential business data, bank account details, and routing numbers, which they use to mount financially damaging attacks.
Spoofing Known Workflows
The email was engineered to target a common business workflow of paying an invoice for a vendor doing business with an organization. It is not uncommon for vendors to send reminder emails about upcoming or missed payments, and with the increased number of vendors in contact with organizations it is hard for both security teams and end users to keep track of all communications and invoice due dates. When common workflows are spoofed, end users have a higher chance of taking action versus exercising caution.
Email Spoofing
The scammer tricks the recipient into believing the message comes from a trusted vendor or work colleague. By forging the email header so that the message appears to be sent from that person's actual address, the scammer leads the recipient to assume the message really is from that person.
Account Takeover
A scammer could also take over a legitimate email account within an organization or at a trusted supplier by sending a phishing email that impersonates the email provider and states that the user must re-enter their credentials or complete some other request. After opening the link, the victim is taken to a spoofed web page and enters their username and password, allowing the criminal to send fraudulent invoices from a trusted email account and evade traditional email security.
Why Microsoft 365 Falls Short
Despite existing email protection from Microsoft Exchange Online Protection (EOP) in Microsoft 365, 85% of users have experienced an email data breach. Microsoft 365 email security falls short in safeguarding users and key business assets against credential phishing, account takeovers, and the other dangerous threats that cloud email users face daily.
In the past, attackers have abused Microsoft 365 to target files in ransomware attacks. Files are stored via “auto-save” and backed up in the cloud, giving end users the impression that their data is protected from an attack. Yet files remain vulnerable to ransomware, because simple configuration errors can lead to a Microsoft 365 tenant being compromised, and even the experts can’t always recover from the damage.
Ongoing phishing campaigns can compromise accounts even when they are protected with MFA. Microsoft stated that some attacks could not be stopped by MFA alone, and that attackers are sitting on these compromised accounts for extended periods and using them to trick users by pretending to be colleagues.
Expert Recommendations
Education and awareness are critical for protecting against phishing attacks as these messages can be highly deceptive and difficult to detect. Fortunately, there are various best practices that you should implement to avoid taking the bait in a phishing attack, including:
- Check for spelling and grammatical errors which can indicate that an email is fraudulent or malicious.
- Keep an eye out for suspicious subject lines and signatures.
- Don’t trust the display name. Just because an email says it’s from a known and trusted sender doesn’t necessarily mean it really is. Even if the email address is legitimate, the message could be coming from a compromised account.
- Be cautious of nonspecific language. Phishers typically use vague language in their campaigns to evade spam filters.
- If an email appears strange in any way, make a phone call to the sender to confirm the legitimacy of the email.
- If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than just hitting reply.
- Beware of urgency. Phishing emails often try to convince recipients to act quickly, without thinking things through.
- Scan all attachments for viruses or dangerous code.
- Verify shared links to ensure that they do not lead to fraudulent websites or malicious code.
- Provide or take part in security awareness training designed to educate employees on how to identify spear phishing emails and how to proceed if they feel that they have received a malicious email.
- Take time to evaluate each email you receive before clicking on links or downloading attachments.
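The "Don’t trust the display name" advice above and the Email Spoofing section describe the same signals a mail gateway or analyst can check mechanically. The following Python example is added here for illustration and is not code from the original article or from any product it mentions: it parses a constructed fake-invoice message, compares the visible From domain against the Reply-To and envelope sender, reads the DMARC verdict a receiving server would have recorded in Authentication-Results, and flags invoice subjects paired with urgency language. All addresses and domains in the sample are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the visible From impersonates a vendor, while the
# envelope sender and Reply-To point elsewhere and the receiving server's
# Authentication-Results header (added by the MTA, not the sender) shows
# that DMARC failed for the From domain.
SAMPLE_RAW = """\
Return-Path: <billing@mail-example.invalid>
Authentication-Results: mx.example.test;
 spf=softfail smtp.mailfrom=mail-example.invalid;
 dkim=none;
 dmarc=fail header.from=vendor.example
From: "Vendor Accounts Payable" <ap@vendor.example>
Reply-To: ap-vendor@mail-example.invalid
Subject: URGENT: Overdue invoice #4471 - payment required today

Please remit payment within 24 hours to avoid service interruption.
"""

def domain_of(addr):
    """Return the lower-cased domain of an address header value, or '' if none."""
    _, address = parseaddr(str(addr or ""))
    return address.rpartition("@")[2].lower()

def invoice_spoof_indicators(raw):
    """Return a list of spoofing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    envelope_dom = domain_of(msg.get("Return-Path"))
    auth = str(msg.get("Authentication-Results") or "").lower()
    # Replies or bounces routed to a different domain than the one displayed.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from From domain {from_dom}")
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"envelope sender domain {envelope_dom} differs from From domain {from_dom}")
    # DMARC ties SPF/DKIM results to the From domain the user actually sees.
    if "dmarc=fail" in auth:
        findings.append("DMARC failed for the From domain")
    elif "dmarc=pass" not in auth:
        findings.append("no DMARC pass result for the From domain")
    # Invoice pretext combined with pressure to act quickly.
    subject = str(msg.get("Subject") or "").lower()
    if "invoice" in subject and any(w in subject for w in ("urgent", "overdue", "immediately", "today")):
        findings.append("invoice subject combined with urgency language")
    return findings
```

A message that produces no findings is not proven legitimate; a compromised vendor account passes every header check, which is why the out-of-band phone call in the list above still matters.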
Human behavior is ultimately unpredictable, so effective protection against phishing requires a safeguarded environment. This can be achieved through a comprehensive, intuitive email security solution that is capable of identifying and blocking the stealthiest spear phishing attempts in real time.
To effectively safeguard business email accounts, a fully integrated email security solution that delivers total end-to-end control is critical. An effective solution must provide real-time protection against phishing and other advanced email threats, while continuously adapting to a changing business and security environment.
Fake Invoice Led To Ransomware Attack
A targeted ransomware attack took down the network of a food and drink manufacturer after hackers took advantage of common security vulnerabilities. Attackers used a phishing attack and took advantage of a number of vulnerabilities to deploy Emotet and Trickbot malware before delivering the Ryuk ransomware and attempting to extort a fee from the victim to restore the network.
The organization decided not to pay the ransom and instead had security experts come in to examine the network and restore functionality within 48 hours. AT&T investigated the attack and helped the unnamed manufacturer return online without paying the ransom all while experiencing minimal disruption to production. The company likely would not have fallen victim if basic security vulnerabilities hadn't allowed the initial stages of the attack to happen.
The criminals were able to gain control of over half the network before eventually delivering the Ryuk ransomware. Within 48 hours, much of the business was back up and running again; even so, two days of downtime would have been costly to the organization, restoring the network is unlikely to have been cheap, and the company then faced the prospect of having to upgrade its security in the aftermath.
Keep Learning
Understanding how phishing works, how to recognize a phishing email, and adopting best practices can prevent attacks. Phishing accounts for over 90% of cyber attacks, so it is critical that your staff has the right tools for securing business email.