Client’s banking institution flagged a funds transfer to a suspicious account for $130,000 USD and notified the client. The authorization originated from an internal email account, so the client presumed it to be an insider threat. Seeking legal recourse, the client contacted ProCircular for investigative assistance.
ProCircular’s Investigative Findings
ProCircular immediately analyzed the client’s network and Microsoft Office 365 logs for Indicators of Compromise (IOCs) and discovered the threat was not internal, but that an external attacker had infiltrated one user’s account due to a weak password.
From that account, we discovered the attacker had accessed the client’s SharePoint site and downloaded the organizational structure. They then sent thousands of internal emails requesting login credentials from targeted employees, eventually gaining unauthorized access to both the CFO’s and the Controller’s email accounts.
Cunningly, the attacker then established mailbox forward and flow rules to delete all direct emails between the CFO and Controller, thereby monitoring and manipulating communication between two key financial stakeholders.
Further analysis revealed that the attacker had created a fraudulent invoice for $130,000 USD and sent it from the CFO’s account to the Controller. The Controller requested EFT authorization from the CFO via email; it was intercepted and approved by the attacker. The Controller then sent the EFT request to their bank.
Fortunately, the bank noticed that the name of the account holder was different from the name on the invoice, and quickly flagged the transaction as suspicious. They contacted the client directly to confirm the transaction, thereby preventing substantial loss to the client.
ProCircular analyzed the client’s Office 365 access logs, identified the IP addresses of the attackers, and immediately blocked them from the network entirely.
We then identified all the attacker’s Office 365 mailbox rules and suspended them. Then, working backwards from those rules with the client’s configured eDiscovery rulesets, we located all the messages the attacker’s rules had wrongfully deleted. From those messages, ProCircular identified additional compromised users.
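The two investigative steps described above (hunting the attacker’s mailbox rules and recovering the mail they deleted) can be reproduced from an export of the Office 365 unified audit log. The following is an added illustration, not ProCircular’s tooling or the client’s data: the three log records are constructed, the mailbox names and IP addresses are placeholders, and the record layout follows the Exchange admin-audit shape of the unified audit log (Operation, UserId, ClientIP, and a Parameters list of Name/Value pairs). The detector flags rules that delete, forward or redirect mail or file it into folders a user rarely reads, collects the source IPs behind them for blocking, and turns each deleting rule’s own match conditions into the search criteria needed to find the messages it removed.

```python
"""Hunt a unified-audit-log export for inbox rules that hide or divert mail,
then derive the search criteria that locate the mail such rules deleted.
Added example with constructed records; not the original page's code."""
import json
from typing import Dict, List

# Constructed sample export (three records). Addresses and IPs are placeholders.
SAMPLE_LOG = json.dumps([
    {"CreationTime": "2020-03-02T08:14:55", "Operation": "New-InboxRule",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.45",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "From", "Value": "controller@example.com"},
         {"Name": "DeleteMessage", "Value": "True"},
         {"Name": "StopProcessingRules", "Value": "True"}]},
    {"CreationTime": "2020-03-02T08:16:02", "Operation": "Set-InboxRule",
     "UserId": "controller@example.com", "ClientIP": "203.0.113.45",
     "Parameters": [
         {"Name": "Identity", "Value": "Invoices"},
         {"Name": "ForwardTo", "Value": "billing-archive@example.net"}]},
    {"CreationTime": "2020-03-02T09:00:10", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "SubjectContainsWords", "Value": "newsletter"},
         {"Name": "MoveToFolder", "Value": "Reading"}]},
])

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Rule actions that remove mail from the owner's view or send it elsewhere.
DIVERT_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders attackers commonly use as a hiding place for filed mail.
SUSPICIOUS_FOLDERS = {"Deleted Items", "RSS Subscriptions", "Junk Email", "Archive"}
# Rule conditions worth carrying over into a recovery search.
CONDITION_NAMES = ("From", "SubjectContainsWords", "BodyContainsWords")


def params_of(record: dict) -> Dict[str, str]:
    """Flatten the audit record's Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def rule_reasons(record: dict) -> List[str]:
    """Return the reasons a rule-change record looks like mail hiding/diversion."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = params_of(record)
    reasons = []
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage")
    reasons.extend(name for name in DIVERT_ACTIONS if name in params)
    folder = params.get("MoveToFolder", "")
    if folder.split("\\")[-1] in SUSPICIOUS_FOLDERS:
        reasons.append("MoveToFolder:" + folder)
    return reasons


def find_suspicious_rules(log_json: str) -> List[dict]:
    """Scan an audit-log export and return one finding per suspicious rule change."""
    findings = []
    for record in json.loads(log_json):
        reasons = rule_reasons(record)
        if not reasons:
            continue
        params = params_of(record)
        findings.append({
            "time": record["CreationTime"],
            "user": record["UserId"],
            "ip": record.get("ClientIP"),
            "operation": record["Operation"],
            "reasons": reasons,
            "conditions": {k: params[k] for k in CONDITION_NAMES if k in params},
        })
    return findings


def attacker_ips(findings: List[dict]) -> List[str]:
    """Distinct source IPs behind the flagged rule changes, for blocking and pivoting."""
    return sorted({f["ip"] for f in findings if f["ip"]})


def recovery_queries(findings: List[dict]) -> List[dict]:
    """For each deleting rule, return the mailbox plus the rule's own match
    conditions; searching that mailbox (including recoverable items) with the
    same conditions locates the messages the rule removed."""
    return [{"mailbox": f["user"], "conditions": f["conditions"]}
            for f in findings if "DeleteMessage" in f["reasons"]]


if __name__ == "__main__":
    found = find_suspicious_rules(SAMPLE_LOG)
    for f in found:
        print(f"{f['time']} {f['user']} {f['operation']} from {f['ip']}: {', '.join(f['reasons'])}")
    print("block:", attacker_ips(found))
    print("recover:", recovery_queries(found))
```

Against the constructed records the scan flags the CFO’s delete rule and the Controller’s forwarding rule, attributes both to the same external address, and leaves the ordinary newsletter rule alone; the recovery query for the CFO’s mailbox carries the rule’s `From` condition, which is exactly the filter to feed an eDiscovery search. Rules created through a client other than Outlook can also be set via the Set-Mailbox forwarding properties rather than inbox rules, so a real hunt should cover those records as well.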
We then notified all phished users of their compromised accounts, instructing them to immediately change their login credentials to comply with a stricter password policy, disable legacy configurations, and enable Multi-Factor Authentication (MFA).
These timely actions mitigated further damage to the client and eradicated the vulnerabilities responsible for the breach.
Fortunately, the bank’s due diligence prevented any direct financial loss from the incident. ProCircular’s incident response engagement cost approximately $14,000 USD. Combining the installed monitoring system, upgraded endpoint solutions and security controls, and the investigation costs, the client saw roughly $100,000 USD in unplanned expense over the first year alone.
From a recent proactive engagement with ProCircular, the client already had ProCircular’s preventative recommendations in hand. However, the attack occurred so soon after the penetration test that there had not been adequate time to implement them, particularly a stricter user password policy and multi-factor authentication.
Since vulnerabilities and weak configurations can result in a breach at any time, this case study underlines the importance of proactive, professional cybersecurity analysis and the rapid implementation of any high priority security recommendations that result.