Microsoft 365 Automated Reply System hit by Phishing Tactics

Two new business email compromise (BEC) techniques have been observed in phishing attacks. Both manipulate Microsoft 365's automated email responses in order to slip past email security filters.

In one case, attackers target employees and redirect their legitimate automatic replies; in the other, they manipulate read receipts. Both styles were being used in the wild in December, when auto-responders were doing more work than usual.

A researcher with Abnormal Security said in a posting that attackers are using every available tool and loophole to their advantage in the hope of a successful BEC attempt.

Read Receipts Attack:- 

In the read-receipts attack, a scammer crafts an extortion email and manipulates the “Disposition-Notification-To” email header so that Microsoft 365 generates a read-receipt notification to the recipient.

Even when the malicious email itself is trapped by email security solutions, the read receipt still reaches the target. Because it is generated by the internal system, it is able to bypass those security solutions and land in the employee’s inbox, and it carries the text of the original email.

According to Austin Merritt, cyber-threat intelligence analyst at Digital Shadows, the attacker has designed these fear-based attacks to elicit an urgent response from recipients to click on a malicious link, and by manipulating the email header with fear-based language they double down on this tactic. When a user clicks on the link, it will allow an attacker to gain access to an organization’s network through the victim’s device.

Out-of-Office or OOO attack:-

In this attack, the attacker creates a BEC email that impersonates someone inside the organization and manipulates its “Reply-To” email header. When the target has an out-of-office (OOO) message turned on, the OOO notification is redirected to another individual within the organization.

Graham Cluley, a researcher at Bitdefender, explained this with an example. He said: let’s consider an email sent to one employee (let’s call him Nick), but the “Reply-To” header contains another employee’s email address (let’s call her Tina). Nick has enabled his out-of-office reply, so when he receives the tricky email an automatic reply is generated. However, the out-of-office reply, which should be sent to the true sender, is sent to Tina. The reply includes the extortion text.

Because it originates from the original target’s account, the message likely won’t be caught by email-security systems. This campaign shows BEC actors using auto-responses both to bypass security solutions and to give email recipients the false impression that their account has been compromised.

Both techniques are a problem even for network defenders who already have traditional security solutions in place, because the phishing emails either trigger read-receipt notifications or redirect to a separate recipient’s inbox, and in both cases they reach the attention of the intended victim.
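Both tactics hinge on a single observable: a header that tells the mail system to send an automatic response (an out-of-office reply via Reply-To, or a read receipt via Disposition-Notification-To) somewhere other than back to the sender. As an added defensive example, not code from the article or from any vendor quoted in it, the following Python script parses raw messages and flags that divergence, with an extra finding when an external sender steers the auto-response into an internal mailbox. The domain `example.com`, the helper names and all three sample messages are constructed for the example.

```python
"""Audit the headers that drive Microsoft 365 auto-responses.

Flags messages whose Reply-To or Disposition-Notification-To header points
anywhere but back at the From address, the pattern behind the out-of-office
and read-receipt BEC tactics. All addresses, domains and messages here are
constructed for the example.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed: the defended organisation's own mail domain (constructed value).
INTERNAL_DOMAIN = "example.com"

# Constructed lure impersonating an internal sender: Reply-To is pointed at a
# second employee, so any out-of-office reply goes to her instead of the sender.
OOO_LURE = """From: "IT Helpdesk" <helpdesk@examp1e-corp.test>
To: nick@example.com
Reply-To: tina@example.com
Subject: Your account has been compromised

Pay within 24 hours or your files will be released.
"""

# Constructed read-receipt lure: the disposition notification is requested
# for the recipient's own mailbox rather than the sender's.
READ_RECEIPT_LURE = """From: recovery@attacker.test
To: employee@example.com
Disposition-Notification-To: employee@example.com
Subject: FINAL WARNING: your account has been compromised

Click the link below immediately.
"""

# Constructed normal partner email with no auto-response redirection.
BENIGN_MESSAGE = """From: alice@partner.test
To: nick@example.com
Subject: Q1 invoice

Attached as discussed.
"""

# Headers that decide where an automatic reply or receipt is delivered.
AUTO_RESPONSE_HEADERS = ("Reply-To", "Disposition-Notification-To")


def _address(msg, header):
    """Return the bare, lower-cased address from a header, or None if absent."""
    value = msg.get(header)
    if not value:
        return None
    return parseaddr(str(value))[1].lower() or None


def _is_internal(address, internal_domain):
    """True when the address belongs to the defended domain."""
    return address is not None and address.endswith("@" + internal_domain)


def audit_headers(raw, internal_domain=INTERNAL_DOMAIN):
    """Parse one RFC 5322 message and return a list of finding strings.

    One finding per auto-response header that does not point back at From;
    a second finding when that target is an internal mailbox while the
    sender is external, which is the shape of both tactics in the article.
    """
    msg = message_from_string(raw, policy=policy.default)
    sender = _address(msg, "From")
    findings = []
    for header in AUTO_RESPONSE_HEADERS:
        target = _address(msg, header)
        if target is None or target == sender:
            continue  # absent, or the ordinary case of replies going to the sender
        findings.append(f"{header} ({target}) differs from From ({sender})")
        if _is_internal(target, internal_domain) and not _is_internal(sender, internal_domain):
            findings.append(
                f"{header} steers auto-responses from external sender "
                f"{sender} into internal mailbox {target}"
            )
    return findings


if __name__ == "__main__":
    samples = (("ooo_lure", OOO_LURE),
               ("read_receipt_lure", READ_RECEIPT_LURE),
               ("benign", BENIGN_MESSAGE))
    for name, raw in samples:
        print(name, "->", audit_headers(raw) or ["no findings"])
```

The check is deliberately narrow: a mismatched Reply-To is common in legitimate mailing-list and helpdesk traffic, so the first finding is a triage signal, while the second (external sender, internal auto-response target) is the one worth alerting on or quarantining at the gateway before the auto-responder ever fires.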

BEC Email Threat:-

BEC emails are designed to scam companies out of money. To carry this out, scammers usually impersonate an employee, supplier or customer in an email and ask for a bogus invoice to be paid, or for a wire transfer to be sent to a new, attacker-controlled destination.

According to Abnormal Security’s Quarterly BEC report, the volume of BEC attacks continued to grow in 2020, rising by 15 percent quarter-over-quarter. The average weekly volume of BEC attacks in the period increased in six out of eight industries, with the biggest rise observed in the energy/infrastructure sector. The retail/consumer goods, manufacturing and technology industries had the highest number of weekly BEC attacks.

The study also found that campaigns geared towards invoice and payment fraud were particularly virulent, rising 155 percent quarter-over-quarter.

Researchers noted that the traditional defenses against those kinds of attacks are user awareness and training to independently verify that a request is legitimate.

“In order to execute BEC and other phishing attacks, remote work has created more opportunity,” said Hank Schless, senior manager of security solutions at Lookout. Employees have a much harder time validating unknown texts or emails when, due to remote work, they are not able to walk over to another person’s desk in the office. Attackers note these issues and are using remote work to their advantage to execute bigger BEC attacks.

As email-security systems get smarter, cybercriminals are getting smarter too. Earlier in January, a campaign was spotted that leverages Google’s Forms survey tool to prompt a dialogue between the email recipient and the attacker.

Analysts have observed that Microsoft’s cloud-based Office suite, Office 365 in particular, is an especially attractive avenue for BEC efforts.