The ever-growing volume of advanced cybersecurity attacks challenges even the most advanced Security Operations (SOC) teams. To help SOC teams address these challenges, Microsoft 365 Defender can now automatically disrupt advanced attacks like ransomware and BEC campaigns. It uses high-confidence eXtended Detection and Response (XDR) signals across endpoints, identities, email, and SaaS apps to stop attack progression and limit the impact to organizations.
While in Private Preview, Microsoft 365 Defender disrupted a total of 38 BEC attacks across 27 organizations – clearly showcasing the efficacy and impact the new capability will have to support SOC teams. To help you better understand how automatic attack disruption works, this blog outlines the replay of a BEC attack attempting financial fraud, that was recently discovered by the Microsoft 365 Defender security research team in the environment of a customer in Microsoft’s Private Preview program. The threat was mitigated by Microsoft XDR-automated attack disruption capability.
So let’s take a look:
Initial Access and Credential Access via Phishing
To gain initial access, a user was compromised via a phishing email that used an adversary-in-the-middle (AiTM) phishing kit. The user signed into the phishing page with their username and password and completed the subsequent multi-factor authentication (MFA) prompt. This enabled the attacker to obtain the username, password, and session cookie with an established MFA claim.
The phishing kit proxied an authentication request to the actual website, which in this case was the organization’s Azure AD sign-in page. Azure AD Identity Protection recognized the unusual sign in request and raised a high severity “unfamiliar sign-in properties” alert, but the affected organization did not act on the alert.
Collection and Impact
One month later, what was most likely another cybercriminal who purchased the stolen cookie on the dark web, signed into the user account by replaying the session cookie via web browser, raising another “Unfamiliar sign-in properties” alert, which was not addressed by the organization. The fraudster then read emails in the user’s mailbox, looking for a mail conversation chain to hijack.
Once the attacker found a relevant conversation chain, they registered two homoglyph domains, for the affected organization and an insurance company the organization worked with.
Explanation: What is a homoglyph domain?
Next, the attacker created an inbox rule that moved all emails received by the user from the target organization to a “Conversation History” folder, in preparation for sending a fraud email with wire instructions changes.
To establish legitimacy, the attacker used homoglyphs in the email address with a domain resembling the user’s organization and an email address with a domain resembling the insurance company. Once the mail with new wire instructions was sent, the attacker immediately deleted it from Sent Items.
Microsoft 365 Defender XDR automatic disruption of the attack
Microsoft 365 Defender used a combination of signals from identity and email security solutions such as unfamiliar sign-in, inbox rule creation, and sending and deletion of emails, to identify the BEC attack and detect the fraud attempt. Having established a high level of confidence through the combination of signals and alerts, Microsoft XDR-automated actions then disabled the user account and disrupted the attack - preventing follow-up conversations, and the wire instructions were not acted upon.
Automatic attack disruption is a powerful, out-of-the-box capability that can automatically stop the progression of some of the most sophisticated attacks, thanks to Microsoft 365 Defender’s breadth of signal that allows us to see more attack vectors beyond just endpoints and identities.
In our testing and evaluation of BEC detections and actions in customer environments faced with real-world attack scenarios, dozens of organizations were better protected when accounts were automatically disabled by Microsoft 365 Defender. At the same time, the new automatic disruption capabilities leave the SOC team in full control to investigate all actions taken by Microsoft 365 Defender and where needed, heal any remaining, affected assets. For more information check out our documentation.
How to get started
- Make sure your organization fulfills the Microsoft 365 Defender pre-requisites
- Connect Microsoft Defender for Cloud Apps to Microsoft 365.
- Deploy Microsoft Defender for Identity. You can start a free trial here.
- Ensure you have a leading email security solution in place with Microsoft Defender for Office 365.