The Challenge

To try and understand how an attacker had managed to infiltrate the organisation and prevent it happening again.

The names have been changed to protect the business and reputations of all those concerned, however, the events are true to narrative. This article attempts to shed some light on how an attacker may gain a foothold in your business, without any real hacking skills.

Marta is the Chief Exec at Smart Insolvency Services: a mid-sized insolvency practice based in Wolverhampton, she needed help to try and understand how she’d been the victim of a recent security breach. and Cognisys was recommended to her by one of our existing clients.

Smart Insolvency moves around large amounts of money and unfortunately, the company had just handed over £50K to a fake bank account. The bank was trying to recover the money, but they were experiencing no such luck and Marta was at a loss to understand exactly what had happened.

Cognisys conducted a review of the organisations Office 365 Tenant. Alarm bells sounded immediately when we discovered there was no MFA (Multi-Factor Authentication) in place. Moreover, their existing IT Support company had failed to put even the most basic security rules in place to protect his business.

Very quickly we discovered forwarding rules, newly added by an attacker, which was forwarding email traffic outside the organisation to a fake Gmail account. There was an attempt to hide the rule, however, since this is one of the primary attack vectors, our security consultants knew exactly where to look.

Strangely, almost all the employees’ user accounts had been compromised, which was striking, even for an organisation without MFA.

Forensic analysis of email accounts led us to discover that one of the directors had previously requested everyone’s password details for a migration from Google to Office365 to ‘helpfully’ speed up the process earlier in the year.

The same director was coincidentally phished by a rogue email, which requested that he input his Microsoft credentials. Once compromised, the lack of secondary authentication allowed the attacker full access to his inbox through Office365.

Typically, one of the first things the attacker will do in this case is search for the term ‘password’ – imagine the delight when he/she came across the list of passwords for all the users in the organisation. (This explains the scale of email infiltration).

The attacker inserted himself into email conversations, waiting for the right time to substitute his own bank details for the legitimate ones in relation to a small finance transfer. This was subsequently repeated with a much larger sum.

Unfortunately, due to the high number of transactions and the amounts of money transferred on a daily basis, it took a while for the faulty exchange to emerge.

Cognisys turned on event logging and observed a log-in that was geo-tagged as Lagos in Nigeria on the same morning we were called. It could be that the attacker was controlling a compromised machine from somewhere else, or they could have actually been in Nigeria. One thing is for sure though, it was unlikely to be coming from Wolverhampton.

Cognisys provided the name of a reputable IT service provider and a list of remediation steps. These increased the security tremendously, locking the attacker(s) out and providing monitoring to ensure any unusual activity was flagged immediately.

The cost of securing the tenant would have been a minor labour cost from Marta’s IT support company. The issue was a lack of awareness which, unfortunately, is one that we see repeated on an all too frequent basis. The title of the post is a little unfair- since Smart I.S. didn’t make it easy, it relied on advice from an “expert” unfortunately the advice was incorrect.

At the time of writing Marta had sadly not recovered the money due to the length of time elapsed between the loss and the notification. Since then, Marta has invested in Cyber-Awareness training for her staff, but she knows she’s locking the door after the horse has bolted.

Ensure that your Microsoft Cloud services are properly secured, and your staff know how to identify bogus emails. Explore our O365 tenant review and cyber-attack simulation service today.