New BEC Campaign Targets Executives

By Richard Anderson

Business email compromise attacks involve the impersonation of a high-level executive, often the CEO or CFO. The attacks often start with a spear phishing email to obtain the credentials of the CEO/CFO. If the credentials are obtained, the email account is used to send requests to employees. During tax season, W-2 Form data for all employees is often requested or requests are sent to the finance department to make wire transfers to accounts controlled by the attacker. Most employees are eager to respond quickly to requests from the CEO or CFO, even if the requested actions are somewhat atypical.

In the past few days a new BEC campaign has been detected which targets other members of the C-Suite to gain access to office 365 account credentials. The emails appear to have been sent from the CEO’s email account and claim to require a response to reschedule a cancelled board meeting via a Doodle poll.

The emails contain a “participate now” button which, if clicked, will direct the user to a web page containing with an Office 365 login box. The user is required to enter their password to continue.

If the password is entered, it is captured by the attacker and allows full access to the user’s Office 365 account.

The emails have the subject line “New message: [Company Name] February in-person Board Mtg scheduling” and appear to have been sent from the user’s email account. The sender name and to field are the same. If the message is opened on a mobile device, the sender’s name is altered to “Note to Self.” The link directs the user to a web.core.windows.net domain. The emails appear to have no problem bypassing Office 365 anti-spam controls.

These attacks show just how important it is for everyone in the organization to receive regular security awareness training, including members C-Suite. In addition, all employees should be kept abreast of the latest phishing scams through regular cybersecurity bulletins.

Twitter Facebook LinkedIn Reddit Link copied to clipboard

Posted by

Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news