How Threat Actors Use Enterprise Applications in Microsoft 365 to Exfiltrate Data
by Josh MacMonagle, Krystina Lacey, Jamie Vendel
Our experts have honed every step of the investigative process and created unique tools for multiple platforms to deliver timely and defensible answers for BEC challenges—from misdirected payments to the compromise of sensitive data or unauthorized access to the greater network environment.
Business email compromise is the unauthorized access to one or more mailboxes by a threat actor. Threat actors have historically performed BEC attacks in order to commit financial fraud, such as misdirecting payments or wire transfers to an actor-controlled bank account. While financial fraud is still a primary goal, actors are increasingly evolving BEC attacks to gain greater access—from exploring connected SharePoint, OneDrive and Teams areas to pivoting to network environments where they can exfiltrate and sometimes encrypt (ransom) sensitive data.
BEC attacks most commonly begin with a phishing email message that contains a malicious attachment or layered redirect links to credential harvesting websites. In recent years, Kroll has observed threat actors evolving their tactics to include:
Recently, Kroll experts documented an evolution in threat actor tactics in which the data transfer program Rclone was used via a compromised M365 account to download a massive number of files from SharePoint—all without remote access to a host. This new tactic, M365 theft/extortion, follows a threat actor pattern similar to the one commonly seen in more traditional incident response matters.
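A defender-side check for the Rclone-from-SharePoint pattern described above, as an added example that is not Kroll's tooling: it runs over a constructed sample of Office 365 Unified Audit Log records (real schema fields CreationTime, UserId, Operation, Workload, UserAgent, ObjectId; all values made up) and flags accounts with a burst of download events or a data-transfer-tool user agent. The window, threshold and user-agent markers are assumptions to tune per tenant.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def make_record(ts, user, op, ua, obj):
    # Minimal UAL-shaped record (SharePoint workload) using real field names.
    return {"CreationTime": ts.strftime("%Y-%m-%dT%H:%M:%S"), "UserId": user,
            "Operation": op, "Workload": "SharePoint", "UserAgent": ua, "ObjectId": obj}

# Constructed sample: one normal user plus one account being bulk-downloaded via rclone.
_base = datetime(2023, 4, 1, 10, 0, 0)
SAMPLE_RECORDS = []
for i in range(5):
    SAMPLE_RECORDS.append(make_record(_base + timedelta(minutes=i * 7), "bob@example.com",
                                      "FileDownloaded", "Mozilla/5.0 (Windows NT 10.0)",
                                      f"https://example.sharepoint.com/sites/HR/doc{i}.docx"))
for i in range(120):
    SAMPLE_RECORDS.append(make_record(_base + timedelta(seconds=i * 3), "alice@example.com",
                                      "FileDownloaded", "rclone/v1.62.2",
                                      f"https://example.sharepoint.com/sites/Finance/file{i}.xlsx"))

DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}

def find_bulk_downloads(records, window=timedelta(minutes=10), threshold=50,
                        tool_markers=("rclone",)):
    """Return {user: [reasons]} for users whose SharePoint/OneDrive downloads exceed
    `threshold` inside any sliding `window`, or come from a known transfer-tool UA."""
    by_user = defaultdict(list)
    for r in records:
        if r.get("Workload") in ("SharePoint", "OneDrive") and r.get("Operation") in DOWNLOAD_OPS:
            by_user[r["UserId"]].append((datetime.fromisoformat(r["CreationTime"]),
                                         r.get("UserAgent", "")))
    findings = {}
    for user, events in by_user.items():
        events.sort()
        peak, tool_uas, recent = 0, set(), deque()
        for ts, ua in events:
            recent.append(ts)
            while ts - recent[0] > window:      # drop events outside the sliding window
                recent.popleft()
            peak = max(peak, len(recent))
            if any(m in ua.lower() for m in tool_markers):
                tool_uas.add(ua)
        reasons = []
        if peak >= threshold:
            reasons.append(f"{peak} downloads within a {window} window")
        for ua in sorted(tool_uas):
            reasons.append(f"data-transfer tool user agent: {ua}")
        if reasons:
            findings[user] = reasons
    return findings

if __name__ == "__main__":
    for user, reasons in find_bulk_downloads(SAMPLE_RECORDS).items():
        print(user, "->", "; ".join(reasons))
```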
Kroll offers a number of solutions in order to protect your organization from falling victim to a business email compromise attack:
Our forensic investigators and analysts can perform a full tenant review, including full log analysis in which Kroll reviews for suspicious activity related to previously identified indicators of compromise (IOCs), foreign logins or unauthorized access to mailboxes within an email environment, and enterprise mail rules, and deliver a detailed forensic report.
Our experts have created an efficient, budget-friendly automated tool that provides a simplified report of the investigative findings. This tool answers key questions to help determine the extent of the compromise on an affected account/tenant.
| | Fixed Fee BEC | Full Service BEC |
|---|---|---|
| Covering the Affected M365 Account(s) | | |
| Suspicious behaviors pattern analysis (impossible travel, etc.) | | |
| Unauthorized access evidence | | |
| Unauthorized access duration | | |
| Access method (IMAP, POP, Web, Mail Client, etc.) | | |
| Mailbox sync activity evidence | | |
| Search results export | | |
| Covering the M365 Enterprise/Tenant(s) | | |
| Mailbox rules review | | |
| Full tenant review for IOCs | | |
| Tenant wide (all accounts) log analysis | Optional add-on | |
| Triage for initial compromise vector (phishing email, impersonation, etc.) | Optional add-on | |
| Identification and preservation of unauthorized emails | Optional add-on | |
| Client deliverable | Factual report (spreadsheet) | Narrative report |
| Pricing structure | Fixed fee | Custom |
Our experts are well-equipped to help you during every step of a BEC investigation. Kroll forensic investigators possess industry-leading forensic training and certifications, including GCFE, CFCE and GCFA, and extensive knowledge of email systems, including Microsoft Azure, Microsoft 365, Exchange and many APIs that can greatly expedite the investigation and uncover hard-to-spot activity. Kroll’s team consists of hundreds of examiners based in more than 16 countries across five continents and can meet varying geography-based legal requirements for client data storage, as well as residency requirements for examiners handling sensitive data.
Our team also has litigation support expertise, including several Relativity certifications and global forensic labs, so we can more efficiently and quickly perform managed mailbox review. Additionally, we work closely with 60+ cyber insurance carriers and hundreds of law firms so investigations are protected and move seamlessly.
In order to best prepare your organization against a BEC attack, Kroll experts can perform email and cloud security assessments to help harden mailboxes, assist with cloud system configuration and monitoring, and conduct simulated phishing attacks to help educate your staff. Additionally, Kroll Responder provides managed detection and response (MDR) monitoring for Office 365 to flag any suspicious behavior as well as ingest mail logs and survey for malicious activity.
BEC can often be one aspect of a deeper compromise and may require deeper incident response, litigation support and even data breach notification support. Kroll clients can package full service or fixed fee BEC solutions with Kroll’s Cyber Risk Retainer, which gives you prioritized access to elite investigators and flexibility to allocate incident response resources as well as all other cybersecurity solutions offered by Kroll.