A Stolen Phone Led to Phishing Attempts, an Email Investigation, and Improved Cyber Hygiene
Incident: Office 365 Phishing Attack
After an executive’s Apple iPhone X was stolen during a trip, vendors began to report sophisticated phishing emails. Insider information indicated someone was impersonating the Managing Director. Pragma was brought in to investigate and cut off the unauthorised access.
- The Managing Director’s phone was stolen during a business trip to China in 2019.
- The client took great initial containment steps that are available to most consumers.
- Attackers targeted the client first and may have gained footholds in vendor systems.
- Each fraud attempt was made using an edited version of a PDF requesting payment of an invoice.
The client is a large automotive and consumer electronics manufacturer, which we refer to as ACE. They contacted Pragma after the Managing Director’s phone was stolen. Since its founding in 1998, ACE has become one of the leading names in automotive electronics manufacturing. ACE has its main headquarters in Korea and additional offices in Australia, Japan, Hong Kong and New Zealand.
ACE has been able to partner with high-profile international entities and imports products to Asia as well as the EU and the Gulf. Email phishing and phoney payments are a serious threat to the company’s reputation and integrity.
The Managing Director visited China during a business trip in June 2019. His phone was stolen on June 6th. The first fraudulent email was sent to a vendor the next day, June 7th. Three further fraudulent emails were sent during the following eleven months, with the final message delivered in May 2020.
Each message was a phishing attempt using an amended PDF. The threat actors edited a PDF invoice and sent a message to Vendor 1 asking for payment. Subsequent emails were sent to three other vendors. Every message used some form of payment request based on a fraudulent PDF.
Pragma was contacted following the fourth fraudulent email and engaged to perform the following:
1) Determine whether an attacker has ongoing access to company email systems.
2) Contain and eradicate unauthorised access.
3) Review the MD’s mailbox for Personally Identifiable Information and advise whether a breach notification may be required.
4) Recommend security improvements to halt the ongoing attack and prevent future attacks.
- Pragma determined the stolen phone was probably not the vector of infiltration.
- Containment measures were taken, such as remote sign-out from Office 365 accounts, password changes, and remote data deletion.
- Pragma analysed the fraudulent email messages to compare attack profiles.
Pragma investigated each email incident separately to determine the attacker’s course of action. The four email messages had some things in common but also had key differences. The common points and differences revealed the attacker’s progress as well as the client’s continued exposure to attack.
All messages had ACE in common as a contact or reference and used some form of phishing with a PDF invoice. The first attack was the only one that originated from the Managing Director’s compromised email account. Subsequent attacks were launched from other email addresses, indicating the attackers may have gained a foothold in the vendors’ systems.
The Managing Director took several successful containment steps. Pragma’s CIRT helped ACE strengthen their security further by identifying high-risk O365 users. These users were signed out of their accounts and required to create new passwords. Multi-Factor Authentication (MFA) was implemented for all users.
After completing the analysis and finishing these steps, Pragma assured the client their email was secure. No ongoing unauthorised access could be detected.
- Passwords and Access
- Updated Firewall Rules
- Mailbox Rule Review
- Active Directory Lockout: activation of Active Directory Smart Lockout for Office 365 protects against brute-force attacks.
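One way to carry out the Office 365 sign-out and the mailbox rule review described above, as an added example written for this page rather than Pragma’s own tooling: it assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules, an account with Exchange and user administration rights, and a list of high-risk user principal names supplied by the investigator (the addresses below are constructed placeholders).

```powershell
# Added example: triage Office 365 mailboxes for business-email-compromise
# indicators and sign out high-risk users. Assumes the ExchangeOnlineManagement
# and Microsoft.Graph modules are installed and the caller is an Exchange and
# user administrator for the tenant.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Constructed placeholder list; replace with the investigator's high-risk users.
$HighRiskUsers = @("md@example.com", "finance@example.com")

foreach ($upn in $HighRiskUsers) {
    # Mailbox-level forwarding set outside of inbox rules is a common
    # persistence point: the attacker keeps receiving vendor replies.
    $mbx = Get-Mailbox -Identity $upn
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        Write-Warning "$upn forwards mail to '$($mbx.ForwardingSmtpAddress)' / '$($mbx.ForwardingAddress)'"
    }

    # Flag inbox rules that forward, redirect, or silently delete mail; such
    # rules hide invoice replies so the victim does not notice the fraud.
    foreach ($rule in (Get-InboxRule -Mailbox $upn)) {
        $suspicious = ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or
                       $rule.RedirectTo -or $rule.DeleteMessage)
        if ($suspicious) {
            Write-Warning "$upn rule '$($rule.Name)' forwards, redirects or deletes mail"
            # Disable rather than delete so the rule survives as evidence.
            Disable-InboxRule -Identity $rule.Identity -Mailbox $upn -Confirm:$false
        }
    }

    # Remote sign-out: revoking refresh tokens ends every existing session,
    # including any still held on a stolen device. A password change alone
    # does not do this.
    $user = Get-MgUser -UserId $upn
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    Write-Output "Revoked sessions for $upn"
}
```

Disabled rules and forwarding findings should be recorded before any cleanup, since they are part of the timeline used to decide whether a breach notification is required.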
The potential loss to ACE from this email compromise was $62,140. This is the amount paid to the attackers. Pragma’s investigation and actions were concluded within 1 day. Because our CIRT secured the accounts and eliminated further fraud, the client was able to contact their bank and have the transaction reversed.