16 December 2024 | Prepared by: Caleb Boyd, DFIR Analyst
A typical Business Email Compromise (BEC) incident begins when a Threat Actor gains access to an email account, most commonly observed through successfully phishing their victim. Although the attackers are financially motivated, not all attacks are successful. The Threat Actor will access newly compromised accounts and perform reconnaissance in order to identify target accounts that would allow fraudulent activity to occur. Once in this position, an attacker masquerading as a trusted individual, supplier or even the business itself has the potential to cause devastating consequences, often culminating in payment redirection fraud or data theft.
Figure 1: Typical BEC Attack Flow
One of the major challenges affecting BEC incident response is assessing the full scope of the compromise, particularly in determining the amount of data that was subject to unauthorised access. Regardless of whether financial redirection occurs, the act of performing reconnaissance across the account can lead to data being accessed or synchronised locally. Understanding the impact of the event is crucial to determine whether any sensitive information was accessed, which invokes legal obligations under the Privacy Act 1988 and often leads to legal firms becoming involved to provide legal advice.
Digital Forensics and Incident Response (DFIR) investigations are conducted by practitioners with extensive experience and knowledge of the investigative process. A DFIR provider acts as an external, trusted party focused on delivering unbiased, fact-based insights critical to understanding cyber incidents. While IT Service Providers provide valuable support, their investigations often do not capture the nuanced details and techniques that a thorough investigation requires.
The objectives of a DFIR BEC investigation typically are to:
A critical part of a BEC investigation is determining if mailbox synchronisation has occurred, as this process creates a local offline copy of the mailbox. While mailbox synchronisation enhances productivity by allowing offline access to emails where internet connectivity is limited, it also introduces a risk if exploited by a Threat Actor seeking to obtain a copy of a mailbox. Another key consideration is delegate access, which is commonplace within organisations for managing shared mailboxes or accessing other employees’ mailboxes. When a compromised account has delegate access, the impact of the incident can quickly expand from one (1) mailbox to multiple.
Microsoft is the most common provider of email services for businesses within Australia, with Microsoft Outlook included as part of Microsoft’s suite of productivity tools. This is reflected in the volume of phishing incidents responded to by Triskele Labs, with BECs most commonly being reported by organisations utilising Microsoft 365. This blog will focus on triaging Microsoft 365 events and logs.
Within Microsoft Outlook 365, the below evidence sources are available for organisations to store and review:
Unified audit logs are by far the most critical evidence source available. Every organisation should ensure unified audit logs are enabled within their environment. Without unified audit logs, investigations become significantly restricted and critical information may not be available for analysis.
Captured as part of the unified audit log, Mail Items Accessed operations are useful in determining how many emails were accessed by a Threat Actor, as each operation records messages being accessed. By filtering events on IP addresses attributed to a Threat Actor, investigators can accurately identify the emails which were subject to unauthorised access.
Email clients such as Microsoft Outlook offer the convenience of native synchronisation, allowing users to access their emails offline. While this feature enhances productivity, it also presents an opportunity for attackers. Understanding how native synchronisation works and its potential risks is crucial for assessing the full extent of a compromise.
When a user signs into the Outlook desktop application an Offline Outlook Data File (OST) is automatically created on the local machine to store copies of a user’s mailbox items including emails, calendar events and contacts. This capability ensures users can access their information even when their device is offline. Threat Actors can exploit this capability by signing into a compromised mailbox with the Outlook desktop application, resulting in a full copy of the mailbox on the Threat Actor’s local machine.
Figure 2: OST File Information
An indication that a mailbox was synchronised can be observed if a Threat Actor signs in to the Outlook desktop application. To confirm synchronisation, investigators can use the Mail Items Accessed operation within the unified audit logs. Where a mailbox is synchronised with the Outlook desktop application, the mail access type within the log entry will be recorded as a sync. Instead of the Mail Items Accessed operation recording every email that was synchronised, a single entry is created for each folder targeted by the synchronisation activity. All items within a folder where synchronisation occurred should be considered accessed and therefore in the possession of the Threat Actor.
eM Client is an email desktop application which provides a similar experience to the Outlook desktop application. Threat Actors can leverage eM Client for its mail functionality to send and receive emails from the compromised mailbox. eM Client supports full mailbox synchronisation, enabling users to download all emails, attachments, and other related data in their mailbox to their local devices. By default, synchronisation is enabled with the download scope set to all messages without attachments. eM Client can be used to obtain a full local copy of the mailbox. This means that a Threat Actor will have access to the contents of the mailbox even when containment measures have been applied.
Figure 3: eM Client download scopes
Figure 4: eM Client user interface
eM Client does not automatically add delegate mailboxes and does not provide a list of the available delegate mailboxes within the user interface. To add a delegate mailbox the user must know the mailbox email address. As a result, a Threat Actor would require prior knowledge of any delegate mailboxes and have an intent to access the mailbox through eM Client. The configuration process is straightforward, requiring only the entry and confirmation of the email address as captured in Figure 5: eM Client Delegate Accounts User Interface.
Figure 5: eM Client delegate accounts user interface
A quick way to identify if a Threat Actor has added an enterprise application is by reviewing Microsoft Entra ID. Within the enterprise application view you can check for any suspicious applications that may require further investigation. By navigating to an enterprise application the relevant audit log and sign-in activity can be obtained as captured in Figure 7: eM Client Audit Logs and Figure 8: eM Client Sign-in Logs.
Figure 6: eM Client Mail Items Accessed by Application ID
Figure 7: eM Client Audit Logs
Figure 8: eM Client Sign-in Logs
Investigators can determine whether mailbox synchronisation occurred using the Mail Items Accessed operation within the unified audit log by filtering on the eM Client application ID. This will reveal all the emails that were accessed by eM Client, which should therefore be considered in scope as items subject to unauthorised access, as captured in Figure 6: eM Client Mail Items Accessed by Application ID. It is important to note that the Mail Items Accessed operation groups messages accessed within a two (2) minute period into a single record. This means the unique message IDs need to be extracted to determine the correct number of messages accessed by eM Client.
The act of collecting a local copy of the mailbox generates a high number of log entries, which triggers a Microsoft 365 feature known as “Throttling”. This feature will limit the recording of Mail Items Accessed during periods of high email access. As such, it is possible that additional email items were accessed or synchronised within the target mailbox. Investigators should therefore confirm whether the IsThrottled value was set to True.
PerfectData Software is a legitimate cloud backup solution which allows for a complete backup of a cloud mailbox. Threat Actors will often leverage legitimate cloud backup solutions such as PerfectData Software to perform data exfiltration in the form of a mailbox backup. PerfectData Software offers the ability to perform a mailbox backup from a large number of providers all the way from an IMAP server to M365.
From testing, PerfectData Software does not support the ability to obtain a mailbox backup of delegate mailboxes assigned to standard access accounts. However, as an administrative utility, it does support some functionality for administrators (i.e. Global Administrators) to obtain backups of other mailboxes within the environment. An investigator can determine whether a Threat Actor performed this operation if the following role changes are present:
These role changes would be present within the unified audit log. Where the unified audit log is not enabled, a manual review of the impacted accounts’ assigned roles may provide an indication. As of September 2024, Microsoft has commenced retiring the Application Impersonation permission. This change means the permission can no longer be assigned, and in February 2025 the permission will be completely removed. Therefore, the administrative backup functionality in PerfectData Software will no longer operate in its current form.
Figure 9: PerfectData Software User Interface
Similar to eM Client, investigators can determine whether a mailbox backup was performed by filtering on the PerfectData Software application ID within the Mail Items Accessed operation. This will reveal all the emails that were accessed by PerfectData Software, which should therefore be considered in scope, as captured in Figure 10: PerfectData Software Mail Items Accessed by Application ID. The unique message IDs can be extracted for an accurate figure, and the IsThrottled value checked to confirm whether throttling occurred.
Figure 10: PerfectData Software Mail Items Accessed by Application ID
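The scoping step described above for eM Client and PerfectData Software (filter Mail Items Accessed on an application ID, de-duplicate message IDs across the two-minute aggregated records, treat synced folders as fully accessed, and check IsThrottled) as an added worked example; this is not code from the original post, the application ID is a placeholder, and the audit records are constructed samples in the AuditData JSON shape.

```python
import json

# Placeholder AppId: replace with the value shown for the suspect
# enterprise application in Entra ID (the post does not list it).
SUSPECT_APP_ID = "00000000-0000-0000-0000-000000000001"

def _record(app_id, access, throttled, folders):
    """Build a constructed MailItemsAccessed AuditData record (sample data)."""
    return {"Operation": "MailItemsAccessed", "AppId": app_id,
            "ClientIPAddress": "203.0.113.10", "MailboxOwnerUPN": "cfo@example.com",
            "OperationProperties": [{"Name": "MailAccessType", "Value": access},
                                    {"Name": "IsThrottled", "Value": throttled}],
            "Folders": [{"Path": path, "FolderItems": [{"InternetMessageId": m} for m in ids]}
                        for path, ids in folders]}

# Constructed sample: two Bind records that overlap on one message, one throttled
# folder Sync, and one record from a different client that must be ignored.
SAMPLE_AUDIT_DATA = [json.dumps(r) for r in [
    _record(SUSPECT_APP_ID, "Bind", "False", [("\\Inbox", ["<m1@example.com>", "<m2@example.com>"])]),
    _record(SUSPECT_APP_ID, "Bind", "False", [("\\Inbox", ["<m2@example.com>", "<m3@example.com>"])]),
    _record(SUSPECT_APP_ID, "Sync", "True", [("\\Sent Items", [])]),
    _record("11111111-1111-1111-1111-111111111111", "Bind", "False", [("\\Inbox", ["<m9@example.com>"])]),
]]

def _prop(rec, name):
    """Read a named entry from the record's OperationProperties list."""
    return next((p.get("Value") for p in rec.get("OperationProperties", []) if p.get("Name") == name), None)

def summarise_mail_access(audit_data, app_id):
    """Scope MailItemsAccessed records for one AppId.

    Returns the unique message IDs read via Bind, the folders that were
    synchronised (every item in them is treated as accessed), and whether
    any record had IsThrottled set, meaning further access may be unlogged.
    """
    bound, synced, throttled, count = set(), set(), False, 0
    for raw in audit_data:
        rec = json.loads(raw) if isinstance(raw, str) else raw  # exported CSV carries JSON text
        if rec.get("Operation") != "MailItemsAccessed" or rec.get("AppId") != app_id:
            continue
        count += 1
        throttled = throttled or _prop(rec, "IsThrottled") == "True"
        for folder in rec.get("Folders", []):
            if _prop(rec, "MailAccessType") == "Sync":
                synced.add(folder.get("Path"))
            else:
                bound.update(i["InternetMessageId"] for i in folder.get("FolderItems", []) if i.get("InternetMessageId"))
    return {"records": count, "unique_messages": sorted(bound), "synced_folders": sorted(synced), "throttled": throttled}

if __name__ == "__main__":
    print(json.dumps(summarise_mail_access(SAMPLE_AUDIT_DATA, SUSPECT_APP_ID), indent=2))
```

Three records from the suspect client yield four raw message references but only three unique messages, plus a synced folder and a throttling flag that should widen the scope beyond what was logged.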
Triskele Labs assess that the Threat Actors who perform BEC attacks are typically financially motivated. Their priority goal is to perform Payment Redirection Fraud. This is facilitated through intercepting and altering invoices or documents containing banking details, so that funds are redirected away from the legitimate organisation and into a bank account under the control of the Threat Actor. Where a Threat Actor is unable to identify a suitable opportunity to attempt payment redirection fraud, they will typically conduct an outbound phishing campaign from the compromised mailbox to propagate access to other mailboxes and repeat the process.
With email a key tool used by staff to plan and deliver work, communicate with customers or manage staff, mailboxes will over time aggregate large amounts of data associated with the inner workings of the organisation. Mailboxes and their contents are not typically considered valuable by organisations; however, Threat Actors may perceive this differently. With the proliferation of tools capable of mailbox synchronisation, a mailbox that contains large amounts of PII, PHI or commercially sensitive information could support secondary objectives of the Threat Actor, such as collecting information to impersonate individuals to facilitate payment redirection fraud, or extracting contact lists for targeted phishing campaigns.
It is worth reflecting on how ransomware has transformed over the last 10 years from basic encryption to multiple layers of extortion. The technical capability is already available that could allow for a similar maturing of Threat Actor Tactics, Techniques and Procedures as part of BECs. While payment redirection fraud is likely to continue, there would be limited obstacles to performing data theft or extortion upon conclusion of the attack in order to introduce other methods of financially motivated crime.
To protect against BEC attacks and data exfiltration via mailbox synchronisation, organisations should implement a multi-layered defence strategy. The following strategies should be considered:
1. Restrict Consent to Applications
Limit the ability of users to grant consent to third-party applications that request access to email data. Implement policies that require administrative approval for any such requests.
2. Conditional Access for M365 Cloud Apps
Use conditional access policies in Microsoft 365 to enforce strict access controls. This includes requiring multi-factor authentication (MFA), restricting access based on location and device compliance, and blocking access from unauthorized applications. Check out our blog post on Enhancing Security with Essential Microsoft Entra Conditional Access Policies.
3. SIEM + Monitoring
Deploy Security Information and Event Management (SIEM) systems to monitor for unusual activities, such as large-scale mailbox synchronisation or the use of non-standard email clients. Regularly review logs and alerts to identify potential compromises.
4. Payment Processes and Procedures
A common method used to verify payment details is to phone the recipient organisation to verify that banking details are correct. This check will help prevent payment redirection fraud. Adding a statement to the accounts department's email signatures such as "we will never change our bank details via email" can also be beneficial.
5. Session Token Protection
Token protection is intended to restrict token use to the intended device. This reduces the likelihood of an attacker being able to use a stolen session token.
6. Sensitive Data Minimisation
Limiting the storage of sensitive information in emails will reduce the risk of exposure in the event of a compromise.