Critical Insight SOC Catches Attacker Inside One Internal Account

At Critical Insight, we tell customers that no matter how hard you work to prevent an attack, a determined criminal will break in. On October 11, 2022, a criminal compromised a CI employee’s O365 account. Due to rapid detection and response, the attacker did not gain access to regulated or sensitive data, nor were they able to compromise other parts of our network.

What Happened

As it starts for so many victims, one of our employees fell for a phishing attempt that was a falsified Microsoft email and clicked a link. The attacker both hijacked the employee’s sign-in session and redirected the employee to an actual Microsoft diagnostics page, tricking them into approving an MFA notice. A recent Microsoft blog detailed some of the attacker’s tactics.

Later that morning, the attacker’s malicious activity began. The attacker reviewed a number of emails in the employee’s account and downloaded two invoice attachments. They also previewed (but did not download) several other emails that included attachments, including a document that contained sales information for customers. The attacker then sent a doctored invoice to Critical Insight’s accounting department, which an employee immediately identified as fake. The criminal also set an auto-forwarding rule on the email account, which triggered a SOC alert and investigation, also identifying the activity as malicious.

Our Security and Operations team moved rapidly to terminate all existing sessions and connections for that user. The team reset all passwords and multi-factor authenticators.

The Security Operations team then made sure that the compromise was halted and did not recur. They ensured there was no active compromise by reviewing detailed log information. They reviewed all activity during the compromise, identifying access to files or data and discussing any resulting risks. The security team reviewed email records for any additional outbound messages with fake invoices; none were found. The criminal in this case appears to have been attempting to create a fraudulent email and invoice that was delivered to the Critical Insight accounting team, with the end goal of stealing money.

Telling Our Customers and Partners

The Critical Insight IR team escalated the incident to the management level, forming an Incident Response Team (IRT) using the procedures outlined in our Incident Response Plan. After assessing the situation, the IRT established that while the attacker’s activities appeared to be focused on the creation and delivery of the fake invoice to the Critical Insight accounting team, the access logs showed that the attacker briefly previewed, but did not download, an email with sales information and summary contract data. Due to this potential access to the sales data, the IRT established a communication plan to customers and partners, and detailed and transparent communications were delivered.

As we warn our customers, every organization should be suspicious of any incoming invoice, especially if it asks for a change of banking information. Business Email Compromise (BEC) is a scam in which an attacker takes over an account, then uses that account to scam others. It usually targets accounting departments and company managers.

This security incident is exactly why organizations need to do more than protect against an attack. They should be prepared for an attack, be enabled to detect an attack quickly, and be ready to respond rapidly.

The risk that every organization carries: As we tell our customers, preventive controls that include security training can lower the likelihood of an event. However, no amount of preventive controls will reduce the likelihood to zero. Such was the case here. Despite rigorous security training, the victim employee clicked a malicious link in a phishing email and was tricked into authenticating a second factor through their phone.

Here’s what worked: A second employee, who had been through the same training, spotted the fake invoice and reported it immediately. The victim employee took immediate action as soon as they knew something went wrong.

In parallel, the Security Operations Center investigated an alert of suspicious activity on the account, also identifying the incident.

The Security Team took immediate action. The attacker’s access was revoked and their actions contained to the events described above. The entire attack was limited to roughly two hours.

As part of our Incident Response Plan, our IRT will conduct a root cause analysis before we close this event and identify and execute corrective actions.

Summary

When preventive controls fail, detection and response serve to lower the impact of an incident. Indeed, security risk is measured as the product of the likelihood of an incident and the impact of the incident. In this case, the swift and effective response substantially reduced the incident’s resulting security risk.

While the Critical Insight team is not pleased this event occurred, we are pleased that our detection and response identified the event and responded quickly with minimal impacts.

Even as we train our clients to adopt the “not if, but when” approach to a full, robust security program, we apply the same thinking to our own programs, and we believe our team exercised their core duties expeditiously during this incident.