Gatehouse Cyber Blog
Gatehouse Case Study: 123Victim Co
Gatehouse Cyber in Action
Business Email Compromise refers to the class of cybercrime in which the compromise of an organization’s email accounts is used to commit financial fraud, often through the impersonation of organization employees. Gatehouse Cyber's analysis platform automated the analysis that guides this case study.


Note: this case study is derived from an actual investigation performed by Gatehouse Cyber. All identifying features and many non-identifying features have been anonymized, altered, or removed. (The client requested that we not list any of the IP addresses implicated in this incident. Rather than give the impression that uninvolved IP addresses are malicious, we have redacted the final portion of all IP addresses.)

Setting the Stage:

Following the discovery of a fraudulent wire transfer on August 30, 2023 and a series of malicious emails, 123Victimco contracted Gatehouse Cyber to investigate the incident. Specifically, Gatehouse was tasked to determine how the fraud was perpetrated, if there were any other attempted fraudulent wire requests, what data may have been accessed, and what steps need to be taken to recover.

Key Findings:

Gatehouse determined that:
  • The user sdavis@123Victimco[.]com was compromised after interacting with a phishing email sent on August 30, 2023. This employee worked in accounts payable and was deceived into making fraudulent payments. No other 123Victimco accounts were compromised.
  • The Threat Actor committed financial fraud on two occasions, based on fraudulent requests for legal settlement payments sent on August 30, 2023 and September 6, 2023.
  • The Threat Actor spoofed the sender address in malicious emails to deceive recipients into believing they originated from trusted sources.
  • The Threat Actor deleted emails and used Inbox Rules to hide from the legitimate user the emails that would have exposed the fraud.
  • 23 files and 15 emails were accessed by the Threat Actor within the 123Victimco Microsoft ecosystem. No mailbox syncing was identified.

Incident Timeline:

Timestamp (UTC)       Narrative
2023-08-30 15:34:46   sdavis@123Victimco[.]com received a phishing email with the subject "VoiceNote Transcription Message on August 30,2023".
2023-08-30 15:44:28   Login to sdavis@123Victimco[.]com from Japanese IP address 18.183.250.xxx (ISP: Amazon).
2023-08-30 15:48:15   Hard deletion of the phishing email with subject "VoiceNote Transcription Message on August 30,2023" from IP address 18.183.250.xxx.
2023-08-30 16:48:36   Email with subject "TS" sent by the Threat Actor from the sdavis account to the non-existent, fuzzed CFO address janderson@123Victimcos[.]com from Japanese IP address 2406:da14:585:4200:c089:fb5f:xxxx:xxxx.
2023-08-30 16:54:13   Email with subject "123Victimco Legal Settlement Fee" requesting a fraudulent wire transfer sent to sdavis@123Victimco[.]com from a spoofed 123Victimco CFO address. Sent from a high-risk Malaysian IP address associated with ISP "Gigabit Hosting Sdn Bhd".
2023-08-30 18:34:51   "Consent to Application" operation on the sdavis account for the OAuth app "ZoomInfo Login".
2023-08-30 19:04:27   Legitimate reply from sdavis@123Victimco[.]com to the fraudulent "123Victimco Legal Settlement Fee" email, seeking confirmation for the payment. Reply addressed to the non-existent mailbox janderson@123Victimcos[.]com.
2023-08-30 19:23:09   Threat Actor forwards the reply from sdavis@123Victimco[.]com to the Threat Actor-controlled address attacker@evil[.]com.
2023-08-30 19:46:02   Fraudulent follow-up from the Threat Actor conveying purported CFO and CEO approval of the payment, quoting the legitimate reply from sdavis@123Victimco[.]com.
2023-08-30            Fraudulent wire transfer made.
2023-08-31 16:58:45   Malicious Inbox Rule created on the sdavis@123Victimco[.]com account to hide the auto-generated "undeliverable" responses triggered by emails sent to the non-existent mailbox.
2023-09-06 15:13:11   sdavis@123Victimco[.]com receives a second fraudulent payment request; request and confirmation follow the same playbook as the first fraud.
2023-09-09            Second fraudulent wire transfer made.
2023-09-13 14:31:09   "Consent to Application" operation on the sdavis@123Victimco[.]com account for the OAuth app "Cronofy".
2023-09-13 14:31:39   Hard deletion of the email "Cronofy Calendar Check" by sdavis@123Victimco[.]com from Amazon.com IP address 3.93.102.xxx with a Cronofy user agent.

Investigation Details:

Point of Entry:

Initially, Gatehouse identified suspicious phishing emails sent to sdavis@123Victimco[.]com and to other 123Victimco employees over the months leading up to the incident. These emails tended to have subject lines similar to "Voicemail Message Received on [Date]", were sent from Japan, Malaysia, or elsewhere in Southeast Asia, and employed email spoofing: forging the visible sender address of an email to deceive the recipient. The spoofed sender addresses ran the gamut: addresses that did not exist but looked legitimate, such as "voicemail@123victimco[.]com"; addresses of the organization's leadership, including the CEO and CFO; and the bizarre, such as addresses filled with random characters, or emails whose visible sender address was the recipient's own.
The implication, and what our automated analysis indicated, was that nearly every employee in a sensitive role at the company had received these emails, any of whom could have been compromised at any point over the preceding 3-6 months.
In its review of the Microsoft logs and emails, Gatehouse determined that only a single user was compromised, sdavis@123victimco[.]com, and that this user was almost certainly compromised by an email received on August 30, 2023. The email had the subject line "VoiceNote Transcription Message on August 30,2023", was spoofed to appear as though sdavis@123Victimco[.]com had sent it to themselves, and was received at 15:34:46 (all timestamps in this case study are UTC).
Gatehouse attributed the compromise to this phish primarily because of its timing and the malicious actions that followed shortly after. At 15:44:28, ten minutes after the email arrived, Gatehouse detected the first malicious logon, from a known-malicious, anonymized Japanese IP address, 18.185.250.xxx. Four minutes after the logon, at 15:48:15, the phishing email was Hard Deleted (i.e., deleted in a way that bypasses the Deleted Items folder so the user cannot restore it) from another anonymized malicious Japanese IP address. This was the earliest malicious activity identified; no other phishing emails were hard deleted, and the Threat Actor interacted with no other phishing emails.
Although this email itself was not recoverable, we can examine some of the tactics employed by the Threat Actor related to spoofing by reviewing the headers of a similar phishing email received on August 28.
The relevant fields are From, Reply-To, and X-Authenticated-Sender. The From header supplies the sender address that a client such as Outlook displays when the recipient opens the message; because the sender composes this header, it can be set to any address, regardless of the account that actually submitted the email. X-Authenticated-Sender is a non-standard header that some sending mail servers add to record the account that authenticated to send the message, so it can reveal the true sender. Reply-To is the address a reply is addressed to by default, and it is likewise under the sender's control. On this email the From address is sdavis@123victimco[.]com, the Reply-To address is sdavis@123victimcos[.]com (a non-existent mailbox on a lookalike domain, and a harbinger of things to come), and X-Authenticated-Sender reveals the address actually used to send the email. Where X-Authenticated-Sender is absent, the Authentication-Results header written by the receiving server (the SPF, DKIM, and DMARC verdicts) is the standard place to check whether the From domain was actually authorized to send the message.
[Figure: Excerpt of the email headers from a phishing email sent to sdavis@123Victimco[.]com, showing spoofing in the From and Reply-To fields]
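The header checks described above, as an added example written for this case study rather than code from Gatehouse or its platform. It parses a constructed message modelled on the August 28 phish (the legitimate domain, the authenticated-sender address and the "hostname: address" layout of X-Authenticated-Sender are assumptions) and reports the three spoofing tells: a From domain that differs from the authenticated sender, a Reply-To on a lookalike domain one edit away from the real one, and a From address equal to the recipient.

```python
"""Flag sender-spoofing indicators in raw email headers.

Added example (not Gatehouse's tooling). The messages below are constructed
to mirror the header pattern described in the case study; the legitimate
domain and the authenticated-sender address are assumptions.
"""
import email
from email.utils import getaddresses

LEGIT_DOMAIN = "123victimco.com"  # assumed: the organisation's real domain

# Constructed headers modelled on the August 28 phish; not the real message.
SAMPLE_PHISH = """\
From: "Voicemail" <sdavis@123victimco.com>
To: sdavis@123victimco.com
Reply-To: sdavis@123victimcos.com
X-Authenticated-Sender: mail.example.net: web1@example.net
Subject: VoiceNote Transcription Message on August 28,2023
Date: Mon, 28 Aug 2023 10:12:00 +0000

You have a new voice note. Open the attachment to listen.
"""

# Constructed benign internal message, for contrast.
SAMPLE_BENIGN = """\
From: alice@123victimco.com
To: bob@123victimco.com
Subject: Lunch?

Noon works for me.
"""


def addr_domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def header_addresses(msg, name: str) -> list[str]:
    """Bare addresses from every instance of a header (display names stripped)."""
    return [a for _, a in getaddresses(msg.get_all(name, []))]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character 'fuzzed' domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spoof_indicators(raw: str, legit_domain: str = LEGIT_DOMAIN) -> list[str]:
    """Return findings for the From / Reply-To / X-Authenticated-Sender triad."""
    msg = email.message_from_string(raw)
    froms = header_addresses(msg, "From")
    tos = header_addresses(msg, "To")
    from_dom = addr_domain(froms[0]) if froms else ""
    findings = []

    # 1. The visible From claims one domain, but the account that actually
    #    authenticated to send the message belongs to another.
    auth = msg.get("X-Authenticated-Sender", "")
    if auth:
        auth_addr = auth.split()[-1]  # some MTAs prefix a hostname; last token is the address (assumed layout)
        if addr_domain(auth_addr) != from_dom:
            findings.append(f"From domain {from_dom} differs from authenticated sender {auth_addr}")

    # 2. Replies are redirected to another domain, and that domain is a
    #    near-miss of the real one (123victimcos.com vs 123victimco.com).
    for rt in header_addresses(msg, "Reply-To"):
        rt_dom = addr_domain(rt)
        if rt_dom != from_dom:
            findings.append(f"Reply-To {rt} points away from From domain {from_dom}")
        if rt_dom != legit_domain and edit_distance(rt_dom, legit_domain) <= 2:
            findings.append(f"Reply-To domain {rt_dom} is a lookalike of {legit_domain}")

    # 3. Sender and recipient are the same mailbox: the self-addressed phish.
    if froms and froms[0].lower() in {t.lower() for t in tos}:
        findings.append(f"From address equals To address ({froms[0]})")
    return findings


if __name__ == "__main__":
    for finding in spoof_indicators(SAMPLE_PHISH):
        print("-", finding)
```

The lookalike test deliberately tolerates up to two edits so that both an appended character (123victimcos) and a swapped one are caught; on a real mail gateway the same comparison should also be run against the Return-Path and against any domain in Authentication-Results, since X-Authenticated-Sender is only present when the sending server chooses to add it.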

Fraud:

About one hour after initial access, the Threat Actor sent an email from the sdavis@123Victimco[.]com mailbox with the subject line "TS" to janderson@123Victimcos[.]com, an address resembling that of the 123Victimco CFO with the domain fuzzed from 123Victimco to 123Victimcos. The purpose of this email is uncertain, but it was likely a test of what happens when a non-existent mailbox is emailed (Microsoft auto-generated an undeliverable response). Once it was clear that the bounce drew no reaction, the Threat Actor used this fuzzed domain heavily when committing the fraud.
At 16:54:13 (80 minutes after the phishing email was sent), sdavis@123Victimco[.]com received the first email identified by Gatehouse as related to the fraud. This email purported to be from the 123Victimco CFO requesting a payment. It spoofed the sender to appear as CFO janderson@123victimco[.]com and set the Reply-To field to the same fuzzed, non-existent address as the "TS" email, janderson@123Victimcos[.]com. The email was sent from a Malaysian IP address belonging to a high-risk hosting provider, an address with no prior activity of any kind from this or any other employee.
Replies from the legitimate sdavis@123Victimco[.]com seeking clarification and confirmation were unwittingly sent to this non-existent mailbox. The Threat Actor forwarded these replies from the compromised mailbox to attacker@evil[.]com and incorporated them into further fraudulent emails impersonating the CFO, giving the impression of a single uninterrupted conversation between sdavis@123Victimco[.]com and the CFO.
See a depiction of the correspondence involved in the fraud below:
[Figure: Fraud flow chart. Chain of correspondence leading to the fraud; steps 2, 3, and 4 repeated several times]

Persistence & Evasion:

The Threat Actor also took steps to hide evidence of the fraud from sdavis@123Victimco[.]com. Replies from sdavis@123Victimco[.]com to the non-existent mailbox caused Microsoft to send undeliverable "bounceback" notification emails, which could have revealed to sdavis@123Victimco[.]com that they had been replying to a non-existent account.
The Threat Actor initially hard deleted these bounceback emails from the sdavis@123Victimco[.]com mailbox, then at 2023-08-31 16:58:45 created an Inbox Rule that hid them automatically by marking them as read and moving them to the Conversation History folder. Inbox Rules like this one, which shunt messages from the Inbox into an obscure folder and mark them read, are extremely common in Business Email Compromise incidents as a means of hiding fraudulent communications from the legitimate user.
[Figure: Inbox Rule created by the Threat Actor to hide undeliverable bounceback emails]
[Figure: Subset of emails affected by the Inbox Rule]
To ensure ongoing access, the Threat Actor also consented to two OAuth apps on the sdavis@123Victimco[.]com account. In this technique the Threat Actor, signed in as the victim, grants a third-party (often legitimate) application delegated access to the compromised account's mailbox or calendar; the application then holds its own tokens, so the Threat Actor can keep reaching the account's data through it with limited oversight and without the interactive sign-ins that would otherwise stand out in the logs. At 2023-08-30 18:34:51, the sdavis account performed a "Consent to Application" operation for the app "ZoomInfo Login." At 2023-09-13 14:31:09, the Threat Actor performed a "Consent to Application" for the OAuth app "Cronofy."
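The three persistence and evasion indicators in this section (hard deletes from an outside IP, a mail-hiding Inbox Rule, and an OAuth consent grant) are the kind of thing a responder pulls out of the Microsoft 365 Unified Audit Log. The triage below is an added example written for this case study, not Gatehouse's platform. The records are constructed JSON lines shaped like the AuditData returned by Search-UnifiedAuditLog and trimmed to the fields used; the corporate IP range, the record IPs, the exact "Consent to application." operation name and the AppName field are assumptions.

```python
"""Triage Microsoft 365 Unified Audit Log records for the BEC persistence and
evasion pattern described above: mail-hiding inbox rules, hard deletes from
outside the corporate network, and OAuth consent grants.

Added example (not Gatehouse's platform). Each record is a constructed JSON
line shaped like the AuditData of Search-UnifiedAuditLog output, trimmed to
the fields used here; IP ranges, operation names and AppName are assumptions.
"""
import json

CORPORATE_PREFIXES = ("203.0.113.",)   # assumed corporate egress range (documentation IPs)
HIDE_PARAMS = {"MoveToFolder", "DeleteMessage", "MarkAsRead", "ForwardTo", "RedirectTo"}
SUSPICIOUS_WORDS = ("undeliverable", "delivery", "invoice", "payment", "wire", "settlement")

# Constructed log lines modelled on the incident timeline; IPs are documentation ranges.
SAMPLE_LOG = [
    '{"CreationTime":"2023-08-30T15:44:28","Operation":"UserLoggedIn","UserId":"sdavis@123victimco.com","ClientIP":"198.51.100.7"}',
    '{"CreationTime":"2023-08-30T15:48:15","Operation":"HardDelete","UserId":"sdavis@123victimco.com","ClientIP":"198.51.100.7",'
    '"AffectedItems":[{"Subject":"VoiceNote Transcription Message on August 30,2023"}]}',
    '{"CreationTime":"2023-08-31T16:58:45","Operation":"New-InboxRule","UserId":"sdavis@123victimco.com","ClientIP":"198.51.100.9",'
    '"Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"Undeliverable"},'
    '{"Name":"MoveToFolder","Value":"Conversation History"},{"Name":"MarkAsRead","Value":"True"}]}',
    '{"CreationTime":"2023-09-13T14:31:09","Operation":"Consent to application.","UserId":"sdavis@123victimco.com","ClientIP":"198.51.100.9","AppName":"Cronofy"}',
    '{"CreationTime":"2023-09-01T09:02:11","Operation":"New-InboxRule","UserId":"bob@123victimco.com","ClientIP":"203.0.113.5",'
    '"Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@example.org"},{"Name":"MoveToFolder","Value":"Newsletters"}]}',
    '{"CreationTime":"2023-09-01T09:05:40","Operation":"HardDelete","UserId":"bob@123victimco.com","ClientIP":"203.0.113.5",'
    '"AffectedItems":[{"Subject":"Old draft"}]}',
]


def is_external(ip: str) -> bool:
    """True when the client IP is outside the assumed corporate ranges."""
    return not ip.startswith(CORPORATE_PREFIXES)


def rule_params(rec: dict) -> dict:
    """Flatten the Parameters array of an inbox-rule record into {Name: Value}."""
    return {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}


def triage(lines) -> list[dict]:
    """Return one finding per record that matches a persistence/evasion indicator."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        op, ip = rec["Operation"], rec.get("ClientIP", "")
        reason = None
        if op == "UserLoggedIn" and is_external(ip):
            reason = f"sign-in from non-corporate IP {ip}"
        elif op == "HardDelete" and is_external(ip):
            subjects = "; ".join(i.get("Subject", "?") for i in rec.get("AffectedItems", []))
            reason = f"hard delete from non-corporate IP {ip}: {subjects}"
        elif op in ("New-InboxRule", "Set-InboxRule"):
            params = rule_params(rec)
            hides = sorted(HIDE_PARAMS.intersection(params))
            text = " ".join(params.values()).lower()
            # A rule that hides mail is flagged only when it was created from outside
            # or targets the kind of message a fraudster needs to suppress; a rule
            # that files newsletters from the office network is left alone.
            if hides and (is_external(ip) or any(w in text for w in SUSPICIOUS_WORDS)):
                target = params.get("SubjectContainsWords") or params.get("From") or "*"
                reason = f"mail-hiding rule {hides} on {target!r}"
        elif op.startswith("Consent to application"):
            reason = f"OAuth consent granted to {rec.get('AppName', '?')}"
        if reason:
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"], "operation": op, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']}  {f['user']:<26} {f['operation']:<24} {f['reason']}")
```

In a real tenant the external-IP test is far too noisy on its own (remote workers sign in from everywhere), so it is best used as the anchor that the hard deletes and rule creations are correlated against, together with the ASN and country of the source address; the rule and consent checks stand on their own.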

Remediation:

When the investigation began, 123Victimco had already identified sdavis as compromised, reset that user's password, and begun resetting the passwords of all users in sensitive roles (leadership, finance, IT).
Gatehouse advised that the Inbox Rule created by the Threat Actor and both OAuth app consents also be removed from the sdavis account. A password reset alone does not remove an existing consent grant, so the grants had to be revoked explicitly.
Gatehouse also determined that email spoofing was the most significant vulnerability contributing to this incident and that it posed a meaningful risk going forward. A review of the 123Victimco email tenant revealed that spoofing was possible because of a misconfiguration in 123Victimco's Microsoft 365 security settings.
123Victimco had configured an overly permissive approach to marking emails as "safe", so throughout the incident incoming malicious emails had not been subject to Microsoft's spam filtering. (A common form of this mistake is adding the organization's own domain to an allowed-senders list, which exempts messages that spoof internal addresses from filtering.) 123Victimco was able to remediate the misconfiguration to prevent additional spoofing attacks; publishing SPF and DKIM and enforcing DMARC for the domain is the complementary control against the From-address spoofing seen here.
Experiencing an Active Incident?
Want to be prepared before an incident can occur?
See what Gatehouse can do for you: hello@gatehousecyber.com
Contact

+1 (240) 994-0568
2024 Gatehouse Cyber LLC. All rights reserved.