Investigating initial access in compromised email accounts using Microsoft 365 Defender

Introduction

Fortra recently released a report indicating that business email compromise (BEC) attacks are at their zenith. Why not? As ENISA notes in its 2022 Threat Landscape Report, financially motivated threat actors find it far easier to perform a man-in-the-middle (MiTM) attack through an account takeover than to prepare and conduct sophisticated malware attacks and then go into extortion and negotiations.

Microsoft has been following BEC attacks and reported in its May 2023 Cyber Signals that it investigates 156,000 BEC attempts daily and took down 417,678 throughout May 2022 to April 2023.

Having said that, it is crucial to understand the importance of being able to detect and respond to these kinds of attacks. A good overview of incident response for BEC attacks can be found here, by PwC.

In this blog post, we will discuss how someone can investigate initial access, given that a mailbox has been compromised through a phishing attack. Some good reads to help understand detections, incident response and mitigations:

Detection opportunities

Microsoft 365 Defender and Microsoft Defender for Office 365 expose, through Advanced Hunting, several tables that can help detect initial access, especially for phishing emails. Four queries follow to help investigate this attack path.

Review recent attachments

The following query lists all emails received within the specified Timeframe that were not blocked and carry an attachment. It gives analysts an overview of the recently received attachments that might raise suspicion.

let CompromizedEmailAddress = ""; // Insert the email address of the compromised mailbox
let Timeframe = 2d; // Choose the best timeframe for your investigation
let EmailInformation = EmailEvents
    | where RecipientEmailAddress == CompromizedEmailAddress
    | where Timestamp > ago(Timeframe)
    | where DeliveryAction != "Blocked"
    | where AttachmentCount > 0 // AttachmentCount is an integer column; compare numerically, not to the string "0"
    | project Timestamp, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderDisplayName, ThreatNames;
EmailInformation
    | join (EmailAttachmentInfo
        | where Timestamp > ago(Timeframe) // scope the right side of the join to the same window
        | project NetworkMessageId, FileName, FileType, FileSize
    ) on NetworkMessageId
    | sort by Timestamp desc

Review recent UrlClickEvents

The following query identifies emails containing URLs where the user clicked one of them and the click was not blocked.

let CompromizedEmailAddress = ""; // Insert the email address of the compromised mailbox
let Timeframe = 2d; // Choose the best timeframe for your investigation
let EmailInformation = EmailEvents
    | where RecipientEmailAddress == CompromizedEmailAddress
    | where Timestamp > ago(Timeframe)
    | where UrlCount > 0 // UrlCount is an integer column; compare numerically, not to the string "0"
    | project Timestamp, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderDisplayName, ThreatNames;
EmailInformation
    | join (UrlClickEvents
        | where Timestamp > ago(Timeframe) // scope the right side of the join to the same window
        | where ActionType != "ClickBlocked"
        | where Workload == "Email"
        | project ClickTime = Timestamp, Url, IPAddress, NetworkMessageId // renamed so it does not collide with the email Timestamp
    ) on NetworkMessageId
    | sort by ClickTime desc // most recent click first

Suspicious email detected after delivery

The following query lists emails that were identified as suspicious after delivery, i.e. messages for which a post-delivery action (such as zero-hour auto purge or an analyst remediation) was recorded together with a threat type.

let CompromizedEmailAddress = ""; // Insert the email address of the compromised mailbox
let Timeframe = 2d; // Choose the best timeframe for your investigation
let EmailInformation = EmailEvents
    | where RecipientEmailAddress == CompromizedEmailAddress
    | where Timestamp > ago(Timeframe) // Timeframe was declared but not applied; without it the query scans the full retention window
    | where DeliveryAction != "Blocked"
    | project Timestamp, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderDisplayName, ThreatNames;
EmailInformation
    | join (EmailPostDeliveryEvents
        | where Timestamp > ago(Timeframe)
        | where isnotempty(ThreatTypes) // only post-delivery events that carry a verdict
        | project ActionTime = Timestamp, NetworkMessageId, Action, ActionType, ActionTrigger, ActionResult, DeliveryLocation, ThreatTypes, DetectionMethods
    ) on NetworkMessageId
    | sort by ActionTime desc // most recent post-delivery action first

Suspicious subject keywords

Having gone through the PwC BEC incident response playbook, there is a set of keywords that may appear in an email's subject and that could be correlated with phishing emails. This query will most probably return a lot of false positives; however, it may return results significant enough to go through.

let CompromizedEmailAddress = ""; // Insert the email address of the compromised email address
let Timeframe = 2d; // Choose the best timeframe for your investigation
let SuspiciousKeywords = dynamic([ // as provided by PwC BEC Playbook
    @"Request",
    @"Reconfirm Password",
    @"Account Alert",
    @"Confirmation",
    @"Account Reset",
    @"Payments",
    @"Reminder",
    @"Confidential",
    @"You Recieved",
    @"Voice Messages",
    @"Hello",
    @"Voicemail from",
    @"Immediate Response",
    @"Voic(e)Message",
    @"Urgent",
    @"VM from",
    @"Action Required",
    @"Audio Message",
    @"Account Suspended",
    @"Voice Recording Available",
    @"Password Reset",
    @"Received Fax Document",
    @"Sign-in attempt",
    @"Bill Invoice"]);
EmailEvents 
| where RecipientEmailAddress == CompromizedEmailAddress
| where Timestamp > ago(Timeframe)
| where Subject has_any (SuspiciousKeywords)
| where DeliveryAction == "Delivered"
| project Timestamp, SenderMailFromAddress, SenderFromAddress, SenderDisplayName, SenderMailFromDomain, SenderFromDomain, SenderIPv4, AttachmentCount, UrlCount, LatestDeliveryAction
| sort by Timestamp desc 
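The four queries above each look at one signal in isolation. The following query is an added example, not part of the original post: it unions the three signal sources (attachments, allowed URL clicks and post-delivery verdicts) for the same mailbox and ranks every delivered message by how many distinct signals it triggered, so a message that carried an attachment, was clicked and was later flagged after delivery surfaces first. It reuses the variable names of the queries above; column names are those of the Advanced Hunting schema, and the Signal/Detail labels are ones I chose for this example.

```kql
let CompromizedEmailAddress = "";   // compromised mailbox, same convention as the queries above
let Timeframe = 2d;
// Delivered (not blocked) mail for the mailbox within the window
let Mail = EmailEvents
    | where Timestamp > ago(Timeframe)
    | where RecipientEmailAddress == CompromizedEmailAddress
    | where DeliveryAction != "Blocked"
    | project EmailTime = Timestamp, NetworkMessageId, SenderFromAddress, Subject;
// Signal 1: the message carried an attachment
let Attachments = Mail
    | join kind=inner (EmailAttachmentInfo
        | where Timestamp > ago(Timeframe)
        | project NetworkMessageId, FileName, FileType) on NetworkMessageId
    | extend Signal = "Attachment", EventTime = EmailTime,
             Detail = strcat(FileName, " (", FileType, ")");
// Signal 2: the user clicked a URL from the message and the click was not blocked
let Clicks = Mail
    | join kind=inner (UrlClickEvents
        | where Timestamp > ago(Timeframe)
        | where Workload == "Email" and ActionType != "ClickBlocked"
        | project NetworkMessageId, ClickTime = Timestamp, Url, IPAddress) on NetworkMessageId
    | extend Signal = "UrlClick", EventTime = ClickTime,
             Detail = strcat(Url, " clicked from ", IPAddress);
// Signal 3: the message was re-evaluated after delivery and a threat type was recorded
let PostDelivery = Mail
    | join kind=inner (EmailPostDeliveryEvents
        | where Timestamp > ago(Timeframe)
        | where isnotempty(ThreatTypes)
        | project NetworkMessageId, ActionTime = Timestamp, Action, ThreatTypes) on NetworkMessageId
    | extend Signal = "PostDelivery", EventTime = ActionTime,
             Detail = strcat(ThreatTypes, " -> ", Action);
// One row per message, ranked by the number of distinct signals it triggered
union Attachments, Clicks, PostDelivery
| summarize SignalCount = dcount(Signal),
            Signals = make_set(Signal),
            Details = make_set(Detail),
            FirstSeen = min(EventTime),
            LastSeen = max(EventTime)
    by NetworkMessageId, SenderFromAddress, Subject
| sort by SignalCount desc, LastSeen desc
```

Messages with SignalCount of 2 or 3 are the first candidates for the initial-access email; the Details set keeps the attachment names, clicked URLs and post-delivery verdicts together so the analyst does not have to pivot back to the individual queries.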

Summary

The queries above cover a significant part of the effort needed to investigate initial access in BEC attacks after an account has been compromised. That said, they focus mainly on phishing as the preliminary attack. Of course, as with all queries, they should be tested and fine-tuned for your environment to meet your needs and expectations.

You can check my GitHub for further KQL queries that might be of interest, and drop me a line on X if you have any comments.
