Phishing Incident Report: Facts and Timeline  – ANY.RUN’s Cybersecurity Blog

ANY.RUN documents a phishing incident in which an internal employee’s account was compromised and then used in a post-breach business email compromise (BEC), leading to mailbox access and data exfiltration attempts. The post gives a detailed timeline, the response actions taken, and Indicators of Compromise. It outlines how MFA manipulation enabled persistence, how the PerfectData software was used to access mailbox contents, and the ongoing efforts to bolster security. #ANYRUN #AiTMPhishing #PerfectData #OutlookRules #BEC #MFA

Key points

    • The incident involved phishing that compromised an employee account and enabled a post-breach BEC campaign.
    • An AiTM phishing campaign and a compromised client email led to initial access between May 23 and May 27, 2024.
    • The attacker gained persistence by adding their own device to the MFA service for the account.
    • The attacker installed PerfectData Software to steal mailbox contents.
    • A phishing email was later sent to the entire contact list, leveraging the stolen credentials and the compromised account.
    • Indicators of compromise include multiple IP addresses and several malicious URLs used to access the account.
    • The organization revoked access quickly, implemented containment, and began eradication steps (including Outlook Rules and MFA controls) to prevent recurrence.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – The initial compromise happened through an AiTM phishing and BEC campaign. Quote: ‘The initial compromise happened through an AiTM phishing and BEC campaign.’
  • [T1098.005] Adversary Controlled MFA Devices – The attacker was able to add their own mobile device to the MFA service for the compromised account, allowing them to maintain access. Quote: ‘The attacker was able to add their own mobile device to the MFA service for the compromised account, allowing them to maintain access.’
  • [T1078] Valid Accounts – The threat actor gained access to the employee’s account for the first time. Quote: ‘At this point, the threat actor gained access to the employee’s account for the first time.’
  • [T1137.005] Office 365: Outlook Rules – Outlook Rules were used as a persistence mechanism. Quote: ‘Outlook Rules (T1137.005)’
  • [T1567.002] Exfiltration to Cloud Storage – The PerfectData Software application was installed and used to steal the contents of the compromised email account. Quote: ‘The attacker installed the PerfectData Software application (Azure App ID: ff8d92dc-3d82-41d6-bcbd-b9174d163620) and used it to steal the contents of the compromised email account.’

Indicators of Compromise

  • [IP Address] 45.61[.]169[.]4 — initial access from Sheridan, Wyoming, US (early activity)
  • [IP Address] 40.83[.]133[.]199 — US-based access
  • [IP Address] 172.210[.]145[.]129 — Virginia, US
  • [IP Address] 162.244[.]210[.]90 — Dallas, TX (main VPS)
  • [IP Address] 52.162[.]121[.]170 — Chicago, IL
  • [IP Address] 68.154[.]52[.]201 — Virginia, US
  • [IP Address] 140.228[.]29[.]111 — Ohio, US
  • [IP Address] 52.170[.]144[.]110 — Virginia, US
  • [URL] https://www.dropbox[.]com/scl/fi/vimfxi3mq0fch1u232uvp/Here-is-your-incoming-voice-mail-information_.paper?rlkey=69qgqvpkxn3mdvydkr8cgcd83&dl=0
  • [URL] https://batimnmlp[.]click/m/?cmFuZDE9Yldwa2IyRmFZa3dDVWc9PSZzdj1vMzY1XzNfbm9tJnJhbmQyPVJsQjJXbWRPZFZsTE1BPT0mdWlkPVVTRVIyMDA1MjAyNFVOSVFVRTA2MjQwNTIwMjQyMDI0MjAyNDA1MjAyNDA2MjQmcmFuZDM9UlRGWGFUSlNkVFJ0ZWc9PQ==N0123N[EMail]
  • [URL] https://www.reytorogroup[.]com/r/?cmFuZDE9YXpkcVJIbHpZa0kwVVE9PSZzdj1vMzY1XzNfbm9tJnJhbmQyPVVIb3libFEyWjA5NFNBPT0mdWlkPVVTRVIyMDA1MjAyNFVOSVFVRTA2MjQwNTIwMjQyMDI0MjAyNDA1MjAyNDA2MjQmcmFuZDM9VEdscFdFSTNVVzlzZFE9PQ==N0123N%5bEMail%5d
  • [URL] https://threemanshop[.]com/jsnom.js
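The list above is defanged (`[.]`) so that it cannot be clicked by accident, which also means it cannot be fed to a log search as-is. The script below is an added example, not code from ANY.RUN or from the original report: it refangs the published IP and URL indicators (and the PerfectData Azure App ID quoted in the MITRE section), then sweeps a handful of constructed sign-in, consent and web-proxy events for hits. The event dictionaries and their field names (`ip`, `app_id`, `url`) are an assumed, simplified schema for illustration, not the layout of any real Microsoft 365 or proxy log. URL indicators are matched on host plus exact path and the query string is ignored, because the per-victim tokens in the redirector URLs differ from one recipient to the next.

```python
"""Refang the report's IoCs and match them against constructed log events."""
import ipaddress
from urllib.parse import urlparse

# Indicators copied from the report above, still defanged.
IOC_IPS = [
    "45.61[.]169[.]4", "40.83[.]133[.]199", "172.210[.]145[.]129",
    "162.244[.]210[.]90", "52.162[.]121[.]170", "68.154[.]52[.]201",
    "140.228[.]29[.]111", "52.170[.]144[.]110",
]
IOC_URLS = [
    "https://www.dropbox[.]com/scl/fi/vimfxi3mq0fch1u232uvp/Here-is-your-incoming-voice-mail-information_.paper?rlkey=69qgqvpkxn3mdvydkr8cgcd83&dl=0",
    "https://batimnmlp[.]click/m/?cmFuZDE9Yldwa2IyRmFZa3dDVWc9PSZzdj1vMzY1XzNfbm9tJnJhbmQyPVJsQjJXbWRPZFZsTE1BPT0mdWlkPVVTRVIyMDA1MjAyNFVOSVFVRTA2MjQwNTIwMjQyMDI0MjAyNDA1MjAyNDA2MjQmcmFuZDM9UlRGWGFUSlNkVFJ0ZWc9PQ==N0123N[EMail]",
    "https://www.reytorogroup[.]com/r/?cmFuZDE9YXpkcVJIbHpZa0kwVVE9PSZzdj1vMzY1XzNfbm9tJnJhbmQyPVVIb3libFEyWjA5NFNBPT0mdWlkPVVTRVIyMDA1MjAyNFVOSVFVRTA2MjQwNTIwMjQyMDI0MjAyNDA1MjAyNDA2MjQmcmFuZDM9VEdscFdFSTNVVzlzZFE9PQ==N0123N%5bEMail%5d",
    "https://threemanshop[.]com/jsnom.js",
]
# Azure App ID of PerfectData Software as quoted in the report's MITRE section.
PERFECTDATA_APP_ID = "ff8d92dc-3d82-41d6-bcbd-b9174d163620"

# Constructed events in an assumed, simplified schema (not a real log format).
SAMPLE_EVENTS = [
    {"id": 1, "type": "SignIn", "user": "employee@example.com", "ip": "162.244.210.90"},
    {"id": 2, "type": "SignIn", "user": "employee@example.com", "ip": "203.0.113.7"},
    {"id": 3, "type": "ConsentToApplication", "user": "employee@example.com",
     "app_id": "FF8D92DC-3D82-41D6-BCBD-B9174D163620"},
    {"id": 4, "type": "WebProxy", "url": "https://batimnmlp.click/m/?cmFuZDE9QUJD"},
    {"id": 5, "type": "WebProxy", "url": "https://www.dropbox.com/home"},
    {"id": 6, "type": "WebProxy", "url": "https://www.dropbox.com/scl/fi/vimfxi3mq0fch1u232uvp/"
             "Here-is-your-incoming-voice-mail-information_.paper?rlkey=69qgqvpkxn3mdvydkr8cgcd83&dl=0"},
]


def refang(text):
    """Undo the common defanging conventions so the value can be parsed."""
    return text.replace("[.]", ".").replace("hxxp://", "http://").replace("hxxps://", "https://")


def ioc_ip_set():
    """Parse the IP indicators; ipaddress rejects anything that is not a valid address."""
    return {ipaddress.ip_address(refang(ip)) for ip in IOC_IPS}


def url_matches(ioc_url, event_url):
    """Host and path must match exactly; the query string (per-victim token) is ignored."""
    ioc, seen = urlparse(refang(ioc_url)), urlparse(event_url)
    if not ioc.hostname or ioc.hostname.lower() != (seen.hostname or "").lower():
        return False
    return (ioc.path or "/") == (seen.path or "/")


def match_events(events, app_id=PERFECTDATA_APP_ID):
    """Return (event id, reason) pairs for every event that touches an indicator."""
    ips = ioc_ip_set()
    hits = []
    for ev in events:
        if "ip" in ev:
            try:
                addr = ipaddress.ip_address(ev["ip"])
            except ValueError:
                addr = None
            if addr in ips:
                hits.append((ev["id"], f"sign-in from IoC address {ev['ip']}"))
        if ev.get("app_id", "").lower() == app_id.lower():
            hits.append((ev["id"], "consent to PerfectData Software app id"))
        if "url" in ev:
            for ioc_url in IOC_URLS:
                if url_matches(ioc_url, ev["url"]):
                    host = urlparse(refang(ioc_url)).hostname
                    hits.append((ev["id"], f"request to IoC URL on {host}"))
                    break
    return hits


if __name__ == "__main__":
    for event_id, reason in match_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Run stand-alone it flags events 1, 3, 4 and 6 and leaves the benign sign-in and the unrelated Dropbox page alone. Comparing the App ID case-insensitively matters because different log sources emit the GUID in different cases; comparing paths exactly rather than by host keeps a shared service such as Dropbox from generating a hit on every user's normal traffic.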

Read more: https://any.run/cybersecurity-blog/phishing-incident-report/