Full Report
Recently, Varonis investigated a phishing campaign in which a malicious email enabled a threat actor to access the organization. This blog post will reveal the tactics used to avoid detection and share what was discovered during the investigation. [...]
Analysis Summary
# Incident Report: Sophisticated AI-Assisted Phishing Leading to M365 Credential Theft
## Executive Summary
A U.K.-based insurance customer was targeted by a sophisticated, AI-enhanced phishing campaign originating from the compromised email account of a known CEO at a shipping company. The attack used a malicious link pointing to an AWS-hosted document, which led victims to a fake Microsoft login page that harvested their credentials. The immediate response contained the breach by disabling the compromised account and resetting credentials within 30 minutes, limiting the damage actually done primarily to the creation of an email deletion rule.
## Incident Details
- Discovery Date: After the customer was alerted to the attack (specific date not stated)
- Incident Date: When phishing emails were sent (specific date not stated)
- Affected Organization: A U.K.-based insurance customer
- Sector: Insurance
- Geography: United Kingdom (victim location), United States (source IP of rule creation)
## Timeline of Events
### Initial Access
- Date/Time: Not specified, but shortly before rule creation.
- Vector: Spear-phishing email titled “ML Payment #05323” sent to 26 recipients.
- Details: The email appeared to be from a trusted sender (CEO of a major international shipping company, likely compromised). It contained a link to a malicious PDF hosted on an AWS server, masquerading as a OneDrive share notification.
### Lateral Movement
- Details: Once credentials had been entered on the fake login page (`login.siffinance[.]com`), the attacker successfully logged in from a U.S. IP address (138.199.52[.]3) two minutes later. This sign-in, flagged as "impossible travel," confirmed the unauthorized access.
### Data Exfiltration/Impact
- Impact: The primary successful action by the attacker was the creation of a mailbox deletion rule (named "a") from a U.S. IP address. The rule was designed to permanently delete emails containing the compromised sender's domain name in order to cover the attacker's tracks. The investigation suggests the attacker may have replied to the victim's email, but the content of that reply remains unknown.
### Detection & Response
- Detection: The customer was alerted to the attack, prompting the Varonis MDDR team to investigate. The impossible-travel login event served as the confirmation trigger.
- Response Actions: Within 30 minutes of detection, the customer's security team disabled the compromised account, ended the active session, and reset the user’s credentials.
## Attack Methodology
- Initial Access: Sophisticated, high-quality phishing email leveraging a trusted sender (CEO impersonation) and linking to an AWS-hosted PDF document. The link embedded the phrase "atoantibot."
- Persistence: Not explicitly stated if persistence was maintained beyond the initial session, but the deletion rule was created immediately upon access.
- Privilege Escalation: Not explicitly stated, but credential theft via the fake login page achieved the required access level.
- Defense Evasion: Leveraging legitimate cloud platforms (AWS for PDF hosting, Render for part of the attack site) to blend malicious activity. The deletion rule was designed to erase forensic artifacts related to the sender's domain.
- Credential Access: Harvesting credentials via a convincing, fake Microsoft authentication page hosted at `login.siffinance[.]com`.
- Discovery: The investigation mapped recipients and communications related to the attacker’s domain.
- Lateral Movement: Successful authentication using stolen credentials from an unexpected geographic location (U.S. IP logging into a U.K. account).
- Collection: Identified data targeted by the deletion rule (emails related to the attacker's domain).
- Exfiltration: Not explicitly detailed, but the intent was likely data exfiltration given the credential compromise.
- Impact: Creation of forensic-erasing email deletion rule.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Credentials for one M365 account were compromised. Emails containing a specific keyword (related to the sender's domain) were at risk of permanent deletion.
- Operational: Minimal operational impact reported, as the account was disabled by security teams within 30 minutes, limiting attacker actions to rule creation.
- Reputational: Potential reputational risk due to the use of a known CEO's compromised identity in the initial lure.
## Indicators of Compromise
- **Network Indicators (Defanged):**
  - 138.199.52[.]3 (Source IP of successful login)
  - siffinance[.]com
  - login.siffinance[.]com
  - www.siffinance[.]com
  - ywnjb.siffinance[.]com
  - atoantibot.onrender[.]com (Used for part of the attack infrastructure)
- **File Indicators:**
  - file365-cloud.s3.eu-west-2.amazonaws[.]com (Host for the malicious PDF)
- **Behavioral Indicators:**
  - Creation of the email deletion rule "a" from an external (U.S.) IP address.
  - "Impossible travel" detection (login from the U.S. shortly after victim activity in the U.K.).
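The two behavioral indicators above can be checked directly against sign-in and mailbox audit events. The following is an added example, not code from Varonis or from the report; it runs over constructed, simplified M365-audit-style records (the IPs, timestamps, user and domain are placeholders, and the flat `params` dict stands in for the real audit log's Parameters array).

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on the incident narrative (not real log data):
# a U.K. sign-in, a U.S. sign-in two minutes later, then a delete rule named "a"
# created from the U.S. address that matches mail mentioning the sender's domain.
EVENTS = [
    {"ts": "2024-01-01T09:00:00", "op": "UserLoggedIn", "user": "victim@example.co.uk",
     "ip": "203.0.113.10", "country": "GB"},
    {"ts": "2024-01-01T09:02:00", "op": "UserLoggedIn", "user": "victim@example.co.uk",
     "ip": "198.51.100.7", "country": "US"},
    {"ts": "2024-01-01T09:03:00", "op": "New-InboxRule", "user": "victim@example.co.uk",
     "ip": "198.51.100.7", "country": "US",
     "params": {"Name": "a", "DeleteMessage": "True",
                "BodyContainsWords": "shipping-sender.example"}},
]

def impossible_travel(events, window_minutes=60):
    """Return (earlier_ip, later_ip, minutes_apart) for consecutive sign-ins by the
    same user from different countries that fall within `window_minutes`."""
    hits = []
    logins = sorted((e for e in events if e["op"] == "UserLoggedIn"), key=lambda e: e["ts"])
    for prev, cur in zip(logins, logins[1:]):
        if prev["user"] != cur["user"] or prev["country"] == cur["country"]:
            continue
        gap = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
        if gap <= timedelta(minutes=window_minutes):
            hits.append((prev["ip"], cur["ip"], int(gap.total_seconds() // 60)))
    return hits

def suspicious_delete_rules(events, home_country="GB"):
    """Return inbox-rule creations/changes that delete messages and were made
    from outside the organisation's home country, with the keyword they match."""
    hits = []
    for e in events:
        if e["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = e.get("params", {})
        deletes = p.get("DeleteMessage") == "True"
        keyword = (p.get("BodyContainsWords") or p.get("SubjectContainsWords")
                   or p.get("FromAddressContainsWords"))
        if deletes and e["country"] != home_country:
            hits.append({"rule": p.get("Name"), "ip": e["ip"], "keyword": keyword})
    return hits
```

Both checks are intentionally simple; in production the sign-in check should key on the tenant's own geolocation source and the rule check should also cover MoveToFolder-to-Deleted-Items variants.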
## Response Actions
- **Containment Measures:** The compromised user account was immediately disabled, and the active session was terminated.
- **Eradication Steps:** User credentials were reset.
- **Recovery Actions:** Comprehensive mapping of all recipients, responders, and communications related to the threat actor's domain was performed to identify the full scope of email exposure.
## Lessons Learned
- The quality of phishing attacks has significantly improved, often powered by AI, making traditional detection methods based on subtle errors obsolete.
- Attackers are effectively leveraging legitimate, trusted platforms (AWS, Render) to host malicious components, making blocking difficult.
- The tactic of using a known, seemingly trusted sender (CEO impersonation) dramatically increases user susceptibility.
- Creating immediately destructive rules (like email deletion rules) is a primary post-compromise step for covering tracks.
## Recommendations
- **User Security Awareness:**
  - Educate users to open shared documents/messages directly via the primary platform (e.g., the SharePoint/OneDrive interface) rather than clicking email links.
  - Enforce rigorous link verification, ensuring URLs logically match the email context.
  - Mandate strict verification of authentication page URLs before entering credentials.
- **Technical Measures:**
  - Implement Multifactor Authentication (MFA) for all users.
  - Enforce a robust password policy (complexity and required changes).
  - Adopt advanced email security solutions capable of detecting threats hosted on legitimate cloud services.
  - Implement default warnings for all external emails.
  - Establish an easy-to-use mechanism for users to swiftly report suspicious emails.