Cyber War Story: How A SOC Team Intercepted Email Fraud

Interested in a SOC Analyst career? Check out this real-life war story of email interception fraud!

Cyber War Story: How A SOC Team Intercepted Email Fraud

You might recognise Isaiah from our recent Day in the Life of a SOC Analyst when we sat down with him to uncover more of his day-to-day responsibilities working in a SOC team. This time, we interviewed Isaiah to hear some extraordinary war stories during his time in a previous Security Operations role.

Continue reading to discover a real-world example of email interception fraud and how a SOC team resolved the issue.

Intercepted emails

During his time working in a previous Security Operations role, Isaiah investigated and examined logs/events, identified false positives, fine-tuned them, and created reports.

On one occasion, their finance department forwarded a concern about an unusual exchange with a client.

Typically, the finance department would send invoices to clients, which would then be paid to their company's bank account. Often, these email chains were used to negotiate the transfer of vast sums of money (in seven-figure digits), so the finance employees were always vigilant for unusual occurrences.

This time, however, a client forwarded an email they had received to the finance department. Although the client was expecting to go through the usual process of receiving the invoice and arranging payment, there was something odd with this email.

The forwarded email showed a correctly billed invoice, with the email thread's history having everything expected in place. It had the same name as their point of contact from the finance department. However, along with the invoice was a message asking the client to "Please temporarily send payment to the following alternate bank account due to settlement issues with our regular bank account".

With a typographical error found in the email's domain portion, the client raised suspicions. This misspelt part in the sender's address was a telltale sign of a classic typo-squatting domain.

The finance department promptly responded to the client, informing them that while the invoice details were correct, their team did not send the email. This unusual event began occurring across multiple clients, prompting the finance department to escalate it to the SecOps team for investigation.

The SecOps team immediately analysed the chain of emails and discovered that the accounts of the finance employees involved in these email chains were not compromised. However, in all instances of this unusual event, where a client received an invoice, the name of the finance employee would remain the same, but the domain would be slightly different.

Although it was later discovered that a bad actor had intercepted these email chains, leading to clients receiving a spear phishing email with the attached invoice, none of the involved finance employees in these exchanges had their emails compromised.

"If the emails of our finance employees were not compromised, but they are being intercepted, could there be malware on their machines?" Isaiah continued to investigate, conducted threat hunting, and gathered logs of emails, although he could not locate malware.

Falling victim to a phishing campaign

Two weeks before these events, the organisation Isaiah worked for had encountered a DHL phishing campaign. Upon further investigation and log correlation activities, the web proxy logs showed that the Head of Finance submitted their credentials to a phishing site.

Isaiah then requested for the user's credentials to be reset and called for further investigations into their emails before noticing that some of the emails in the inbox of the Head of Finance matched the phishing emails received by their clients.

A mail forwarding rule was later found to be configured in the Head of Finance's email account, where all emails were configured to be forwarded to the bad actor's email address.

This confirmed that the Head of Finance's account had been compromised, and the emails containing the entire thread in the invoice received by the clients were intercepted by a bad actor.

After analysing logs from various data sources such as the mail server, web proxies and specifically, IIS logs for the Exchange server, correlating each event based on all available data such as connection details, User-Agent, IP addresses, hostnames, emails of the affected employees, while being mindful of the timezone and time frame of each event, Isaiah said: "I noticed a trend where IP addresses from a specific country kept showing up at the same time as each client received the emails.

“After reviewing each phishing email the clients received, I noticed they all contained a screenshot of the email signature of the finance employee they were interfacing with at the time. Based on the metadata of each email signature and the logs containing details such as the User-Agent, and IP addresses connected to our mail server at the time the phishing emails were sent to the clients, it became clear that the screenshots were snippets taken from a MacBook located in Nigeria."

Fortunately, the clients never released the funds. They closely coordinated with the finance department during the investigation, which led to the discovery of the bad actor before further damage was inflicted.

The Head of Finance's email credentials were reset, Isaiah and his team swiftly resolved the issue, and clients no longer received phishing emails. The aftermath left the organisation rethinking its cyber awareness strategy and how the rise in remote working among its workforce may have played a role.

Remote working has paved the way for cyber criminals to target a new wave of home workers, with 20% of organisations experiencing a breach because of a remote worker. Paired with a lack of security awareness of phishing, we have seen a heightened risk of remote workers neglecting basic security measures.

Want to become a SOC Analyst?

Working in a SOC team is full of surprises, with countless rewards and benefits, and a working lifestyle where no two days are the same. If you have a keen eye for detail and a love of problem-solving, then a career as a SOC Analyst could be a fantastic opportunity for you!

Get started with our Introduction to Cyber Security and Pre-Security learning paths before upskilling with our Level 1 SOC Analyst learning path, covering the many tools and real-life analysis scenarios needed in the role.

We have also compiled a helpful guide explaining How to Become a Level 1 SOC Analyst!