Last month, a developer received a suspicious email about a Chrome extension they owned and flagged it on a public forum. What seemed like a small issue soon revealed something much bigger: an unknown hacker used that email to compromise 35 popular Chrome extensions, impacting 2.5 million people! The surprising part: the hacked extensions were entirely unrelated, each owned by a different developer account. How then did the attacker manage to breach all these accounts at once?

Attack Flow:
1) Attacker initially collects email addresses tied to popular Chrome extensions from public info > Sends a phishing email.
2) The email alleged a violation of Chrome Web Store policies, warning that their extension will be removed > Baits the developer to click on a link to see the "violated rules".
3) Developer clicks on it > Gets redirected to an actual Google login page.
4) Post login, this flow now asks the victim to "grant permission" to manage Chrome extensions in their account (this is the typical OAuth authorization flow. The attacker hosted a malicious OAuth app that requested these permissions).
5) Believing it to be routine, some victims click on 'Continue' > The malicious app now gets access to the developer's Google account > Attacker now uploads malicious JS files to the Chrome extensions.
6) Automatic updates push the malicious files to users > The malicious code steals sensitive info (Facebook tokens etc.) and sends it to the attacker's server > 35 such Chrome extensions compromised.

A Few Thoughts:
1) Fear breeds urgency. Urgency breeds mistakes. The phishing email here exploits exactly this human instinct. This led to a high victim count of 35+ different accounts.
2) Think about this: you download a photos app. Instead of creating a new account, you click on "Log in with Facebook". The app asks your consent to access your Facebook name and profile pic. You approve, and voila, you're logged in instantly. OAuth powers this convenience.
3) But this convenience comes at the cost of new attack surface: an attacker can register a malicious SaaS app and seek 'permission' to get sensitive access just by making the victim click on a single button! (Aka "consent phishing".)
4) In the OAuth world, permissions are like passwords. The attacker no longer needs to steal passwords or go through the adventures of bypassing MFA. Just one click allowing that permission is all that's needed to get in!
5) The best way to defend: restrict access to high-risk OAuth scopes, i.e. configure enterprise settings so users CANNOT consent to high-risk permissions; only tenant admins can grant them after review. When you do this, only apps that are verified by tenant admins can request such permissions. Identity providers such as Microsoft and Google offer this in their cloud settings.

If you enjoyed this or learned something, follow me at Rohit Tamma for more in future! #applicationsecurity #cybersecurity #malware #infosec #informationsecurity #phishing
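The post's defence (only admin-reviewed apps may hold high-risk scopes) can also be enforced after the fact by triaging consent events. The script below is an added example, not the post author's code: it walks Google Workspace OAuth token audit events and flags any user-granted consent that includes a high-risk scope from a client ID no admin has approved. The event shape (an `authorize` event with `client_id`, `app_name` and a multi-valued `scope` parameter) follows the Workspace Reports API `token` application as I recall it; the allowlist, the app names and the log records are constructed for the example.

```python
"""Flag risky third-party OAuth consents in Google Workspace 'token' audit events.

Added example for the consent-phishing post above; not the author's code.
Assumptions: events follow the Reports API 'token' application layout
(events[].name == "authorize", parameters client_id/app_name/scope), the scope
URIs are the ones Google publishes, and the allowlist below is hypothetical.
"""
import json

# Scopes whose grant lets an app act as the user, not merely read a profile.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/chromewebstore",      # publish/update extensions
    "https://mail.google.com/",                             # full mailbox access
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Hypothetical tenant allowlist: client IDs an admin has reviewed and trusted.
ADMIN_APPROVED_CLIENT_IDS = {"1234567890-approvedbackup.apps.googleusercontent.com"}


def _param(event, name):
    """Return a named parameter from a Reports API event (multi-valued if present)."""
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return p.get("multiValue") or p.get("value")
    return None


def triage_consent(event):
    """Return (verdict, high_risk_scopes_requested) for one token-audit event."""
    if event.get("name") != "authorize":
        return "ignore", []
    scopes = _param(event, "scope") or []
    if isinstance(scopes, str):          # tolerate a space-separated scope string
        scopes = scopes.split()
    risky = sorted(s for s in scopes if s in HIGH_RISK_SCOPES)
    if not risky:
        return "allow", []
    if _param(event, "client_id") in ADMIN_APPROVED_CLIENT_IDS:
        return "allow", risky
    # A user granted high-risk scopes to an app no admin reviewed: treat it as
    # consent phishing until proven otherwise and revoke the token.
    return "revoke_and_alert", risky


def triage_log(raw_json):
    """Triage every authorize event in a Reports API 'token' response body."""
    findings = []
    for item in json.loads(raw_json).get("items", []):
        actor = item.get("actor", {}).get("email")
        for ev in item.get("events", []):
            verdict, risky = triage_consent(ev)
            if verdict != "ignore":
                findings.append({"actor": actor, "app": _param(ev, "app_name"),
                                 "client_id": _param(ev, "client_id"),
                                 "verdict": verdict, "high_risk_scopes": risky})
    return findings


# Constructed sample: one reviewed backup app, one consent-phishing style grant.
SAMPLE_LOG = json.dumps({"items": [
    {"actor": {"email": "dev@example.com"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "client_id", "value": "1234567890-approvedbackup.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Approved Backup"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/drive"]}]}]},
    {"actor": {"email": "dev@example.com"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "client_id", "value": "555-policyreview.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Policy Review Helper"},
         {"name": "scope", "multiValue": [
             "https://www.googleapis.com/auth/userinfo.email",
             "https://www.googleapis.com/auth/chromewebstore"]}]}]},
]})

if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG):
        print(row)
```

In a tenant where user consent to these scopes is already blocked, the second event cannot occur at all; where it is still allowed, the `revoke_and_alert` verdict is the trigger for revoking the app's token and checking what the extension's store listing was changed to.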
Basic goals of email compromise attacks
Summary
Email compromise attacks are schemes where cybercriminals gain unauthorized access to email accounts with the goal of manipulating communications and stealing sensitive information or funds. The basic goals of these attacks include intercepting private conversations, redirecting payments, and harvesting confidential data for financial gain.
- Exploit trust relationships: Attackers often impersonate trusted contacts or vendors to trick recipients into sharing financial details or approving fraudulent transactions.
- Monitor and strike: Criminals patiently observe email activity to identify the best moment to request payment changes or confidential information, making their actions appear legitimate.
- Obscure detection: Tactics such as flooding inboxes with spam or setting up automated rules help attackers hide their fraudulent activity and delay discovery, increasing the chances of successful theft.
-
🔍 Anatomy of a Modern B2B Business Email Compromise (BEC) Attack

A recent Trend Micro™ Managed XDR investigation uncovered a sophisticated B2B Business Email Compromise (BEC) attack, where a threat actor manipulated an ongoing email conversation between three business partners over several days. By compromising an email server and strategically replacing recipients, the attacker successfully redirected funds to their account, all while the victims believed they were communicating with their trusted partners.

🚨 Timeline of the Attack:

📅 Day 1:
• T+0:00 – Partner A sends an invoice reminder to Partner B, copying Partner C.
• T+4:30 – Threat actor intercepts and sends an email with fraudulent banking details from a compromised third-party email server.
• T+11:00 – The attacker resends the email, this time using a compromised Partner C account to reinforce legitimacy.

📅 Days 2-5:
• T+15:00 – Partner B, unaware of the compromise, acknowledges the invoice and requests additional details, unknowingly communicating with the attacker instead of the real Partner A.
• T+5.02 days – Partner A (still unaware) provides business details, but the email is received by the attacker, not Partner B.
• T+5.17 days – Attacker confirms details and reissues fraudulent banking instructions.
• T+5.64 days – Partner B deposits the funds into the attacker's account.
• T+5.66 days – Partner B informs 'Partner A' (the attacker) that the transfer is complete.

By the time Partner A and Partner B realized the fraud (12+ days later), the funds had already been moved.

🔑 Key Insights from the Incident:
✔️ Sophisticated Manipulation: The attacker gradually replaced real recipients in email threads, ensuring the conversation seemed normal.
✔️ Social Engineering & Trust Exploitation: By mimicking writing styles and leveraging auto-complete features, they maintained credibility.
✔️ Weak Email Security Enabled the Attack: A misconfigured third-party email server allowed fraudulent emails to bypass security checks.
✔️ Strategic Patience: The attacker waited 4.5 hours before injecting fraudulent banking details, ensuring it appeared as a legitimate correction.

🛡️ How to Defend Against BEC Attacks:
✅ Strengthen Email Authentication – Implement DMARC, SPF, and DKIM to verify sender legitimacy.
✅ Enable Multi-Factor Authentication (MFA) – Prevent unauthorized access to email accounts.
✅ Monitor for Anomalous Activity – Look for suspicious email forwarding rules and unauthorized logins.
✅ Educate High-Risk Employees – Train finance teams to verify banking details via secure channels before transferring funds.
✅ Establish Out-of-Band Validation – Require phone/video call confirmation for financial transactions to verify sender identity.

💡 BEC attacks are getting more sophisticated, but proactive security measures can significantly reduce the risk.

🔬 Full Research in Comments Section
#DeepDive #CyberSecurity #BEC #ThreatIntelligence #EmailSecurity #TrendMicro #SOC
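The "gradually replaced real recipients" pattern in the timeline above leaves a trace in message headers that a mail gateway or a SOC script can check thread by thread. The code below is an added example, not Trend Micro's tooling: it takes a thread in chronological order, fixes the participant set from the originator's first message, and flags later messages that introduce a lookalike domain (within two edits of a real partner's domain) or a Reply-To that redirects replies away from the visible sender. The three messages are constructed; the partner domains are placeholders.

```python
"""Detect recipient replacement in an e-mail thread (the BEC pattern above).

Added example; not Trend Micro's code. The messages are constructed. Each
message after the first is compared with the participant set established by
the thread's originator; new addresses on a near-match domain and Reply-To
headers that point elsewhere are reported.
"""
from email import message_from_string
from email.utils import getaddresses


def levenshtein(a, b):
    """Edit distance; small distances between domains are the lookalike signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def addresses(msg, *headers):
    """All addresses (lower-cased) found in the named headers."""
    values = []
    for h in headers:
        values.extend(msg.get_all(h, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def domain(addr):
    return addr.rsplit("@", 1)[-1]


def is_lookalike(dom, known_domains):
    """1-2 edits from a partner domain, or same label under another TLD."""
    if dom in known_domains:
        return False
    label = dom.split(".")[0]
    return any(levenshtein(dom, k) <= 2 or label == k.split(".")[0] for k in known_domains)


def audit_thread(raw_messages):
    """Return (message_index, finding_kind, address) tuples; index 1 is the first message."""
    msgs = [message_from_string(m) for m in raw_messages]
    known = addresses(msgs[0], "From", "To", "Cc")
    known_domains = {domain(a) for a in known}
    findings, seen = [], set()
    for idx, m in enumerate(msgs[1:], start=2):
        sender = addresses(m, "From")
        reply_to = addresses(m, "Reply-To")
        for a in sorted(sender | addresses(m, "To", "Cc") | reply_to):
            if a in known:
                continue
            kind = "lookalike_domain" if is_lookalike(domain(a), known_domains) else "new_participant"
            if (kind, a) not in seen:          # report each new address once
                seen.add((kind, a))
                findings.append((idx, kind, a))
        # Replies silently diverted to an address other than the visible sender.
        if reply_to and not reply_to <= sender:
            findings.append((idx, "reply_to_redirect", ",".join(sorted(reply_to))))
    return findings


# Constructed thread: legitimate reminder, lookalike-domain "correction", then a
# compromised real Partner C account steering replies to the lookalike address.
SAMPLE_THREAD = [
    "\n".join(["From: Partner A Accounts <ap@partner-a.com>", "To: <finance@partner-b.com>",
               "Cc: <ops@partner-c.com>", "Subject: Invoice 4471 reminder", "",
               "Please arrange payment of invoice 4471."]),
    "\n".join(["From: Partner A Accounts <ap@partner-a.co>", "To: <finance@partner-b.com>",
               "Cc: <ops@partner-c.com>", "Subject: Re: Invoice 4471 reminder", "",
               "Correction: please use the updated banking details attached."]),
    "\n".join(["From: <ops@partner-c.com>", "To: <finance@partner-b.com>", "Cc: <ap@partner-a.co>",
               "Reply-To: <ap@partner-a.co>", "Subject: Re: Invoice 4471 reminder", "",
               "Confirming the new account details are correct."]),
]

if __name__ == "__main__":
    for f in audit_thread(SAMPLE_THREAD):
        print(f)
```

Note what the third message shows: a genuinely compromised partner account passes every header check, and only its Reply-To gives it away here. That is why the out-of-band validation step in the post remains necessary even with this kind of detection in place.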
-
As Incident Responders, we're seeing an increase in attacks using classic smokescreen tactics, so I thought I'd share a few snippets that hopefully help you stay safe!

The initial point of compromise is a phishing email. Nothing particularly sophisticated, just well-timed and well-crafted enough to have a target team member enter their login credentials into a spoofed site and prompt them for their MFA token. If all runs smoothly, for the bad eggs, the attackers are able to successfully proxy the MFA response, intercept the session token, and then bypass the victim's "super secure" two-factor authentication. They use a real-time phishing kit like Evilginx2, which allows them to ride in on the back of a legitimate login session. So no brute force, no malware dropper, no obvious indicators until it's too late.

Once inside, the attackers monitor for an opportune time to strike, typically when a large payment is to be sent or due. They modify the payment instructions of one of the parties to make payment to a mule account they control. But they didn't stop there! In order to mask their activity, because multiple users within the authorisation chain are on CC to the payment instruction, they launch a classic smokescreen campaign by flooding every inbox at the firm with hundreds of spam messages at the exact same time the crime is being committed. And this is ongoing and relentless. The goal is simple: bury the wire transfer confirmation email in noise so it won't get seen or detected, delaying any potential mitigation action. Effectively, the bad eggs are throwing a digital smokescreen.

It worked. And is working across a multitude of cases we've seen. The transfer goes through, unnoticed, and the funds are gone before a team even has a chance to react.

Urgently add active monitoring for behavioural anomalies post-authentication, such as impossible travel, sudden privilege escalation, or new device profiles making high-value changes. Otherwise, you're flying blind. For payment authorisation, MFA is not a panacea, especially for email accounts handling payment instructions. Implement manual processes to double and cross-check payments. Or reach out if you want to hear more about an automated payment protection solution we've built that fixes this. Not in full release but we'd love to hear your thoughts as we build it out.

Stay sharp out there.
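The smokescreen described above has a simple statistical signature: a mailbox that normally receives a trickle suddenly receives hundreds of messages in a single minute, and somewhere in or just before that minute sits a payment-related message. The detector below is an added example, not the responders' product: it reads a constructed, simplified message-trace log (tab-separated timestamp, mailbox, sender, subject), finds minutes whose volume dwarfs the mailbox's median, and lists the payment-related mail that landed in the preceding window. The thresholds and keyword list are assumptions to tune per environment.

```python
"""Spot a spam 'smokescreen' around a payment-instruction e-mail.

Added example for the incident-response post above; not the author's tooling.
Input is a constructed, simplified message-trace log (one line per delivered
message: ISO timestamp, mailbox, sender, subject). Minutes where a mailbox
receives far more than its median are flagged, and payment-related messages
that arrived inside or shortly before the burst are surfaced.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Assumed keyword set; extend with the terms your AP team actually uses.
PAYMENT_RE = re.compile(r"\b(wire|remittance|bank details|payment instruction|invoice|transfer)\b", re.I)


def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, mailbox, sender, subject = line.split("\t", 3)
        rows.append((datetime.fromisoformat(ts), mailbox.lower(), sender.lower(), subject))
    return rows


def detect_smokescreen(rows, burst_factor=10, min_burst=50, lookback=timedelta(minutes=15)):
    """Return one finding per (mailbox, minute) whose volume is a burst."""
    per_minute = defaultdict(Counter)            # mailbox -> minute -> messages
    for ts, mailbox, _, _ in rows:
        per_minute[mailbox][ts.replace(second=0, microsecond=0)] += 1
    findings = []
    for mailbox, minutes in per_minute.items():
        counts = sorted(minutes.values())
        baseline = counts[len(counts) // 2]     # median per-minute volume for this mailbox
        for minute, n in minutes.items():
            if n < min_burst or n < burst_factor * max(baseline, 1):
                continue
            # What was the flood meant to bury? Look back over the preceding window.
            buried = [(ts, sender, subj) for ts, mb, sender, subj in rows
                      if mb == mailbox and PAYMENT_RE.search(subj)
                      and minute - lookback <= ts < minute + timedelta(minutes=1)]
            findings.append({"mailbox": mailbox, "minute": minute, "count": n,
                             "baseline": baseline, "payment_mail_in_window": buried})
    return findings


def build_sample_log():
    """Constructed trace: two finance mailboxes, a normal trickle, then the flood."""
    lines = []
    base = datetime(2025, 3, 4, 13, 0)
    for mailbox in ("ap@example.com", "cfo@example.com"):
        for i in range(60):                      # one routine message per minute
            lines.append(f"{(base + timedelta(minutes=i)).isoformat()}\t{mailbox}"
                         f"\tstatus@example.com\tWeekly status #{i}")
        # The altered instructions arrive while the thread still looks normal...
        lines.append(f"{(base + timedelta(minutes=60)).isoformat()}\t{mailbox}"
                     f"\tap@partner-a.co\tRe: invoice 4471 - updated wire instructions")
        # ...and five minutes later 300 junk messages land in one minute to bury it.
        for i in range(300):
            lines.append(f"{(base + timedelta(minutes=65, seconds=i % 60)).isoformat()}\t{mailbox}"
                         f"\tpromo{i}@junk.example\tClaim your reward now #{i}")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in detect_smokescreen(parse_log(build_sample_log())):
        print(f["mailbox"], f["minute"], f["count"], f["payment_mail_in_window"])
```

The burst itself is easy to see in retrospect; the operational value is the correlation: when every inbox on a payment thread floods at once, the alert should route to whoever approves wires, not to the spam-filter owner.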
-
Stop training your employees to look for "hackers". Start training them to verify their vendors.

We picture business email compromise as a shadowy figure typing furiously in a dark room. A technical mastermind breaching firewalls. Cracking code. Breaking in. But that's not the threat draining millions from businesses every year, and it's not the threat sitting quietly in your inbox right now.

BECs are not a computer hacking problem. They're a human hacking problem.

The attack doesn't start with a spoofed domain. It starts long before that. Attackers compromise an employee or vendor account and then do something far more dangerous than "send phishing emails". They observe. They study. They wait. They learn who moves the money. They learn the tone your team uses. They learn when invoices are due. They wait for the perfect moment. Then they strike. Not with malware. With context. A reply to an existing thread. A perfectly timed request. A simple line: "Please update our banking information for this payment." No red flags. No typos. No urgency. Just familiarity with your operations that feels legitimate because it is legitimate until the money is gone.

If your training focuses on bad grammar, fake logos, or hovering over links, you are preparing for scams from 2014. Not 2025. You cannot "spot" a social engineer who knows your invoice workflow better than your AP team.

The Fix: Process over perception. Stop relying on instinct. Build systems that force verification.
1️⃣ Out-of-band authentication. If bank details change, call the vendor using the number you already have on file.
2️⃣ Zero trust for payment updates. Treat every change request as a breach until verified.
3️⃣ Scrutinize timing. Criminals strike at peak workload, when your team is most likely to comply automatically.

The goal is not to stop the email from landing in the inbox. The goal is to stop the money from leaving the bank.

Is your organization still teaching employees to "spot phishing", or are you actually preparing them for compromised vendor attacks? If you want to shift from generic "security awareness" to a true human-defense strategy, send me a DM. Let's secure your payment processes before criminals do. #Stopthescam before it starts! Fraud Hero #businessemailcompromise #socialengineering #phishing #scam #fraud #PauseThinkVerify
-
AI-powered phishing targets 340+ organizations, bypassing MFA through Microsoft's own login page.

A Telegram-sold toolkit called EvilTokens automates the entire chain: AI-generated lures, real-time device code generation, clipboard hijacking, and automated post-compromise email mining. The victim authenticates on real Microsoft infrastructure. The only clue is a standard warning most users dismiss. Microsoft, Huntress, Sekoia, and Mnemonic all published independent analyses of the same campaign within two weeks.

Highlights:
🔹 The attack exploits the OAuth device authorization flow designed for TVs and IoT devices. The victim authenticates on the real microsoft.com/devicelogin, MFA completes against the real IdP, and tokens land in the attacker's session. No credentials intercepted.
🔹 AI generates role-matched lures with no two identical. Microsoft measured 450% higher click-through rates for AI-generated lures. Device codes are generated on-demand to beat the 15-minute expiry window.
🔹 Post-compromise: device registration within 10 minutes for token persistence, malicious inbox rules, and an AI-powered keyword scanner surfacing finance-related conversations for BEC.
🔹 340+ organizations across US, Canada, Australia, New Zealand, Germany. Sectors: construction, non-profits, real estate, manufacturing, finance, healthcare, legal, government.

My take:
1️⃣ No MFA method helps, including FIDO2. The device code flow issues tokens to whichever device initiated the request, not where the user signed in. FIDO2 is not failing, it is irrelevant. The fix is a Conditional Access policy blocking the device code grant type.
2️⃣ Twelve months separated Storm-2372's manual campaign from EvilTokens, a fully automated platform sold on Telegram. AI lowers the expertise bar until sophisticated attacks become commodity. This is what it looks like at scale.
3️⃣ The LLM is not just writing phishing emails. Post-compromise, EvilTokens' AI scanner mines mailboxes for wire transfer threads and payment approvals. The attacker does not need to know what to look for. This is LLM-as-operator, not LLM-as-author.
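Two things a defender can do with the facts in the post above: hunt for the pattern (a device-code sign-in followed within minutes by a device registration for the same user) and ship the Conditional Access policy that blocks the grant type. The code below is an added example, not from Microsoft, Huntress, Sekoia or Mnemonic. The field names follow the Microsoft Graph `signIn` and `directoryAudit` resources as I recall them (`authenticationProtocol == "deviceCode"`, an audit `activityDisplayName` of "Add device") and the policy body follows the Graph `conditionalAccessPolicy` schema with `conditions.authenticationFlows.transferMethods`; verify both against current documentation before relying on them. The log records are constructed.

```python
"""Hunt for device-code phishing in Entra sign-in logs and check the blocking policy.

Added example for the EvilTokens post; not vendor code. Assumptions: Graph
signIn records carry authenticationProtocol == "deviceCode"; directoryAudit
records for device registration carry activityDisplayName "Add device" with the
acting user under initiatedBy.user; the Conditional Access body uses
conditions.authenticationFlows.transferMethods. Records below are constructed.
"""
from datetime import datetime, timedelta


def _ts(s):
    """Parse Graph's ISO-8601 'Z' timestamps."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def hunt_device_code(signins, audits, window=timedelta(minutes=10)):
    """Return one finding per device-code sign-in, rated by what followed it."""
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        t0 = _ts(s["createdDateTime"])
        upn = s["userPrincipalName"].lower()
        # Persistence step from the post: a new device registered by the same
        # user within minutes of the device-code sign-in.
        device_added = any(
            a.get("activityDisplayName") in ("Add device", "Add registered owner to device")
            and a.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "").lower() == upn
            and t0 <= _ts(a["activityDateTime"]) <= t0 + window
            for a in audits)
        findings.append({"user": upn, "time": s["createdDateTime"], "ip": s.get("ipAddress"),
                         "app": s.get("appDisplayName"),
                         "severity": "critical" if device_added else "investigate"})
    return findings


# Conditional Access body that blocks the device code grant for everyone, on
# every app. Add excludeUsers for break-glass accounts and any real device-code
# consumers (meeting-room hardware) before enabling it.
BLOCK_DEVICE_CODE_POLICY = {
    "displayName": "Block device code flow",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def policy_blocks_device_code(policy):
    """Pre-flight check before POSTing: enabled, all users, all apps, block."""
    cond = policy.get("conditions", {})
    return (policy.get("state") == "enabled"
            and cond.get("authenticationFlows", {}).get("transferMethods") == "deviceCodeFlow"
            and "All" in cond.get("users", {}).get("includeUsers", [])
            and "All" in cond.get("applications", {}).get("includeApplications", [])
            and "block" in policy.get("grantControls", {}).get("builtInControls", []))


# Constructed records: one phished user who then registers a device, one normal
# password sign-in, one device-code sign-in with no follow-up (yet).
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-03-04T10:00:12Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.5", "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-03-04T10:01:40Z",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.7", "appDisplayName": "Outlook"},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2025-03-04T10:20:03Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.9", "appDisplayName": "Microsoft Office"},
]
AUDITS = [
    {"activityDisplayName": "Add device", "activityDateTime": "2025-03-04T10:06:30Z",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}}},
]

if __name__ == "__main__":
    for f in hunt_device_code(SIGNINS, AUDITS):
        print(f)
    print("policy ok:", policy_blocks_device_code(BLOCK_DEVICE_CODE_POLICY))
```

Once the policy is in place the hunt still earns its keep: it catches sign-ins that completed before enforcement, and tokens issued through the flow remain valid until they are revoked.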