Deceptive Signatures: Advanced Techniques in BEC Attacks

KEY TAKEAWAYS

  • Sophistication of BEC Attacks: Business Email Compromise (BEC) attacks are becoming increasingly sophisticated, leveraging advanced social engineering, AI-driven personalization, and phishing kits in order to overcome MFA protections.
  • Exploitation of Trust: Some threat actor groups have been discovered leveraging a technique that involves embedding phishing lures within the email signature blocks of user accounts. This deceptive tactic exploits recipients' trust in the benign nature of signature sections by replacing the signature with a formatted email. It can also remain undetected during certain investigative steps, because it is not an inbox rule change and therefore does not trigger the audit logging and alerting typically associated with rule changes.
  • Cascading Impact: Once initial credentials are compromised, attackers often use these accounts to launch secondary phishing campaigns, expanding their reach and escalating financial and reputational damage to organizations. Additionally, even after a password change has removed the threat actor's access to a previously compromised account, if the signature block alteration is not caught and remediated quickly, the user's normal outbound email may unknowingly continue to propagate the attack.

Business email compromise attacks have become increasingly common in recent years, driven by sophisticated social engineering tactics that make it easier to dupe victims. This is due in part to the believability that threat actors are able to achieve by collecting sensitive information from publicly available sources, including corporate websites and social media. Criminals leverage this information to pose as trusted colleagues or business partners, using stolen or spoofed email accounts to deliver convincing messages that prompt recipients to transfer funds or disclose confidential information. The evolving nature of these schemes is characterized by their high success rate, low technological barriers to entry for threat actors, and the substantial financial losses incurred by victim organizations. Advancements in automation, AI-driven personalization, and ready-to-use phishing kits have further accelerated the proliferation of BEC attacks, creating a lucrative marketplace for cybercriminals.

One particularly deceptive technique that the Cybereason DFIR team has recently observed involves an HTML-formatted phishing email being inserted directly into the email signature block of a victim's account. Our experts observed well-crafted messages by threat actors that appear authentic by mimicking corporate branding, fonts, and color schemes, all while embedding malicious links or prompts in place of an email footer. By doing this, the threat actor disguises the phishing lure so that it blends in as a continuation of the legitimate email sent by the user. This technique allows threat actors to increase the spread of their phishing campaign, with victims unknowingly sending phishing emails embedded in their signature every time they send a new message. By default, neither Microsoft M365 nor Google Workspace tracks email signature changes of individual users, but there are ways to identify these changes through manual inspection.

In recent investigations, our team observed threat actors launch various phishing campaigns from numerous compromised user email signatures. If clicked, the malicious links led to various Google Forms prompting email recipients to enter their email and banking credentials. With those credentials, the threat actor could then compromise numerous users' email and bank accounts. Once successful, the threat actor would compromise other organizations by using the newly compromised accounts to create new Google Forms and phishing campaigns. Below are representative screenshots demonstrating the identified tactic.

[Screenshot: signature]

Example of an email signature alteration by a threat actor who inserted an HTML-formatted email into the signature block of a user's account.

[Screenshot: email]

Result of an email signature alteration by a threat actor who inserted an HTML-formatted email into the signature block of a user's account, so that whenever the user sent an email, this phishing email was appended to the message in place of where the normal signature block would appear.

[Screenshot: college IT admin-1]

The signature contained a link which redirected the user to a Google Form that collected personal information, including credentials, allowing the threat actor to gain additional access in furtherance of repeating their scheme and multiplying their reach and access.

Key Recommendations

Our experts compiled a list of recommendations to help protect your organization against these types of threats:

  • Enhance Email Security: Deploy email filtering and anti-phishing solutions capable of detecting malicious content, including embedded links in email signatures, and enable advanced threat protection in platforms like Microsoft M365 and Google Workspace.
  • Train Employees: Conduct regular phishing and hands-on training to help employees recognize and report suspicious emails, including unusual signature or rule changes or unexpected clickable links.
  • Monitor for Email Signature Changes: Implement mechanisms to monitor email signature alterations within corporate email platforms and investigate suspicious modifications.
  • Enforce Multi-Factor Authentication (MFA): Require MFA for all email and financial systems to add an extra layer of security, even if user credentials are compromised.
  • Establish Incident Response Protocols: Prepare and test an incident response plan specifically for BEC incidents to quickly identify, contain, and remediate compromised accounts.
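As an added example (not Cybereason's tooling), a small Python check that performs the manual inspection described earlier and the signature monitoring recommended above: it compares a current export of users' signature HTML against a saved baseline and flags changed or new signatures that link to form-builder hosts or non-allowlisted domains, or that carry far more text than a footer should. The export source is assumed, for instance the SignatureHtml property returned by Exchange Online's Get-MailboxMessageConfiguration or the signature field of the Gmail API sendAs resource; the host lists and sample signatures are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lists: form-builder hosts abused for credential harvesting, and hosts the org links to.
FORM_HOSTS = {"docs.google.com", "forms.gle", "forms.office.com"}
ALLOWED_HOSTS = {"www.example-corp.com", "www.linkedin.com"}

class LinkExtractor(HTMLParser):
    """Collect anchor hrefs and the visible text length of a signature."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text_len = [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]
    def handle_data(self, data):
        self.text_len += len(data.strip())

def analyze_signature(html):
    """Return findings for one signature's HTML (empty list if nothing looks suspicious)."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        if href.lower().startswith("mailto:"):
            continue  # plain contact links are expected in a footer
        host = (urlparse(href).hostname or "").lower()
        if host in FORM_HOSTS:
            findings.append(f"link to form host {host}")
        elif host not in ALLOWED_HOSTS:
            findings.append(f"link to non-allowlisted host {host or href}")
    # A normal footer is short; a whole phishing email pasted into the block is not.
    if parser.text_len > 400:
        findings.append(f"unusually long signature text ({parser.text_len} chars)")
    return findings

def diff_signatures(baseline, current):
    """Return {user: findings} for every user whose signature is new or changed since baseline."""
    alerts = {}
    for user, html in current.items():
        if baseline.get(user) == html:
            continue  # unchanged since the last export
        alerts[user] = ["changed since baseline" if user in baseline else "new signature"] + analyze_signature(html)
    return alerts

# Constructed sample exports: Alice's footer now carries a pasted phishing email.
BASELINE = {"alice@example-corp.com": "<p>Alice Lee<br>IT Admin</p>"}
CURRENT = {
    "alice@example-corp.com": "<p>Alice Lee<br>IT Admin</p><hr><p><b>Action required:</b> your "
    'payroll account needs verification. <a href="https://docs.google.com/forms/d/e/PLACEHOLDER/viewform">Verify now</a></p>',
    "bob@example-corp.com": '<p>Bob Ng<br><a href="https://www.example-corp.com">Example Corp</a></p>',
}
```

Run it on a scheduled export and route any user whose findings include a form-host or non-allowlisted link into the BEC incident response process.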

About the Author

Cybereason Consulting Team