Cyber-attacks are an ever-present threat in the digital age, with Business Email Compromise (BEC) being one of the most common forms of attack. The organisation in the ‘Gemstone’ case was targeted by a sophisticated phishing campaign. The company faced significant challenges when a compromised Office365 account put its data and operations at risk. Here’s how CYFORSecure tackled the situation, resolved the issue, and provided long-term solutions.

The Situation: A Phishing Campaign Leads to Account Hijack

The incident began when a threat actor sent out a series of phishing emails using a compromised account. These emails reached the company’s employees, including one who fell victim to the attack. Upon investigation, we discovered that the victim had clicked a malicious link, which led to an Evilginx fake Office365 login page. Unaware of the threat, the victim entered their credentials, granting the attacker unauthorised access to their Office365 account.

This wasn’t the only action taken by the attacker. They also exploited the company’s Office365 environment to install an unauthorised app, which allowed continued access to the account even after direct access was revoked.

The Challenge: Identifying and Containing the Full Scope of the Breach

The first challenge was determining the full extent of the attack. This involved:

  • Using Office365 authentication logs to identify the moment the threat actor gained access.
  • Analysing the victim’s mailbox and laptop to pinpoint the phishing email and subsequent credential compromise.
  • Conducting a broader audit of the Office365 environment to uncover the malicious app installation.

The attacker’s ability to read and send emails through the compromised account, even after initial access was revoked, added complexity. Additionally, ensuring compliance with regulatory requirements by assessing potential exfiltration of Personally Identifiable Information (PII) was essential.

The Solution: Forensic Analysis and Strategic Countermeasures

CYFORSecure implemented a step-by-step approach to mitigate the threat and restore security:

1. Incident Analysis

  • Authentication logs helped pinpoint the timeline of the breach.
  • Forensic examination of the victim’s laptop confirmed the source and impact of the phishing email.

2. Threat Containment

  • The unauthorised app installed by the attacker was removed.
  • Access to the compromised account was permanently revoked.

3. Regulatory Compliance

  • A detailed audit of the threat actor’s activities, including any potential PII exfiltration, enabled the company to meet their incident reporting obligations.

4. Long-Term Security Enhancements

  • User Training Programs were introduced to raise awareness of phishing tactics.
  • Conditional Access Policies were applied to strengthen Office365 authentication.
  • Restrictions on App Installations ensured that only admin accounts could authorise app downloads.
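The investigation steps listed under “The Challenge” and under “Incident Analysis” and “Threat Containment” above come down to correlating two log sources: the Office365 sign-in log (when did a session from an unfamiliar address first succeed?) and the directory audit log (which app was granted access afterwards, since that grant keeps working after the password is reset or sessions are revoked until the grant itself is removed). The script below is an added illustration of that correlation and is not CYFORSecure’s tooling. Every record in it is constructed: the user names, IP addresses, the app name “MailSyncHelper” and the object IDs are placeholders, and the record shape only loosely follows the Microsoft Graph `signIn` and `directoryAudit` resources. The “new address after a baseline period” rule is a heuristic chosen for this example; with an Evilginx-style proxy the sign-in itself can look like a normal MFA-satisfied logon, so the source address and the follow-on consent event are what stand out.

```python
"""Constructed BEC triage example: correlate sign-in and audit records.

Not CYFORSecure's tooling. All records, users, IPs and IDs are invented;
the field names follow the Microsoft Graph signIn / directoryAudit shape.
"""
from datetime import datetime, timezone

VICTIM = "victim@gemstone.example"        # hypothetical user principal names
COLLEAGUE = "colleague@gemstone.example"
# Sign-ins before this cut-off are treated as the user's normal behaviour.
BASELINE_END = datetime(2024, 3, 4, tzinfo=timezone.utc)


def _signin(ts, ip, country, app, code=0, user=VICTIM):
    """Build one constructed sign-in log record (errorCode 0 = success)."""
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "appDisplayName": app,
            "status": {"errorCode": code}}


def _audit(ts, activity, actor, target_type, target_name, target_id):
    """Build one constructed directory audit record."""
    return {"activityDateTime": ts, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"type": target_type, "displayName": target_name,
                                 "id": target_id}]}


SIGN_INS = [  # constructed sample data
    _signin("2024-03-01T08:00:00Z", "203.0.113.10", "GB", "OfficeHome", user=COLLEAGUE),
    _signin("2024-03-01T08:05:00Z", "203.0.113.10", "GB", "Office 365 Exchange Online"),
    _signin("2024-03-02T09:12:00Z", "203.0.113.10", "GB", "OfficeHome"),
    _signin("2024-03-04T14:30:00Z", "198.51.100.77", "NL", "OfficeHome", code=50126),  # failed
    _signin("2024-03-04T14:31:00Z", "198.51.100.77", "NL", "OfficeHome"),
    _signin("2024-03-04T14:33:00Z", "198.51.100.77", "NL", "Office 365 Exchange Online"),
    _signin("2024-03-04T14:40:00Z", "203.0.113.10", "GB", "OfficeHome", user=COLLEAGUE),
]
AUDIT_EVENTS = [  # constructed sample data
    _audit("2024-02-20T10:00:00Z", "Consent to application", VICTIM,
           "ServicePrincipal", "Microsoft Teams", "sp-legit-constructed"),
    _audit("2024-03-04T14:36:00Z", "Consent to application", VICTIM,
           "ServicePrincipal", "MailSyncHelper", "sp-0001-constructed"),
    _audit("2024-03-04T15:00:00Z", "Update user", "admin@gemstone.example",
           "User", VICTIM, "user-0001-constructed"),
]


def parse_ts(value):
    """Parse the Graph timestamp format (RFC 3339, trailing Z) into aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _ok(event):
    return event["status"]["errorCode"] == 0


def baseline_ips(sign_ins, user, baseline_end):
    """Addresses the user successfully signed in from before the cut-off.
    An empty baseline means every later address is flagged, so pick the
    cut-off only after confirming the user has history before it."""
    return {e["ipAddress"] for e in sign_ins
            if e["userPrincipalName"] == user and _ok(e)
            and parse_ts(e["createdDateTime"]) < baseline_end}


def first_foreign_signin(sign_ins, user, baseline_end):
    """Earliest successful post-baseline sign-in from an address outside the
    baseline. Failed attempts are ignored: they show trying, not access."""
    known = baseline_ips(sign_ins, user, baseline_end)
    candidates = [e for e in sign_ins
                  if e["userPrincipalName"] == user and _ok(e)
                  and parse_ts(e["createdDateTime"]) >= baseline_end
                  and e["ipAddress"] not in known]
    return min(candidates, key=lambda e: parse_ts(e["createdDateTime"]), default=None)


def consents_after(audit_events, user, since):
    """'Consent to application' events the user initiated at or after `since`."""
    return [e for e in audit_events
            if e["activityDisplayName"] == "Consent to application"
            and e["initiatedBy"]["user"]["userPrincipalName"] == user
            and parse_ts(e["activityDateTime"]) >= since]


def build_timeline(sign_ins, audit_events, user, baseline_end):
    """The facts an incident report needs: when access began, from where, how
    many sign-ins followed from that address, and which apps were granted
    access afterwards (those grants outlive a password reset)."""
    first = first_foreign_signin(sign_ins, user, baseline_end)
    if first is None:
        return {"initial_access": None, "attacker_ip": None,
                "follow_on_signins": 0, "consented_apps": []}
    since = parse_ts(first["createdDateTime"])
    apps = [t["displayName"] for c in consents_after(audit_events, user, since)
            for t in c["targetResources"] if t["type"] == "ServicePrincipal"]
    follow_on = sum(1 for e in sign_ins
                    if e["userPrincipalName"] == user and _ok(e)
                    and e["ipAddress"] == first["ipAddress"]
                    and parse_ts(e["createdDateTime"]) >= since)
    return {"initial_access": first["createdDateTime"], "attacker_ip": first["ipAddress"],
            "follow_on_signins": follow_on, "consented_apps": apps}


if __name__ == "__main__":
    for key, value in build_timeline(SIGN_INS, AUDIT_EVENTS, VICTIM, BASELINE_END).items():
        print(f"{key}: {value}")
```

Run against the constructed records, the report dates initial access to the 14:31 sign-in from 198.51.100.77, counts the two successful sign-ins from that address, and lists “MailSyncHelper” as the app consented to after that point; the colleague, whose post-baseline sign-in comes from an address already in their baseline, produces no finding. The `consented_apps` list is the containment input: those service principals (and their permission grants) are what “removing the unauthorised app” means in practice, over and above revoking the user’s own sessions.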

The Results: Restored Security and Improved Resilience

Through our efforts, the company regained control of their Office365 environment, eliminating the attacker’s access and mitigating the risk of further data breaches. The organisation successfully met its regulatory reporting obligations, thanks to the comprehensive audit of the incident.

In the long term, the recommendations provided—such as employee training and improved access controls—significantly reduced the likelihood of future compromises. By implementing these measures, the company enhanced its overall cyber security posture, ensuring better protection against evolving threats.

Conclusion

The Gemstone case highlights the importance of swift action and expert guidance when facing a cyber threat like BEC. Through detailed analysis, containment, and proactive security measures, CYFORSecure not only neutralised the attack but also equipped the organisation with tools to prevent future incidents.

If your business faces similar challenges, CYFORSecure is here to help. Contact us today to secure your organisation against advanced cyber threats.