
A UK-based multinational professional services group narrowly avoided a £1M business email compromise after a patient adversary manipulated an existing email thread to redirect funds. The fraud came to light when the finance provider flagged a missed quarterly payment. Initial investigations revealed a series of fraudulent emails altering bank details, but uncertainty remained about the scope of the compromise—until suspicious Microsoft Teams activity from the Finance Controller confirmed an account breach. 

Thomas Murray stepped in, leveraging Microsoft 365 platform logs and targeted analysis of affected accounts and devices to uncover the adversary’s sophisticated tactics and methods, restoring security and confidence. 

Alistair Purdy

Senior Analyst, DFIR | Cyber Risk

apurdy@thomasmurray.com

Stephen Green

Threat Intelligence Lead | Cyber Risk

sgreen@thomasmurray.com

Initial Compromise 

This invoice redirection fraud began with a classic phishing attack (T1566 – Phishing), granting the adversary 84 days of undetected access before being locked out. The phishing email used a familiar ruse, claiming the user had a ‘Missed Voicemail’ and including a second email with a malicious .HTML attachment (T1566.001 – Spearphishing Attachment), a well-worn but effective tactic. 


The phishing email originated from a legitimate domain linked to an Asian Cloud, VPS, and email hosting provider (T1583.003 – Acquire Infrastructure: Virtual Private Server). While the email address itself wasn’t related to the client, the adversary customised the displayed sender name to ‘[Client] Call_Service,’ showcasing deliberate preparation and targeting (T1589 – Gather Victim Identity Information). 

The attached .HTML file, titled ‘Audio_Msg [Client].html,’ also reflected this preparation. It featured heavily obfuscated code leveraging the EvilProxy framework, further underscoring the adversary’s sophisticated approach. 

EvilProxy 

The EvilProxy framework is a powerful adversary-in-the-middle (AiTM) attack framework which adversaries use to create targeted phishing emails that include links to customised phishing websites.  

The phishing websites are designed to look like legitimate sign-in pages for services such as Microsoft 365 and Google Workspace but are hosted on the adversary’s infrastructure. Adversaries often go as far as recreating the branded sign-in pages for their targets to provide that additional appearance of authenticity.  

This method works by ‘proxying’ the connection between the user and the legitimate service via the adversary’s infrastructure – acting as a ‘middleman’. This infrastructure captures information like login credentials and authentication tokens and simultaneously sends the login request to the legitimate service. All of this means the user sees and experiences what looks like a normal login process. They are completely unaware that their credentials and session tokens have been captured and can now be used by the adversary to access that account.  
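The capture-and-replay described above is what a defender sees in Microsoft 365 sign-in logs: the same session presented from a second IP address with no fresh MFA prompt. The following Python is an added example, not Thomas Murray's tooling, run over a constructed log sample whose field names are a simplified assumption:

```python
import json
from datetime import datetime, timedelta

# Constructed sample sign-in events (not client data). Field names are a
# simplified assumption loosely modelled on M365/Entra sign-in log exports:
# "mfa" is "satisfied" for an interactive MFA prompt and "token" when the
# requirement was met by a claim already inside the presented session token.
SAMPLE_LOG = """\
{"time":"2024-05-01T08:02:10Z","user":"fc@example.test","sessionId":"s-1","ip":"203.0.113.10","mfa":"satisfied"}
{"time":"2024-05-01T08:40:00Z","user":"fc@example.test","sessionId":"s-1","ip":"203.0.113.10","mfa":"token"}
{"time":"2024-05-01T09:05:00Z","user":"fc@example.test","sessionId":"s-1","ip":"198.51.100.7","mfa":"token"}
{"time":"2024-05-01T10:00:00Z","user":"ap@example.test","sessionId":"s-2","ip":"203.0.113.44","mfa":"satisfied"}
"""

def parse_events(text):
    """Parse newline-delimited JSON into dicts, converting 'time' to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])

def find_session_reuse(events, window=timedelta(hours=24)):
    """Flag a session whose token is presented from a new IP, without a fresh
    MFA prompt, within `window` of the IP that originally passed MFA."""
    origin = {}   # (user, sessionId) -> (ip, time) of the latest MFA-satisfied event
    alerts = []
    for ev in events:
        key = (ev["user"], ev["sessionId"])
        if ev["mfa"] == "satisfied":
            origin[key] = (ev["ip"], ev["time"])  # a fresh MFA prompt resets the baseline
            continue
        if key not in origin:
            continue
        first_ip, first_time = origin[key]
        if ev["ip"] != first_ip and ev["time"] - first_time <= window:
            alerts.append({"user": ev["user"], "sessionId": ev["sessionId"],
                           "origin_ip": first_ip, "replay_ip": ev["ip"],
                           "time": ev["time"].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in find_session_reuse(parse_events(SAMPLE_LOG)):
        print(alert)
```

Only the Finance Controller's session is flagged: the token is reused from 198.51.100.7 an hour after MFA was passed from 203.0.113.10, while the second user's single interactive sign-in produces no alert.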

Most of the functionality sits within the adversary’s infrastructure, but they still need to direct the user to their convincing (but illegitimate) site while ensuring their emails and attachments don’t get blocked or quarantined. To achieve this, they heavily obfuscate the client-side code that navigates the user to the malicious URL.

Below is a redacted screenshot showing the HTML included within the malicious attachment (T1027 – Obfuscated Files or Information).