“Use once” dynamic phishing forensic investigation.

Security researchers: I have a catalogue of over 580 unique URLs used. If you think that having this catalogue would lead to a breakthrough in working out the URL scheme or database, please comment below and I may get in touch.

In a separate post I discuss and document all the indicators of compromise attempts (IoCA?) of a use-once phishing campaign.

In the post on this page I will now discuss how the scammers are running the hack. Sadly, after just under a month, one of my organisations has become a victim. This does, however, give me good insight into how the scam is run.

First obvious indication you’ve been compromised:

*Bouncebacks for messages the sender does not recall sending

*Inability to send more genuine messages “Delivery has failed to these recipients or groups:” with the content of “Your message couldn’t be delivered because you weren’t recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it’s no longer allowed to send messages outside of your organisation. Contact your email admin for assistance.”

Damn, user compromised. You start your investigation. In my case I found:

*No inbound message containing the expected strings (“.host/5c”), so the user was possibly compromised while reading another of their accounts, and then filled in the credentials of the account that got compromised when they clicked the link?

*The first login that can’t be attributed to a genuine user. The interesting thing here is that the IP they have logged in from is a Three mobile broadband IP:

{
    "CreationTime": "2019-01-31T17:04:26",
    "Id": "04237a01-15ed-4626-91bb-bacdc8d8f83a",
    "Operation": "UserLoggedIn",
    "OrganizationId": "REDACTED",
    "RecordType": 15,
    "ResultStatus": "Succeeded",
    "UserKey": "REDACTED@REDACTED.uk",
    "UserType": 0,
    "Version": 1,
    "Workload": "AzureActiveDirectory",
    "ClientIP": "92.40.249.225",
    "ObjectId": "Unknown",
    "UserId": "REDACTED@REDACTED.uk",
    "AzureActiveDirectoryEventType": 1,
    "ExtendedProperties": [{
        "Name": "UserAgent",
        "Value": "CBAInPROD"
    }, {
        "Name": "UserAuthenticationMethod",
        "Value": "1"
    }, {
        "Name": "RequestType",
        "Value": "OrgIdWsTrust2:process"
    }, {
        "Name": "ResultStatusDetail",
        "Value": "Success"
    }],
    "Actor": [{
        "ID": "ddcbc121-b658-4db1-b711-6cde555fd465",
        "Type": 0
    }, {
        "ID": "REDACTED@REDACTED.uk",
        "Type": 5
    }, {
        "ID": "10033FFF83B5D12D",
        "Type": 3
    }],
    "ActorContextId": "6c912758-958b-4f32-b33f-37e96a79d1db",
    "ActorIpAddress": "92.40.249.225",
    "InterSystemsId": "892f2e77-14ec-4ede-874b-fb3ee4f4e7c4",
    "IntraSystemId": "121ce9a9-8121-4e9a-a722-76a953d10200",
    "Target": [{
        "ID": "Unknown",
        "Type": 0
    }],
    "TargetContextId": "6c912758-958b-4f32-b33f-37e96a79d1db",
    "ApplicationId": "00000002-0000-0ff1-ce00-000000000000"
}

*30 seconds before the spam emails were sent, there was an IMAP login to the account too:

{
    "CreationTime": "2019-01-31T17:04:26",
    "Id": "8d1e8efc-3c90-469c-3631-08d6879e2811",
    "Operation": "MailboxLogin",
    "OrganizationId": "REDACTED",
    "RecordType": 2,
    "ResultStatus": "Succeeded",
    "UserKey": "REDACTED",
    "UserType": 0,
    "Version": 1,
    "Workload": "Exchange",
    "UserId": "REDACTED@REDACTED.uk",
    "ClientIPAddress": "92.40.249.225",
    "ClientInfoString": "Client=POP3\/IMAP4;Protocol=IMAP4",
    "ExternalAccess": false,
    "InternalLogonType": 0,
    "LogonType": 0,
    "LogonUserSid": "REDACTED",
    "MailboxGuid": "REDACTED",
    "MailboxOwnerSid": "REDACTED",
    "MailboxOwnerUPN": "REDACTED@REDACTED.uk",
    "OrganizationName": "REDACTED.uk",
    "OriginatingServer": "",
    "SessionId": ""
}

*They then performed an “Update” operation (term used by Microsoft’s Security and Compliance portal) on several Contacts…:

{
    "CreationTime": "2019-01-31T17:04:51",
    "Id": "20faa4a0-c779-49a2-fbec-08d6879e36fe",
    "Operation": "Update",
    "OrganizationId": "REDACTED",
    "RecordType": 2,
    "ResultStatus": "Succeeded",
    "UserKey": "REDACTED",
    "UserType": 0,
    "Version": 1,
    "Workload": "Exchange",
    "UserId": "REDACTED@REDACTED.uk",
    "ClientIPAddress": "92.40.249.225",
    "ClientInfoString": "Client=POP3\/IMAP4;Protocol=IMAP4",
    "ExternalAccess": false,
    "InternalLogonType": 0,
    "LogonType": 0,
    "LogonUserSid": "REDACTED",
    "MailboxGuid": "REDACTED",
    "MailboxOwnerSid": "REDACTED",
    "MailboxOwnerUPN": "REDACTED@REDACTED.uk",
    "OrganizationName": "REDACTED.onmicrosoft.com",
    "OriginatingServer": "DB7PR03MB4585 (15.20.1580.012)\u000d\u000a",
    "Item": {
        "Id": "RgAAAACQqd02liqYSZz7oCE546pOBwB\/cThOvsVDS6kqrCMsuFxIAAAAmxnqAADWWGPjp1aJRaCKSaJETO2pAGQZ4AgfAAAR",
        "ParentFolder": {
            "Id": "LgAAAACQqd02liqYSZz7oCE546pOAQB\/cThOvsVDS6kqrCMsuFxIAAAAmxnqAAAB",
            "Path": "\\Contacts"
        },
        "Subject": "REDACTED Fencing"
    },
    "ModifiedProperties": ["AbchEmailAddresses", "AccountName", "LegacyWebPage", "ObjectId", "Urls"]
}

*The spam emails started to get sent.

*They logged back into IMAP from a different Three mobile broadband IP address.

{
    "CreationTime": "2019-01-31T17:13:34",
    "Id": "1f014aca-8cae-4c34-8fa8-61d34432c134",
    "Operation": "UserLoggedIn",
    "OrganizationId": "REDACTED",
    "RecordType": 15,
    "ResultStatus": "Succeeded",
    "UserKey": "REDACTED@REDACTED.uk",
    "UserType": 0,
    "Version": 1,
    "Workload": "AzureActiveDirectory",
    "ClientIP": "92.40.249.218",
    "ObjectId": "Unknown",
    "UserId": "REDACTED@REDACTED.uk",
    "AzureActiveDirectoryEventType": 1,
    "ExtendedProperties": [{
        "Name": "UserAgent",
        "Value": "CBAInPROD"
    }, {
        "Name": "UserAuthenticationMethod",
        "Value": "1"
    }, {
        "Name": "RequestType",
        "Value": "OrgIdWsTrust2:process"
    }, {
        "Name": "ResultStatusDetail",
        "Value": "Success"
    }],
    "Actor": [{
        "ID": "ddcbc121-b658-4db1-b711-6cde555fd465",
        "Type": 0
    }, {
        "ID": "REDACTED@REDACTED.uk",
        "Type": 5
    }, {
        "ID": "10033FFF83B5D12D",
        "Type": 3
    }],
    "ActorContextId": "6c912758-958b-4f32-b33f-37e96a79d1db",
    "ActorIpAddress": "92.40.249.218",
    "InterSystemsId": "d2c72069-ca65-45c6-bfab-7a5926231849",
    "IntraSystemId": "879cc08e-a199-4068-b0d9-1c2580371d00",
    "Target": [{
        "ID": "Unknown",
        "Type": 0
    }],
    "TargetContextId": "6c912758-958b-4f32-b33f-37e96a79d1db",
    "ApplicationId": "00000002-0000-0ff1-ce00-000000000000"
}

And that is it, the deed is done. An attempt was made to send ~531 phishing messages, and ~124 messages were successfully delivered before Microsoft prevented the account from delivering any more. (There are some genuine sent messages within the report, but because the spam messages reuse legitimate, previously used subject lines, I can’t easily identify the few genuine ones.)
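As an added example (not code from the original post), the following Python triage reads unified audit log records exported as JSON lines and flags the chain documented above: a UserLoggedIn from an IP outside the organisation's known ranges, followed within minutes by an IMAP MailboxLogin and Update operations on the \Contacts folder from the same IP. The sample records, the user, the IPs and the known-network list are constructed placeholders.

```python
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records (same shape as the quoted audit entries, trimmed to
# the fields used here); the user, IPs and subjects are placeholders, not real data.
SAMPLE_LOG = r"""
{"CreationTime":"2019-01-31T16:30:00","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"user@example.uk","ClientIP":"198.51.100.7","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0"}]}
{"CreationTime":"2019-01-31T17:04:26","Operation":"MailboxLogin","Workload":"Exchange","UserId":"user@example.uk","ClientIPAddress":"203.0.113.25","ClientInfoString":"Client=POP3/IMAP4;Protocol=IMAP4"}
{"CreationTime":"2019-01-31T17:04:26","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"user@example.uk","ClientIP":"203.0.113.25","ExtendedProperties":[{"Name":"UserAgent","Value":"CBAInPROD"},{"Name":"RequestType","Value":"OrgIdWsTrust2:process"}]}
{"CreationTime":"2019-01-31T17:04:51","Operation":"Update","Workload":"Exchange","UserId":"user@example.uk","ClientIPAddress":"203.0.113.25","ClientInfoString":"Client=POP3/IMAP4;Protocol=IMAP4","Item":{"ParentFolder":{"Path":"\\Contacts"},"Subject":"Example Fencing"},"ModifiedProperties":["AbchEmailAddresses","AccountName","Urls"]}
"""
# Assumed: the organisation's usual egress ranges; anything else is "unfamiliar".
KNOWN_NETWORKS = [ip_network("198.51.100.0/24")]

def client_ip(rec):
    # Azure AD records carry ClientIP, Exchange records carry ClientIPAddress.
    return rec.get("ClientIP") or rec.get("ClientIPAddress")

def is_known(ip):
    return any(ip_address(ip) in net for net in KNOWN_NETWORKS)

def ext_prop(rec, name):
    return next((p["Value"] for p in rec.get("ExtendedProperties", []) if p["Name"] == name), None)

def triage(log_text, window=timedelta(minutes=5)):
    """Flag each sign-in from an unfamiliar IP and count what the same IP did next."""
    recs = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    findings = []
    for r in recs:
        if r["Operation"] != "UserLoggedIn" or is_known(client_ip(r)):
            continue
        t0 = datetime.fromisoformat(r["CreationTime"])
        f = {"user": r["UserId"], "ip": client_ip(r), "login_time": r["CreationTime"],
             # CBAInPROD with an OrgIdWsTrust2 request is how legacy (basic) auth shows up here.
             "legacy_auth": ext_prop(r, "UserAgent") == "CBAInPROD",
             "imap_login": False, "contacts_updated": 0}
        for s in recs:
            delta = datetime.fromisoformat(s["CreationTime"]) - t0
            if s is r or delta < timedelta(0) or delta > window:
                continue  # only activity inside the window after this sign-in
            if s["UserId"] != f["user"] or client_ip(s) != f["ip"]:
                continue  # same account, same source IP only
            if s["Operation"] == "MailboxLogin" and "IMAP4" in s.get("ClientInfoString", ""):
                f["imap_login"] = True
            folder = s.get("Item", {}).get("ParentFolder", {}).get("Path")
            if s["Operation"] == "Update" and folder == "\\Contacts":
                f["contacts_updated"] += 1
        findings.append(f)
    return findings
```

Run over a real export, the same function lists every unfamiliar-IP sign-in together with the IMAP and Contacts activity that followed it, which is the pattern to hunt for when triaging a suspected account compromise.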


12 Responses to “Use once” dynamic phishing forensic investigation.

  1. Pingback: “Use once” spear phishing “mail.portalinbox-read.host” | thecomputerperson

  2. Colin Nicol says:

    Hi Computer person. You are obviously wired differently from me. I am a lecturer in Construction, probably totally alien to you. But, and this is a big but, you are a man with massive principles. A man who believes in the right to carry out one’s business without interference from individuals. You defend against people who carry a gene that interferes with the right to go about one’s everyday rights. Thank you for looking out for my rights and everyone else’s. Keep up the great work you do. You certainly do not get the thanks you deserve.


  3. Crimsonfox says:

    Hi ComputerPerson!

    We’ve had another come through today with the following URL

    http://read.gdncdn.com/5c5cb172b83a884374f4c0ff

    No more “.host” but the “/5c” is still there so that’s something

  4. frontline says:

    We have a case open with Three.co.uk CERT. Can you get in touch? Do you use Twitter?
    @frontline_ops would love to hear from you; I have a genuine CSIRT email address also.
    Did you see SVG images taken from institutions? This phishing spread from an initial outside spammer to large-scale spread within sites. It affects dozens and dozens of sites, with IMAP downloads and an objective as yet unknown.

  5. Message sent on Twitter, but as the account is pretty much unused it has probably gone into a spambox?

  6. PhishingAI says:

    Hey, I’m currently tracking this campaign. Have 7 active IP’s and 1000’s of domains. Would like to chat about what you’ve seen.

  7. I’ve emailed you – might have gone into junk?

  8. Pingback: “Use once” dynamic phishing Part 2 | thecomputerperson

  9. JimJam says:

    Dealing with a case very similar to this. Would you have any idea why the attackers may perform a HardDelete on the mailbox as well, for “Path”:”\Inbox”},”Subject”:”Outlook Rules Organizer”?

  10. Check the mailbox for rules to autodelete and maybe forward email.

    Out of interest what keyword did you use to link your attack to this page? (It’s been months since I’ve seen this attack after it being incredibly prevalent).

  11. JimJam says:

    I’m new to BECs and searched for a few of the “ModifiedProperties”, to get a grasp on what they were.
