Researches have disrupted the cloud-based infrastructure used by scammers behind a recent large-scale BEC campaign compromising mailboxes and exfiltrated email data matching forwarding rules.

Initial access gained via phishing The use of attacker infrastructure hosted in multiple web services allowed the attackers to operate stealthily.The attackers performed discrete activities for different IPs and timeframes, making it harder for researchers to correlate seemingly disparate activities as a single operation.

The login info was stolen using phishing messages that redirected the targets to landing pages closely mimicking Microsoft sign-in pages asking them to enter their passwords under a pre-populated username field.
Legacy auth protocols used to bypass MFA
While the use of stolen credentials for compromising inboxes is blocked by enabling multi-factor authentication (MFA), Microsoft also found that the attackers used legacy protocols like IMAP/POP3 to exfil emails and circumvent MFA on Exchange Online accounts when the targets failed to toggle off legacy auth.

Once the user enters the password it gets stolen. The use of stolen credentials for compromising inboxes is blocked by enabling multi-factor authentication (MFA), Microsoft also found that the attackers used legacy protocols like IMAP/POP3 to exfil emails and circumvent MFA on Exchange Online accounts when the targets failed to toggle off legacy auth.

The attackers also used IP address of the several cloud-based infrastructure disrupted by Microsoft to automate operations at scale, including adding the rules, watching and monitoring compromised mailboxes, finding the most valuable victims, and dealing with the forwarded emails.

They also set up DNS records that almost matched those of their victims so that their malicious activity would blend into pre-existing email conversations and evade detection.