Investigating a Sophisticated Business Email Compromise Attack on an Insurance Provider
- Cybersecurity & Privacy - Identity & Authentication Management
- Cybersecurity & Privacy - Intrusion Detection
- Buildings
- Finance & Insurance
- Quality Assurance
- Tamper Detection
- Usage-Based Insurance
- Training
A leading independent insurance broker, specializing in insurance advice for high-value business mergers and acquisitions, was compromised by a cybercriminal. The firm was used as a platform to launch a Business Email Compromise (BEC) attack designed to trick one of its clients into paying two open invoices, with a total value close to £300k, into an alternate bank account. The attack was detected before any payment was made, thanks to a vigilant member of staff at the client company who insisted on verbal verification of the changed financial details before acting on the request. The firm was keen to understand the extent of the compromise and how to safeguard against similar threats in the future, and turned to an expert cybersecurity company to shed light on the events surrounding the attack.
The customer is a leading independent insurance broker based in the UK, specializing in insurance advice for high-value business mergers and acquisitions. As such, it processes a wealth of sensitive client data. Despite maintaining a high level of security, the firm was compromised by a cybercriminal and used as a platform from which to launch the BEC attack against one of its clients.
The firm turned to Redscan, a leading provider of threat detection and response services, to conduct a full forensic investigation. The initial focus of Redscan's assessment was the analysis of email logs for the Office 365 accounts suspected of having been used to instigate the fraud. The team identified that a senior-level employee's account had received a phishing email six weeks before the BEC attack. The email, purporting to be from Microsoft®, claimed that the user's account may have been accessed and asked the user to sign in to review recent activity for security reasons, a lure aimed at capturing the user's sign-in credentials. Redscan's analysis revealed that the attackers then used the information gathered during reconnaissance of the compromised mailbox to craft a chain of spoofed emails that imitated the compromised user and requested payment of the outstanding invoices to a substitute bank account. The six-week gap between the phish and the fraud is characteristic of BEC: the attacker waits, reads the correspondence, and strikes when genuine invoices fall due. The Redscan team produced a formal incident report setting out a full timeline of events, together with recommendations to help the firm prevent and detect similar attacks in future.
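The log analysis described above, as an added example of the triage a responder would run over an Office 365 Unified Audit Log export to build such a timeline. This is illustration code written for this page, not Redscan's tooling, and the case study does not report what the attackers did inside the mailbox; the script therefore checks two indicators that are standard in BEC investigations rather than findings from this case: sign-ins from IP addresses outside a known baseline, and inbox rules that divert or hide payment-related mail so the victim never sees the real correspondence. The field names (CreationTime, Operation, UserId, ClientIP, ResultStatus, Parameters) follow the audit log's export format, but every record, address, mailbox name and date below is constructed.

```python
"""Triage of Office 365 Unified Audit Log records for two BEC indicators:
sign-ins from IP addresses outside a known baseline, and inbox rules that
divert or hide payment-related mail so the victim never sees the real
correspondence. Illustration only: the record layout (CreationTime, Operation,
UserId, ClientIP, ResultStatus, Parameters) follows the Unified Audit Log
export, but every record, address and date below is constructed."""
import json
from datetime import datetime

# Folders attackers commonly pick because users rarely look in them.
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "archive",
                  "deleted items", "junk email", "conversation history"}
# Subject/body words typical of invoice-redirection rules.
FRAUD_KEYWORDS = {"invoice", "payment", "bank", "remittance", "wire"}

# Constructed sample export (JSON lines), deliberately out of time order.
# 203.0.113.10 stands in for the firm's office egress; 198.51.100.77 for the attacker.
SAMPLE_LOG = """\
{"CreationTime": "2021-03-15T08:02:11", "Operation": "UserLoggedIn", "UserId": "cfo@broker.example", "ClientIP": "203.0.113.10", "ResultStatus": "Success", "Workload": "AzureActiveDirectory"}
{"CreationTime": "2021-03-15T11:47:03", "Operation": "New-InboxRule", "UserId": "cfo@broker.example", "ClientIP": "198.51.100.77", "Workload": "Exchange", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;payment;bank details"}, {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}, {"Name": "MarkAsRead", "Value": "True"}, {"Name": "StopProcessingRules", "Value": "True"}]}
{"CreationTime": "2021-03-15T11:39:58", "Operation": "UserLoggedIn", "UserId": "cfo@broker.example", "ClientIP": "198.51.100.77", "ResultStatus": "Failed", "Workload": "AzureActiveDirectory"}
{"CreationTime": "2021-03-15T11:40:21", "Operation": "UserLoggedIn", "UserId": "cfo@broker.example", "ClientIP": "198.51.100.77", "ResultStatus": "Success", "Workload": "AzureActiveDirectory"}
{"CreationTime": "2021-03-15T14:05:30", "Operation": "New-InboxRule", "UserId": "cfo@broker.example", "ClientIP": "203.0.113.10", "Workload": "Exchange", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
"""
KNOWN_IPS = {"203.0.113.10"}  # assumed baseline of legitimate egress addresses


def parse_records(lines):
    """Parse a JSON-lines audit export, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def rule_parameters(record):
    """Flatten the Parameters array of a New-/Set-InboxRule record into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def rule_findings(params):
    """Explain why an inbox rule looks like BEC tradecraft; [] if it does not."""
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if params.get(key):
            reasons.append(f"diverts mail via {key}={params[key]}")
    if str(params.get("DeleteMessage", "False")).lower() == "true":
        reasons.append("deletes matching messages")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDDEN_FOLDERS:
        reasons.append(f"hides matching messages in '{folder}'")
    words = " ".join(params.get(k, "") for k in
                     ("SubjectContainsWords", "BodyContainsWords")).lower()
    hits = sorted(w for w in FRAUD_KEYWORDS if w in words)
    if hits:
        reasons.append("matches payment-related keywords: " + ", ".join(hits))
    return reasons


def login_findings(record, known_ips):
    """Flag failed sign-ins and successful sign-ins from outside the baseline."""
    if record.get("Operation") != "UserLoggedIn":
        return []
    ip = record.get("ClientIP", "?")
    if record.get("ResultStatus", "").lower() != "success":
        return [f"failed sign-in from {ip}"]
    if ip not in known_ips:
        return [f"successful sign-in from unfamiliar IP {ip}"]
    return []


def build_timeline(records, known_ips):
    """Return chronologically sorted (time, user, finding) tuples."""
    timeline = []
    for rec in records:
        when = datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S")
        user = rec.get("UserId", "?")
        reasons = login_findings(rec, known_ips)
        if rec.get("Operation") in ("New-InboxRule", "Set-InboxRule"):
            reasons += [f"{rec['Operation']} from {rec.get('ClientIP', '?')}: {why}"
                        for why in rule_findings(rule_parameters(rec))]
        timeline.extend((when, user, why) for why in reasons)
    return sorted(timeline)


if __name__ == "__main__":
    records = parse_records(SAMPLE_LOG.splitlines())
    for when, user, why in build_timeline(records, KNOWN_IPS):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {user}  {why}")
```

On the sample data the benign newsletter rule produces no finding, while the attacker's rule is flagged twice (it hides mail in RSS Subscriptions and keys on invoice and bank wording), and the failed then successful sign-ins from the unfamiliar address land just before it in the timeline. On a real export the baseline would come from the tenant's sign-in history rather than a hard-coded set, and the same pass should be run across every mailbox in the invoice thread, not only the one first suspected.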