Ankura has seen an increase in threat actors utilizing Amazon AWS, Google Cloud, and Microsoft Azure to obfuscate their malicious activities and make the traffic appear legitimate. So, what does this look like?
It’s Friday afternoon (as usual), and you have just been notified that one of your co-workers has experienced a business email compromise (BEC). You have located the victim account, had the user change their password, and hopefully turned on Multi-Factor Authentication (MFA) if not already enabled. You have instructed your Information Technology (IT) department to blacklist the obviously suspicious IP addresses, but what about those IP addresses that show an Internet Service Provider (ISP) of “MICROSOFT-CORP-MSN-AS-BLOCK”? It’s Microsoft, and Microsoft should be a safe IP address, right?
It may seem like normal practice, or even natural instinct, not to be overly concerned about connections from “MICROSOFT-CORP-MSN-AS-BLOCK,” but as technology and the security tools we rely on keep changing, threat actors adapt and come up with new ways to bypass security controls. Detection methods such as blacklisting foreign IP addresses or alerting on impossible travel have pushed threat actors toward proxy and VPN IP providers, and sometimes even toward paying for cloud services.
During a recent BEC investigation, the victim account did not appear to have any obviously unauthorized connections. All IP addresses were local to the user, apart from some connections from “MICROSOFT-CORP-MSN-AS-BLOCK,” which are not unusual to see: Microsoft has been known to connect to accounts for “housekeeping” purposes, so these connections are not always the result of user interaction. However, a closer inspection of the activity timeline showed several connections from a Microsoft IP address at the same time that a mass of phishing emails was sent out from the victim account. Now, why in the world would “MICROSOFT-CORP-MSN-AS-BLOCK” be sending out a mass number of phishing emails?
We began testing with a Virtual Machine (VM) in our own Microsoft Azure cloud account and found that the IP address assigned to the VM shows the same ISP, MICROSOFT-CORP-MSN-AS-BLOCK, as the connections Microsoft services make to the account. This is definitely something to watch for in a BEC. As more and more threat actors look for ways to obfuscate their activities and identities, we will certainly see increased threat actor activity associated with IPs from cloud service providers such as Microsoft Azure, Amazon AWS, and Google Cloud.
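As an added example, not part of Ankura's post or its tooling, the Python below applies the timeline check described above to constructed sign-in and message-trace records: a sign-in from a cloud-provider ASN is reported only when the same account sends an unusual volume of outbound mail shortly afterwards, so Microsoft's quiet housekeeping connections go unflagged while a burst of mail behind an Azure-hosted sign-in surfaces. The account, IP addresses, timestamps, the AWS and Google Cloud ASN names, and the 15-minute window and 20-recipient threshold are all assumptions.

```python
from datetime import datetime, timedelta

# ASN names of the three cloud providers the article names. The Microsoft one
# is the name observed in the investigation; the AWS and Google Cloud entries
# are assumed here and should be checked against your own enrichment source.
CLOUD_ASN_NAMES = {
    "MICROSOFT-CORP-MSN-AS-BLOCK",  # Microsoft services and Azure VMs alike
    "AMAZON-02",                     # Amazon AWS
    "GOOGLE-CLOUD-PLATFORM",         # Google Cloud
}

# Constructed sample sign-in log: (timestamp, account, source IP, ASN name).
# 14:20 mimics a quiet Microsoft "housekeeping" connection; 15:40 mimics a
# threat actor signing in from an Azure VM, which carries the same ASN name.
SIGNINS = [
    ("2023-06-09T13:02:00", "jdoe@example.com", "203.0.113.10", "EXAMPLE-LOCAL-ISP"),
    ("2023-06-09T14:20:00", "jdoe@example.com", "198.51.100.7", "MICROSOFT-CORP-MSN-AS-BLOCK"),
    ("2023-06-09T15:40:00", "jdoe@example.com", "198.51.100.9", "MICROSOFT-CORP-MSN-AS-BLOCK"),
]

# Constructed sample message trace: (timestamp, sender, recipient count).
# Two ordinary messages, then 25 messages to 3 recipients each within ten
# minutes of the 15:40 sign-in (the "mass number of phishing emails").
SENT_MAIL = [
    ("2023-06-09T13:05:00", "jdoe@example.com", 1),
    ("2023-06-09T13:30:00", "jdoe@example.com", 2),
] + [("2023-06-09T15:%02d:00" % (41 + i // 3), "jdoe@example.com", 3) for i in range(25)]


def cloud_signin_mail_bursts(signins, sent_mail, window=timedelta(minutes=15), threshold=20):
    """Return sign-ins from a cloud-provider ASN that are followed, within
    `window`, by at least `threshold` outbound recipients from the same account.
    A cloud-ASN sign-in on its own is not reported, because Microsoft's own
    service connections look identical in the ISP field; the mail burst is
    the corroborating artifact."""
    findings = []
    for ts, account, ip, asn in signins:
        if asn not in CLOUD_ASN_NAMES:
            continue
        start = datetime.fromisoformat(ts)
        end = start + window
        recipients = sum(
            n for mts, sender, n in sent_mail
            if sender == account and start <= datetime.fromisoformat(mts) <= end
        )
        if recipients >= threshold:
            findings.append({"account": account, "ip": ip, "asn": asn,
                             "signin": ts, "recipients_in_window": recipients})
    return findings
```

Run against real data, feed it the tenant's sign-in log and message trace in the same tuple shape and tune the window and threshold to the account's normal sending volume.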
- Just because an ISP has a name we recognize does not mean we can assume it is good.
- If something does not seem right, keep looking at the artifacts to get more detail.
- Threat actors are constantly evolving, and we cannot assume that they are unwilling to change their tactics and procedures to become more successful in their nefarious activities.
The Ankura Global Incident Response Team has experience investigating all sizes of business email compromises on any email platform. They can be engaged 24-7 by emailing firstname.lastname@example.org.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.