Threats tend to become more advanced over time. That is the case with business email compromise (BEC) scams, which, according to a SlashNext post, cost companies billions of U.S. dollars in losses per year.
BEC scams are bound to continue affecting organizations worldwide, given the continued rise in the number of complaints the FBI IC3 receives with each passing year. But organizations can lessen their chances of ending up as victims by using DNS tools to identify potential threat vectors before they are weaponized. The following study by Mitiga on an advanced BEC scam targeting executives by exploiting a Microsoft 365 design flaw demonstrates how.
Using the seven indicators of compromise (IoCs) identified in the report as expansion analysis jump-off points, we found an additional:
All these artifacts could serve as potential BEC scam vehicles specific to the featured campaign.
A sample of the additional artifacts obtained from our analysis is available for download from our website.
The post about the recent BEC scam identified seven IoCs—four IP addresses and three domains, namely:
WHOIS lookups for the three domains revealed that they were created between 2019 and 2022. Each domain registrant indicated a different country—the U.S. for web[.]app, the U.K. for awin1[.]com, and Iceland for lointree[.]com.
IP geolocation lookups, meanwhile, for the four IP addresses pointed to three countries—one (139[.]99[.]6[.]158) for Singapore, two (154[.]6[.]17[.]158 and 20[.]245[.]118[.]47) for the U.S., and one (5[.]31[.]10[.]180) for the U.A.E.
We began our threat expansion by subjecting the three domains identified as IoCs to DNS lookups, which allowed us to identify five IP addresses that aren’t part of the original IoC list, making our total number of IP hosts nine. All five additional IP addresses were geolocated in the U.S. like two of the IoCs.
Reverse IP lookups for the nine IP addresses revealed that three did not have resolutions, one was a dedicated host, and the remaining five were shared hosts. Said lookups also led to the discovery of 761 domains, one of which—01lvnohlp0n[.]info—turned out to be malicious.
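The pivot described above (forward-resolve the IoC domains, merge the resulting IPs with the IoC IPs, then reverse-resolve every IP to find co-hosted domains and classify each host as unresolved, dedicated, or shared) as an added, runnable example; it is not code from the original post or from WhoisXML API. The resolver is a constructed in-memory table standing in for real DNS or passive-DNS lookups, and every domain, IP address, and "known bad" tag in it is made up and is not one of the report's IoCs.

```python
"""IoC expansion by DNS pivoting (added example; constructed data only)."""
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Set


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as web[.]app into its resolvable form."""
    return ioc.replace("[.]", ".")


def defang(ioc: str) -> str:
    """Defang an indicator for safe inclusion in reports: web.app -> web[.]app."""
    return ioc.replace(".", "[.]")


# Constructed forward-DNS table (domain -> A records). Hypothetical values,
# using RFC 5737 documentation ranges and the reserved .test TLD.
FORWARD_DNS: Dict[str, List[str]] = {
    "example-ioc-one.test": ["203.0.113.10", "203.0.113.11"],
    "example-ioc-two.test": ["203.0.113.12"],
    "example-ioc-three.test": [],           # domain with no A record
    "cohosted-a.test": ["203.0.113.10"],    # shares a host with ioc-one
    "cohosted-b.test": ["203.0.113.11"],    # shares a host with ioc-one
    "cohosted-d.test": ["198.51.100.6"],    # sole tenant of an IoC IP
}

# Constructed "starting" IoCs, written defanged as they would appear in a report.
IOC_DOMAINS = ["example-ioc-one[.]test", "example-ioc-two[.]test",
               "example-ioc-three[.]test"]
IOC_IPS = ["198[.]51[.]100[.]5", "198[.]51[.]100[.]6"]

# Constructed threat-intel tag set (stand-in for a malicious-domain feed).
KNOWN_BAD: FrozenSet[str] = frozenset({"cohosted-b.test"})


def build_reverse_index(forward: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Invert the forward table so each IP maps to the domains hosted on it."""
    reverse: Dict[str, Set[str]] = defaultdict(set)
    for domain, ips in forward.items():
        for ip in ips:
            reverse[ip].add(domain)
    return reverse


def expand_iocs(ioc_domains: Iterable[str], ioc_ips: Iterable[str],
                forward: Dict[str, List[str]] = FORWARD_DNS,
                known_bad: FrozenSet[str] = KNOWN_BAD) -> dict:
    """Run the domain -> IP -> domain pivot and return the expanded artifact set."""
    domains = {refang(d) for d in ioc_domains}
    ips = {refang(i) for i in ioc_ips}

    # Step 1: DNS lookups on the IoC domains yield IPs not in the original list.
    new_ips: Set[str] = set()
    for domain in domains:
        new_ips.update(forward.get(domain, []))
    new_ips -= ips
    all_ips = ips | new_ips

    # Step 2: reverse IP lookups classify each host and surface co-hosted domains.
    reverse = build_reverse_index(forward)
    host_type: Dict[str, str] = {}
    discovered: Set[str] = set()
    for ip in sorted(all_ips):
        hosted = reverse.get(ip, set())
        if not hosted:
            host_type[ip] = "no-resolution"
        elif len(hosted) == 1:
            host_type[ip] = "dedicated"
        else:
            host_type[ip] = "shared"
        discovered |= hosted

    # Step 3: keep only domains that were not already IoCs, then check tags.
    new_domains = discovered - domains
    return {
        "new_ips": new_ips,
        "all_ips": all_ips,
        "host_type": host_type,
        "new_domains": new_domains,
        "flagged": new_domains & set(known_bad),
    }


if __name__ == "__main__":
    result = expand_iocs(IOC_DOMAINS, IOC_IPS)
    print("IP hosts after expansion:", len(result["all_ips"]))
    for ip, kind in result["host_type"].items():
        print(f"  {defang(ip)}: {kind}")
    print("Newly discovered domains:", sorted(defang(d) for d in result["new_domains"]))
    print("Tagged malicious:", sorted(defang(d) for d in result["flagged"]))
```

With a real data source, `FORWARD_DNS` would be replaced by forward and reverse lookups against a passive-DNS or reverse-IP API; the classification and set logic stays the same. Note that shared hosts dominate the expanded list on most hosting providers, so co-hosted domains are leads for monitoring, not verdicts.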
The Mitiga analysis of the BEC scam stated the threat actors spoofed a company named Foobar in their campaign. We sought to identify how many existing domains contained the string foobar, which may be weaponized for future use. Our Domains & Subdomains Discovery search uncovered 1,272 domains, eight of which turned out to be malware hosts. Three of them are currently parked and available for purchase while one has already been purchased and is undergoing website development.
The in-depth threat analysis also mentioned the threat actors’ use of DocuSign. A Domains & Subdomains Discovery search for domains containing the string docusign led to the discovery of 2,545 domains, 43 of which have been categorized as malicious. Only one—docusignbusiness[.]com—continued to host live content despite the appearance of an error message regarding a specific page.
In addition, only 100 of the docusign-containing domains could be publicly attributed to DocuSign, Inc. The remaining 2,445 domains could be cybersquatting domains serving as potential hosts for supposed documents the victims need to sign that actually deliver malware.
The BEC scammers also reportedly abused Outlook 365 in their campaign. Another Domains & Subdomains Discovery search for domains containing the string outlook gave us a list of at least 10,000 domains, 30 of which have already been tagged as malicious. Specifically, 22 of the domains were malware hosts while the remaining eight were spam senders.
Very few of the malicious pages, such as outlook-team[.]ru and o365-outlook[.]com, remained accessible. Take a look at their screenshots below.
The third live malicious website—outlooklive[.]org—showed a warning page to potential visitors.
Additionally, only 117 of them could be publicly attributed to Microsoft. As such, threat actors could be using the remaining 9,883 domains to spoof legitimate companies using Outlook 365 for their BEC scams.
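The brand-string searches and attribution checks above (foobar, docusign, and outlook domains, split into those publicly attributable to the brand owner and those that are not, with malicious categories counted) as an added example of how a defender can turn that output into an inbound-mail screening rule; this is not code from the original post or from WhoisXML API. The domain list, registrant organizations, and malware/spam categories are constructed sample data, not the report's results, and the brand-owner mapping is an assumption for illustration.

```python
"""Brand-keyword domain triage for BEC defense (added example; constructed data)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DomainRecord:
    name: str
    registrant_org: Optional[str]   # WHOIS registrant organization; None if redacted
    category: Optional[str]         # e.g. "malware" or "spam"; None if not categorized


# Constructed output of a keyword search over a domain feed (hypothetical).
SAMPLE_DOMAINS: List[DomainRecord] = [
    DomainRecord("docusign.com", "DocuSign, Inc.", None),
    DomainRecord("docusign.net", "DocuSign, Inc.", None),
    DomainRecord("docusign-business-review.test", None, "malware"),
    DomainRecord("secure-docusign-login.test", "Privacy Service", None),
    DomainRecord("outlook.com", "Microsoft Corporation", None),
    DomainRecord("outlook-team.test", "Unknown Org", "malware"),
    DomainRecord("o365-outlook.test", None, "spam"),
    DomainRecord("unrelated-shop.test", "Shop Ltd", None),
]

# Assumed mapping of brand string -> registrant organizations considered legitimate.
BRAND_OWNERS: Dict[str, Set[str]] = {
    "docusign": {"DocuSign, Inc."},
    "outlook": {"Microsoft Corporation"},
}


def find_brand_domains(records: Iterable[DomainRecord], keyword: str) -> List[DomainRecord]:
    """Equivalent of a 'domains containing the string' search."""
    key = keyword.lower()
    return [r for r in records if key in r.name.lower()]


def split_by_attribution(records: Iterable[DomainRecord], keyword: str,
                         owners: Dict[str, Set[str]]
                         ) -> Tuple[List[DomainRecord], List[DomainRecord]]:
    """Separate keyword domains publicly attributable to the brand from the rest."""
    attributed, unattributed = [], []
    for rec in find_brand_domains(records, keyword):
        if rec.registrant_org in owners.get(keyword.lower(), set()):
            attributed.append(rec)
        else:
            unattributed.append(rec)
    return attributed, unattributed


def malicious_counts(records: Iterable[DomainRecord]) -> Dict[str, int]:
    """Count categorized domains per category (malware hosts, spam senders, ...)."""
    counts: Dict[str, int] = {}
    for rec in records:
        if rec.category:
            counts[rec.category] = counts.get(rec.category, 0) + 1
    return counts


def sender_domain_risk(sender: str, records: Iterable[DomainRecord],
                       owners: Dict[str, Set[str]]) -> str:
    """Screen an inbound From: address against the brand-domain triage.

    Returns one of: "attributed" (registered to the brand owner),
    "known-malicious" (already categorized), "unattributed-review"
    (brand string present but not attributable), "no-brand-match".
    """
    domain = sender.rsplit("@", 1)[-1].lower().strip(">")
    by_name = {r.name.lower(): r for r in records}
    for keyword, legit_orgs in owners.items():
        if keyword not in domain:
            continue
        rec = by_name.get(domain)
        if rec is not None and rec.registrant_org in legit_orgs:
            return "attributed"
        if rec is not None and rec.category:
            return "known-malicious"
        return "unattributed-review"
    return "no-brand-match"


if __name__ == "__main__":
    for keyword in BRAND_OWNERS:
        attributed, unattributed = split_by_attribution(SAMPLE_DOMAINS, keyword, BRAND_OWNERS)
        print(f"{keyword}: {len(attributed)} attributed, {len(unattributed)} unattributed,"
              f" categories {malicious_counts(find_brand_domains(SAMPLE_DOMAINS, keyword))}")
    for addr in ["billing@docusign.com", "esign@secure-docusign-login.test",
                 "support@outlook-team.test", "orders@unrelated-shop.test"]:
        print(f"{addr}: {sender_domain_risk(addr, SAMPLE_DOMAINS, BRAND_OWNERS)}")
```

Substring matching is deliberately broad, mirroring the searches in the post; it produces the large unattributed sets the text reports, so "unattributed-review" should feed a quarantine or analyst queue rather than an automatic block, and the attribution table needs refreshing as WHOIS data changes.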
The domains that resulted from our IoC expansion could serve as potential BEC scam or phishing vectors that could be closely monitored for signs of suspicious activity.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.