Why is my Outlook account named “ADMIN SERVICE”? — A story of a threat actor group from Nigeria and the compromise of an Outlook account
--
The Incident:
Outlook’s spam filtering and threat detection leaves a lot to be desired as typical phishing emails still reach the user’s inbox. In this article, I present a small phishing incident and describe the method of operation of a particular threat actor group.
For anonymity, let’s call this friend “Bob”. Bob is an average user with rudimentary knowledge of phishing attacks and runs his own business. On 14th April 2021, Bob received an email from an account named “ADMIN SERVICE” with the email address “macb***[@] msn.com”. The email is titled “Mail updates ready for you” as shown in the screenshot below.
Bob opens the email and begins to panic as Microsoft is indicating that they will stop processing his emails if he doesn’t verify his account. As a small business owner, Bob can’t risk this happening to his account as he conducts a lot of his formal communications with customers over email. Let’s pause for a moment to highlight some key observations from this email:
- The Sender’s Name: “ADMIN SERVICE” — Imitation of a service mailbox typically associated with sending service messages.
- The Sender’s Email: “macb***[@]msn.com” — A real MSN email address. A check on HaveIBeenPwned (shoutout to these guys) reveals that this account has been compromised in the past- “Pwned in 13 data breaches and found 1 paste”.
- The To Field: “window[@]notification.com” and “window[@]update.com”
- The Subject: Mail updates ready for you: Doesn’t e-mail update automatically? Am I waiting on a carrier pigeon?
- The Contents: The contents displayed are not actually text, but rather an image with text that is hyperlinked. The text contains numerous grammatical errors and triggers a sense of urgency.
- The Hyperlink: The image in (5) hyperlinks to https://www[.]notion[.so]/0utlook-Verification-beb9edea68274ff491c58da77e3e27c9
To a trained user, this is an obvious phishing email as the combination of spelling errors, subject, sender and title all look malicious. While the sender’s email is legitimate, this email may have been compromised as part of another attack and under the control of a threat actor. However, Bob clicks the link included in the email and is directed to the site below.
Bob clicks proceed anyway and is presented with the below page:
He then clicks the “Click here to verify your account” and the below link is opened in a new tab: https://ms-zqgr[.]weebly[.]com/
Bob enters his credentials and is immediately routed to his Outlook inbox. Let’s pause again and analyze the websites to highlight some key observations:
- First Link (Notion.so): The first link directs to a workspace on a platform named “Notion.so”. This workspace first warns the user that the page was indeed flagged as unsafe but allows the end user to proceed anyway if they trust the site. When the victim proceeds to the malicious site, they are presented with another link to click. The word “0utlook” is spelt wrong presumably to evade detection.
- Second Link (Weebly Website): The second link directs to a website on Weebly, a platform used to create websites. This site presents a simple login page with the Microsoft logo at the top left corner. Upon entering credentials, the victim is then directed to their inbox on Outlook.com.
The use of these links and platforms are presumed to be attempts to bypass Outlook’s and Chrome’s URL filtering, which as at the time of writing, does not block these links.
Identification:
Bob continues about his week feeling content that his Microsoft account will not be deleted from their databases and can continue running his business. A week passes and Bob realizes that no emails are reaching his mailbox as his clients have been complaining that they are unable to reach him via this medium. Bob gives Justin access to his laptop and asks him to take a closer look.
Containment and Eradication:
The first observation was that Bob’s email account has been renamed to “ADMIN SERVICE”. Upon checking his deleted items, there are several emails from customers that have been marked as read and deleted. Under his sent items, there are legitimate emails as well as emails similar to the phishing email above sent to hundreds of other users using BCC.
Bob’s account was breached.
The attackers made several changes to the account which needed to be reversed:
- Name: The name of the account was renamed from the victim’s name to “ADMIN SERVICE” to presumably use the compromised account as part of further attacks.
- Rules: New rules were set up to mark all incoming emails as read and divert it to the deleted folder. Presumably to reduce the likelihood that the victim realizes that emails are being sent to hundreds of addresses, many of which will bounce for various reasons.
Recovery:
To recover from the incident, the following actions were taken:
- Change password: The attackers didn’t change the user’s password, presumably not to alert that the account was compromised or risk locking the account in a state which cannot be logged into without needing access to the recovery email.
- Enable Multi-factor authentication using the Authenticator app.
- Signing out all devices
- Renaming the account to the original name
- Removing the email rule.
Further Investigation:
The Microsoft Account activity logs confirmed that the email above was the source of the compromise as the links included were accessed on the date the email was received.
No other unusual links were accessed prior to, or during the dwell time (time between initial compromise and execution of a further attack) of six (6) days for which the attackers presumably had access to the compromised account.
The sign-in activity logs painted a clearer timeline of the attack.
While credentials were entered on April 14, the actors waited till the next day to test the credentials using presumably an Exchange email client to reduce the risk of detection or to group with other compromised accounts.
The attackers waited until April 20th to begin executing the attack where emails were sent en-mass to mailing lists thus continuing the cycle. Each of the six (6) logins were associated with different IP addresses listed below:
- 105.112.53.227
- 105.112.42.43
- 105.112.153.168
- 105.112.78.63
- 105.112.153.168
- 105.112.79.252
These IPs belong to a block assigned to Airtel Networks Limited in Nigeria. Bob resides in Trinidad and Tobago and cannot travel to Nigeria (and probably would not as Nigeria is not on his list of vacation destinations) due to travel restrictions. He has no history of using VPNs to change his location nor has he traveled in the past year. A check on HaveIBeenPwned indicates that Bob’s email address is not part of a known data breach (kudos to Bob!).
Lessons Learnt:
While we place a lot of trust in security systems to protect us, security awareness is a must for everyone; learning to identify a phishing email can be the difference between being safe and being compromised. This article shows how controls can be bypassed using creative techniques by threat actors and how simple controls (e.g. detecting and blocking malicious logins from two locations which are not physically possible to travel between in a reasonable time) are often either not implemented, or not effective.
Looking back, multi factor authentication may have stopped the attackers from being able to utilize the credentials received.
This article also exposes the method of operation of a particular threat group possibly based in Nigeria. The attack does not seem targeted to a particular person; the group likely obtained a list of emails using OSINT or breaches and aims to compromise as many accounts as possible. The possibility of business email compromise is still likely with those victims who process wire transfers as the attackers likely monitored the victims’ mailbox for some time before executing any attack.
