Security operations · 2 MIN READ · JONATHAN HENCINSKI, JENNIFER MAYNARD, RAY PUGH, KYLE PELLETT, ANDREW BENTLE, DAVID BLANTON, DESHAWN LUU AND BEN BRIGIDA · JUL 27, 2022 · TAGS: MDR
In July 2022, our security operations center (SOC) observed Business Email Compromise (BEC) attacks across multiple customer environments, targeting access to human capital management systems—specifically, Workday.
The goal of these attacks? Payroll and direct deposit fraud.
In this post, we’ll share the attack chain we’ve seen across multiple environments and high-level tips for spotting this class of fraud.
How they get in
An attacker begins by compromising a user’s Microsoft Office 365 (O365) or Okta account, often using BasicAuthentication (BAV2ROPC, IMAP, POP3) to bypass multi-factor authentication (MFA)—usually occurring from VPN and hosting IPs.
From there, attackers can access the victim’s Workday account directly through Okta, the compromised password, or a password reset email.
In scenarios where the attacker compromises an O365 account and doesn’t have direct access to Workday via single sign on (SSO), an attacker will read available documentation on payroll systems and new employee payroll enrollment. The goal, in most cases, is to identify how to gain access to human capital management systems using new employee setup procedures, or password reset requests.
(Side note: we’ve also seen cases where attackers don’t use BasicAuthentication, and the compromised user authorizes an MFA notification for the attacker using brute force Duo push requests. This involves an attacker continuously sending Duo push notifications to the victim until they accept.)
Attackers can then create inbox rules within the compromised user’s email account to delete or move emails related to workday.com, myworkday.com, and/or emails with keywords (like “payroll” or “assistance needed”).
To prolong this access, attackers can enroll trusted devices through an organization’s mobile or endpoint device management platform (for example, Microsoft InTune).
Now, the attacker can modify the compromised user’s settings to add the attacker’s direct deposit information—depositing the victim’s paycheck into the attacker’s account.
How to spot it
So what can you do to detect—and hopefully prevent—these costly attacks? Here’s what we recommend:
For security teams:
- Alert for new Outlook Inbox-rules created with suspicious names (two to three characters in length, or repeating characters could be a clue). Also watch out for certain keywords, like “payroll” and “Workday”
- Alert for multiple Okta sessions from the same user with multiple, non-mobile operating systems
- Alert for potential brute force Duo push requests
- Review any authentication using legacy protocol (UA = Bav2ropc) into O365 as it may represent MFA bypass. (P.S. Have you disabled legacy protocols yet?)
For employees (if you notice your paychecks aren’t correct):
- First, log into your payroll platform and check your paycheck. Check that the amounts are correct and are distributed to your legitimate bank accounts.
- Check the rules for your Outlook Inbox for any abnormal or suspicious rules you didn’t set up. Click “File” and then “Rules & Alerts” to review the rules you’ve implemented.
- If anything is incorrect, alert your security team immediately.
- If you get locked out of your account for an unknown reason, check your deposit information immediately when you regain access.
For businesses, the impact of this likely varies based on size. A large business may have more of a safety net when it comes to resources to compensate employees that have been compromised. A smaller operation might suffer more if it boils down to lack of funds—not to mention, the loss of the employee who was victimized in the first place.
Our most recent quarterly threat report revealed 57% of all incidents our SOC observed were BEC attempts in O365—with 24% of our customers experiencing at least one BEC attempt in O365.
We’re sharing this information to raise awareness on this class of fraud, help defenders spot it in the wild, and as a reminder that effective security operations is so much more than just protecting the endpoint.