The FBI is investigating the global campaign in which millions of dollars have been stolen from at least 150 victims.

The FBI is investigating a global business email compromise (BEC) campaign that has netted cybercriminals at least $15 million in illicit proceeds. On Wednesday, cybersecurity researchers from Mitiga said the campaign, which is ongoing, uses social engineering techniques to impersonate senior executives using Microsoft Office 365 email services.

In what is known as a homograph technique, the website addresses used to impersonate a company include alterations made via letters or symbols that would be difficult to spot — such as the difference between ‘,’ and ‘” If a victim accepted a phishing message and unwittingly executed a payload, this could also lead to their inboxes becoming compromised.

When conversations were intercepted via compromised accounts, the attackers used a forwarding rule to bounce all communication back to another attacker-controlled account.  “This provided the threat actor with full visibility of the transaction and allowed for the introduction of the fake domain at just the right moment, i.e., when the wire transfer details were provided,” the company added.

What to do?

The organization needs a policy and training to advise email users of phishing activities.  Train employees not to open emails which are from unknown sources.  Advise employees to check the email address and URLs of emails from unknown sources.

It’s recommended that users are wary of documents asking them to enable macros, especially if it’s from an untrusted or unknown source. Businesses can also disable macros by default.

Organizations should also ensure that operating systems and software are both patched and up-to-date as this can really help to stop malware being successful as many attacks use known vulnerabilities that can readily be patched against.

What can you do to when this happens to you?

Restore the system from a known uninfected backup.


This USVBA Cyber Alert is provided by our partner, 171 Comply. Please visit their website to learn more about CMMC and their services.