In the realm of cyber security threats, one concerning trend is the rise of Business Email Compromise (BEC). A key facilitator of this tactic is Perfect Data Software, initially designed innocuously for mailbox backup, it has seen a rise in exploitation by threat actors. Integrated into Microsoft 365/Azure systems, this software enables the covert extraction of mailbox data, such as email messages, contact lists, attachments and calendar items, leading to potential data breaches and compliance issues.
Understanding the Threat Landscape
In recent incidents handled by norm.‘s Incident Response Team, the techniques employed by threat actors have been alarmingly consistent. Phishing emails serve as the initial vector, luring unsuspecting targets to divulge their Office 365 credentials. Armed with these credentials, and leveraging Perfect Data Software, threat actors infiltrate compromised accounts, using an email backup to siphon off sensitive mailbox contents. The repercussions are extreme, ranging from financial fraud to extortion, highlighting the urgency of addressing this threat.
norm. has seen several such incidents where the threat actor has utilised ‘PERFECTDATA SOFTWARE’ and ‘Email Backup Wizard’ to exfiltrate mailbox data.
Despite its seemingly benign façade, Perfect Data Software’s integration capabilities and broad access permissions make it a potent weapon in the hands of malicious actors.
Unveiling the Attack Vector
The attack vector employed by threat actors follows a well-defined sequence of events:
- Phishing Email Delivery: Targets receive phishing emails, enticing them to divulge their Office 365 credentials.
- Credential Harvesting: Target interacts with phishing email and is directed towards a phishing site which harvest O365 credentials, granting threat actors access to compromised accounts.
- Perfect Data Software Integration: Threat actors utilise Perfect Data Software to obtain full mailbox access to the compromised O365 identity and exfiltrate mailbox data as a PST file.
It is important to note that if the compromised O365 account has administrator rights, then all mailboxes in the environment can be accessed using application impersonation rights.
Mitigating the Threat
In light of this escalating threat, proactive measures are imperative to mitigate the risk of BEC incidents. norm. recommends:
- Continuous Monitoring: Leveraging Managed Detection and Response (MDR) services for vigilant monitoring and rapid incident response.
- Enhanced Authentication Controls: Reviewing and monitoring high-risk sign-ins to detect suspicious activity promptly.
- Granular Consent Management: Monitoring and restricting consent grants for applications, particularly those with elevated permissions.
- Enterprise App Registration Restrictions: Implementing controls to restrict users from registering enterprise apps within Office 365, mitigating the risk of unauthorised access.
Responding to the Threat
While there are some legitimate use cases for Perfect Data Software, our intelligence suggests that all instances of this application should be treated with caution. In the event of detecting this application within your environment, swift action is paramount:
- Engage Incident Response: Contact norm.‘s CSIRT for immediate support and initiation of investigation procedures.
- Application Disabling: Disable the application promptly to prevent further unauthorised access (don’t delete!)
- User Review and Disabling: Review and disable all users assigned to the application, considering them compromised entities.
Conclusion: Navigating the Threat Landscape
As the threat landscape evolves, so must our defences against sophisticated adversaries. By staying vigilant, leveraging advanced detection mechanisms, and fostering a culture of cyber security awareness, organisations can fortify their resilience against BEC and similar threats. Together, we can navigate the complexities of modern cyber security and safeguard our digital assets against evolving threats.
Written by Ryan O’Leary
Ryan O’Leary is an Incident Response & Threat Hunting analyst who brings his expertise to norm.‘s Incident Response function, providing detailed analysis and forensic investigations helping our clients get back on their feet following a breach. Ryan brings his experience to the role from previously working within norm.‘s SOC.