Hello and welcome to the Friday, December 6, 2024 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Timing is everything in particular when it comes to defenses, being able to outrun the attacker as

their scheme unfolds. Got an interesting blog post here by one of our interns, Chris Kobe.

Chris is writing about business email compromise and well, unlike other interns, this is not Honeypot data, but data from an actual

business email compromise. Apparently, this all started on the 20th of May the overall scheme,

took about three days to unfold, and in the end end did result in a successful payment that the attacker

was able to trigger. One important rule that actually led to the detection of the attack

is the creation of a new inbox rule. These inbox rules, well, they are somewhat common.

People like to filter inboxes.

Apparently what the attacker did here was just send email with a specific pattern to an RSS feed box.

So didn't forward it to an external email address, which these days is often blocked in a better defended organization, and may likely also lead to more actionable alerts.

But I like how sort of the different phases of the attack are being laid out here.

I think the real detection here comes sort of from detecting the overall behavior,

not from looking for one specific alert.

And again, from a prevention point of view, just setting up these inbox rules could potentially be used.

If you block these inbox rules, well, the attack wouldn't work.

But that again, maybe a little bit too burdensome to your users.

The diary also summarized the lessons learned and some other technical steps that were taken to mitigate a repeat of an attack like this.

Well, whenever I mention Watchtower Labs, you probably know by now that there is probably an interesting

exploit coming. This time it's in MyTEL's My Collab.

MyTel is a company that deals most in voice over IP and similar solutions.

...