
Investigating a Sophisticated Email Business Compromise Attack on an Insurance Provider

Redscan
Cybersecurity & Privacy - Identity & Authentication Management
Cybersecurity & Privacy - Intrusion Detection
Buildings
Finance & Insurance
Quality Assurance
Tamper Detection
Usage-Based Insurance
Training

A leading independent insurance broker, specializing in providing insurance advice for high-value business mergers and acquisitions, was compromised by a cybercriminal. The firm was used as a platform to launch a Business Email Compromise (BEC) attack, designed to trick one of its clients into paying two open invoices, with a total value close to £300k, into an alternate bank account. The attack was detected before any payment was made, thanks to a vigilant member of staff from the client company who insisted on verbal verification of the financial details supplied. However, the firm was keen to understand the extent of the compromise and how to safeguard against similar threats in the future. They needed support from an expert cybersecurity company to help shed light on events surrounding the attack.


The customer is a leading independent insurance broker based in the UK. They specialize in providing insurance advice for high-value business mergers and acquisitions. As such, they process a wealth of sensitive data. Despite maintaining a high level of security, they were compromised by a cybercriminal and used as a platform to launch a Business Email Compromise (BEC) attack. The firm was keen to understand the extent of the compromise and how to safeguard against similar threats in the future. They needed support from an expert cybersecurity company to help shed light on events surrounding the attack.


The firm turned to Redscan, a leading provider of threat detection and response services, to conduct a full forensic investigation. The initial focus of Redscan’s assessment was the analysis of email logs relating to the Office 365 accounts suspected of being used to instigate the fraud. The team identified that a phishing email had been received by a senior-level employee's account six weeks prior to the BEC attack. The phishing email, purporting to be from Microsoft®, claimed that the user’s account may have been accessed and requested that the user sign in to review activity for security reasons. Redscan's analysis revealed that the attackers had used the information gathered in reconnaissance to create a chain of spoof email communications designed to imitate the compromised user and request payment of the outstanding invoices to a substitute bank account. The Redscan team produced a formal incident report outlining a full timeline of events and included recommendations to help the firm prevent and detect future attacks.


The firm was able to gain a comprehensive understanding of the extent of the compromise and the methods used by the attackers. This knowledge was invaluable in helping them to safeguard against similar threats in the future. The firm was also able to implement the recommendations provided by Redscan, including the use of Office 365 Secure Score, full mailbox audit logging, enabling multi-factor authentication, proactive network and endpoint monitoring, blocking malicious IPs, and reviewing staff training needs. These measures significantly improved the firm's security posture and reduced the risk of staff falling victim to BEC attacks.

The attack was detected before any payment was made, preventing a potential loss of nearly £300k.

The firm was able to lock down the compromised account and enforce multi-factor authentication for all Office 365 users, effectively preventing subsequent malicious login attempts.

The Redscan team identified and disabled email forwarding, safely containing the attack.
