Hackers Leveraging Compromised Email Server To Send Fraudulent Emails
In a sophisticated business email compromise (BEC) attack recently uncovered by the Trend Micro Managed XDR team, threat actors exploited a compromised third-party email server to conduct fraudulent financial transactions between business partners.
The scheme, which unfolded over several days, involved manipulating email conversations between three business partners, ultimately leading to funds being transferred to accounts controlled by the attackers.
This attack represents an advanced version of typical BEC schemes.
Rather than simply sending fraudulent emails, the threat actors patiently inserted themselves into legitimate email threads between business partners, gradually replacing recipient addresses with their own controlled accounts while maintaining the appearance of normal communication.
The attack began when the threat actor intercepted an email reminder about an invoice sent from Partner A to Partner B.
Approximately four and a half hours later, the attacker sent a reply with updated (fraudulent) banking information through the compromised server.
Security analysts at Trend Micro noted that the attackers continued manipulating the conversation over several days, eventually causing Partner B to deposit funds into the threat actor’s account instead of Partner A’s legitimate account.
What makes this attack particularly concerning is how the threat actors maintained two separate conversations – one with each legitimate partner – while neither partner realized they were communicating with the attackers rather than each other.
The precise technical mechanism involved a compromised email server with insecure configurations that allowed emails to pass Sender Policy Framework (SPF) authentication despite not originating from authorized domains.
The threat actor initially inserted themselves into the email chain and then took complete control of the conversation by separating the legitimate partners from each other.
The Compromise
Examination of email headers revealed critical security failures that enabled the attack.
The compromised emails showed concerning indicators that should have triggered security alerts:-
Authentication-Results: spf=softfail (sender IP is xx.yy.aa.bb)
smtp.mailfrom=PartnerB.com; dkim=none (message not signed)
header.d=none;dmarc=fail action=none
header.from=PartnerB.com; compauth=other reason=501
Despite failing DMARC validation, the emails were delivered because the DMARC policy was set to “action=none” rather than enforcing rejection.
The attackers also exploited legitimate Reply-To functionality, as seen in this header:-
X-Auth-ID: compromised-account@compromised.email.server
Reply-To: finance-person[@]free-email-domain.com
Security experts recommend implementing proper DMARC enforcement, DKIM email signing, and establishing out-of-band verification protocols for financial transactions.
Organizations handling sensitive financial matters should also consider implementing alerting rules such as:-
(mailFromAddresses: invoicing[@]partner_organizationA.com OR mailToAddresses:
accounts_payable[@]partner_organizationB.com) AND (mailMsgSubject:Invoice) AND
(mailWantedHeaderValue:dmarc=fail OR mailWantedHeaderValue:dkim=none) AND (mailDirection:3)
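As an added example (not code from the article or from Trend Micro), the following Python sketch applies that alerting rule to raw messages and adds a Reply-To domain check drawn from the header quoted above. The partner addresses, the sample messages, the documentation IP and the reading of mailDirection:3 as inbound mail are assumptions.

```python
import email
import email.utils
import re

# Constructed sample messages (not from the report); values mirror the article's indicators.
SUSPICIOUS_MSG = """\
From: Accounts <invoicing@partner_organizationA.com>
To: accounts_payable@partner_organizationB.com
Reply-To: finance-person@free-email-domain.com
Subject: Re: Invoice reminder - updated banking details
Authentication-Results: spf=softfail (sender IP is 192.0.2.10)
 smtp.mailfrom=partner_organizationA.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=partner_organizationA.com
"""
CLEAN_MSG = """\
From: Accounts <invoicing@partner_organizationA.com>
To: accounts_payable@partner_organizationB.com
Subject: Invoice 1042
Authentication-Results: spf=pass smtp.mailfrom=partner_organizationA.com;
 dkim=pass header.d=partner_organizationA.com; dmarc=pass action=none
"""
WATCHED = {"invoicing@partner_organizationa.com",
           "accounts_payable@partner_organizationb.com"}

def auth_results(header):
    """Map spf/dkim/dmarc verdicts out of an Authentication-Results value."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))

def domain(addr):
    return addr.rpartition("@")[2].lower()

def analyze(raw, inbound=True):
    """Return reasons to alert (empty = clean); inbound stands in for mailDirection:3 (assumed inbound)."""
    msg = email.message_from_string(raw)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    recipient = email.utils.parseaddr(msg.get("To", ""))[1].lower()
    auth = auth_results(msg.get("Authentication-Results", ""))
    reasons = []
    # Article's rule: watched partner mailbox, invoice subject, DMARC fail or no DKIM, inbound.
    if (inbound and {sender, recipient} & WATCHED
            and "invoice" in msg.get("Subject", "").lower()
            and (auth.get("dmarc") == "fail" or auth.get("dkim") == "none")):
        reasons.append(f"invoice mail failing authentication: {auth}")
    # Reply-To check drawn from the article's header: replies diverted off the From domain.
    reply_to = email.utils.parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain(reply_to) != domain(sender):
        reasons.append(f"Reply-To {reply_to} is outside From domain {domain(sender)}")
    return reasons
```

The SPF softfail is deliberately not an alert condition on its own, matching the rule above; it is still recorded in the returned reason so the analyst sees the full verdict set.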
Multi-factor authentication, digital signatures for emails containing financial instructions, and verification protocols between business partners remain essential defenses against these increasingly sophisticated BEC attacks.
The post Hackers Leveraging Compromised Email Server To Send Fraudulent Emails appeared first on Cyber Security News.