O365 mailbox takeover + auto-forward · 11-month supplier BEC · 2.6M TL loss detected
The O365 mailbox of an accounting assistant at a services firm was compromised via phishing 11 months earlier. The attacker used an "Inbox rule" to forward all supplier invoices to themselves, changed the IBAN and sent fake invoices. DSET detected 11 months of losses, the insurance reimbursement of 58% was approved, and the KVKK penalty risk was avoided.
01 The Challenge
A supplier called: "our money has not arrived for 11 months." Microsoft Defender had raised an "anomalous forwarding rule" alert 11 months earlier that had not been closed. Audit log: login from a Nigeria Lagos IP, which the assistant saw as "normal mail." The attacker had sent 280 fake invoices, with IBANs going to 4 mule accounts (Romania, Latvia, Turkey). A total of 2,640,000 TL in payments went to fake accounts.
02 DSET's Approach
T+0 · Containment
Entire O365 tenant: MFA enforced + Conditional Access + all forwarding rules revoked. The attacker was kicked out of all accounts within 24 hours.
T+24h · Microsoft DART
Joint work with the Microsoft Detection and Response Team, a 4-day investigation. All IOCs of the attacker from 11 months earlier were revealed.
T+72h · DSET forensic investigation
Mail header analysis: 280 fake invoices, 4 mule accounts. Initial access: a fake "Microsoft password expired" form (a phishing kit from Lagos).