Unveiling the Threat: Business Email Compromise Exploiting Perfect Data Software
25 April 2024 // 4 Min Read
In the realm of cyber security threats, one concerning trend is the rise of Business Email Compromise (BEC). A key facilitator of this tactic is Perfect Data Software: initially designed innocuously for mailbox backup, it has seen a rise in exploitation by threat actors. Threat actors integrate this software into Microsoft 365/Azure tenants to covertly extract mailbox data, including email messages, contact lists, attachments, and calendar items. This exploitation leads to data breaches and compliance issues.
Understanding the Threat Landscape of Business Email Compromise
In recent incidents handled by NormCyber's Incident Response Team, the techniques employed by threat actors have been alarmingly consistent. Phishing emails serve as the initial vector, luring unsuspecting targets to divulge their Office 365 credentials. Armed with these credentials, threat actors log into the compromised accounts and, leveraging Perfect Data Software, use an email backup to siphon off sensitive mailbox contents. The repercussions are extreme, ranging from financial fraud to extortion, highlighting the urgency of addressing this threat.
NormCyber has seen several such incidents where the threat actor has utilised ‘PERFECTDATA SOFTWARE’ and ‘Email Backup Wizard’ to exfiltrate mailbox data.
Despite its seemingly benign façade, Perfect Data Software’s integration capabilities and broad access permissions make it a potent weapon in the hands of malicious actors.
Unveiling the Attack Vector
The attack vector employed by threat actors follows a well-defined sequence of events:
Phishing Email Delivery: Targets receive phishing emails, enticing them to divulge their Office 365 credentials.
Credential Harvesting: The target interacts with the phishing email and is directed to a phishing site which harvests O365 credentials, granting threat actors access to the compromised account.
Perfect Data Software Integration: Threat actors utilise Perfect Data Software to obtain full mailbox access to the compromised O365 identity and exfiltrate mailbox data as a PST file.
Threat actors can access all mailboxes in the environment if the compromised O365 account holds administrator rights, by leveraging application impersonation rights.
Mitigating Business Email Compromise Threats
In light of this escalating threat, proactive measures are imperative to mitigate the risk of BEC incidents. NormCyber recommends:
Continuous Monitoring: Leveraging Managed Detection and Response (MDR) services for vigilant monitoring and rapid incident response.
Enhanced Authentication Controls: Reviewing and monitoring high-risk sign-ins to detect suspicious activity promptly.
Granular Consent Management: Monitoring and restricting consent grants for applications, particularly those with elevated permissions.
Enterprise App Registration Restrictions: Implementing controls to restrict users from registering enterprise apps within Office 365, mitigating the risk of unauthorised access.
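The two tenant-level controls above (consent management and app registration restrictions), together with a review of recent consent activity and high-risk sign-ins, can be applied with the Microsoft Graph PowerShell SDK. The following is an added example written for this article, not NormCyber's own tooling; it assumes the Microsoft.Graph modules are installed, that the operator holds the Global Administrator or equivalent roles the scopes require, and that the "authorizationPolicy" singleton id and the audit activity names used below match your tenant. The watch-list names are the two application names reported in this post; the 30-day window is an arbitrary choice.

```powershell
# Added example (not NormCyber's own tooling): harden an Entra ID / Microsoft 365 tenant
# against unsanctioned app consent and review recent consent activity and risky sign-ins.
# Assumes the Microsoft.Graph PowerShell SDK and suitable admin roles.

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization","AuditLog.Read.All","Directory.Read.All","IdentityRiskEvent.Read.All"

# 1. Stop ordinary users from registering applications and limit what they may consent to.
#    An empty PermissionGrantPoliciesAssigned disables user consent entirely (admins then
#    approve requests through the admin consent workflow); the alternative shown in the
#    comment permits only low-risk, verified-publisher delegated permissions.
$policyId = "authorizationPolicy"   # the tenant's singleton authorization policy object
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId $policyId -DefaultUserRolePermissions @{
    AllowedToCreateApps             = $false
    PermissionGrantPoliciesAssigned = @()   # or @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}

# 2. Review consent grants and newly added service principals from the last 30 days.
#    "Consent to application" and "Add service principal" are the activity names Entra ID
#    records for these events in the directory audit log.
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "activityDateTime ge $since and (activityDisplayName eq 'Consent to application' or activityDisplayName eq 'Add service principal')"
$events = Get-MgAuditLogDirectoryAudit -Filter $filter -All

# Application names this post associates with mailbox exfiltration; extend with your own.
$watchList = @("PERFECTDATA SOFTWARE", "Email Backup Wizard")

foreach ($e in $events) {
    $target = ($e.TargetResources | Select-Object -First 1).DisplayName
    $flag   = if ($watchList -contains $target) { "*** WATCH-LIST ***" } else { "" }
    "{0}  {1,-22}  {2,-30}  by {3}  {4}" -f $e.ActivityDateTime, $e.ActivityDisplayName, $target,
        $e.InitiatedBy.User.UserPrincipalName, $flag
}

# 3. High-risk sign-ins in the same window (requires Entra ID P2 / Identity Protection).
Get-MgRiskDetection -Filter "riskLevel eq 'high' and detectedDateTime ge $since" -All |
    Select-Object DetectedDateTime, UserPrincipalName, RiskEventType, IPAddress |
    Format-Table -AutoSize
```

Run step 1 once and keep it under change control; steps 2 and 3 are the recurring checks a SOC or MDR provider would schedule, and a watch-list hit on a consent event is the earliest indicator of the integration described in this post.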
Responding to the Threat
While there are some legitimate use cases for Perfect Data Software, our intelligence suggests that all instances of this application should be treated with caution. In the event of detecting this application within your environment, swift action is paramount:
Engage Incident Response: Contact NormCyber's CSIRT for immediate support and initiation of investigation procedures.
Application Disabling: Disable the application promptly to prevent further unauthorised access (don't delete!).
User Review and Disabling: Review and disable all users assigned to the application, considering them compromised entities.
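The containment steps above (disable the application without deleting it, then treat every user attached to it as compromised) map directly onto Entra ID objects: an enterprise application is a service principal, its consented permissions are OAuth2 permission grants and app role assignments, and its users are the principals assigned to it or who consented individually. The following is an added example written for this article, not NormCyber's response playbook; it assumes the Microsoft.Graph SDK (and, for the last step, the ExchangeOnlineManagement module) and uses the two application display names reported in this post. Append -WhatIf to the Update-* calls to dry-run before acting.

```powershell
# Added example (not NormCyber's own playbook): contain a suspected Perfect Data Software /
# Email Backup Wizard integration in Microsoft 365. Assumes the Microsoft.Graph SDK and,
# for the final check, ExchangeOnlineManagement. Display names are those from the post.

Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

Connect-MgGraph -Scopes "Application.ReadWrite.All","Directory.Read.All","User.ReadWrite.All"

$suspectNames = @("PERFECTDATA SOFTWARE", "Email Backup Wizard")

foreach ($name in $suspectNames) {
    # Enterprise applications exist in the tenant as service principals; match on display name.
    $sps = Get-MgServicePrincipal -Filter "displayName eq '$name'" -All
    foreach ($sp in $sps) {
        "== {0} (AppId {1}, ObjectId {2})" -f $sp.DisplayName, $sp.AppId, $sp.Id

        # Preserve evidence before touching anything: delegated grants (who consented, to what)...
        $grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All
        $grants | Select-Object ConsentType, PrincipalId, Scope | Format-Table -AutoSize
        # ...and application-permission (app role) grants, which need no signed-in user at all.
        Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
            Select-Object ResourceDisplayName, AppRoleId | Format-Table -AutoSize

        # Users tied to the app: those explicitly assigned plus those who consented individually
        # (ConsentType 'Principal'). Each is treated as a compromised identity.
        $assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
            Where-Object PrincipalType -eq "User"
        $userIds = @($assigned | Select-Object -ExpandProperty PrincipalId) +
                   @($grants | Where-Object ConsentType -eq "Principal" | Select-Object -ExpandProperty PrincipalId)
        $userIds = $userIds | Where-Object { $_ } | Sort-Object -Unique

        # Disable, do not delete: the object and its audit trail stay available to the investigation.
        Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false

        foreach ($uid in $userIds) {
            "Disabling user $uid and revoking sessions"
            Update-MgUser -UserId $uid -AccountEnabled:$false
            Revoke-MgUserSignInSession -UserId $uid | Out-Null   # invalidates refresh tokens
        }
    }
}

# Who could read every mailbox? ApplicationImpersonation holders turn one compromised
# account into tenant-wide mailbox access, as the post notes for administrator accounts.
Connect-ExchangeOnline -ShowBanner:$false
Get-ManagementRoleAssignment -Role "ApplicationImpersonation" -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, AssignmentMethod | Format-Table -AutoSize
```

The order matters: capture the grants and assignments first, because disabling the service principal does not remove them but disabling users and revoking sessions does change what a later investigator sees in sign-in logs. Mailbox-side evidence (the backup application's own sign-ins and mailbox access) lives in the Unified Audit Log and is worth exporting at the same time.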
Conclusion
Navigating the Threat Landscape
As the threat landscape evolves, so must our defences against sophisticated adversaries. By staying vigilant, leveraging advanced detection mechanisms, and fostering a culture of cyber security awareness, organisations can fortify their resilience against BEC and similar threats. Together, we can navigate the complexities of modern cyber security and safeguard our digital assets against evolving threats.
Written by Ryan O’Leary
Ryan O'Leary is an Incident Response & Threat Hunting analyst who brings his expertise to NormCyber's Incident Response function, providing detailed analysis and forensic investigations helping our clients get back on their feet following a breach. Ryan brings his experience to the role from previously working within NormCyber's SOC.
Get in touch to take a different approach to cyber security.