{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/payroll-fraud/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office 365"],"_cs_severities":["high"],"_cs_tags":["account-compromise","office365","payroll-fraud","data-destruction"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of compromised Office 365 accounts exhibiting behavior indicative of payroll redirection fraud. The attack involves an adversary gaining access to a target's email account and subsequently deleting email messages related to password resets, banking information, and direct deposit updates. The attacker's objective is likely to manipulate the victim's payroll settings to redirect funds to an account under their control. This activity requires timely detection, as the window of opportunity for such redirection is typically short. This brief uses detections developed and released in the splunk-escu project, specifically released around April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target's Office 365 account via credential theft or phishing (not directly observed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker searches the mailbox for keywords related to password resets, banking information, direct deposit, and payroll changes (e.g., \u0026quot;password\u0026quot;, \u0026quot;banking\u0026quot;, \u0026quot;direct deposit\u0026quot;, \u0026quot;OTP\u0026quot;, \u0026quot;MFA\u0026quot;).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies emails matching the keywords.\u003c/li\u003e\n\u003cli\u003eThe attacker deletes the identified emails. This is often done using \u0026quot;SoftDelete\u0026quot; or \u0026quot;HardDelete\u0026quot; operations.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the victim's payroll or banking information using data gleaned from the accessed emails or via impersonation.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain access to the compromised account, potentially setting up forwarding rules or other persistence mechanisms (not directly observed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker monitors for any alerts or notifications related to the changes they made, and attempts to delete or suppress them (not directly observed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker successfully redirects payroll funds to their own account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack of this nature results in financial loss for the victim. It can also cause reputational damage to the organization if employees' payroll information is compromised. The number of victims can vary greatly depending on the scope of the attack. This type of attack often targets employees in finance or HR departments, or those with access to sensitive payroll data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect instances where users receive and delete emails related to both password resets and payroll changes. Tune the rule for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the user's mailbox activity and login history. Use the drilldown searches to view the detection results for the affected user.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Office 365 accounts to reduce the risk of credential theft.\u003c/li\u003e\n\u003cli\u003eEducate employees about the risks of phishing and social engineering attacks, and how to identify suspicious emails.\u003c/li\u003e\n\u003cli\u003eMonitor Office 365 audit logs for suspicious activity, such as unusual login locations, excessive email deletions, or changes to mailbox settings.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong password policies to prevent attackers from easily guessing or cracking passwords.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-o365-payroll-compromise/","summary":"Attackers compromise O365 accounts and delete emails related to password resets and payroll changes, potentially redirecting payroll to attacker-controlled accounts.","title":"O365 Email Password and Payroll Compromise","url":"https://feed.craftedsignal.io/briefs/2024-01-o365-payroll-compromise/"}],"language":"en","title":"CraftedSignal Threat Feed - Payroll-Fraud","version":"https://jsonfeed.org/version/1.1"}