Microsoft Tailing Dynamically Generated Email Infrastructure

Microsoft has recently released a report on two elements of a new email infrastructure used to send over a million malware-laden emails each month. This infrastructure, which appears to be a substitute following the disruption of the Necurs botnet, has been used to deliver at least seven different types of malware.

Emerging attacker email infrastructure

The emergence of this infrastructure dates back to March and April 2020. Since then, Microsoft has observed and analyzed this email infrastructure consisting of two segments named StrangeU and RandomU.
  • StrangeU (which uses the word "strange" in new domains) and RandomU (which generates domain names randomly) have mostly targeted victims in the financial services, healthcare, and wholesale distribution sectors, located in Australia, the USA, and the U.K.
  • The infrastructure has delivered malware ranging from commodity families such as Makop and Mondfoxia to persistent malware including Trickbot, Dofoil, Emotet, DoppelPaymer, and Dridex, and it has mainly been used to attack corporate email accounts while avoiding consumer accounts.
  • However, according to Microsoft, the fundamentals of gaining initial access to systems have remained the same. The core tactics and tools included spear-phishing emails, fake alerts, emergency notifications, and trendy lures.
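
As an added example (not from Microsoft's report or the original article), the following triage pass flags sender domains that match the two naming patterns described above: the word "strange" in the domain, or a random-looking label. The log format, the sample domains, and the length, entropy and vowel-ratio thresholds are all constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed inbound-mail log lines; domains use reserved TLDs, not real indicators.
SAMPLE_LOG = """\
2020-04-02T09:14:01Z from=<billing@strangeinvoice-example.test> subject="Invoice"
2020-04-02T09:15:12Z from=<noreply@xkqzvbtrwpl.test> subject="Urgent notice"
2020-04-02T09:16:40Z from=<news@contoso-partners.test> subject="Newsletter"
"""
SENDER_RE = re.compile(r"from=<[^@>]+@([^>]+)>")

def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def classify_domain(domain, min_len=10, min_entropy=3.0, max_vowel_ratio=0.2):
    """Return 'strangeu-like', 'randomu-like' or 'unflagged'. Thresholds are assumed."""
    labels = domain.lower().rstrip(".").split(".")
    # Approximate the registered name as the label left of the TLD
    # (assumption: ignores multi-part suffixes such as co.uk).
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if "strange" in label:
        return "strangeu-like"
    letters = [c for c in label if c.isalpha()]
    if len(letters) >= min_len:
        vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
        if shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio:
            return "randomu-like"
    return "unflagged"

def triage(log_text):
    """Map each flagged sender domain found in the log to its verdict."""
    hits = {}
    for line in log_text.splitlines():
        m = SENDER_RE.search(line)
        if m:
            domain = m.group(1).lower()
            verdict = classify_domain(domain)
            if verdict != "unflagged":
                hits[domain] = verdict
    return hits

if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_LOG).items():
        print(f"{verdict:14} {domain}")
```

A substring match on "strange" also hits legitimate names, and short random labels fall below the length threshold, so treat the output as leads to correlate with domain age and sending volume rather than as a block list.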

Recent email-based attacks

In the past few months, several attack campaigns have been observed leveraging email infrastructure to target potential victims.
  • Last month, scammers were observed leveraging some loopholes in Microsoft 365 read receipts and out-of-office replies to target their victims.
  • In the same month, attackers hijacked email security connections that relied on a Mimecast-issued certificate used to authenticate some of the firm’s products to Microsoft 365 Exchange Web Services, with the aim of spying on targets.

Wrapping up

The use of innovative tactics such as dynamic domain-name generation for email infrastructure suggests that cybercriminals are making regular investments in improving their email-based attack tactics. Attackers repeatedly rely on familiar malicious tactics, such as emails with malicious links or attachments, to gain initial access to systems. This creates an urgent need to tighten email security across organizational networks.

Cyware Publisher
