The client, an airport terminal, wired a payment of $47 million to the incorrect account as the result of a business email compromise (BEC) attack. The client identified spoofed domains and wanted to investigate how the threat actor was able to find the information needed to accomplish the BEC. FTI Cybersecurity was hired to assist in tracking the flow of money from the client account and to assist with the recovery of funds.
We worked with the client to gain access to their Microsoft 365 (M365) environment to perform a log review and to examine M365 activity to identify where the system breach happened and when access occurred. We also examined the spoofed emails. From there, we reviewed the dark web for potential leaked credentials or leaked client materials that would have aided in the theft of funds. Our experts also did a comprehensive review to identify additional accounts that were compromised. Through existing connections, we coordinated with law enforcement and financial institutions to track movement of the stolen funds.
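The M365 log review described above, as an added illustration that is not part of the case study or FTI's own tooling: it triages constructed Unified Audit Log records to find the earliest sign-in from outside known address ranges (the likely start of threat-actor access) and any inbox rules that delete, move or forward mail, the persistence a BEC actor uses to hide correspondence about a diverted payment. Field names follow the common UAL shape; the records, the known ranges and the account are invented.

```python
"""Timeline triage of Microsoft 365 Unified Audit Log records during a BEC review."""
import json
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical: egress ranges the organisation considers expected for this user.
KNOWN_RANGES = [ip_network("203.0.113.0/24")]          # TEST-NET-3, constructed
# Inbox-rule parameters a threat actor typically uses to hide or divert mail.
HIDING_PARAMS = {"DeleteMessage", "MoveToFolder", "ForwardTo",
                 "RedirectTo", "ForwardAsAttachmentTo"}

SAMPLE_RECORDS = [  # constructed records, not from any real tenant
    {"CreationTime": "2024-03-01T08:02:11", "Operation": "UserLoggedIn",
     "UserId": "ap@example.com", "ClientIP": "203.0.113.15", "Parameters": []},
    {"CreationTime": "2024-03-03T22:41:05", "Operation": "UserLoggedIn",
     "UserId": "ap@example.com", "ClientIP": "198.51.100.77", "Parameters": []},
    {"CreationTime": "2024-03-03T22:47:30", "Operation": "New-InboxRule",
     "UserId": "ap@example.com", "ClientIP": "198.51.100.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-03-04T09:15:00", "Operation": "UserLoggedIn",
     "UserId": "ap@example.com", "ClientIP": "203.0.113.15", "Parameters": []},
]


def triage(records, known_ranges=KNOWN_RANGES):
    """Return (first_unknown_signin, suspicious_rules), both in time order.

    first_unknown_signin: earliest UserLoggedIn whose ClientIP is outside known_ranges.
    suspicious_rules: inbox rules whose parameters delete, move or forward mail.
    Real records may carry a port suffix on ClientIP; strip it before calling.
    """
    events = sorted(records, key=lambda r: datetime.fromisoformat(r["CreationTime"]))
    first_unknown, rules = None, []
    for ev in events:
        ip = ip_address(ev["ClientIP"])
        known = any(ip in net for net in known_ranges)
        if ev["Operation"] == "UserLoggedIn" and not known and first_unknown is None:
            first_unknown = ev
        if ev["Operation"] in ("New-InboxRule", "Set-InboxRule"):
            params = {p["Name"]: p["Value"] for p in ev["Parameters"]}
            hits = sorted(HIDING_PARAMS.intersection(params))
            if hits:
                rules.append({"time": ev["CreationTime"], "ip": ev["ClientIP"],
                              "rule": params.get("Name"), "actions": hits})
    return first_unknown, rules


if __name__ == "__main__":
    first, rules = triage(SAMPLE_RECORDS)
    print(json.dumps({"first_unknown_signin": first, "suspicious_rules": rules}, indent=2))
```

In an engagement the records would come from Search-UnifiedAuditLog or the Purview export, and the sign-in time found here bounds the window in which the spoofed domains and leaked credentials are then investigated.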
After our review and analysis, we provided recommendations to harden and secure the client’s M365 environment. We were able to identify the point of compromise and assisted with drafting a strategy to remove threat actor access from the environment. Our coordination with law enforcement helped track and return more than $46 million.