Emerging Threat Update: July 2022 Business Email Compromise / Workday Fraud Advisory

TL;DR : 

Expel has observed Business Email Compromise (BEC) activity at multiple organizations as a means to access human capital management systems, such as Workday, with the goal of performing payroll / direct deposit fraud. Organizations should consider enabling automated remediation actions in Workbench to improve response and resilience to potential cyber attacks, specifically SaaS user account disablement (see Recommendations section for additional information where this is applicable), in Workbench to improve response and resilience to potential cyber attacks, specifically SaaS user account disablement. 

This is informational only. We will notify your team if we identify any suspicious activity.

The Details: 

Expel has observed the following attack lifecycle at multiple organizations: 

Initial access/Credential access: 

1. The attacker compromises an employee's Microsoft O365 or Okta account via phishing. In some cases, the attacker identified an exposed, re-used credential. 
2. To bypass MFA in O365, the attacker authenticates into the compromised account by using Basic Authentication (IMAP/POP3/BAV2ROPC).
3. To bypass MFA in Okta, the attacker performs a brute-force attack of push notifications until the target employee accidentally authorizes the fraudulent request. 
4. To circumvent preventive controls such as Microsoft conditional access policies, the attacker utilizes IP infrastructure associated with VPN services and hosting providers. 
5. In scenarios where an attacker compromises an Okta account and Workday is enrolled in Single Sign-On), the attacker accesses Workday. 
6. In scenarios where the attacker compromised an O365 account and the employee does re-use that password with Workday, the attacker performs recon and discovers a path to reset the employee’s Workday password.

Persistence: 

1. The attacker may enroll trusted devices via an organization’s mobile/endpoint device management platform (such as Microsoft InTune) to prolong access to the employee’s O365 account. 

Discovery:

1. In scenarios where the attacker compromises an O365 account and does not have direct access to Workday via SSO, the attacker will read available documentation on payroll systems and new employee payroll enrollment. The goal, in most cases, is to identify how to gain access to capital management systems such as Workday via new employee setup procedures or via password reset request.

Defense Evasion: 

1. The attacker may set up Outlook Inbox-rules within the compromised employee’s email account to delete or move emails related to workday.com / myworkday.com and/or emails that have keywords such as 'payroll' or 'assistance needed'. When the attacker makes a payroll request in Workday, this prevents the employee from seeing a Workday email notification of the change. 

Actions on Objectives: 

1. The attacker modifies the employee’s Workday direct deposit settings, adding the attacker’s direct deposit information so that 100% of the employee’s paycheck is deposited into an attacker-controlled bank account. 

Recommendations:

In Expel Workbench…

• Enable auto-disabling of compromised SaaS user accounts for security incidents. This automatically disables compromised accounts associated with any malicious activity we identify (Requires Okta, Duo, Google Workspace, Microsoft Office 365, or Github integration to enable).
• Review Workbench notifications configured for your org with your Engagement Manager (EM). 

You can find detailed instructions on how to configure auto-remediation actions in the Expel Support Center. Please contact your EM if you need any support enabling these configurations. We’re happy to help. 

Prevention: 

Our top recommendations to protect your organization: 

1. Require FIDO2/WebAuthn for all employees. 
1. Push notifications are susceptible to brute-forcing or can be made to appear legitimate. Tokens, via authenticator apps, can be phished.
2. In O365: disable basic authentication and legacy protocols. 
3. Enforce MFA within Workday. 
4. Implement approval workflows for changes to direct deposit information.
1. Option 1: Limit adding new payment elections to payroll administrators.
2. Option 2: Require approval by a Workday administrator and/or require an attachment that references the new bank account's details.
1. Note: Adding an account (alone) will not trigger the approval process. Adding or removing payment elections will.
5. Implement step-up authentication for access of sensitive resources within Workday.
6. Consider enforcing usage of trusted devices such that end users are notified of unrecognized devices attempting to access their account.

What Expel is Doing:

• We’re performing a retrospective analysis of authentication events into O365 and Okta and Outlook Inbox-rule activity. Specifically, we’re reviewing all Outlook Inbox-rule activity for known keywords (@myworkday, payroll, etc.) and authentications from known attacker IP addresses. We will notify your team if we identify any suspicious activity.
• If you’ve onboarded O365, Okta, Google Workspace or other email apps or cloud-identity providers we currently integrate with, we have 71 detections for atypical cloud app activity that span across the attack lifecycle viewable in the Expel Detection Transparency dashboard.
• The Expel Detection & Response Engineering team is reviewing all related activity with the goal to identify new detection opportunities and make improvements to existing ones. 
• To date, we’ve made improvements to Okta and O365-based detections related to Initial Access/Credential Access. 
• We’ve also added logic to the Suspicious Outlook Rule detection to spot payroll or Workday Inbox-rules created to evade detection. Our changes also raise the Expel alert severity if the employee is an executive or “high-risk” employee per your customer context (CCTX) database. 

We’re always making improvements to better protect your organization. In the Expel Detection Transparency dashboard, detections released in the past 30 days are labeled “New”. Anytime we make a logic change to an existing detection the “Last Updated” timestamp is updated. You can sort by “Last Updated” to gain a sense of all the detection improvements we’re making.