Callback phishing using Living Off the Land (LOTL) techniques to send invoices in bulk via distribution lists.

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.

EMAIL PROVIDER: Microsoft 365, Google Workspace

ATTACK TYPE: Callback Phishing

Recently, we’ve seen a spate of novel callback phishing attacks that combine Living Off the Land (LOTL) techniques with automatic bulk email redirects. In these attacks, bad actors use free, free-trial, or compromised accounts on a legitimate service to generate notifications that require user action (e.g., invoices, payment requests).

Instead of sending the notifications directly to their targets, they are sent to an intermediary distribution list that automatically redirects the email to a large quantity of targets without changing the From address displayed by mail clients.

By combining these techniques, attackers keep the service account alive: the distribution list address, not the service account, is what ends up blocked or reported. For the attacker, spinning up a new distribution list is easier than creating or stealing another service account.

Additionally, this avoids raising red flags with the service provider, which sees only a single outbound email from the attacker-controlled account per notification rather than a blast to many recipients.

Anatomy of an attack

We have seen attack attempts initiated using a variety of service providers, including Microsoft, Venmo, PayPal, Docusign, Coinbase, and more. The exact steps taken will vary by service, but the overall methodology stays the same.

1. Start a new account

The attacker will create a new service account or compromise an existing account. One downside of using a compromised account is that the owner of the account could notice the hijacking and regain control.

2. Create a distribution list to act as the intermediary address

The attacker then sets up a distribution list to receive invoices and then automatically redirect them to a list of targets. The distribution list acts as an automated, server-initiated redirection rather than a manual, client-initiated forward.

A distribution list redirect preserves the From header of the original sender, whereas a client-initiated forward creates an entirely new message with the forwarder’s address in the From header. By routing through the distribution list, the attacker ensures that the service’s legitimate address (e.g., service@paypal.com) remains in the From header that recipients see.

3. Embed the callback phishing info within an invoice

When an invoice is generated, either automatically or manually, the attacker can embed the callback phishing number in a variety of ways. With manually generated invoices, they can put a fake customer service number in the invoice description; with automatically generated invoices, they can embed it in the billing address.

4. Wait for the calls

When the invoice is generated, it first goes to the distribution list address, which then redirects it to the much larger set of targets. The targets see the phone number within the invoice and may call it, completing the callback phish. If a target does call, the attacker can try to extract financial information, gain access to systems, and more.
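The following is an added example, not Sublime’s code and not any mail server’s implementation, showing why the redirect described in step 2 leaves the service’s address in the From header that the target’s client renders in step 4, while a client-initiated forward does not. The sender, list and target addresses, the subject and the note text are constructed assumptions (reserved .invalid domains), and the redirect is modelled on the RFC 5322 Resent-* fields plus a Delivered-To header as a receiving MTA would record it; the exact headers a given provider adds will differ.

```python
"""Added example (not Sublime's code, not any mail server's implementation):
why a server-side list redirect keeps the service's address in From while a
client forward replaces it. Addresses, subject and note text are constructed
assumptions, not captured mail."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import formatdate, parseaddr

LIST_ADDRESS = "neworder@attacker-list.invalid"              # assumed intermediary list
SERVICE_FROM = "Billing <service@example-payments.invalid>"  # assumed brand sender


def build_invoice_notification() -> EmailMessage:
    """What the legitimate service emits: addressed to the list, not the victim."""
    msg = EmailMessage()
    msg["From"] = SERVICE_FROM
    msg["To"] = LIST_ADDRESS
    msg["Subject"] = "Invoice #4821 is due"
    msg["Date"] = formatdate()
    msg.set_content("Note from seller: questions? Call us at +1 555 010 0100.")
    return msg


def redirect_via_list(original: EmailMessage, target: str) -> EmailMessage:
    """Server-initiated redirect, modelled on the RFC 5322 Resent-* fields:
    the list re-addresses the envelope and records the hop, but the original
    From header is untouched, so the target's client still shows the brand."""
    out = email.message_from_bytes(original.as_bytes(), policy=policy.default)
    out["Resent-From"] = str(original["To"])
    out["Resent-To"] = target
    out["Resent-Date"] = formatdate()
    out["Delivered-To"] = target  # envelope recipient as the receiving MTA records it
    return out


def forward_from_client(original: EmailMessage, forwarder: str, target: str) -> EmailMessage:
    """Client-initiated forward: a brand-new message whose From is the person
    forwarding, with the original carried along as a message/rfc822 part."""
    out = EmailMessage()
    out["From"] = forwarder
    out["To"] = target
    out["Subject"] = "Fwd: " + str(original["Subject"])
    out["Date"] = formatdate()
    out.set_content("Forwarding this invoice for your attention.")
    out.add_attachment(original)
    return out


def displayed_sender(msg: EmailMessage) -> str:
    """The address a mail client renders in the sender column."""
    return parseaddr(str(msg["From"]))[1].lower()


def redirect_indicators(msg: EmailMessage) -> dict:
    """Header checks a receiver can run on what actually landed in the mailbox:
    the To header names a mailbox that is not the envelope recipient, and
    Resent-* fields show the message was re-addressed after it was sent."""
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()
    delivered = parseaddr(str(msg.get("Delivered-To", "")))[1].lower()
    return {
        "from_domain": displayed_sender(msg).split("@")[-1],
        "to_is_not_recipient": bool(delivered) and to_addr != delivered,
        "resent": msg.get("Resent-From") is not None,
    }


if __name__ == "__main__":
    original = build_invoice_notification()
    redirected = redirect_via_list(original, "victim@corp.invalid")
    forwarded = forward_from_client(original, "alice@corp.invalid", "victim@corp.invalid")
    print("redirect shows:", displayed_sender(redirected), redirect_indicators(redirected))
    print("forward shows: ", displayed_sender(forwarded), redirect_indicators(forwarded))
```

The practical takeaway is in `redirect_indicators`: a message whose From is a well-known service, whose To header names a mailbox in an unrelated domain, and whose envelope recipient is someone else again has been re-addressed after the service sent it, which is exactly the pattern the distribution list produces.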

Attacks in the wild

This LOTL attack has been seen using different legitimate services. We’ll look at two variants that Sublime has prevented.

Microsoft

In this variant, the attacker paid for the account with either a free trial or a stolen card. When configuring the new account, the attacker put the callback phishing number in the address field of the billing information. Note that Microsoft warns that it cannot locate such an address, but it does not prevent the account from being created.

After the account was created, they went into the Microsoft 365 admin center and configured a distribution list full of targets that had the Allow external senders to email this group setting set to true.

Once that was configured, they updated the billing notifications of the account to email the distribution list address. In this example, they used azure-noreply@etechltd419.onmicrosoft.com as the address for the distribution list.

With the distribution list configured, the attacker then bought products from the Microsoft marketplace (Microsoft 365 seats, Copilot, etc.). The invoice for each purchase was sent to the distribution list, which automatically redirected it to every targeted address in the list, with the callback phishing number in the message body.

When an attack was flagged and blocked, the attacker created new distribution lists to bypass detection. As specific phone numbers became flagged as scams, the attacker could just as easily change the number in the billing profile right from the Microsoft 365 admin center.

PayPal

In the PayPal attack, the attacker used a completely different service to host the distribution list (neworder@ilinoirstudio.net), but still used it to redirect invoices in bulk to targets. Here the callback phishing number was placed in the invoice’s Note from seller field, along with wording indicating that a call is expected.

Detection signals

Sublime's AI-powered detection engine prevented both of these attacks. The top signals for these attacks were:

  • Brand impersonation: Message contains references to brands commonly associated with callback phishing scams.
  • Engaging language: The message appears to be financial related.
  • Callback phishing language: Language in the message appears to engage the user to call the sender, often to install malware or steal sensitive data.
  • Sender behavior: Your organization has previously never communicated with the reply-to address.
  • PayPal invoice abuse: The message resembles a fraudulent invoice/receipt sent via PayPal's invoicing service. (PayPal scam only)
[Figure: Attack Score verdict for the PayPal-to-distribution-list scam]

See the full Message Query Language (MQL) that detected these attacks in these publicly available Rules in the Core Feed: PayPal invoice abuse and Microsoft infrastructure abuse with suspicious patterns.
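As an added illustration, not Sublime’s detection engine or its MQL rules, the following applies the content-level signals listed above to three constructed messages: one shaped like the Microsoft billing variant (phone number inside the billing address), one shaped like the PayPal variant (phone number in the Note from seller field), and one benign vendor invoice that contains financial language but no callback. The sample headers and bodies, the phone numbers, the reserved .invalid domains and the "known correspondents" history are all assumptions; a real deployment would derive the prior-contact history from mail logs and would pair these checks with the header-level redirect indicators.

```python
"""Added example (not Sublime's detection engine or its MQL rules): the
content-level signals listed above, applied to constructed messages. Phone
numbers, domains and the 'known correspondents' history are assumptions."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed samples, not captured mail. Domains use the reserved .invalid TLD.
MICROSOFT_STYLE = """\
From: Microsoft Billing <billing-noreply@example-microsoft.invalid>
To: azure-noreply@example-tenant.invalid
Subject: Your Microsoft 365 invoice is ready
Content-Type: text/plain

Your invoice for 10 Microsoft 365 seats ($899.00) is attached.
Bill to: Example Ltd, 1 Example Way, Call +1 (555) 010-0199 for billing support
"""

PAYPAL_STYLE = """\
From: PayPal <service@example-paypal.invalid>
To: neworder@example-studio.invalid
Subject: Invoice from Example Seller
Content-Type: text/plain

You have received an invoice for $499.99.
Note from seller: If you did not authorize this payment, call our customer service at 1-800-555-0199.
"""

BENIGN_INVOICE = """\
From: Accounts Payable <ap@trusted-vendor.invalid>
To: finance@corp.invalid
Subject: Invoice INV-4821 for March services
Content-Type: text/plain

Please find attached invoice INV-4821. Payment is due in 30 days. Thanks.
"""

BRANDS = ("microsoft", "paypal", "venmo", "docusign", "coinbase")
FINANCIAL_WORDS = ("invoice", "payment", "receipt", "charged", "billing", "subscription")
CALLBACK_WORDS = ("call", "contact us", "customer service", "support line", "helpline")
# North American phone formats, e.g. +1 (555) 010-0199 or 1-800-555-0199.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Free-text invoice fields in which a phone number has no business appearing.
FREE_TEXT_FIELDS = ("note from seller", "bill to", "billing address", "description")
# Assumed prior-contact history; a real deployment derives this from mail logs.
KNOWN_CORRESPONDENTS = {"ap@trusted-vendor.invalid"}


def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def body_text(msg: EmailMessage) -> str:
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def signals(msg: EmailMessage) -> dict:
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}".lower()
    sender_display = str(msg.get("From", "")).lower()
    # Reply-To governs where a reply lands; fall back to From when it is absent.
    reply_addr = parseaddr(str(msg.get("Reply-To") or msg.get("From") or ""))[1].lower()
    phones = PHONE_RE.findall(text)
    phone_in_free_text = any(
        field in line and PHONE_RE.search(line) is not None
        for line in text.splitlines()
        for field in FREE_TEXT_FIELDS
    )
    return {
        "brand_impersonation": any(b in text or b in sender_display for b in BRANDS),
        "financial_language": any(w in text for w in FINANCIAL_WORDS),
        "callback_language": bool(phones) and any(w in text for w in CALLBACK_WORDS),
        "unknown_reply_to": reply_addr not in KNOWN_CORRESPONDENTS,
        "phone_in_free_text_field": phone_in_free_text,
        "phones": phones,
    }


def verdict(msg: EmailMessage) -> tuple[str, dict]:
    """Money talk alone is normal business mail; it is the combination of a
    number the reader is told to call, a sender we have never replied to, and
    either a callback-scam brand or a phone number smuggled into a free-text
    invoice field that marks these campaigns."""
    s = signals(msg)
    flagged = (
        s["callback_language"]
        and s["unknown_reply_to"]
        and (s["brand_impersonation"] or s["phone_in_free_text_field"])
    )
    return ("callback_phishing" if flagged else "clean"), s


if __name__ == "__main__":
    for name, raw in (("microsoft", MICROSOFT_STYLE), ("paypal", PAYPAL_STYLE), ("benign", BENIGN_INVOICE)):
        v, s = verdict(parse(raw))
        print(f"{name:9} -> {v}  phones={s['phones']}")
```

The benign vendor invoice trips the financial-language signal on its own, which is why the verdict requires the callback number and the unknown reply address together with either a brand reference or a phone number in a field where none belongs; that combination is what separates the two campaigns above from ordinary billing mail.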

Prevent callback phishing with Sublime

Sublime detects and prevents callback phishing and other email-based threats. Start your free account today, in the cloud or self-hosted, for out-of-the-box coverage for these types of attacks with the ability to customize their handling for your environment.

About the Author


Brandon Murphy

Detection

Brandon is a Threat Detection Engineer at Sublime. He is a seasoned cybersecurity professional with over a decade of experience protecting internet users. Prior to Sublime, Brandon put his detection engineering expertise to use as a Sr. Staff Threat Analyst at Proofpoint.
