Attack Spotlight
December 19, 2024
Callback phishing using Living Off the Land (LOTL) techniques to send invoices in bulk via distribution lists.
Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.
EMAIL PROVIDER: Microsoft 365, Google Workspace
ATTACK TYPE: Callback Phishing
Recently, we’ve seen a spate of novel callback phishing attacks that combine the techniques of Living Off the Land (LOTL) and automatic bulk email redirects. In these attacks, bad actors use free, free trial, or compromised accounts of a legitimate service to generate notifications that require user action (e.g., invoices, payment requests).
Instead of sending the notifications directly to their targets, they are sent to an intermediary distribution list that automatically redirects the email to a large quantity of targets without changing the From address displayed by mail clients.
By combining techniques, attackers are able to keep the service account from getting shut down, as the distribution address would be the one getting blocked or reported. For the attacker, it’s easier to spin up a new distribution list than to start up/steal a new service account.
Additionally, this prevents red flags from getting raised by the service provider, as they’ll only see one outbound email generated by the attacker-controlled account from their service.
We have seen attack attempts initiated using a variety of service providers, including Microsoft, Venmo, PayPal, Docusign, Coinbase, and more. The exact steps taken will vary by service, but the overall methodology stays the same.
The attacker will create a new service account or compromise an existing account. One downside of using a compromised account is that the owner of the account could notice the hijacking and regain control.
The attacker then sets up a distribution list to receive invoices and then automatically redirect them to a list of targets. The distribution list acts as an automated, server-initiated redirection rather than a manual, client-initiated forward.
The distribution list redirect maintains the From information of the original sender, whereas a client-initiated forward creates an entirely new message with a new sender address in the From header. As a result of using the distribution list, the attacker can ensure that the original, authoritative email address (e.g., service@paypal.com) remains in the From header.
When an invoice is generated, either automatically or manually, the attacker can embed the callback phishing number in a variety of ways. With manually generated invoices, they can put a fake customer service number in the invoice description. With automatically generated invoices, they can embed it within the billing address.
When the invoice is generated, it will first go to the distribution list address which will then forward it out to a much larger set of targets. The targets will then see the phone number within the invoice and potentially call, completing the callback phish. If a target does call back, the attacker could try to get financial information, gain access to systems, and more.
This LOTL attack has been seen using different legitimate services. We’ll look at two variants that Sublime has prevented.
In the Microsoft 365 variant, the attacker created the account using either a free trial or a stolen card. Then, when configuring the new account, the attacker put the callback phishing number within the address of the billing information. As a note, Microsoft will warn that this is an address it can’t locate, but it will not prevent the creation of the account.
After the account was created, they went into the Microsoft 365 admin center and configured a distribution list full of targets that had the Allow external senders to email this group setting set to true.
Once that was configured, they updated the billing notifications of the account to email the distribution list address. In this example, they used azure-noreply@etechltd419.onmicrosoft.com as the address for the distribution list.
With the distribution list configured, the attacker then buys products within the Microsoft marketplace (Microsoft 365 seats, Copilot, etc.). The invoice from each purchase is sent to the distribution list, which automatically redirects it to all of the targeted emails in the list – with the callback phishing number within the email message.
In response to an attack being flagged and blocked, the attacker would create new distribution lists to bypass detection. As specific phone numbers become flagged as phishing scams, the attacker could easily adjust their billing profile right from the Microsoft 365 admin center.
In the case of an attack using PayPal, the attacker used a completely different service to configure the distribution list (neworder@ilinoirstudio.net), but still used it to redirect invoices in bulk to targets. In this case, they put the callback phishing number in the Note from seller with an indication that a call is expected.
Sublime's AI-powered detection engine prevented both of these attacks. The top signals for these attacks were:
See the full Message Query Language (MQL) that detected these attacks in these publicly available Rules in the Core Feed: PayPal invoice abuse and Microsoft infrastructure abuse with suspicious patterns.
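The two properties the post relies on, a genuine service address surviving in the From header while the message reaches a mailbox that is not named in To/Cc (the distribution list redirect), plus a phone number with a "call us" cue in the invoice text, can be checked at a mail gateway with a few lines of parsing. The following Python is an added example, not Sublime's MQL rules or any vendor code; the service domain list, the phone and cue patterns, the 80-character window, and the two sample messages are all constructed for illustration (the victim address and invoice text are invented; the list address comes from the PayPal case above). It assumes the gateway knows the envelope recipient (`delivered_to`) separately from the headers, which is what the redirect does not rewrite.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr

# Illustrative root domains of invoice-generating services named in the post.
# Assumption: a real deployment would maintain a curated list.
INVOICE_SERVICE_DOMAINS = {"paypal.com", "microsoft.com", "venmo.com",
                           "docusign.com", "coinbase.com"}

# Constructed patterns: a North-American phone number and "please call" cue words.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL_CUE_RE = re.compile(r"\b(call|phone|dial|contact)\b", re.IGNORECASE)


def root_domain(address: str) -> str:
    """Naive root-domain extraction (last two labels); enough for the sample data."""
    domain = address.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])


def visible_recipients(msg: Message) -> set:
    """Addresses a reader would see in To/Cc, lower-cased."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_message: str, delivered_to: str) -> dict:
    """Score one message. delivered_to is the envelope recipient (the mailbox the
    gateway actually delivered to); a list redirect leaves To/Cc pointing at the list."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    text = body_text(msg)
    phone = PHONE_RE.search(text)
    signals = {
        "from_is_invoice_service": root_domain(from_addr) in INVOICE_SERVICE_DOMAINS,
        "delivered_via_list": delivered_to.lower() not in visible_recipients(msg),
        "phone_in_body": phone is not None,
        "call_cue_near_phone": False,
    }
    if phone:
        # Look for a "call" cue within 80 characters on either side of the number.
        window = text[max(0, phone.start() - 80): phone.end() + 80]
        signals["call_cue_near_phone"] = CALL_CUE_RE.search(window) is not None
    # Flag only the combination: a real service sender, reached via a list, with a number.
    signals["flag"] = (signals["from_is_invoice_service"]
                       and signals["delivered_via_list"]
                       and signals["phone_in_body"])
    return signals


# Constructed sample: a PayPal invoice that reached the mailbox through the
# attacker's distribution list, so To: names the list, not the victim.
REDIRECTED_INVOICE = """From: "service@paypal.com" <service@paypal.com>
To: neworder@ilinoirstudio.net
Subject: Invoice from Example Seller
Content-Type: text/plain; charset=utf-8

You have received an invoice for $499.99.
Note from seller: If you did not authorize this charge, call 1-800-555-0142 immediately.
"""

# Constructed sample: the same service addressed directly, with no phone number.
DIRECT_INVOICE = """From: service@paypal.com
To: victim@example.com
Subject: Invoice from Example Seller
Content-Type: text/plain; charset=utf-8

You have received an invoice for $12.00. View it in your account.
"""

if __name__ == "__main__":
    for label, raw in (("redirected", REDIRECTED_INVOICE), ("direct", DIRECT_INVOICE)):
        print(label, analyze(raw, "victim@example.com"))
```

The point of requiring all three signals together is that each one alone is common in legitimate mail: genuine invoices do carry phone numbers, and plenty of legitimate mail arrives through lists. It is the genuine From address combined with a list hop and a number to call that matches the pattern the post describes; `call_cue_near_phone` is a supporting signal that can raise the score without gating the verdict.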
Sublime detects and prevents callback phishing and other email-based threats. Start your free account today, in the cloud or self-hosted, for out-of-the-box coverage for these types of attacks with the ability to customize their handling for your environment.