Beware! Big financial giants are scammed!

The fraud outbreak occurred in June 2023, when Microsoft’s Defender experts discovered that a sophisticated, multi-stage attack was being launched against large financial firms and banks. The hack group used Storm-1167 through ‘AiTM phishing attacks’ combined with ‘BEC scams’.

AiTM attack is a highly specialized attack method that can break through the defense system of enterprises and steal sensitive data. BEC fraud is the use of social engineering to defraud enterprises of funds.

“AiTM Cyber Attack” combined with “BEC Scam” attack:

Attack Phase 1

This multi-stage AiTM phishing and BEC attack typically involves a
phishing email
from a trusted vendor with a unique seven-digit code in the subject. The message body contains a link to view or download the file, which leads to a malicious URL for Hackers cleverly use the legitimate service Canva to conduct phishing campaigns and use it to host a fake OneDrive file preview and link to a phishing URL. Once the victim clicks on the URL, they are redirected to a
phishing page disguised as a Microsoft login page

Attack Phase 2

After the victim logs in to a phishing page disguised as a Microsoft login page and provides a password, the attacker initiates an authentication session using the victim’s credentials. When prompted for multi-factor authentication (MFA), the attacker modifies the phishing page to
a fake MFA page

Attack Phase 3

Once the victim completes MFA, the attacker can intercept the Session Token (usually a string of English numbers for identification purposes). The attacker can then use the stolen conversation cookie to impersonate the victim and bypass the authentication mechanism for passwords and MFA.

AiTM Attack: How to Protect Data from Theft?

AiTM attacks are typically multi-stage attacks in which attackers may use phishing emails, malicious links, or forged login pages to trick victims into account numbers and passwords to carry out unauthorized activities, including accessing sensitive information, launching financial fraud, or stealing confidential data. AiTM attacks are highly deceptive and stealthy attacks that require organizations to implement comprehensive defenses to deal with them.

Businesses can protect data from theft by:

  • Harden firewalls and encryption to prevent external attacks and internal leaks.
  • Ensure the security of your data with multi-factor authentication.
  • Establish a perfect data backup and recovery system to restore data in a timely manner.

What is BEC scam?

BEC Scam is short for (Business Email Hacking) and is also known as Face Change Scam.

BEC attacks mostly target people with remittance permissions, such as financial departments, executives, etc., but everyone in the enterprise may become the target of hackers, so BEC fraud can be preliminarily identified by the following methods.

The main method is email account intrusion (EAC) (Email Account Compromise), and then the use of social engineering to defraud the company of funds. Hackers will use ‘fake email accounts’ and ‘fake messages’ to see the opportunity to interact with victims and commit fraud. The FBI defines BEC fraud as a sophisticated fraud attack that intervenes when doing business with an external supply chain and/or executing wire transfers.

Businesses can identify them by:

  • Establish an internal control system to ensure the security of transfer and payment procedures.
  • Confirm that the object and amount of the transfer and payment are authentic.
  • Increase employee vigilance and screen suspicious emails and web pages.


In short, network security is a key element of enterprises, and it is necessary to establish a comprehensive security strategy and defense system to protect the security of enterprise assets. At the same time, enterprises also need to strengthen training and education to improve employees’ awareness and vigilance of cyber security and reduce security vulnerabilities and risks.