CDR Case Files: Incident Response at a Law Firm Part 1

What happens when an incident response firm gets the call to investigate an account compromise? In a recent webcast, we dove into the details of a real-world IR case involving a compromised email account at a law firm. This incident is an instance of a common form of attack called business email compromise (BEC) that has cost organizations billions of dollars in losses and resulted in hundreds of arrests around the world. 

I spoke with Erik Rasmussen, principal and head of cybersecurity and risk management solutions at Grobstein Teeple LLP. In this blog post, I’ve captured the case timeline and path of investigation that Erik and his team took. In a following blog post, I will cover security practices and tools that Erik recommends to protect against and quickly recover from business email compromise. Let’s dive in.

The Case

On December 5, 2019, the law firm (client) engaged GTLLP to conduct a digital forensics review of firm email accounts and other data. The client believed that a few days ago, one of the partners in the law firm opened a phishing email that contained a malicious URL. This ultimately led to unauthorized users accessing their email account. The unauthorized users could also potentially access other firm assets. The law firm tasked GTLLP with the following objectives:

1. Conduct a forensic analysis to determine the root cause of the incident
2. Figure out if Personally Identifiable Information (PII) or any other sensitive data may have been exposed
3. Provide recommendations to recover from the incident and ensure that the threat is mitigated

Erik and his team worked with the head of Information Technology at the law firm to get the data they needed to conduct the investigation. With the right tools in place, they were able to gather forensic images, email, activity, location telemetry, and other data remotely, which accelerated the investigation and lowered costs. The law firm’s IT team provided Erik with 26 Portable Storage Files (PST) that contained email account data.

Investigation

The first step in investigations of such incidents is to narrow the scope of the review as much as possible. Rather than inspecting the email of every employee at the firm, the IR team started with the specific phishing instance, and then spidered out from there to see if they had to expand the scope.

The IR team discovered that the law firm partner received an email purportedly from a user at another law firm to the partner’s personal Hotmail account. They had configured their Hotmail account to automatically forwarded emails to the work Office 365 email account. This phishing email contained a malicious link designed to steal email username and password information. A representative screenshot of this email is shown below:

The email header from this email revealed the originating IP address for this email to be 45.56.148.178. A Whois lookup of this IP address confirmed it resolved to a Virtual Private Network (“VPN”) provider. Further investigation also confirmed this was not sent from the legitimate user of the second law firm’s email account. The law firm used Microsoft 365 for document sharing, so this didn’t seem out of the ordinary. The partner clicked on the link and got phished. The unauthorized user now had access to the partner’s email account. 

Erik’s team used Obsidian to get quick visibility into the activity timeline in the partner’s account to understand what the unauthorized users did. They were able to onboard Obsidian in minutes. Within an hour or two, they got a real time readout of what was happening in the user’s Office 365 account. They were also able to look at the actual unified audit logs from Office 365.

Obsidian’s activity map view showed new logins to that account from an unfamiliar location. A representative view of the activity map is shown below:

The Obsidian activity timestream provided a consolidated view of historical activity in the law firm’s Office 365 environment. Obsidian ties users, access and privileges with activity, and enriches this with location, event type, ISPs, and devices. A representative view of the activity timestream is shown below (not from the actual case):

Incident Response Findings

Based on timeline analysis starting with the phishing email, the incident response team discovered what actually happened.

1. The partner clicked on the email supposedly from the user at the second law firm.
2. Soon after, an unknown user logged in from a new location using a VPN.
3. The user then created an “AlwaysDelete” Inbox rule to cover their tracks.
4. They sent two emails from the partner’s email account to another employee at the firm. The first email contained information about wanting to make a “contribution payment” to a client. The second email, sent soon after, provided wire instructions.
5. The same employee received a third email asking for a status on the wire. To the employee’s credit, they did not wire the money.
6. The next day, an unauthorized user (likely the same intruder) logged into the partner’s email account and sent phishing email to other employees in the firm. Several hundred email accounts were on BCC. This email was similar to the one the partner received. This attempt to propagate was unsuccessful.
7. The attacker(s) tried to cover their tracks by deleting the sent email, but the IR team was able to retrieve the email from backups. They edited some more Inbox rules in the partner’s mail account to cover their tracks and create persistence.
8. Analysis of the data in the partner’s mailbox showed that no PII or other sensitive data was exposed.

Recovery

Once GTLLP concluded the investigation and identified the root cause and impact, they coordinated remediation efforts with the firm’s IT staff to remove the rules, change passwords for all email accounts at the firm, and block access from malicious IP addresses. Remediation efforts confirmed no further compromise occurred and the unauthorized users were no longer in the system.

In incident response situations, time is of the essence. Obsidian gave Erik’s team consolidated data about users, privileges and activity in the Office 365 environment, allowing them to run the investigation remotely. They were able to onboard and start using Obsidian for the investigation in a matter of minutes, saving them precious time.

In part 2 of this blog, we will talk about Erik’s recommendations for organizations to better protect themselves from business email compromise, and to be better prepared for incident response if/when such incidents occur. Stay tuned!