You're missing the point. A "product" has to have a market to generate revenue. That even applies to illegal activities. Yes, as I mentioned earlier, <insert product/service>aaS has also grown in the black hat world. I wonder how many black hat providers operate on a contingency agreement. Probably none. They're going to want money up front, and the minimum is probably not trivial, and even more once payday arrives.
Not missing the point at all. Far from my first day on the job. I know many criminals like these operate as a business...how much $ will this investment generate. These kits aren't in the thousands anymore. They're in the hundreds...low hundreds, and even under a hundred. And you don't have to be a code writer to use them; they're sold as easy-peasy kits to use, made for non-computer-savvy crooks to use.
Payback doesn't take much. It's not so much that there's value in finding files in OD/SP. Some of these people can be smart...they know how to operate in stealth, and wait for the right moment. Case in point...and...(I know it won't be believed, but it's quite common)....those that bust into the email accounts of Realtors, brokers, law firms that deal with real estate...especially the paralegal in those offices. Those are usually small offices...the law firms, say a paralegal or two, and one or two attorneys. The one I know personally..that had it happen a few times till he left his prior IT guy to come over to me, was just him, his paralegal, and one other office girl. Very small office, a little hole in the wall. Not a "big juicy target". He got hit at least 2x. His paralegal had her account popped...they watched. They watch the email coming in and out. There will be a trend noticed over time, certain broker offices the firm works closely with, certain banks they work with...there's generally a small circle involved with every closing...buyer's side, and their lender, the seller's side, and their bank. The crooks watch....and for example, see a closing is scheduled for 1pm today. They see the crossflow of email between all parties...noting the email address of all involved, type of language used, etc. Often, not too long before closing, they'll use the paralegal's email account that they poached and have been watching everything with, to send an email out to the buyer's side to redirect the deposit to a different bank. The closing appointment time comes...the buyer's side walks into the room "Oh yeah, I got your email..don't worry we did redirect that deposit of $65,000". Seller's side goes bug-eyed "What? What email?!"
Since my wife is a Realtor...for quite a while...and quite a successful one in her career....I have talked to lots of other Realtors and brokers (as she's worked at a few different ones...since many offices try to steal her from others)...and have talked with the smaller law firms she becomes friends with for the closings. In my little corner of sleepy southeast Connecticut (not a big city). And we have what I'll call a "fairly decent sample size of clients"...near 200x 365 tenants...each of those varying sizes of clients...many little offices of 2-3, a decent amount of medium offices of a dozen or a few dozen, and a small handful of larger businesses towards 100. So in our own little world...under our own umbrella...we run across situations where a staff member's account got poached. I'm not making that up. I see it with my own eyes, I'm not dreaming, not crying wolf. It's not like we manage the IT for the White House or the Pentagon or Lockheed Martin. We manage the IT for typical everyday mundane businesses....staffed with everyday mundane people. Save for yeah, 2x particular clients I forget if I mentioned above, one is a branch of the Coast Guard located at the Academy, the other is a larger manufacturing business located in both CT and FL...does some prefab and repair work for a big name in the aerospace industry.
Several months ago we lost a client...a fairly large client (around 60-70 staff)...was great monthly money..on an MSP plan, and located 2/3 of a mile right down the road from us. The company sold, a new "boss" came in...and he was a pain. Our relationship strained (not my client but one of our other engineers' clients). The boss had his 365 account poached. We had him on MFA. But he let the bad guy in. The check that his finance lady stroked and sent was $85,000 (based on the email sent to her from his account)...and he tried to sue us to get that back, blaming us for his account getting poached. We were getting tired of that client anyways...but it sucked to lose that...3500 or near 4k/month.
Just 3 or 4 weeks ago, the CEO of a client of mine that is a small "foundation" (only about 8 staff)...had her email poached. They have had MFA enforced by conditional access. Some ...what I'll call..."test" emails from the intruder were sent to board members. She noticed them...and called me. She was smart. But it did happen...I'm not making it up.
Anyways, we're clearly all just dug into our trenches here...not budging. I'll still probably start a thread or add to the other 365 Intune thread I have on better "locking down" a 365 tenant...so a couple of people here who might find it helpful can check it out.
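The mailbox-takeover pattern described in the post above (an attacker sitting in a poached 365 account, watching mail, then sending a redirect at closing time) usually leaves traces in the tenant's audit log before the fraudulent email goes out: a sign-in from somewhere the user has never logged in from, an inbox rule that deletes or buries messages about "closing" or "wire", or mailbox-level forwarding to an outside address. The script below is an added example, not code from this thread or from any of the posters; it runs a few cheap checks over constructed sample records. The record layout, field names, tenant domain and "ZZ" country code are all made up for the demo; only the operation names UserLoggedIn, New-InboxRule and Set-Mailbox are real Exchange/365 names.

```python
"""Flag common indicators of a mailbox takeover in simplified audit records.

Added example, not code from the thread. The record shape is a constructed,
simplified stand-in for a Microsoft 365 audit export: the operation names
UserLoggedIn, New-InboxRule and Set-Mailbox are real, but the field names,
sample values and tenant domain are invented for this demo.
"""
from collections import defaultdict

TENANT_DOMAIN = "example-lawfirm.test"  # constructed tenant domain

# Folders attackers commonly use to bury mail the owner should not see.
# Illustrative list, not exhaustive.
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Junk Email",
                  "Archive", "Conversation History"}

# Constructed sample records (order does not matter; the detector sorts them).
SAMPLE_RECORDS = [
    {"ts": "2024-05-01T09:02:00Z", "user": "paralegal@example-lawfirm.test",
     "op": "UserLoggedIn", "country": "US", "params": {}},
    {"ts": "2024-05-01T09:10:00Z", "user": "attorney@example-lawfirm.test",
     "op": "UserLoggedIn", "country": "US", "params": {}},
    {"ts": "2024-05-01T13:45:00Z", "user": "paralegal@example-lawfirm.test",
     "op": "UserLoggedIn", "country": "US", "params": {}},
    # Benign rule: the attorney files bar-association newsletters into a folder.
    {"ts": "2024-05-01T14:00:00Z", "user": "attorney@example-lawfirm.test",
     "op": "New-InboxRule", "country": "US",
     "params": {"Name": "Newsletters", "From": "news@bar-assoc.test",
                "MoveToFolder": "Newsletters"}},
    # "ZZ" is a placeholder country code, not a real location.
    {"ts": "2024-05-02T03:12:00Z", "user": "paralegal@example-lawfirm.test",
     "op": "UserLoggedIn", "country": "ZZ", "params": {}},
    {"ts": "2024-05-02T03:15:00Z", "user": "paralegal@example-lawfirm.test",
     "op": "New-InboxRule", "country": "ZZ",
     "params": {"Name": ".", "SubjectContainsWords": ["closing", "wire", "deposit"],
                "DeleteMessage": True, "MoveToFolder": "RSS Subscriptions"}},
    {"ts": "2024-05-02T03:16:00Z", "user": "paralegal@example-lawfirm.test",
     "op": "Set-Mailbox", "country": "ZZ",
     "params": {"ForwardingSmtpAddress": "smtp:backup@external-mail.test"}},
]


def is_external(address, tenant_domain=TENANT_DOMAIN):
    """True if an SMTP address is outside the tenant (strips any 'smtp:' prefix)."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return "@" in addr and not addr.endswith("@" + tenant_domain.lower())


def rule_reasons(params, tenant_domain=TENANT_DOMAIN):
    """Why an inbox rule looks like mailbox hijacking; empty list if it looks benign."""
    reasons = []
    target = params.get("ForwardTo") or params.get("RedirectTo")
    if target and is_external(target, tenant_domain):
        reasons.append(f"forwards mail to external address {target}")
    if params.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    if params.get("MoveToFolder") in HIDING_FOLDERS:
        reasons.append(f"hides matching mail in '{params['MoveToFolder']}'")
    if reasons and params.get("SubjectContainsWords"):
        reasons.append("keyed on subject words " + ", ".join(params["SubjectContainsWords"]))
    return reasons


def flag_suspicious(records, tenant_domain=TENANT_DOMAIN):
    """Return findings as dicts of ts, user and reasons, in time order."""
    findings = []
    seen_countries = defaultdict(set)
    for r in sorted(records, key=lambda rec: rec["ts"]):
        user, op, p = r["user"], r["op"], r["params"]
        reasons = []
        if op == "UserLoggedIn":
            # A country never seen before for this user is a weak but cheap signal.
            if seen_countries[user] and r["country"] not in seen_countries[user]:
                reasons.append(f"sign-in from new country {r['country']}")
            seen_countries[user].add(r["country"])
        elif op == "New-InboxRule":
            reasons = rule_reasons(p, tenant_domain)
        elif op == "Set-Mailbox":
            fwd = p.get("ForwardingSmtpAddress")
            if fwd and is_external(fwd, tenant_domain):
                reasons.append(f"mailbox-level forwarding to external address {fwd}")
        if reasons:
            findings.append({"ts": r["ts"], "user": user, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious(SAMPLE_RECORDS):
        print(f["ts"], f["user"], "; ".join(f["reasons"]))
```

On the constructed sample this produces three findings, all for the paralegal's account (the new-country sign-in, the delete-and-hide rule keyed on closing/wire/deposit, and the external forwarding), while the attorney's newsletter rule is left alone. The new-country check is deliberately naive (first sight of a country is not proof of anything); in a real tenant these signals belong in an alert that a human reviews, alongside the MFA and conditional access controls the thread already discusses.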