Threat Hunting Rules: Water Nue Phishing Campaign

In today’s news, we want to warn you about an ongoing campaign by Water Nue targeting business Office 365 accounts in the US and Canada. Notably, the fraudsters successfully phished a number of senior executives at companies worldwide and harvested over 800 sets of credentials. Their phishing toolset is limited: they deploy no trojans or backdoors and instead rely on cloud services for their infrastructure. Because no attachment or payload is involved in the attack, traditional security solutions that look for malicious files or malware cannot protect the victim accounts.

In their spear-phishing activities, which started in March, the Water Nue attackers switched to new infrastructure whenever the old infrastructure was blocked by multi-factor authentication or blacklisted.

By combining password spraying and brute-force attempts, the threat actor can gain access to accounts even where stronger authentication protocols are in use. The researchers also emphasize that legacy email protocols such as POP3, IMAP, SMTP and MAPI do not support MFA, which is widely believed to provide complete protection; the attackers therefore get into the victim environment by switching to a legacy mail client application and obscuring its details.
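The legacy-protocol point is easy to miss in practice, because a spray that ends in a single IMAP or SMTP login never trips an MFA prompt. The following is an added detection example written for this post (it is not the original post’s content and not the SOC Prime rule): it runs two checks over constructed Office 365 / Azure AD style sign-in events, flagging successful logins through legacy authentication clients, and flagging source IPs whose failed logins span several distinct users (a password-spray pattern) together with any success that follows from the same IP. The field names (`userPrincipalName`, `ipAddress`, `clientAppUsed`, `status.errorCode`) follow the Microsoft Graph `signIn` resource; the sample lines, addresses and user names are made up for the example, and the spray threshold of three distinct users is an assumed tuning value.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (NOT real telemetry), one JSON object per
# line, modelled on a subset of the Microsoft Graph `signIn` resource fields.
SAMPLE_SIGNINS = """
{"createdDateTime":"2020-08-10T08:01:10Z","userPrincipalName":"cfo@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Browser","status":{"errorCode":50126}}
{"createdDateTime":"2020-08-10T08:01:25Z","userPrincipalName":"ceo@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Browser","status":{"errorCode":50126}}
{"createdDateTime":"2020-08-10T08:01:41Z","userPrincipalName":"cto@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Browser","status":{"errorCode":50126}}
{"createdDateTime":"2020-08-10T08:02:00Z","userPrincipalName":"ceo@example.com","ipAddress":"198.51.100.4","clientAppUsed":"Browser","status":{"errorCode":0}}
{"createdDateTime":"2020-08-10T08:15:33Z","userPrincipalName":"cfo@example.com","ipAddress":"203.0.113.7","clientAppUsed":"IMAP4","status":{"errorCode":0}}
{"createdDateTime":"2020-08-10T09:00:00Z","userPrincipalName":"hr@example.com","ipAddress":"192.0.2.9","clientAppUsed":"Authenticated SMTP","status":{"errorCode":0}}
{"createdDateTime":"2020-08-10T09:05:12Z","userPrincipalName":"cto@example.com","ipAddress":"198.51.100.4","clientAppUsed":"Mobile Apps and Desktop clients","status":{"errorCode":0}}
"""

# Client app names that Azure AD sign-in logs report for legacy (basic)
# authentication, i.e. protocols on which MFA cannot be enforced. Subset only.
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync",
    "MAPI Over HTTP", "Exchange Web Services", "Other clients",
}

# Azure AD error code returned for a wrong password.
INVALID_CREDENTIALS = 50126


def parse_signins(text):
    """Parse newline-delimited JSON sign-in events, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["createdDateTime"] = datetime.strptime(e["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["createdDateTime"])


def legacy_auth_successes(events):
    """Successful sign-ins that went through a legacy client, bypassing MFA."""
    return [
        e for e in events
        if e["status"]["errorCode"] == 0 and e["clientAppUsed"] in LEGACY_CLIENT_APPS
    ]


def password_spray_sources(events, min_distinct_users=3):
    """Source IPs whose wrong-password failures hit >= min_distinct_users accounts.

    For each such IP, also list every successful sign-in from that IP that
    occurred after its first failure, since that is the likely compromise.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ipAddress"]].append(e)

    suspects = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["status"]["errorCode"] == INVALID_CREDENTIALS]
        users = {e["userPrincipalName"] for e in failures}
        if len(users) < min_distinct_users:
            continue
        first_failure = min(e["createdDateTime"] for e in failures)
        successes = [
            e for e in evs
            if e["status"]["errorCode"] == 0 and e["createdDateTime"] > first_failure
        ]
        suspects[ip] = {
            "sprayed_users": sorted(users),
            "successes": [(e["userPrincipalName"], e["clientAppUsed"]) for e in successes],
        }
    return suspects


if __name__ == "__main__":
    evs = parse_signins(SAMPLE_SIGNINS)
    for e in legacy_auth_successes(evs):
        print(f"LEGACY AUTH SUCCESS  {e['createdDateTime']:%H:%M:%S} {e['userPrincipalName']} via {e['clientAppUsed']} from {e['ipAddress']}")
    for ip, info in password_spray_sources(evs).items():
        print(f"PASSWORD SPRAY from {ip}: tried {info['sprayed_users']}; successes after spray: {info['successes']}")
```

In the sample, 203.0.113.7 fails against three executives and then logs in as the CFO over IMAP4, which both checks flag; the Authenticated SMTP login from 192.0.2.9 is flagged by the legacy check alone and would need a baseline (known relays, service accounts) before it is treated as hostile. Against real data the same logic can be fed from the Microsoft Graph `/auditLogs/signIns` endpoint or a SIEM export, and the durable fix is to disable basic authentication for these protocols with Exchange Online authentication policies or a Conditional Access policy blocking legacy authentication clients.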

To stay protected against BEC scams such as the recent Water Nue campaign, it is vital that employees are trained to handle sensitive information carefully and to scrutinize incoming emails.

A Sigma rule by Osman Demir helps detect the recent Water Nue phishing campaign targeting C-suite Office 365 accounts: https://tdm.socprime.com/tdm/info/1MpOfTTpAiW0/M_wR2HMBSh4W_EKGGv47/

The rule has translations for the following platforms:

SIEM: ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint

Tactics: Initial Access

Techniques: Spearphishing Link (T1192; in current versions of MITRE ATT&CK this technique has been folded into Phishing: Spearphishing Link, T1566.002)


Ready to try out SOC Prime TDM? Sign up for free.

Or join Threat Bounty Program to craft your own content and share it with the TDM community.