- Mar 13, 2022
Attackers have found a new way to avoid detection in business email compromise (BEC) and account takeover attacks: buying residential IP addresses located near the victim to mask the true origin of their login attempts, thus circumventing the common "impossible travel" security detection, Microsoft is warning.
An impossible travel flag is raised when an account is used from two locations within less time than it would take to physically travel between them. For instance, if Employee A always logs on from Boston at 9 a.m., a login attempt an hour later from Singapore would raise a red flag. Masking the actual origin IP address of a malicious login defeats that check and provides "the ability and opportunity for cybercriminals to gather large volumes of compromised credentials and access accounts" from anywhere, Microsoft researchers wrote in a blog post.
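The detection the article describes, implemented as an added example (this is not Microsoft's detection logic or code from the original article). It geolocates consecutive sign-ins per user, computes the great-circle distance between them, and flags any pair that would require travelling faster than an assumed 1,000 km/h airliner ceiling. The sample sign-in events, the coordinates and the IP addresses are constructed for the example; the second user's "Boston" login comes from a residential-proxy address in the same metro area, which is exactly the case the article says slips past this check.

```python
"""Impossible-travel detection over constructed sign-in events (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from itertools import groupby
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: faster than an airliner counts as "impossible"
SAME_AREA_KM = 50.0         # assumption: moves within one metro area are GeoIP jitter, not travel


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float  # approximate GeoIP coordinates (assumed values for this example)
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(prev, cur):
    """Speed the user would have needed to get from prev to cur in the elapsed time."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:  # simultaneous (or out-of-order) events: any real distance is impossible
        return float("inf") if km > SAME_AREA_KM else 0.0
    return km / hours


def is_impossible_travel(prev, cur, max_kmh=MAX_PLAUSIBLE_KMH):
    """True if the pair of sign-ins violates the plausible-speed limit."""
    if haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) <= SAME_AREA_KM:
        return False  # same area: never flag, regardless of timing
    return required_speed_kmh(prev, cur) > max_kmh


def scan(events):
    """Return (prev, cur) pairs, per user in time order, that trip the check."""
    flagged = []
    ordered = sorted(events, key=lambda e: (e.user, e.ts))
    for _, group in groupby(ordered, key=lambda e: e.user):
        prev = None
        for cur in group:
            if prev is not None and is_impossible_travel(prev, cur):
                flagged.append((prev, cur))
            prev = cur
    return flagged


def _t(hour):
    return datetime(2022, 3, 13, hour, 0, tzinfo=timezone.utc)


# Constructed sample data. IPs are from documentation ranges; coordinates are approximate.
BOSTON = (42.36, -71.06)
BOSTON_PROXY = (42.40, -71.10)   # residential-proxy exit a few km from the victim's office
SINGAPORE = (1.35, 103.82)

SAMPLE_EVENTS = [
    SignIn("alice", _t(9), "203.0.113.10", *BOSTON),
    SignIn("alice", _t(10), "198.51.100.7", *SINGAPORE),   # attacker's own location: flagged
    SignIn("bob", _t(9), "203.0.113.20", *BOSTON),
    SignIn("bob", _t(10), "203.0.113.77", *BOSTON_PROXY),  # attacker via local residential IP: passes
]

if __name__ == "__main__":
    for prev, cur in scan(SAMPLE_EVENTS):
        print(f"{cur.user}: {prev.ip} -> {cur.ip} needs "
              f"{required_speed_kmh(prev, cur):,.0f} km/h: impossible travel")
```

Running the block flags only alice's Singapore login; bob's login through the Boston-area residential proxy looks like an ordinary local sign-in to this check, which is the evasion the article describes. Distance-and-time logic alone cannot distinguish a proxied login from a genuine local one, so the check needs to be paired with signals the IP itself does not give away.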
Threat actors are using a combination of platforms such as BulletProftLink, a service for creating industrial-scale malicious email campaigns, and residential IP services to help them evade the flag, Microsoft Security researchers revealed.
Microsoft: BEC Attackers Evade 'Impossible Travel' Flags With Residential IP Addresses
Threat actors are circumventing geo-location-based security detections, using a combination of cybercrime-as-a-service platforms and the purchasing of local IP addresses.