Business Email Accounts: An Attacker’s Favorite Target
By Kevin J. Baker, EnCE, ACE, Director, Advisory Services
One of the greatest threats to companies today is unauthorized access to business email accounts. Not only is a significant amount of sensitive data stored in email, but email is a common gateway to other accounts. Think about how often you reset your password using a link received via email. Once an email account is compromised, it can also be used by attackers to send fraudulent emails in your name, to gain access to other sensitive information or accounts. Business Email Compromise, or BEC, has affected most companies. According to the Proofpoint 2021 State of the Phish report, 65% of organizations faced a BEC attempt in 2020.
There are many different ways a business email account can be compromised. One common method is credential stuffing. In a credential stuffing attack, an attacker uses lists of compromised credentials (usernames and passwords), normally purchased on the dark web, to access accounts where a password has been reused. For example, an attacker may get a list of usernames and passwords from the Yahoo!, Adobe or eBay data breaches and then try the corresponding username and password against corporate email accounts. With so many websites using your email address as your username, it is easy to identify likely targets by looking for usernames from the same domain (e.g., @yourcompany.com).
Different levels of information can be acquired on the dark web. Everything from password lists that are distributed freely to very expensive lists of verified accounts with security questions is readily available. Several public breach-notification services let you check whether your account information was included in one of the popular data breaches.
Another common tactic used to compromise business email accounts is phishing. In a phishing attack, a fraudulent email is sent to numerous recipients with an inducement to take some action, generally to click on a malicious link or attachment. A variant called spear phishing targets a specific individual using information gathered from publicly available sources to create a credible email that makes it more likely the victim will act as requested. These attacks routinely take a user to a fraudulent website where they are asked to enter their username and password. Once they enter this information, likely under the guise of needing to “validate” or “verify” their account, attackers use the credentials to compromise the user’s business email account. The attackers can then use that account to collect sensitive information or mount additional attacks against the company.
Preventing Business Email Compromise Attacks
Although there are other ways to compromise an email account, the vast majority of successful attacks involve obtaining the credentials for the account. This makes securing a user’s credentials the most valuable method of preventing BEC attacks. One of the best ways to secure a user’s credentials is to turn on multifactor authentication (MFA) or two-factor authentication (2FA). This is the familiar text message with a code or an authentication app that prompts you to approve a login. Adding 2FA/MFA greatly reduces the risk of an account compromise. Note, though, that a sophisticated attacker could still entice a user to provide the 2FA/MFA text code or approve a malicious login request. Although MFA/2FA is not perfect, it is an effective and inexpensive way to prevent BEC attacks.
Training is another prevention method that can be very effective. Users should understand the risk of reusing passwords and be on the lookout for suspicious emails. Sophisticated social engineering is commonplace among the criminal organizations carrying out these attacks. However, most of the time a trained user can spot an attack if they’re paying attention and know what to look for. Most training programs also include phishing tests where emails are sent to users to see if they will click on fraudulent emails. This helps to identify weaknesses and gauge a training program’s effectiveness. In addition to phishing tests, some companies will perform more targeted spear phishing tests to identify security weaknesses and better understand where additional training would be valuable. During one such recent test, Marcum was able to induce a high value target to not only provide credentials, but also approve an MFA request. This resulted in complete access to the account, including email. It is much better to identify these weaknesses during testing than as the result of an actual attack.
There are also some technological defenses that can help prevent attacks. In addition to spam filters, firewalls, intrusion detection systems and web filters, banners at the top of email messages or indicators in email subjects that an email is from an external party help users identify malicious email. Spear phishing attacks often use a look-alike domain intended to trick a user into believing it is the legitimate company domain (e.g., microsoft.com vs. rnicrosoft.com). A banner at the top of an email identifying a look-alike domain as an external domain immediately alerts the user that the email is not from an internal company address, but actually from an external party.
Business Email Compromise Investigations
Investigating BEC attacks entails three critical phases. The first is identifying how an account was compromised, or in some cases whether an account was compromised if a company is not certain that an attack actually occurred. The second phase is identifying what was done with the account after it was compromised. The third phase is identifying other accounts that also may have been compromised.
Log files from email systems are the primary source of information used to investigate a BEC attack. Actual email can also be used to help identify the genesis of the attack. The amount of log data available is dependent on how the email system is configured. In some cases, years of detailed log data is available, which can be used to pinpoint the attack vector and identify any compromised accounts. At other times, audit logs are not enabled on the system at all and very limited information is available to aid an investigation.
One of the most unfortunate outcomes of an investigation is finding that audit logs were not enabled and no relevant log data is available for analysis. This is why companies are more frequently including a review of their email systems (more or less a “test” investigation) as part of their cybersecurity measures. Knowing there are configuration issues before an attack can mean the difference between a smooth, successful investigation and the challenge of having to review every account in the dark. This is especially true with on-premises systems and older Microsoft 365 accounts provisioned before logging was enabled by default.
Once a compromised account is identified, the login activity is analyzed to identify unusual logins. This could include logins from known malicious IP addresses, logins from unexpected locations, or activity at unusual times. The account is also checked for mailbox rules, such as rules that automatically move or delete email messages, which is a common tactic of attackers. After identifying the malicious logins, all of the associated account activity is analyzed to understand the scope of the attack and the actions of the attacker. The IP addresses and other connection information are then used to identify any additional accounts compromised by the attacker.
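The investigation steps in this section, as an added worked example that is not part of the original article: sign-in events for a suspected account are checked against a known-bad IP list, the expected sign-in countries and business hours; the account's mailbox rules are scanned for rules that hide mail; and the attacker's IPs are then used to find other accounts the same source touched. The log format, the sample events, the rules, the IP list and the business-hours window are all constructed for this example.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample sign-in log (not real data): UTC time, account, source IP, geolocated country, result
SIGNIN_LOG = """timestamp,user,ip,country,result
2021-03-02T09:14:00,alice@yourcompany.com,203.0.113.10,US,Success
2021-03-02T03:25:00,alice@yourcompany.com,198.51.100.7,NG,Success
2021-03-03T10:02:00,bob@yourcompany.com,203.0.113.11,US,Success
2021-03-03T02:40:00,bob@yourcompany.com,198.51.100.7,NG,Success
"""
# Constructed mailbox rules: (account, rule name, action, target folder)
INBOX_RULES = [
    ("alice@yourcompany.com", "Invoices", "MoveToFolder", "RSS Feeds"),
    ("alice@yourcompany.com", "Cleanup", "Delete", ""),
    ("bob@yourcompany.com", "Newsletters", "MoveToFolder", "Reading"),
]
KNOWN_BAD_IPS = {"198.51.100.7"}   # assumed threat-intel list, not from the article
EXPECTED_COUNTRIES = {"US"}        # where this company's staff normally sign in from
BUSINESS_HOURS = range(7, 19)      # 07:00-18:59, assumed for this example
HIDING_FOLDERS = {"rss feeds", "deleted items", "junk email", "archive"}

def parse_signins(text):
    return list(csv.DictReader(StringIO(text)))

def flag_logins(events, user):
    """Successful sign-ins for one account that match any of the indicators above."""
    flagged = []
    for e in events:
        if e["user"] != user or e["result"] != "Success":
            continue
        reasons = []
        if e["ip"] in KNOWN_BAD_IPS:
            reasons.append("known malicious IP")
        if e["country"] not in EXPECTED_COUNTRIES:
            reasons.append("unexpected location " + e["country"])
        if datetime.fromisoformat(e["timestamp"]).hour not in BUSINESS_HOURS:
            reasons.append("unusual time")
        if reasons:
            flagged.append((e, reasons))
    return flagged

def suspicious_rules(rules, user):
    """Mailbox rules that hide incoming mail: delete it or move it to a rarely opened folder."""
    return [r for r in rules if r[0] == user and
            (r[2] == "Delete" or (r[2] == "MoveToFolder" and r[3].lower() in HIDING_FOLDERS))]

def pivot_accounts(events, flagged, user):
    """Other accounts with sign-ins from the IPs used against the compromised account."""
    attacker_ips = {e["ip"] for e, _ in flagged}
    return {e["user"] for e in events if e["ip"] in attacker_ips and e["user"] != user}
```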
Cybersecurity is a challenge for any company. Recently, the increase in business email compromise attacks has caused companies to focus their cybersecurity efforts on BEC prevention and identification of compromised accounts. There are many things a company can do, from user training and phishing tests to proactive investigations. However, no single solution can guarantee an attack will not be successful. Like most things in cybersecurity, a layered approach with multiple lines of defense is the best way to prevent infiltration. The goal is to minimize the chance of a successful attack and reduce the time it takes to identify a successful attack when one happens.