
At SBRC, we provide a helpline to support organisations that have fallen victim to cyber incidents. The helpline is also available to those that may have general enquiries and require guidance related to any cyber security issues.  

One of the most commonly reported incidents is a compromised email account. In almost all cases, multi-factor authentication was not enabled. Some organisations only became aware that an account had been compromised when they discovered irregularities in the transaction histories of their bank accounts, an attack often referred to as “business email compromise”.

If the motivation behind an email account compromise is financial, the threat actor will usually make it worth their while. In each successful attempt reported to us this year, five-figure sums were transferred. This leads to a nervy process of attempting to understand whether the funds can be recovered. In some cases, the transactions are not reversed.

One of the reasons these attacks are so common is that a threat actor does not necessarily need to make a significant investment of time and resources to be successful. This makes the attack relatively cost effective compared with other attacks that require greater overheads, such as developing malware for phishing campaigns, or attempting to exploit vulnerabilities within an organisation’s externally exposed infrastructure.

By compromising an account, the attacker is in a position to exfiltrate information from the organisation by accessing the victim’s mailbox, resulting in a loss of confidentiality of the information it stores.

It also provides the attacker with the opportunity to impersonate the owner of the account, making it very difficult for recipients of email originating from the compromised account to distinguish legitimate requests from fraudulent ones. In such cases, the only thing that may alert recipients to this behaviour is that the request is out of context or abnormal.

The intention of this blog post is firstly to raise awareness of these attacks, based purely on the high number of cases we have observed this year.

This document also provides a reference for dealing with this type of incident. It may also be useful for identifying whether any security controls are absent, as well as any missed steps within the organisation’s incident response plan. 

Impact 

In addition to the scenarios described above, an organisation that falls victim to this type of attack may suffer from the following: 

  • Data Loss / Exfiltration – Exfiltration of sensitive information, such as personal details, intellectual property, financial information or supply chain details
  • Financial Loss – Business Email Compromise (also known as Payment Redirection Fraud), whereby an attacker conducts fraud by manipulating bank details or requesting payments
  • Onward Access (Lateral Movement) – Compromise of additional services by authenticating as the controlled account for broader access, or leveraging current access as a stepping-stone to target internal or external contacts
  • Reputational Damage – The attacker either intentionally or unintentionally causes embarrassment to the victim organisation 

Initial Access 

In order to compromise an unprotected email account, an attacker only requires two parameters: a username and a password. The first is the easiest to acquire, as an attacker can research the target organisation and its employees. To identify the password used to secure an account, threat actors may use the following techniques:

  • Bruteforcing: An attacker attempts to exhaust a list of common passwords against an account 
  • Password Guessing: An attacker expends effort up-front, specifically researching certain individuals to identify passwords they may use based upon their personal interests or other attributes that are publicly available to them, such as social media 
  • Password Spray: An attacker attempts to log into accounts using a statistically probable password which conforms to the bare minimum complexity requirements of the password policy (such as ‘Winter2021!’ or ‘CompanyName1!’) across e-mail addresses collected from web sites or other sources
  • Credential Stuffing: An attacker capitalises on weak security controls implemented by third parties where the victim has re-used the password that secures their email account with another service. Attackers will often research credentials derived from data breaches
  • Credential Theft: An attacker sends a phishing e-mail to the victim which imitates a service they would typically interact with, harvesting the credentials submitted to a resource the attacker controls. Alternatively, they could attempt to induce the user to execute malware designed to steal credentials

Containment and Recovery 

We observe that organisations tend to only identify an account compromise when they are notified by an external party. It is possible to implement proactive monitoring controls (as discussed within the detection section), but in reality, this is not feasible for small organisations. 

If an account is identified to be compromised, the following actions should be considered:  

  • Temporarily Disable the Account and Invalidate Existing Sessions: Disable the account until it is possible to communicate with the victim. If appropriate, ensure that any existing session tokens are forcibly expired so that current login sessions are invalidated; otherwise an attacker may retain access until the session cookie expires, even after a password change
  • Debrief with the Victim: Discuss whether the victim has observed anything suspicious recently, as this may help identify other affected accounts, or provide context and justification to investigate an endpoint compromise or a credential harvesting phish that may have been targeted at other users too. It is important to have this conversation without victim shaming
    • Employees should be educated to avoid risky actions, but encouraged to raise the alarm about mistakes they make. In environments that do not have the maturity and resources to proactively detect compromises, the employee may be the earliest and only alarm available to notify you
  • Implement Multi-Factor Authentication: Any Internet-facing service should be configured so that it authenticates an individual with more than a username and password combination. An additional form of authentication should be used, such as a Hardware Token, App or SMS
  • Password Changes: The password of the account should be changed as soon as possible; NCSC guidance recommends a password consisting of three random words. The victim should also be advised to change the password for any additional accounts where they may have re-used it
  • Review Mailbox Forwarding Rules: Mail forwarding rules can be used by an adversary as a means to persist after remedial action has been taken (such as a password change or MFA enablement). This can sometimes be abused to maintain access to information, such as password reset e-mails for other services, which are then forwarded to an attacker-controlled mailbox

Reporting 

Upon identification of an email account compromise, external parties may need to be contacted dependent on the scenario:  

  • In line with GDPR and the Data Protection Act 2018, the Information Commissioner’s Office (ICO) should be notified in the event of a data breach where appropriate. Other regulatory bodies may require notification, dependent on the industry the organisation operates in
  • Where there has been financial loss, the victim organisation must contact Police Scotland on the non-emergency contact line (101) to report the incident, as well as the financial institution that the funds were stolen from 
  • If the organisation has some form of protection via cyber insurance, then the insurance provider should also be notified 
  • Dependent on the circumstances, there could be other victims (supply chains, clients and customers, other businesses) of the attack due to the threat actor obtaining access to information intended to be private within emails  

Basic Prevention 

In order to increase an organisation’s resilience to this type of attack, we recommend reviewing whether the following remedial action would be appropriate to implement:

Configure a Robust Password Policy: A password policy that requires a minimum length of 8 characters and a change every 3 months is more likely to result in users choosing poorer passwords than one requiring a 14-character password changed yearly

Implement MFA: The most effective method for preventing account compromises. Research by Google in 2019 found that 100% of automated account takeovers could be prevented when any form of MFA was implemented

Password Managers: A password manager is essentially a utility where passwords can be generated and stored. As the burden of remembering passwords is removed from the individual, unique and complex passwords can be copied and pasted into services with ease. There are online password managers, as well as those that store the credentials locally on the system

Corporate Website About Us Pages: The organisation may wish to reduce the amount of information that is publicly available about their employees, such as their email addresses and their interests, as this can be useful for social engineering and information gathering. It should be noted, however, that this information can typically be gathered from other resources, but generally not as quickly

Implement Robust Processes for Financial Handling: Organisations should consider implementing the anti-fraud advice outlined in this article for verifying transactions. This would include having a two-step authorisation procedure for standalone payments, as well as verifying transaction details against previous or retained records to identify discrepancies

Detection and Analysis 

Dependent on the email service supplier, organisations may have the capacity to implement proactive detection mechanisms for identifying account compromises as they occur.  

Email service solutions such as Exchange Online, on-premises Exchange and Google Workspace all record details associated with activity of an email account for varying periods of time. 

From the logs, it is possible to extract details which can be evaluated by rules in order to identify compromised accounts. Rules which monitor for the following can help identify compromised accounts early and reduce the impact:

  • Multiple IP addresses accessing the same account
  • The same, irregular IP address accessing multiple accounts
  • Accesses from unlikely or suspicious geographical locations
  • Multiple login failures, followed by a successful login
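The four rules above, applied to a batch of sign-in events, as an added example that is not part of the original post. The event layout (user, source IP, country, outcome, timestamp) and the thresholds are assumptions; the sign-in data is constructed and uses documentation address ranges.

```python
from collections import defaultdict

# Constructed sample sign-in events for illustration; assumed tuple layout
# (user, source IP, country, outcome, ISO timestamp). Real exports differ per provider.
SIGNINS = [
    ("alice@example.com", "203.0.113.10", "GB", "Failure", "2021-11-01T08:00:00"),
    ("alice@example.com", "203.0.113.10", "GB", "Failure", "2021-11-01T08:00:05"),
    ("alice@example.com", "203.0.113.10", "GB", "Failure", "2021-11-01T08:00:10"),
    ("alice@example.com", "203.0.113.10", "GB", "Success", "2021-11-01T08:00:15"),
    ("bob@example.com",   "203.0.113.10", "GB", "Success", "2021-11-01T08:02:00"),
    ("carol@example.com", "203.0.113.10", "GB", "Success", "2021-11-01T08:03:00"),
    ("dave@example.com",  "192.0.2.44",   "NG", "Success", "2021-11-01T08:04:00"),
    ("alice@example.com", "198.51.100.7", "GB", "Success", "2021-11-01T09:30:00"),
]

def evaluate(events, expected_countries=frozenset({"GB"}),
             failure_threshold=3, shared_ip_threshold=3):
    """Apply the four rules from the post to a batch of sign-in events.
    Returns a sorted list of (rule, subject) alert tuples."""
    ips_per_user = defaultdict(set)
    users_per_ip = defaultdict(set)
    consecutive_failures = defaultdict(int)
    alerts = set()
    for user, ip, country, outcome, _ts in sorted(events, key=lambda e: e[4]):
        if outcome == "Success":
            ips_per_user[user].add(ip)
            users_per_ip[ip].add(user)
            # Rule 3: successful access from a country the organisation does not operate in
            if country not in expected_countries:
                alerts.add(("unexpected-geo", f"{user} from {ip} ({country})"))
            # Rule 4: a run of failures immediately followed by success (spray / bruteforce)
            if consecutive_failures[user] >= failure_threshold:
                alerts.add(("failures-then-success", user))
            consecutive_failures[user] = 0
        else:
            consecutive_failures[user] += 1
    # Rule 1: one account used from several source addresses
    for user, ips in ips_per_user.items():
        if len(ips) > 1:
            alerts.add(("multiple-ips-one-account", user))
    # Rule 2: one source address used to sign in to several accounts (threshold avoids office NAT noise)
    for ip, users in users_per_ip.items():
        if len(users) >= shared_ip_threshold:
            alerts.add(("one-ip-multiple-accounts", ip))
    return sorted(alerts)

if __name__ == "__main__":
    for rule, subject in evaluate(SIGNINS):
        print(f"{rule}: {subject}")
```

Rule 1 will also fire for legitimate roaming users, so the alerts are triage prompts rather than confirmations of compromise.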

For organisations which make use of M365 services, consideration should be given to enabling Unified Audit Logging. This feature is enabled by default for enterprise organisations, but we recommend double checking that it is enabled, as it will not be possible to access logs retrospectively if the feature was disabled. These logs can be particularly useful for identifying whether an attacker has authenticated to other Microsoft services, such as Teams and SharePoint, beyond Outlook.

Organisations that have the appropriate licensing may also be able to review audit trails to understand which emails a threat actor accessed after compromising an account. MailItemsAccessed records, which log IP address, username, timestamp and session information, allow the bind and sync MailAccessType operations to be inspected.

The bind operation details where an individual email has been accessed, whereas a sync operation denotes the download of a large volume of emails, equivalent to the synchronisation the Outlook application performs to populate the client. It is common for attackers to perform a sync operation to access the entire contents of the mailbox, at which point it can only be assumed that there has been a complete loss of confidentiality.
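A small triage script for the MailItemsAccessed records described above, added here as an example rather than code from the original post. It groups records by user, client IP and session, lists the message IDs read via Bind, and flags any Sync as disclosure of the whole mailbox. The record layout is modelled on the AuditData JSON structure of the Unified Audit Log but is an assumption for this example, and all addresses, session IDs and message IDs are constructed.

```python
import json
from collections import defaultdict

def _rec(ts, user, ip, session, access_type, msg_ids=()):
    """Build one constructed MailItemsAccessed AuditData line (demo data only)."""
    return json.dumps({
        "CreationTime": ts, "Operation": "MailItemsAccessed", "UserId": user,
        "ClientIPAddress": ip, "SessionId": session,
        "OperationProperties": [{"Name": "MailAccessType", "Value": access_type},
                                {"Name": "IsThrottled", "Value": "False"}],
        # Bind records list the folders and messages touched; Sync records do not
        "Folders": [{"Path": "\\Inbox",
                     "FolderItems": [{"InternetMessageId": m} for m in msg_ids]}],
    })

# Constructed export: two Bind reads from the office address, then a Sync from elsewhere
SAMPLE_LOG = [
    _rec("2021-11-01T08:05:12", "alice@example.com", "203.0.113.10", "s-1", "Bind",
         ["<m1@example.com>", "<m2@example.com>"]),
    _rec("2021-11-01T08:06:40", "alice@example.com", "203.0.113.10", "s-1", "Bind",
         ["<m3@example.com>"]),
    _rec("2021-11-01T08:09:03", "alice@example.com", "192.0.2.44", "s-2", "Sync"),
]

def summarise_access(lines, known_good_ips=frozenset()):
    """Group MailItemsAccessed records by (user, IP, session) and report whether
    individual messages were read (Bind) or the mailbox was synchronised (Sync)."""
    sessions = defaultdict(lambda: {"bind_items": set(), "sync": False})
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        props = {p["Name"]: p["Value"] for p in rec.get("OperationProperties", [])}
        entry = sessions[(rec["UserId"], rec["ClientIPAddress"], rec.get("SessionId"))]
        if props.get("MailAccessType") == "Sync":
            entry["sync"] = True  # treat the whole mailbox as disclosed
        else:
            for folder in rec.get("Folders", []):
                for item in folder.get("FolderItems", []):
                    entry["bind_items"].add(item["InternetMessageId"])
    findings = []
    for (user, ip, session), entry in sorted(sessions.items()):
        if ip in known_good_ips:
            continue  # skip the victim's usual addresses to isolate attacker sessions
        scope = ("entire mailbox (Sync)" if entry["sync"]
                 else f"{len(entry['bind_items'])} message(s) (Bind)")
        findings.append((user, ip, session, scope))
    return findings
```

Call `summarise_access(SAMPLE_LOG, {"203.0.113.10"})` to see only the session from the unexpected address; the message IDs collected for Bind sessions can then be matched against the mailbox to scope the data loss.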

A Final Word

It is expected that many more organisations will continue to fall victim to this type of attack until vendors implement the most secure default settings, such as mandatory MFA.  

Until then, if an organisation does not improve upon the default configuration, its primary defence against an email account compromise is likely reduced to the trust placed in employees to make effective password choices and their resilience to interacting with malicious emails or web pages.

The information presented in this blog post is intended to be generic and there may be additional factors in each scenario that require further investigation. If you have been affected by a cyber incident, please contact the Cyber Incident Response Line on 01786 437 472 for assistance.