How to spot an email compromise

Office 365 is now the most common email platform that we see companies using and, as such, has become the most common platform that we see attacked. In this article we look at how these attacks are typically crafted, how you can identify the risk in your Office 365 setup, and the most common methods for raising its level of security.

Credential Theft Phase

We have seen many successful attacks against Office 365 users in which the user's credentials were stolen. The most common route to these compromised credentials is "phishing", where the attacker steals the username and password electronically by sending fake emails, messages or links to websites that convince the user to try to log on with their username and password.

Look out for unusual requests: emails asking you to confirm your ID and password, or emails from customers and suppliers that do not have the usual standard of English grammar, style, or even slang that you expect from them. To reduce the risk of compromised accounts, do not reuse passwords; that is, do not use the same account/username and password across multiple systems.

We do see some attacks where the attacker uses previously compromised usernames and passwords; these can be obtained via the dark web and are often the result of earlier data breaches.

Once the account has been breached, the hacker will try to hide this.

Monitoring Phase

Once the hacker has these credentials there tends to be a short delay during which we see them testing the access and monitoring the flow of emails. This allows them to understand the user's role in the business, and whether the user can be useful either for propagating the theft of additional credentials or as a pawn in a fraud.

The sophistication of the techniques used at this stage varies widely. In the most successful attacks the hacker learns the user's writing style, understands the business processes and key people, and prepares to intercept a flow of emails to their advantage. In some cases we see the attacker forwarding the emails out of the mailbox so they can be read without the user's knowledge.

This is difficult for the end user to detect. With the right security add-ons, however, we can detect unusual activity such as a logon for a user in the UK followed quickly by a logon from another country, which would not be physically possible.

Pre-Attack Phase

This typically occurs just before the real attack, sometimes hours or even minutes before. We will often see a set of rules created that are designed to hide the attacker's actions. This will often be a rule that moves inbound emails into an infrequently used folder where the user will not see them. This allows the attacker to intercept the flow of emails and send their own replies.

You have to be very observant or lucky to spot this phase: a sudden lack of email, or emails appearing in an unusual folder. Set up alerts within Office 365 to notify administrators and users of new forwarding rules.
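The alerting described in this phase can be reproduced offline as a check over mailbox audit records. The following is an added example, not code from the original article: it scans constructed records shaped like Exchange entries from the Office 365 unified audit log (an `Operation` name plus `Parameters` name/value pairs, an assumption about the record layout) and flags inbox rules that forward mail to an external address, move it to a low-visibility folder such as RSS Feeds, delete it, or mark keyword-filtered mail as read. The domain `example.com`, the folder list and the sample records are constructed for the example.

```python
"""Flag inbox rules that hide or divert mail (added example, constructed records)."""
import json

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Folders an attacker typically moves mail into so the user does not notice it.
LOW_VISIBILITY_FOLDERS = {
    "rss feeds", "rss subscriptions", "archive", "conversation history",
    "deleted items", "junk email",
}
# Rule/mailbox parameters that send copies of mail elsewhere.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed records approximating Exchange mailbox-audit entries from the
# unified audit log. Addresses, IPs and rule names are made up for the example.
SAMPLE_AUDIT = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                               {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "fwd"},
                               {"Name": "ForwardTo", "Value": "bob.backup@mail.example"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "carol@example.com", "ClientIP": "192.0.2.5",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "FromAddressContainsWords", "Value": "news@example.com"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "dave@example.com", "ClientIP": "192.0.2.9",
                "Parameters": []}),
]


def _params(record):
    """Flatten the Parameters list into a name -> string value mapping."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _is_external(address):
    """True when an address (possibly prefixed 'smtp:') is outside INTERNAL_DOMAIN."""
    return "@" in address and not address.lower().endswith("@" + INTERNAL_DOMAIN)


def rule_findings(record):
    """Return the reasons one audit record looks like a hiding/forwarding rule (empty if benign)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = _params(record)
    findings = []
    for name in FORWARD_PARAMS:
        if name in p:
            targets = [t.strip() for t in p[name].replace(",", ";").split(";") if t.strip()]
            if any(_is_external(t) for t in targets):
                findings.append(f"{name} to external address {p[name]}")
    if p.get("MoveToFolder", "").lower() in LOW_VISIBILITY_FOLDERS:
        findings.append(f"moves mail to low-visibility folder '{p['MoveToFolder']}'")
    if p.get("DeleteMessage", "").lower() == "true":
        findings.append("deletes matching messages")
    if p.get("MarkAsRead", "").lower() == "true" and (
            "SubjectContainsWords" in p or "BodyContainsWords" in p):
        findings.append("marks keyword-filtered mail as read")
    if len(p.get("Name", "x").strip(" ._-")) == 0:
        findings.append("rule name is blank or punctuation only")
    return findings


def scan_audit_log(lines):
    """Parse JSON audit lines and return one alert per suspicious rule change."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        reasons = rule_findings(rec)
        if reasons:
            alerts.append({"user": rec["UserId"], "ip": rec.get("ClientIP"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_AUDIT):
        print(alert["user"], alert["ip"], "; ".join(alert["reasons"]))
```

Run against the sample, the rule on Alice's mailbox is flagged three times over (RSS Feeds folder, keyword filter marked as read, punctuation-only name) and Bob's external forward once; Carol's newsletter rule, which moves mail from an internal sender to an ordinary folder, is left alone. In production the records would come from the audit log export rather than an inline list, and a flagged record is a trigger to ask the user whether they created the rule.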

Attack Phase

At this point the attacker has the knowledge and the trust. If it is a fraud, they will impersonate the user and use that trust to encourage a supplier, customer or colleague to redirect a payment to a new account. During this phase they will use the information gained to increase the credibility and authenticity of the attack by referring to confidential details that normally only the compromised user would know, such as invoice numbers, amounts and previous transactions.

Put in place a simple check process for confirming any change to the normal payment process: call the customer or supplier on a known number and confirm the change. Consider this a second factor.

As in the previous phase, we need the ability to detect unusual logon behaviour, such as access to the account from another country.

Once the attacker has the payment, they will quickly disappear, leaving the user and the company wondering what happened.

Security Action Plan and Secure Score

Microsoft have put a lot of effort into improving the security of Office 365 tenants, but the onus is on the end user to implement the changes.

Office 365 tenants now receive a Secure Score that gives a numerical indication of the security level of your implementation. The score is accessed from within the Security and Compliance Centre.

Review the Secure Score and implement the common changes, especially the multi-factor authentication options.

Turn off unused access protocols.

Disable unused accounts before deleting them as part of a leaver process.

Put in place a retention policy; do not retain data within mailboxes for longer than is necessary.

Consider archiving solutions for email that allow you to remove the older email from mailboxes.