By: Jacques Oosthuizen, Digital Forensic Manager, Cyanre
Email remains the number one attack vector for cyber criminals. According to Mimecast’s State of Email Security 2023 report, 82% of business leaders report higher volumes of email, 74% are seeing more email-based threats, 76% are expecting to face serious consequences from an email-based attack, and 84 % of security decision-makers have seen increases in email attacks over the past 12 months, particularly phishing emails. This is compounded by the fact that over 95% of all data breaches are due to human error, as per IBM’s Cost of a Data Breach 2023, and that by some estimates, 97% of users can’t recognise even a crude phishing email when they receive one.
The stats—and our own experiences at Cyanre—are all telling us the same thing: emails are being compromised every day and urgent intervention is required.
What is Business Email Compromise?
Business Email Compromise (BEC) is a type of email cybercrime scam in which an attacker targets and tricks an organisation or individual into divulging sensitive information (email account usernames and passwords), in order to gain access to a business or individual’s email account. This is usually accomplished through phishing campaigns.
Let’s look at how this is accomplished in action:
Delia Smith is about to retire and contacts her broker at XYZ (Pty) Ltd, via email requesting the brokerage transfers the money accumulated in her pension fund into a bank account of her choosing. All necessary documents are attached, reflecting the banking details and amount to be paid.
After a few days pass and Delia has not heard back from her brokerage, she sends a second email to following up on her transfer request. At this point, her broker responds with a proof of payment and email communication to this effect, previously sent to her by email.
There is definitely no money in her designation account, and it’s the first time Delia has seen the proof of payment or confirmation email.
Taking a closer look at the proof of payment reveals that the account details are incorrect. That is not the bank account in Delia’s original instructions. Has the brokerage firm made a mistake?
Upon review, the broker did not make a mistake. According to Delia’s instructions, the money was transferred to the correct account. However, the email trailing messages indicated that another email was sent soon after the legitimate email message was sent to inform the broker that the bank details have changed. Except we know that it wasn’t. What happened? The answer is deceptively simple: Another entity has compromised Delia’s email account.
Here’s what happened:
- Delia sent a legitimate email to her broker
- Soon after the legitimate email was sent, another email was sent from Delia’s email account indicating that the bank details provided are in correct and needs to use the new banking details. This is the email the broker received – it looks correct; it contains all of Delia’s details, correct email address etc.
- The broker acted on the last email message seemingly received from Delia’s email account, which resulted in the transfer of funds into the incorrect/fraudulent bank account provided.
What an investigation uncovered
How was Delia’s email intercepted by hackers? And how were they able to send such a legitimate email to her brokerage firm? The answer is business email compromise, in this case achieved through a phishing email.
A thorough investigation of Delia’s email account, audit logs and laptop computer, identified the following scam:
- One week prior to her discussions with her brokerage firm, Delia received an email with a phishing link.
- The email looked legitimate, and was requesting that Delia click on a webpage link to enter her email account login credentials to verify her email and access an account statement.
- This is how phishing emails work: they look legitimate, but the link will redirect the user to a site where hackers can capture their details.
- In this case, Delia clicked on the link and filled in her email address and password, and just like that, the hackers had her access details and Delia’s email was compromised.
- The perpetrator could review Delia’s communications, set up the necessary rules/filters to obscure any emails coming from the broker, and send their own emails in place of Delia’s emails.
- Soon after Delia’s interaction with the phishing site, suspicious logins were identified to her email account, making use of IP addresses not associated with ISPs used by Delia.
The email account audit logs revealed that a rule/filter was created on Delia’s email account for a certain period and removed again by the perpetrators. At the time the rule/filter was applied and active, all incoming email messages from the domain “xyz.com” were moved into a folder “RSS Subscriptions.” The rule/filter meant Delia had no knowledge of the email communication received from the broker, pertaining to the transfer of funds, which meant she didn’t realise her email account was compromised. If she had, she could have potentially acted promptly to stop the transfer.
This is just one of the many forms of Business email compromises. It can get as intricate as wrongdoers setting up fake email accounts for participants on both ends of the conversation.
Microsoft365 and Multi-Factor Authentication
Cyber training focuses on how to spot a phishing attack. One of the biggest rules is to never click on links. However, as we’ve repeatedly seen, phishing attacks are becoming more sophisticated. They aren’t always easy to spot and can look completely legitimate.
So, what’s the solution? Traditionally, one of the most effective safeguards against BEC compromises was Multi-factor Authentication (MFA). With MFA protocols in place, threat actors cannot access emails with only an email address and password. MFA adds an extra layer of security and an individual must confirm that they are the authorised user of the email account. For example, you could be logging in to Google account, and 6-digit pin code will be sent to your phone. The idea behind MFA is that even if a hacker has stolen passwords, they will not have access to this pin, or ‘verification token’.
What does this look like in the world of email? In response to the uptick in BEC attacks, Microsoft quickly enforced MFA on all personal and business email accounts. All users were prompted to add additional information to their accounts and to make use of Microsoft’s authenticator app if MFA was not previously enabled on the account.
Unfortunately, cybercrime is big business, and it’s highly lucrative, which means when one avenue closes, threat actors find another. Through numerous investigations, or team of digital forensic experts have identified that threat actors are using a new tool that enables them to duplicate a genuine website and set up their own backend server. There, they can capture user credentials and multi-factor authentication (MFA) tokens. Importantly, MFA tokens typically remain valid for a year, which means that if passwords are not regularly changed, the perpetrator can monitor all emails and documents in that account and strike at the most vulnerable time.
MFA is a crucial element in cybersecurity and one of the ways that Microsoft continues to combat the ever-growing cybercrime landscape. However, vigilance, education and good passwords practices are equally important.
With this in mind, here is how users and businesses can guard emails against suspicious IPs logging in, even though MFA is enabled:
- Be vigilant in all aspect of email communications.
- Invest in continuous training and seminars with all employees of the business.
- Apply Conditional Access Policies when MFA is requested.
- Do not enable an MFA policy that allows MFA to be skipped due to trusted IP addresses.
- Do not enable an MFA policy for trusted devices, as this is allows captured MFA tokens to be used more efficiently.
- MFA conditions should be applied with every login session.
- Investigate password-less authentication.
Cybercriminals are smart, ruthless and relentless. However, they can be beaten at their own game by organisations and individuals that stay one step ahead of their latest scams.