This month, as ever, we are thankful for our clients and our stellar staff, who support them so effectively. Not every business is so fortunate as to have these resources at their disposal. We are pleased to be able to offer both cautionary tales and examples of what can be done to protect your business. This month we share a sobering example of Business Email Compromise and Account Takeover.
The Scenario
An MSP (Managed Service Provider) got word from one municipality client that the email account of a staff member in an adjacent town had potentially been compromised, based on suspect emails received. This was confirmed by studying the recent login history for the staff member in question. The report showed several successful logins overnight from various locations around the US and overseas. By mid-morning, the hacker had successfully logged into the staff member’s Microsoft 365 account and gained access to her email. They then created a Google Site, disguised the link and sent phishing emails to dozens of her contacts. The hacker also created an inbox rule that deleted all incoming messages subsequent to the hack. This hid the responses from the user while she continued to use her email.
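The inbox rule described above is the part of the attack that is easiest to miss and easiest to check for. The following is an added example (not code from the original post or from the MSP) that scans exported Microsoft 365 audit log records for inbox rules that delete or move every incoming message. The record shape (Operation, UserId, ClientIP and a Parameters list of Name/Value pairs) is an assumption about the audit log export, the condition-parameter list is deliberately not exhaustive, and all sample records are constructed.

```python
import json

# Constructed sample audit records; the field layout is an assumption about the
# Exchange Online audit export, and every value below is invented for this example.
SAMPLE_AUDIT_RECORDS = [
    {"CreationTime": "2023-05-02T03:14:00", "Operation": "UserLoggedIn",
     "UserId": "staff@town.example", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2023-05-02T09:41:00", "Operation": "New-InboxRule",
     "UserId": "staff@town.example", "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2023-05-02T10:02:00", "Operation": "New-InboxRule",
     "UserId": "clerk@town.example", "ClientIP": "192.0.2.5",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "Weekly digest"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Actions that take mail out of the user's view.
HIDING_ACTIONS = {"DeleteMessage", "MoveToFolder", "MoveToFolderName"}
# Parameters that narrow a rule to some messages (partial list); a hiding rule
# with none of them applies to ALL incoming mail, which is what the attacker wanted.
CONDITION_PARAMS = {"From", "SentTo", "SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "HeaderContainsWords", "FromAddressContainsWords"}

def rule_parameters(record):
    """Flatten the audit record's Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def find_hiding_rules(records):
    """Return one finding per rule that deletes/moves mail without any condition.
    Set-InboxRule records list only the changed parameters, so an edit that adds
    DeleteMessage to an existing filtered rule is also flagged: conservative on purpose."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPS:
            continue
        params = rule_parameters(rec)
        actions = HIDING_ACTIONS & params.keys()
        if actions and not (CONDITION_PARAMS & params.keys()):
            findings.append({"user": rec.get("UserId"), "time": rec.get("CreationTime"),
                             "ip": rec.get("ClientIP"), "rule": params.get("Name"),
                             "actions": sorted(actions)})
    return findings

def scan_export(path):
    """Run the check over a JSON array of audit records exported to a file."""
    with open(path, encoding="utf-8") as fh:
        return find_hiding_rules(json.load(fh))
```

Any finding should be reviewed together with the sign-in history for that user, as in the scenario above, since a rule created from an unfamiliar IP shortly after a suspicious login is the combination to act on.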
The Response
The MSP’s IT team successfully mitigated the attack by forcing the hacker out of the mailbox, resetting the password and enforcing MFA (multifactor authentication). Based on recipient responses, many of the emails sent out were acted on. Anyone who clicked the phishing link was in danger of having their own account compromised.
It was discovered that the site the hacker linked to was a malicious fake Microsoft 365 sign-in page intended to collect credentials from unsuspecting users. Anyone who attempted to log in to this site was at risk. This had the potential to spread business email compromise exponentially across multiple organizations.
The MSP recommended that their client issue a statement to the hacked staff member’s contacts and third-party vendors. The contacts were advised that, if they had received an email during the affected hours, they should delete it and not interact with it. The IT professionals also provided the client with a spreadsheet of the email addresses of the affected contacts.
Protecting Your Network from Business Email Compromise
We at BTS would make the following suggestions to a business in this situation, in an effort to mitigate a similar compromise going forward.
Enable Security Defaults: The MSP discovered during a post-event audit that the client did not have MFA enabled for many of their employees. In addition, they did not have security defaults enabled or conditional access policies in place. Each of these enforces additional conditions on user sign-in so that hackers cannot access accounts with a password alone. Security defaults would have prevented this type of attack from occurring because hackers cannot typically bypass MFA. At BTS, we suggest enabling MFA for all users, either manually or via security defaults for ease of maintenance.
Security Awareness Training: Users who are better educated about what phishing emails look like are less likely to fall for them. Training also teaches your users to spot malicious links, fake sites and fake emails. We highly recommend an ongoing security awareness training program for your staff, including training videos and tests to check retention of the material.
Do you feel confident in your network security protocols? Are your staff members at risk for compromise? Chat with one of our account managers for help assessing risk, vulnerabilities and solutions tailored to your organization’s specific needs.