Email services are lucrative targets for threat actors, yet are often overlooked by organizations. Email messages contain an abundance of private data, financial information, confidential business plans, personally identifiable information (PII), and sensitive conversations. Many organizations rely on default configurations, but email access should have the same level of protection as an internal network. Business email compromises (BECs) can occur when an attacker hijacks an email account using stolen credentials.
Threat actors can obtain credentials via credential dumps from third-party breaches, credential-harvesting malware, or phishing emails that direct victims to spoofed webmail portals (see Figure 1). The stolen credentials provide access to a company's publicly exposed email portal, such as Outlook Web Access (OWA) or Exchange Online (the email service within Office 365), and allow an attacker to steal sensitive information, perform fraudulent wire transfers, and launch further phishing campaigns from a trusted internal address.
Figure 1. Spoofed webmail portal. (Source: Secureworks)
Secureworks® incident response (IR) analysts have responded to numerous BEC engagements and have identified proactive and reactive actions to address this threat. Proactive actions include implementing two-factor authentication (2FA), enabling appropriate logging, incorporating email security solutions, and educating personnel about techniques used in social engineering attacks. Reactive actions such as exporting data and reviewing mailboxes and transport rules are useful when responding to a BEC incident.
Implement Two-Factor Authentication
While many organizations use 2FA for virtual private network (VPN) access, many have not implemented it for their publicly facing email service. Most web-based email services support 2FA, and Secureworks analysts recommend enabling it to prevent unauthorized access to company email even if the credentials have been compromised. 2FA protects only the authentication paths that enforce it: legacy protocols such as IMAP, POP3, and SMTP AUTH typically accept a username and password alone, so organizations should disable those protocols or block basic authentication where the service allows it; otherwise, stolen credentials still work through a mail client that uses them.
Log Mailbox Access and User Login History
Depending on how the email service is configured, log files can provide crucial information:
- The date and time a user account logged into webmail
- The number of times a user account attempted to authenticate
- The number of successful or failed authentication attempts
- The source IP address used for the authentication attempts
Reviewing these logs can reveal anomalous activity. For example, if an account that is regularly accessed from a U.S.-based IP address is suddenly accessed from a Nigerian IP address, the account may be compromised. Unfortunately, when the email service sits behind a load balancer or reverse proxy, these logs often record the load balancer's address instead of the original client, which hides the attacker's IP address unless the load balancer is configured to pass the client address through (for example, in an X-Forwarded-For header) and the mail server is configured to log it. To confirm that the logs capture useful data before an incident occurs, organizations should log in from a known external address and verify that the logs show that address rather than the load balancer's.
By default, Office 365 user login history auditing is disabled. Organizations should enable this option when migrating to or starting the service, because events that occur before auditing is enabled are never recorded and cannot be recovered later.
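As an added example that is not part of the original Secureworks article, the following PowerShell does two things discussed above: it defines a function that turns on Office 365 unified audit logging and per-mailbox auditing (usable only inside an Exchange Online PowerShell session), and it applies a simple baseline check to login records, flagging successful logins from addresses outside each account's usual ranges and bursts of failed attempts from one source. The records, user names, IP addresses and baseline ranges are constructed for illustration; the field names (UserId, ClientIP, CreationTime, ResultStatus) follow the UserLoggedIn record that Search-UnifiedAuditLog returns. The check also catches the load-balancer failure mode described above: if every record carries the same ClientIP, the log is almost certainly recording the proxy rather than the client.

```powershell
# Added example, not code from the Secureworks article. The analysis part runs in Windows
# PowerShell 5.1 or PowerShell 7 with no mail server; the Exchange Online cmdlets are only
# defined inside a function for use after Connect-ExchangeOnline.

function Enable-ExchangeOnlineAuditing {
    # Unified audit log ingestion records UserLoggedIn and other Azure AD/Exchange events.
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Per-mailbox auditing records owner, delegate and admin actions such as inbox-rule changes.
    Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true
}

# Live records would come from:
#   Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#       -Operations UserLoggedIn -ResultSize 5000 |
#       ForEach-Object { $_.AuditData | ConvertFrom-Json }
# The records below are constructed for this example; field names follow that output.
$sampleJson = @'
[
 {"UserId":"a.jones@example.com","ClientIP":"198.51.100.23","CreationTime":"2017-03-01T13:02:11","Operation":"UserLoggedIn","ResultStatus":"Succeeded"},
 {"UserId":"a.jones@example.com","ClientIP":"198.51.100.40","CreationTime":"2017-03-01T17:45:09","Operation":"UserLoggedIn","ResultStatus":"Succeeded"},
 {"UserId":"a.jones@example.com","ClientIP":"203.0.113.77","CreationTime":"2017-03-02T02:13:50","Operation":"UserLoggedIn","ResultStatus":"Succeeded"},
 {"UserId":"b.smith@example.com","ClientIP":"198.51.100.23","CreationTime":"2017-03-02T08:10:00","Operation":"UserLoggedIn","ResultStatus":"Succeeded"},
 {"UserId":"b.smith@example.com","ClientIP":"203.0.113.9","CreationTime":"2017-03-02T08:11:02","Operation":"UserLoggedIn","ResultStatus":"Failed"},
 {"UserId":"b.smith@example.com","ClientIP":"203.0.113.9","CreationTime":"2017-03-02T08:11:09","Operation":"UserLoggedIn","ResultStatus":"Failed"},
 {"UserId":"b.smith@example.com","ClientIP":"203.0.113.9","CreationTime":"2017-03-02T08:11:15","Operation":"UserLoggedIn","ResultStatus":"Failed"}
]
'@
$records = @($sampleJson | ConvertFrom-Json)

# Address ranges each account is normally seen from (constructed; in practice derive them
# from several weeks of clean history or from the corporate egress ranges).
$baseline = @{
    'a.jones@example.com' = @('198.51.100.0/24')
    'b.smith@example.com' = @('198.51.100.0/24', '192.0.2.0/24')
}

function ConvertTo-IPv4Int {
    param([string]$IP)
    $bytes = [System.Net.IPAddress]::Parse($IP).GetAddressBytes()
    if ($bytes.Length -ne 4) { return $null }          # IPv6 is not handled in this example
    $v = [int64]0
    foreach ($b in $bytes) { $v = $v * 256 + [int64]$b }
    return $v
}

function Test-IPInCidr {
    param([string]$IP, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }                      # a bare address means /32
    $ipVal  = ConvertTo-IPv4Int $IP
    $netVal = ConvertTo-IPv4Int $net
    if ($null -eq $ipVal -or $null -eq $netVal) { return $false }
    $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (($ipVal -band $mask) -eq ($netVal -band $mask))
}

function Find-AnomalousLogins {
    param([object[]]$Records, [hashtable]$Baseline, [int]$FailureThreshold = 3)
    $findings = @()
    # Failure mode described in the article: one ClientIP on every record means the log is
    # recording the load balancer or proxy, not the client, and the per-user check is moot.
    $distinct = @($Records | Select-Object -ExpandProperty ClientIP -Unique)
    if ($Records.Count -gt 1 -and $distinct.Count -eq 1) {
        $findings += "WARNING: all $($Records.Count) records share ClientIP $($distinct[0]); verify the load balancer passes the client address through"
    }
    foreach ($group in ($Records | Group-Object UserId)) {
        $user   = $group.Name
        $ranges = @(@($Baseline[$user]) | Where-Object { $_ })
        foreach ($r in ($group.Group | Where-Object ResultStatus -eq 'Succeeded')) {
            $known = $false
            foreach ($cidr in $ranges) { if (Test-IPInCidr $r.ClientIP $cidr) { $known = $true; break } }
            if (-not $known) { $findings += "$user logged in from $($r.ClientIP) at $($r.CreationTime), outside baseline [$($ranges -join ', ')]" }
        }
        # Repeated failures from one source against one account
        $group.Group | Where-Object ResultStatus -eq 'Failed' | Group-Object ClientIP |
            Where-Object Count -ge $FailureThreshold |
            ForEach-Object { $findings += "$user had $($_.Count) failed logins from $($_.Name)" }
    }
    return $findings
}

Find-AnomalousLogins -Records $records -Baseline $baseline
```

Run against the constructed data, the check reports the a.jones login from 203.0.113.77 as outside the baseline and the three failed attempts against b.smith from 203.0.113.9. Replace $sampleJson with the Search-UnifiedAuditLog pipeline in the comment to run it over real data, and treat the ClientIP warning as a prompt to fix logging before trusting any source-address analysis.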
After identifying a BEC incident, organizations should preserve the related data. Investigators should capture the original phishing messages received by the victim and export the victim's mailbox for safekeeping. An exported mailbox contains all of the user's email, including messages the user has purged from the Deleted Items folder, which Exchange keeps in the hidden Recoverable Items folder until the deleted item retention period expires. Most email services retain these "hard deleted" emails according to the organization's retention policy; the default is 14 days for Microsoft Exchange, so the export should happen promptly, or the retention period should be extended (or the mailbox placed on hold) before the evidence ages out. In Exchange, investigators can recover deleted messages by exporting and preserving a personal storage table (PST) file, which provides additional context about what occurred during the incident.
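The preservation steps above, as an added example that is not part of the original Secureworks article. It is written for the Exchange Management Shell on an on-premises Exchange server; the mailbox alias, the UNC path, the discovery mailbox name and the analyst account are assumed values. The order matters: retention is extended and a hold applied first, so that nothing in Recoverable Items is purged while the export runs.

```powershell
# Added example, not code from the Secureworks article. Run in the Exchange Management
# Shell of an on-premises Exchange server. $Mailbox, $ExportPath, the discovery mailbox and
# the 'ir-analyst' account are assumed values; replace them for your environment.
$Mailbox    = 'a.jones'
$ExportPath = '\\fileserver\ir-evidence$\a.jones.pst'   # the Exchange Trusted Subsystem group needs write access here

# 1. How long do hard-deleted items survive? RetainDeletedItemsFor defaults to 14 days.
Get-Mailbox -Identity $Mailbox |
    Format-List RetainDeletedItemsFor, LitigationHoldEnabled, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 2. Stop the clock before anything else: extend deleted-item retention and place the
#    mailbox on Litigation Hold so Recoverable Items is not purged mid-investigation.
Set-Mailbox -Identity $Mailbox -RetainDeletedItemsFor 30
Set-Mailbox -Identity $Mailbox -LitigationHoldEnabled $true

# 3. Copy everything in Recoverable Items (the "dumpster") into a discovery mailbox so the
#    purged messages are readable straight away. -SearchDumpsterOnly limits the search to
#    purged items; drop it to copy the full mailbox. -LogLevel Full writes a CSV of every
#    item copied. Requires the Discovery Management role group.
Search-Mailbox -Identity $Mailbox -SearchDumpsterOnly `
    -TargetMailbox 'Discovery Search Mailbox' -TargetFolder "IR-$Mailbox-dumpster" -LogLevel Full

# 4. Exporting requires the Mailbox Import Export role, which no role group holds by
#    default. Reopen the shell after assigning it.
New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User 'ir-analyst'

# 5. Export the mailbox to PST. Recoverable Items is included unless -ExcludeDumpster is
#    given, so the PST also holds messages the user (or the attacker) purged from Deleted Items.
New-MailboxExportRequest -Mailbox $Mailbox -FilePath $ExportPath -Name "IR-$Mailbox"

# 6. Wait for completion, then record a hash so the evidence file's integrity can be shown later.
do {
    Start-Sleep -Seconds 60
    $stats = Get-MailboxExportRequest -Name "IR-$Mailbox" | Get-MailboxExportRequestStatistics
    Write-Host "$($stats.Status) $($stats.PercentComplete)%"
} until ([string]$stats.Status -in 'Completed', 'Failed')

Get-FileHash -Path $ExportPath -Algorithm SHA256 | Format-List Path, Algorithm, Hash
```

Exchange Online does not expose New-MailboxExportRequest; there, steps 2 and 3 still apply through the same Set-Mailbox parameters, and the PST export is produced from a Content Search in the Security & Compliance Center instead.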
Review Inbox and Transport Rules
After gaining access to an account through a publicly facing email system such as Exchange Online, threat actors often create inbox rules to auto-forward email to an address they control, to delete specific messages that could reveal malicious activity, or to move messages into rarely viewed folders and mark them as read. In one incident, an attacker logged into a company's webmail portal using stolen credentials to initiate a wire transfer. The threat actor reset the compromised employee's credentials and obtained sensitive information. Secureworks analysts detected an attacker-created inbox rule that forwarded email to an external address. Because the company had not examined the Exchange rules, the threat actor continued to intercept messages from the victim's email account. Inbox rules are stored in the mailbox, not tied to the credential, so a password reset alone does not remove them; reviewing the compromised mailbox's inbox rules, its mailbox-level forwarding settings, and the organization's transport rules must be part of the response. Organizations should also consider disabling auto-forwarding to external recipients.
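The rule review described above, as an added example that is not part of the original Secureworks article. It runs in an Exchange Management Shell or Exchange Online PowerShell session and reports three things: inbox rules that forward, redirect, delete or hide mail (marking SMTP targets outside the organization's domain as external), mailbox-level forwarding set through Set-Mailbox, and transport rules that copy or redirect messages organization-wide. 'example.com' stands in for the organization's own domain and is an assumption, as are the remediation commands in the trailing comments.

```powershell
# Added example, not code from the Secureworks article. Run in an Exchange Management Shell
# or Exchange Online PowerShell session. 'example.com' stands in for the organization's own
# domain (assumed). Get-InboxRule is slow across a large tenant, so during an active
# incident scope $Mailboxes to the accounts under investigation.
$InternalDomain = 'example.com'
$Mailboxes = Get-Mailbox -ResultSize Unlimited | ForEach-Object { $_.PrimarySmtpAddress.ToString() }

# 1. Inbox rules that forward, redirect, delete or hide mail. Attackers also file messages
#    into rarely viewed folders and mark them read, so MoveToFolder and MarkAsRead count too.
function Get-SuspiciousInboxRules {
    param([string[]]$Mailboxes, [string]$InternalDomain)
    foreach ($mbx in $Mailboxes) {
        Get-InboxRule -Mailbox $mbx | Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
            $_.DeleteMessage -or $_.MoveToFolder -or $_.MarkAsRead
        } | ForEach-Object {
            $rule = $_
            # Targets appear as '"name" [SMTP:addr]' for SMTP addresses and as '[EX:...]'
            # legacy DNs for internal directory objects; only SMTP entries are checked by domain.
            $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
            $external = @($targets | Where-Object {
                "$_" -match '\[SMTP:([^\]]+)\]' -and $Matches[1] -notlike "*@$InternalDomain" })
            [pscustomobject]@{
                Mailbox        = $mbx
                Rule           = $rule.Name
                Enabled        = $rule.Enabled
                Deletes        = $rule.DeleteMessage
                MoveToFolder   = $rule.MoveToFolder
                ExternalTarget = ($external -join '; ')
                Description    = $rule.Description
            }
        }
    }
}

# 2. Mailbox-level forwarding set with Set-Mailbox rather than a rule.
function Get-MailboxForwarding {
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
        Select-Object Name, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
}

# 3. Transport rules that copy or redirect mail organization-wide, which an attacker with
#    administrative access can create instead of a per-mailbox rule.
function Get-SuspiciousTransportRules {
    Get-TransportRule | Where-Object {
        $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo -or $_.AddToRecipients
    } | Select-Object Name, State, Priority, RedirectMessageTo, BlindCopyTo, CopyTo, AddToRecipients, WhenChanged
}

Get-SuspiciousInboxRules -Mailboxes $Mailboxes -InternalDomain $InternalDomain | Format-Table -AutoSize
Get-MailboxForwarding | Format-Table -AutoSize
Get-SuspiciousTransportRules | Format-Table -AutoSize

# Remediation, per finding and only after the evidence has been preserved:
#   Disable-InboxRule -Mailbox <mailbox> -Identity '<rule name>'   # keeps the rule for analysis
#   Set-Mailbox -Identity <mailbox> -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
# Prevention: stop inbox rules and mailbox forwarding from delivering to external domains.
# This does not affect transport-rule redirects, which still need to be reviewed.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Disabling rather than removing a malicious rule keeps its definition available for the investigation; the Description property records the rule's conditions and actions in plain language, which is usually the quickest way to see what the attacker was filtering for.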
Email is a vital component of business operations. Organizations must continuously review mail policies, evaluate default settings, and implement appropriate logging of user activity. Implementing 2FA is not just a best practice; it is critical to minimizing the risk of unauthorized access. If a BEC occurs, investigators should export the available logs, preserve the mailbox by creating a PST file, review inbox and transport rules, reset passwords for the affected accounts, and invalidate existing sessions so that a still-valid token does not undermine the reset. Network defenders may never be able to stop every BEC attempt, but these recommendations can help organizations prevent most attacks, respond effectively, and minimize the impact of security incidents.