At Proofpoint, we have seen a rise in highly targeted phishing attacks. Of the organizations whose O365 environments we've analyzed, 30% suffered compromised accounts, mostly via brute-force attacks on their O365 credentials. These phishing attacks sometimes lead to compromised accounts that attackers then use to carry out further attacks and to steal confidential data.
How does this type of email attack unfold? Here’s a breakdown:
- Attackers compromise (or buy stolen credentials for) legitimate business email accounts
- They then iterate through messages in the victim’s inbox/archive and reply to each one with a malicious document
- Because the malicious documents are sent in reply to a legitimate business email, human recipients are (probably) much more likely to engage with this content. For example, here are some of the email threads we've observed:
  - "Help, I can't log in to Concur!" / "Here, please open this document"
  - "I'm looking for a quote on XYZ equipment" / "Here, please see the attached document"
  - "Do you have contact info for so-and-so?" / "See attached document"
As Product Marketing Manager, I focus my efforts on educating customers about the problems resulting from email-based attacks. Here are a few real-world examples of some of the attacks we have seen.
Two Internal Email Attack Examples
The first attack example comes from a high-tech customer we worked with. Like many sophisticated attacks, this one wasn’t detected for weeks. Once we engaged with the customer to determine what was happening, we found out that the attackers had compromised accounts and had set up persistent email forwarding rules to essentially run man-in-the-middle attacks.
Because they hadn't been detected, the attackers gained detailed knowledge of how business was done between the compromised account and its vendors. The criminals intercepted invoices and modified them to redirect funds to their own accounts. In the end, this customer lost seven figures in cash, but perhaps even more damaging was the loss of reputation with the vendors they had been working with.
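The forwarding-rule interception described above leaves an auditable trace: a mailbox rule that forwards or redirects to an external domain, often paired with deleting or hiding the original so the owner never notices. The following is an added example of that audit logic, not Proofpoint code; the rule records are constructed, with field names modelled on Exchange Online inbox-rule attributes (ForwardTo, RedirectTo, DeleteMessage, MoveToFolder), and the tenant domain is a placeholder.

```python
"""Audit mailbox rules for the interception pattern described above: rules that
forward or redirect mail to an external domain, rated higher when they also
delete or hide the original. Added example, not Proofpoint code; the records are
constructed, with field names modelled on Exchange Online inbox-rule attributes."""
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example-corp.com"}          # constructed tenant domain
HIDING_FOLDERS = {"rss feeds", "deleted items", "archive", "junk email"}

@dataclass
class InboxRule:                                  # subset of Get-InboxRule fields
    mailbox: str
    name: str
    forward_to: list = field(default_factory=list)
    redirect_to: list = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""

def external_targets(rule):
    """Forward/redirect targets whose domain is not one of the tenant's."""
    return [t for t in rule.forward_to + rule.redirect_to
            if t.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def classify(rule):
    """'high' if external forwarding plus hiding, 'medium' if forwarding only."""
    if not external_targets(rule):
        return None
    hides = rule.delete_message or rule.move_to_folder.lower() in HIDING_FOLDERS
    return "high" if hides else "medium"

def audit(rules):
    """Return (mailbox, rule name, severity, targets) tuples, high severity first."""
    found = [(r.mailbox, r.name, classify(r), external_targets(r))
             for r in rules if classify(r)]
    return sorted(found, key=lambda f: f[2] != "high")

# Constructed sample: one benign internal rule, one external forward,
# one external redirect that also deletes the original (the case-study pattern).
SAMPLE_RULES = [
    InboxRule("ap@example-corp.com", "to assistant", forward_to=["eva@example-corp.com"]),
    InboxRule("ap@example-corp.com", "invoices", forward_to=["x@mail-drop.example"]),
    InboxRule("cfo@example-corp.com", ".", redirect_to=["b@freemail.example"],
              delete_message=True),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(*finding)
```

A one-character rule name like "." and a destination folder such as "RSS Feeds" are both common ways to keep a rule inconspicuous, which is why the folder set is part of the severity check.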
Higher education customer
Another example comes from a university we were working with that had experienced several compromised accounts. Once the attacker got an initial foothold with one account, they started to compromise other accounts with lateral email attacks. This approach allowed them to keep a persistent attack going: once one account was detected as compromised, the attackers would simply move on to the next account they had already compromised.
With these compromised accounts, the attacker sent phishing attacks to vendors, research partners, and recruiters that the university was working with. Because email between these organizations had been whitelisted, many of these phishing emails went right through without being detected. After the attack was disclosed, the university's email became blacklisted and its reputation with partners was severely tarnished.
Mitigate Risk of Internal Email Attacks
Organizations often prioritize the protection of their VIPs or executives. But your VIPs aren’t necessarily your Very Attacked People (VAPs). At Proofpoint, we are focusing on revealing who at your organization receives highly targeted attacks, what those attacks look like, and how you can best combat them.
Customer Success with Internal Mail Defense (IMD)
I had a great conversation with Scott Bridges, who is the CISO at Southern Illinois University. He discussed some of the problems they were experiencing with compromised accounts and how our solution was able to help them get a handle on it. He described how they had multiple dedicated IT staff working on this problem because they didn't have a good way to get visibility into it.
Essentially, they were relying on self-reporting from users and then manually tracking down compromised accounts. After deploying Proofpoint's Internal Mail Defense (IMD) solution, they were able to redeploy almost all of that IT staff to other projects because IMD automated almost all of the process of finding and remediating internal malicious emails. As we have rolled out IMD to more customers, we have started to see interesting results. Taking a sample of eight companies, we were able to detect and remediate over 500 malicious messages that were sent internally over the course of one month. Without a solution like IMD to deal with that problem, it would inevitably keep getting worse.
To learn more about how to solve for compromised accounts and internal email threats, please reach out to us. Our security awareness and Internal Mail Defense solutions have helped many organizations address these problems, and we’d be happy to reveal how we can provide yours with similar results.