It was a typical day for our client, an executive with a U.S. financial services firm that relies on a widely used multi-factor authentication (MFA) mobile app to protect access to email, customer files and other sensitive data. His iPhone kept pinging him with MFA requests to access his email, interrupting him on a day packed with customer meetings. He was annoyed by the intrusion, figuring it was some kind of system error, and rejected each request so he could focus on work.
He thought it was over when the requests stopped. Months later, however, he learned he had mistakenly authorized one of those many requests, unknowingly granting an attacker unfettered access to his email. He learned about the compromise when his bank flagged suspicious wire transfers totalling nearly $1 million and our investigation uncovered the exposure of data belonging to the company, its employees and clients. Fortunately, the company was able to recover the stolen funds, but attacks of this nature can still be costly in terms of reputation and time and resources spent cleaning up after them.
This type of attack is known as a business email compromise, or BEC. Each year, Unit 42 security consultants spend thousands of hours on BEC investigations, combing through logs to identify unauthorized activity, determine how unauthorized access occurred and find security gaps that need to be addressed.
Many organizations think they’ve already taken steps to protect themselves against BECs. However, those steps may not have been properly implemented. Among the hundreds of BEC cases Unit 42 has worked on since the beginning of last year, our consultants determined that 89 percent of victims failed to turn on MFA or follow best practices for its implementation. That may seem surprising since the top email platforms – including Microsoft’s 365 and Exchange, as well as Google Workspace – offer multiple options for implementing MFA. This highlights just how important it is for organizations to understand and follow best practices for any security tool.
The consequences are costly: In investigations by Unit 42 consultants since Jan. 1, 2020, the average wire fraud attempted was $567,000 and the highest was $6 million. The FBI reports that BECs caused $1.87 billion in losses last year, making it one of the most expensive types of cybercrime.
The good news is that identifying MFA shortcomings is typically straightforward. Assessments can identify deficiencies in security controls and provide recommendations to mitigate those shortcomings.
Before diving into best practices for implementing MFA, plus other tips for preventing email compromise, it helps to understand why these best practices matter. Here are some more examples from the Unit 42 case files that show common mistakes that can lead to attackers gaining access to email environments – including when MFA is in place. We’re presenting scenarios to help organizations identify potential gaps in their own security, but have anonymized the examples to protect the identities of the victims.
Attackers targeted hundreds of employees at an insurance company with phishing emails that led to spoofed Microsoft 365 login pages, identical in appearance to the firm’s legitimate ones, in an attempt to harvest credentials. The attackers gained access to a few accounts belonging to employees who had not set up MFA, and from there reached sensitive data on an internal SharePoint site.
Attackers gained access to the email accounts of two employees at one client organization that failed to disable legacy authentication for synchronizing email boxes via IMAP4 and POP3. That gave the threat actors access to everything in both mailboxes for over a month, enabling them to collect personally identifiable information (PII) from the victims’ contacts. This is one of the most common ways of bypassing MFA, especially in hybrid environments that have legitimate use for legacy protocols. (We provide more detail about how to handle legacy authentication below.)
Threat actors compromised multiple users at a job placement agency, then used those accounts to circulate job postings that asked recipients to provide personal data. They set up rules that moved all responses to hidden folders and forwarded them to an external account.
While there’s no silver bullet to stop email compromises, we recommend that organizations implement the following best practices. MFA implementation is crucial, but it’s only one component of a comprehensive strategy for reducing the risk of email compromise and minimizing the impact of successful attacks.
- Education: End users are commonly the weakest link in security incidents because we’re susceptible to all kinds of phishing scams. Education makes users significantly more likely to be able to identify phishing attempts and report suspicious activity to security teams for appropriate review.
- Enforce MFA: Simply enabling MFA allows users to choose whether they want to set up MFA, which gives organizations a false sense of security. It’s critical to not only enable, but enforce MFA by requiring users to add it to their accounts and verify every time they log in.
- Use Strong MFA: Use a one-time password (OTP) application for MFA and avoid the use of SMS for verification. Requiring a user to manually type a code generated in an OTP application (such as Google Authenticator) reduces the likelihood of a user mistakenly accepting unauthorized MFA requests in the event of brute-forcing or stolen credentials.
- Control Legacy Authentication: We recommend blocking legacy authentication by default and leveraging tools such as Azure Active Directory’s conditional access to allow any specific exceptions, such as older devices or legacy on-premises SMTP relays.
- Review Network Protections: Regularly review end users’ ability to execute or download code and applications, such as macro-enabled Office documents, unauthorized software, USB devices, etc. As previously recommended by our Unit 42 Threat Intelligence team, URL filtering rules should be established to restrict access by default to the following categories of domains: Newly Registered, Insufficient Content, Dynamic DNS, Parked and Malware.
- Regularly Review Delegation and Account Permissions: Regularly review user accounts and permissions, including non-owner delegation, shared mailboxes and administrative rights. Every account should be uniquely named and mapped to an individual, and credentials for service accounts or shared mailboxes should be securely stored in a password vault and protected with MFA where possible.
- Disable Client-Side Forwarding Rules: Client-side forwarding rules can be an indicator of compromise, since they let an attacker forward all inbound email to an external address. They can also be set up by end users to forward company email to personal accounts. In both cases this creates a risk to confidentiality, and we highly recommend disabling client-side forwarding rules. Users who require forwarding rules for business purposes should have manager approval, and IT should review those rules regularly.
- Audit Logging and Event Monitoring: Ensure the logging of administrative events is enabled. Depending on the email platform or licensing level, auditing and log retention may not be enabled by default. Unit 42 recommends aggregating email server logs in a centralized location such as an extended detection and response (XDR) or security information and event management (SIEM) tool, so that logs are retained for more actionable auditing and insight into email server security events. Additional data and context help organizations understand what normal activity looks like for an account and determine what data has been compromised in the event of an incident.
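The job placement agency case above and the forwarding-rule recommendation come down to the same detection: an inbox rule that sends mail outside the organization or parks it where the user will not look. The following added example (not code from the Unit 42 post) scores such rule events from constructed audit records; the internal domain, the hidden-folder list and the record layout are assumptions.

```python
# Added example (not from the Unit 42 post): flag inbox-rule events that forward mail
# externally or hide it. Records are constructed; field and parameter names follow the
# shape of Exchange Online mailbox audit entries (Operation, UserId, Parameters[{Name,Value}]).
SAMPLE_LOG = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "drop@attacker.example"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com", "ClientIP": "198.51.100.21",
     "Parameters": [{"Name": "Identity", "Value": "Team"},
                    {"Name": "RedirectTo", "Value": "dave@example.com"}]},
]

INTERNAL_DOMAINS = {"example.com"}          # assumed: your own accepted domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders users rarely open, so mail moved there goes unnoticed (assumed list).
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email"}

def rule_findings(record):
    """Return the reasons a rule create/modify event looks like mail theft (empty if none)."""
    if record.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return []
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    reasons = []
    for name in sorted(FORWARD_PARAMS & params.keys()):
        for addr in params[name].split(";"):
            domain = addr.strip().rsplit("@", 1)[-1].lower()
            if domain not in INTERNAL_DOMAINS:
                reasons.append(f"{name} sends mail to external address {addr.strip()}")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDDEN_FOLDERS:
        reasons.append(f"moves matching mail to rarely viewed folder '{folder}'")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    rule_name = params.get("Name")
    if rule_name is not None and len(rule_name.strip()) <= 2:
        reasons.append(f"rule name '{rule_name}' is near-empty")
    return reasons

def triage(records):
    """Group findings by mailbox so an analyst reviews each affected user once."""
    hits = {}
    for rec in records:
        reasons = rule_findings(rec)
        if reasons:
            hits.setdefault(rec["UserId"], []).extend(reasons)
    return hits
```

Redirects to internal colleagues (carol's rule) produce no finding, which keeps the output focused on the external-forwarding and hidden-folder pattern the case describes.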
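Blocking legacy authentication by default while allowing specific exceptions, as recommended above, starts with knowing who still uses it. This added example (not from the original post) builds that inventory from constructed sign-in records; the field names and the set of legacy client values are assumptions modelled on the Azure AD sign-in log.

```python
# Added example (not from the Unit 42 post): inventory legacy-authentication sign-ins
# so exceptions can be scoped before legacy protocols are blocked by default.
# Records are constructed; field names (userPrincipalName, clientAppUsed, ipAddress,
# status.errorCode) follow the Azure AD sign-in log schema, the values are invented.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "IMAP4",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "ipAddress": "198.51.100.20", "status": {"errorCode": 0}},
    {"userPrincipalName": "mfp-relay@example.com", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "198.51.100.5", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "POP3",
     "ipAddress": "203.0.113.9", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "POP3",
     "ipAddress": "203.0.113.9", "status": {"errorCode": 50126}},
]

# clientAppUsed values that cannot present an MFA challenge (assumed from the
# Azure AD sign-in log; adjust to the values that appear in your tenant).
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync",
                  "Other clients", "Outlook Anywhere (RPC over HTTP)"}
# Accounts with an approved business need, e.g. an on-premises SMTP relay (assumed).
APPROVED_EXCEPTIONS = {("mfp-relay@example.com", "Authenticated SMTP")}

def legacy_auth_inventory(signins):
    """Summarise legacy-protocol use per (user, protocol): successes, failures, source IPs."""
    summary = {}
    for s in signins:
        proto = s.get("clientAppUsed", "")
        if proto not in LEGACY_CLIENTS:
            continue
        key = (s["userPrincipalName"], proto)
        entry = summary.setdefault(key, {"success": 0, "failure": 0, "ips": set()})
        ok = s.get("status", {}).get("errorCode", 0) == 0
        entry["success" if ok else "failure"] += 1
        entry["ips"].add(s.get("ipAddress", ""))
    return summary

def needs_action(inventory):
    """(user, protocol) pairs seen over legacy auth that have no approved exception."""
    return sorted(k for k in inventory if k not in APPROVED_EXCEPTIONS)
```

Repeated failures over POP3 from one address, as in bob's entries, are worth a separate look even before the protocol is blocked, since a working legacy client normally authenticates on the first try.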
Your organization can prepare to defend against email attacks with expert assistance. Learn about Unit 42’s Business Email Compromise (BEC) Readiness Assessment.