Cyber attacks targeting business email accounts continue to rise and are increasingly perpetrated by organized crime enterprises that target specific organizations and executives with elaborate techniques. Organizations using Office 365, Microsoft’s cloud-based productivity solution, are particularly at risk, and attacks are occurring across all industry sectors (healthcare, financial services, professional services and higher education).
These attacks are expensive, typically requiring programmatic and manual searches of years’ worth of email to determine whether personally identifiable information (PII) or protected health information (PHI) has been put at risk. Unfortunately, for organizations hit by a business email compromise (BEC) attack, many inboxes, if not hundreds, are typically compromised.
For larger scale email compromises, if the majority of users sent and received PII or PHI, the total cost of legal, forensics, data mining, manual review, notification, call center and credit monitoring can exceed $2 million. And even for the smaller scale email compromises, the costs can easily exceed $100,000.
Business email compromise is an efficient and profitable way for attackers to assault an enterprise, because access to a single account gives them a platform from which to spear phish, both within and outside the organization.
In addition to securing a base for spear phishing attacks, attackers can also leverage compromised accounts to request fraudulent wire transfers, redirect an employee’s paycheck, and steal sensitive information within the inbox. According to Dasha Tarassenko of Mandiant, “Phishing emails coming out of the compromised accounts are becoming more targeted and impressively crafted than ever before. They’re not just sending thousands of spam emails. They’re doing reconnaissance within the compromised inbox and then tailoring the next phishing email to the recipient.”
More sophisticated attackers may use PowerShell to log in to Office 365 and carry out more extensive reconnaissance. If they are able to compromise credentials for a user with the right administrative privileges, they may be able to search every inbox across the entire organization.
These attacks can easily be prevented by turning on two-factor authentication and training employees. Disabling permissions for third-party applications to access Office 365 can also reduce the likelihood of an attacker using PowerShell for reconnaissance or other purposes.
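The following script is an added example, not part of the original article, showing how an Office 365 administrator can audit and apply the controls just described: it uses Microsoft's Exchange Online and legacy MSOnline PowerShell modules to find mailboxes reachable via remote PowerShell, switch it off for non-admins, list accounts with no per-user MFA requirement, and block users from consenting to third-party apps. The tenant, admin account and approved-admin list are constructed placeholders.

```powershell
# Added example (not from the original article): defender-side checks for the
# controls described above, using the Exchange Online and legacy MSOnline
# PowerShell modules. Tenant and account names are constructed placeholders.

# 1. Find mailboxes that can be reached over remote PowerShell at all. A phished
#    password for any of these accounts is enough to run mailbox reconnaissance.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder tenant

$rpsEnabled = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled } |
    Select-Object Name, PrimarySmtpAddress)

Write-Host "Mailboxes with remote PowerShell enabled: $($rpsEnabled.Count)"

# 2. Disable remote PowerShell for everyone not on an approved admin list.
#    Ordinary users have no need for it; admins keep it and should be behind MFA.
$approvedAdmins = @('admin@contoso.example')   # constructed list; maintain per tenant

foreach ($mbx in $rpsEnabled) {
    if ($approvedAdmins -notcontains $mbx.PrimarySmtpAddress) {
        Set-CASMailbox -Identity $mbx.PrimarySmtpAddress -RemotePowerShellEnabled $false
        Write-Host "Disabled remote PowerShell for $($mbx.PrimarySmtpAddress)"
    }
}

# 3. Report accounts with no per-user MFA requirement. StrongAuthenticationRequirements
#    is empty when per-user MFA is not enforced. Caveat: MFA enforced through
#    Conditional Access policies is not visible here and must be reviewed separately.
Connect-MsolService
$noMfa = @(Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 } |
    Select-Object UserPrincipalName)

Write-Host "Users without per-user MFA enforced: $($noMfa.Count)"
$noMfa | Format-Table -AutoSize

# 4. Stop users from consenting to third-party applications on their own, so a
#    malicious OAuth app cannot be granted mailbox access by a phished user.
Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false
```

Run it from an account that already has MFA enforced, and review the two reports before relying on step 2, since any account left with remote PowerShell enabled but without MFA remains exposed to the reconnaissance path described above.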