A delicate email affair

While this attack didn’t bother the client’s CFO as much as the first story, it did keep the PR team awake at night and worried for a few weeks. It is hardly news that more companies are putting their faith in the cloud, especially for email and file shares, with Microsoft Office 365 taking the lion’s share of email hosting for big business. As with a lot of IT, this shift in practice has brought some security gremlins with it.

Email 1

1. High-level spam

In early 2019, a client contacted us with a “sensitive” matter relating to an O365 email hack. To keep the PG rating of this report, all I will say is that spam emails of a rather adult nature had been sent to hundreds of thousands of accounts, from a high-up individual in the organization.

2. Bad PR is not the only problem

This raised two problems for the client. The most obvious is the public relations nightmare of a board-level member of the organization spamming so many people with such unadulterated filth; the second is that someone had access to highly sensitive emails held within the client’s O365 environment. Did they forward or download a copy of any of these emails? It quickly became apparent that the user in question had been the subject of a password stuffing attack.

3. Password stuffing

As it turned out, the attack was far larger than first indicated. Thousands of username and password combinations had been pointed at the organization’s O365 infrastructure. From logs obtained from Microsoft, we worked out that the list used was probably the LinkedIn password database from 2016. The user of the first hacked account had the same email and password combination for both LinkedIn and their corporate email.

4. Banning insecure passwords

We found that well over a hundred accounts had been accessed from four suspicious-looking IP addresses that we could link to similar ‘smut’ based spamming campaigns. This is the first stage at which the client could have implemented protections to mitigate the risk of such an attack succeeding. Stopping users from reusing passwords is hard, but not impossible. Known leaked passwords can be blocked from use on corporate networks: services like “Have I Been Pwned” allow you to match password hashes against known leaked lists, meaning you can maintain a huge banned password list.

5. Tracking back the attack path

Once we were satisfied that we had identified all accounts that had been ‘popped’ during the attack, we started to map out what had happened, and what access to data the attackers might have had.

6. Automated hack but no data breach

We could see from timestamps that the attack was automated. The delay between the time of access and the first emails being sent was just a few seconds, and the volume of emails sent in such a short time frame matched other campaigns that had been proven to be automated. We also didn’t find any signs of emails being synced or downloaded, nor did we identify any forwarding rules across any of the affected accounts.

7. Recovery

All we could see was hundreds of email accounts being accessed, then sending out millions of top-shelf emails that were swiftly deleted. This made the data protection officer happy but put the PR and marketing team in a bad mood.

Email 3

Lessons learned

As with the first story, some easy changes could have been made to the setup to stop this early. Users tend to access email from the same devices and the same IP addresses (or at least the same country IP block), so alerting on email access from abnormal IP addresses is a great early-warning tool, especially if you can then correlate those IP addresses with other authentication attempts.
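One way to codify the three signals this case turned on (a sign-in from a country the user never uses, one IP signing into many different accounts, and mail sent seconds after sign-in), as an added Python example that is not from the original article. The records and the per-user baseline are constructed, shaped only loosely on Office 365 audit log entries:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real data), loosely shaped like Office 365
# audit log entries: sign-ins and sends, with source IP and country code.
EVENTS = [
    {"ts": "2019-02-04T08:01:00", "user": "alice", "ip": "192.0.2.10", "cc": "GB", "op": "UserLoggedIn"},
    {"ts": "2019-02-04T08:45:00", "user": "alice", "ip": "192.0.2.10", "cc": "GB", "op": "Send"},
    {"ts": "2019-02-04T23:10:03", "user": "alice", "ip": "198.51.100.7", "cc": "XX", "op": "UserLoggedIn"},
    {"ts": "2019-02-04T23:10:07", "user": "alice", "ip": "198.51.100.7", "cc": "XX", "op": "Send"},
    {"ts": "2019-02-04T23:10:21", "user": "bob", "ip": "198.51.100.7", "cc": "XX", "op": "UserLoggedIn"},
    {"ts": "2019-02-04T23:10:24", "user": "bob", "ip": "198.51.100.7", "cc": "XX", "op": "Send"},
    {"ts": "2019-02-04T23:11:02", "user": "carol", "ip": "198.51.100.7", "cc": "XX", "op": "UserLoggedIn"},
]
# Assumed baseline (constructed): countries each user normally signs in from.
HOME = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB", "NL"}}


def abnormal_country_logins(events, home):
    """Sign-ins from a country that is not in the user's baseline."""
    return [e for e in events
            if e["op"] == "UserLoggedIn" and e["cc"] not in home.get(e["user"], set())]


def shared_source_ips(events, min_users=3):
    """IPs that sign into many distinct accounts: the credential-stuffing signature."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["op"] == "UserLoggedIn":
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


def fast_login_to_send(events, max_seconds=30):
    """(user, ip, seconds) for sends that follow a sign-in from the same IP within max_seconds."""
    hits, pending = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["ip"])
        if e["op"] == "UserLoggedIn":
            pending[key] = datetime.fromisoformat(e["ts"])
        elif e["op"] == "Send" and key in pending:
            delta = (datetime.fromisoformat(e["ts"]) - pending.pop(key)).total_seconds()
            if delta <= max_seconds:
                hits.append((e["user"], e["ip"], delta))
    return hits
```

Alice's normal sign-in and send from 192.0.2.10 pass all three checks, while the 198.51.100.7 activity trips every one of them, which is the correlation the text recommends.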

The one big remedy, though, is two-factor authentication (2FA). In 2019, any organization that has internet-facing infrastructure or services without 2FA enforced is asking for trouble. 2FA stops the majority of the “drive-by” or “opportunistic” attacks that cause so much damage. While alerting on abnormal IPs is easy and free to roll out, 2FA can be a bit more tricky. But look at the advantages gained from the week or two of effort it takes to set up. No doubt about it, everyone should be using 2FA.
