Business email compromise (BEC) is a widespread and costly type of cyber attack that has surged in recent years. In this regular, bite-sized series, we look at the scale of the problem, the rapid rise in account takeover attacks on the Microsoft 365 platform, how investigations of these attacks are changing, and what all of this means to businesses, their cyber insurers and their legal representatives.
The previous article in this series is Easy prey: BEC fraud at an industrial scale and the next article is Consenting adults: the perils of application-based attacks.
In previous articles in this series we have explored the high costs of BEC and the alarming number of organisations that are unnecessarily exposed to it. But it’s not all bad news. Organisations can avoid straying accidentally into the firing line by following some essential security principles that significantly reduce the risk of attack and the threat actor’s probability of success. Looking at it from another point of view, organisations that fail to carry out these critical steps (and monitor their effectiveness) are placing themselves and their insurers directly in the crosshairs of experienced cybercrime groups.
1. Activate multi-factor authentication
Now that authentication apps are so widespread, the obstacles to using MFA have virtually disappeared – implementation no longer relies on dedicated external hardware devices. But if you can’t enable MFA immediately, work out whether it can at least be rolled out incrementally to certain groups, users, or applications…. partial MFA is better than no MFA. Best practice is that certain user groups should have “always on” MFA, which demands that users provide a secondary form of authentication for every login. This type of policy is often applied to administrators of Microsoft 365 environments, and should also be considered for staff members who handle finances or who are part of the approval process, including senior executives and members of the Finance and HR teams.
"Until MFA is more broadly adopted, there is little reason for attackers to evolve"
- Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft, All your creds are belong to us!, 3 October 2019
2. Turn off legacy authentication
Certain legacy authentication protocols such as POP3, IMAP and SMTP are inherently insecure, having been designed at a time before modern cyber attacks had been dreamt of. Organisations often permit logins from legacy apps that don’t support MFA, so all a cybercriminal needs to do to bypass MFA and gain access to an account is use a legacy protocol. Microsoft has found that organisations who disable legacy authentication experience 67% fewer compromises than those who leave it enabled.
In our previous article we touched on why many organisations have chosen not to block legacy authentication. One major reason is that enterprises with a large number of custom-built applications and systems are at risk of unintentionally blocking access to critical systems. These companies should consider an incremental rollout based on an analysis of legacy connections and simulations of new legacy authentication blocking policies. It should be noted that Microsoft was planning to block all legacy authentication connections to Exchange Online from 13 October 2020 (which would have substantially reduced the risk of account takeover attacks for customers still using it); however as a result of the COVID-19 crisis this has been postponed until the second half of 2021.
3. Reduce the phishing and social engineering threat
Administrators should implement technical measures to detect and block phishing emails, and can start by using the built-in capabilities of Microsoft 365. Businesses also need to implement controls focused on people and processes. Staff awareness can be improved through communications, live simulations and training (particularly in cyber security, social engineering techniques and common cyber fraud schemes). The FBI have some specific recommendations for safeguarding against BEC, which focus on spoofing and social engineering. Recent evidence of an increase in payment and invoice fraud gives extra urgency to the implementation of process controls such as multiple levels of approval for high risk transactions. You may also want to consider a more integrated solution for phishing simulation, training and reporting, such as Cyber Risk Aware’s platform.
4. Address the risk from third party apps
Administrators can be surprised to find out that users have full rights to connect new third party apps, and can provide full consent for the app to access their account and data. While this is convenient to the end user, delivering the capabilities of a wide range of services at the touch of a button, it also presents serious risks to security. As organisations implement MFA, threat actors with a valid username and password will no longer be able to log into accounts when they choose. But if a user grants access to a malicious third party app linked to a phishing email, the threat actor gains persistence without MFA. Administrators should close down this avenue of attack by preventing users from consenting to new apps on behalf of their organisation. Minor configuration changes in Microsoft 365 enable users to request access to new apps through an approval process overseen by an administrator.
5. Act on your Microsoft 365 secure score
6. Activate audit logging
Audit logging is an important source of information when responding to an incident, but in some cases we find that not enough log data is being collected to carry out a comprehensive investigation. This can have a direct financial impact on the total cost of an incident because good audit logging gives us more insight into the behaviour of the threat actor, potentially avoiding the expensive exercises to manually review mailboxes or notify data protection regulators. Unified audit logging and mailbox audit logging are two important sources of information during incident response, but neither are enabled by default. As a minimum, administrators need to toggle unified audit logging on, ensure that there are no unusual configuration settings at the user account level, and consider what additional logging and retention periods are appropriate for their environment.
7. Be realistic with your password policy
Passwords only protect against a relatively narrow set of techniques, so there’s a limit to how effectively you can protect against account takeover if you don’t have MFA turned on. But if you are relying on passwords alone for authentication, you need to ensure that your password strategy is as effective as possible. An excellent resource is the National Cyber Security Centre's guidelines for system administrators on password policy, which covers everything from password expiry to password managers. For an entertaining analysis of how real users behave when they choose passwords take a look at Microsoft’s research on password policy, which shows that users behave both very predictably and also completely contrary to accepted wisdom.
Coming up next
In the next part of this series, we look at a fast-rising type of attack known as consent phishing.
Find out more
Asceris’ business email compromise investigations combine the hands-on experience of our incident response specialists with our custom-built technology, enabling our customers and their insurers to respond quickly and with confidence. Our services leverage extensive automation, advanced analytics, automatic risk scoring, best in class IP address geolocation, external data feeds and intuitive reports, enabling us to uncover evidence rapidly from a wide range of data sources.
If you are the target of an active business email compromise attack, please request emergency assistance immediately.
Asceris offers a proactive risk assessment for Microsoft 365 environments to our cyber insurance partners and their customers. Our report presents environment-level risks and user-level risks that are based on our experience of responding to Microsoft 365 business email compromise incidents.
To find out more about any of our services, please contact us. To start a conversation or to report any errors or omissions, please feel free to contact the author directly.
Our mission at Asceris is to reduce the financial and business impact of cyber incidents and other adverse events. By understanding the cost drivers of claims and addressing these proactively through automation and continuous process refinement, we are able to deliver high quality incident response services in close collaboration with our industry partners.
Other recent insights