Seven critical steps to avoid business email compromise

Neil Meikle
September 2020
Part three in our series on business email compromise

Business email compromise (BEC) is a widespread and costly type of cyber attack that has surged in recent years. In this regular, bite-sized series, we look at the scale of the problem, the rapid rise in account takeover attacks on the Microsoft 365 platform, how investigations of these attacks are changing, and what all of this means to businesses, their cyber insurers and their legal representatives.

The previous article in this series is Easy prey: BEC fraud at an industrial scale and the next article is Consenting adults: the perils of application-based attacks.

In previous articles in this series we have explored the high costs of BEC and the alarming number of organisations that are unnecessarily exposed to it. But it’s not all bad news. Organisations can avoid straying accidentally into the firing line by following some essential security principles that significantly reduce the risk of attack and the threat actor’s probability of success. Looking at it from another point of view, organisations that fail to carry out these critical steps (and monitor their effectiveness) are placing themselves and their insurers directly in the crosshairs of experienced cybercrime groups.

1. Activate multi-factor authentication

Top of the list by a long, long way is multi-factor authentication (MFA). Flicking the switch on MFA blocks 99.99% of compromises, but despite this only 11% of enterprise users were being protected by it in January 2020. While MFA doesn’t provide absolute and unqualified protection from BEC attacks (more sophisticated attempts can be mounted by a highly motivated threat actor), it makes it significantly more challenging than just guessing a password correctly. A Microsoft blog observed that “MFA bypass attacks are so rare that we don’t have good statistics on them” – which is consistent with what we see during incident response investigations.

Now that authentication apps are so widespread, the obstacles to using MFA have virtually disappeared – implementation no longer relies on dedicated external hardware devices. But if you can’t enable MFA immediately, work out whether it can at least be rolled out incrementally to certain groups, users or applications: partial MFA is better than no MFA. Best practice is that certain user groups should have “always on” MFA, which demands that users provide a secondary form of authentication for every login. This type of policy is often applied to administrators of Microsoft 365 environments, and should also be considered for staff members who handle finances or who are part of the approval process, including senior executives and members of the Finance and HR teams.

"Until MFA is more broadly adopted, there is little reason for attackers to evolve"

- Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft, All your creds are belong to us!, 3 October 2019

2. Turn off legacy authentication

Certain legacy authentication protocols such as POP3, IMAP and SMTP are inherently insecure, having been designed at a time before modern cyber attacks had been dreamt of. Organisations often permit logins from legacy apps that don’t support MFA, so all a cybercriminal needs to do to bypass MFA and gain access to an account is use a legacy protocol. Microsoft has found that organisations who disable legacy authentication experience 67% fewer compromises than those who leave it enabled.

In our previous article we touched on why many organisations have chosen not to block legacy authentication. One major reason is that enterprises with a large number of custom-built applications and systems are at risk of unintentionally blocking access to critical systems. These companies should consider an incremental rollout based on an analysis of legacy connections and simulations of new legacy authentication blocking policies. It should be noted that Microsoft was planning to block all legacy authentication connections to Exchange Online from 13 October 2020 (which would have substantially reduced the risk of account takeover attacks for customers still using it); however as a result of the COVID-19 crisis this has been postponed until the second half of 2021.
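The incremental rollout described above can be staged from Exchange Online PowerShell. This is an added example, not a script from the article or from Asceris; it assumes the ExchangeOnlineManagement module is installed, Connect-ExchangeOnline has already been run by an Exchange administrator, and the policy name and pilot addresses are placeholders to be replaced.

```powershell
# Added example: inventory legacy-protocol mailboxes, then pilot a basic-auth block before making it the default.
# Assumes Connect-ExchangeOnline has been run. Policy name and pilot addresses below are placeholders.

# 1. Inventory: which mailboxes still have POP, IMAP or SMTP AUTH available?
#    SmtpClientAuthenticationDisabled is $null when the mailbox inherits the tenant setting,
#    so "-not" treats inheriting mailboxes as still exposed and lists them for review.
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or (-not $_.SmtpClientAuthenticationDisabled) } |
    Select-Object DisplayName, PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled
$legacy | Export-Csv -Path .\legacy-auth-inventory.csv -NoTypeInformation
Write-Output ("{0} mailboxes can still use a legacy protocol; review legacy-auth-inventory.csv" -f @($legacy).Count)

# 2. Create an authentication policy. A newly created policy blocks basic authentication
#    for every protocol unless individual -AllowBasicAuth* switches are set.
$policyName = 'Block Basic Auth'   # placeholder name
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# 3. Pilot: apply the policy to a small group first (e.g. Finance and HR, the high-value targets named in step 1).
#    Policy changes can take up to 24 hours to apply; refreshing the token validity stamp forces it sooner.
$pilotUsers = @('finance.user@example.com', 'hr.user@example.com')   # placeholder addresses
foreach ($upn in $pilotUsers) {
    Set-User -Identity $upn -AuthenticationPolicy $policyName
    Set-User -Identity $upn -STSRefreshTokensValidFrom (Get-Date)
}

# 4. After the pilot has run without breaking critical systems, make the policy the tenant default
#    so that newly created and unassigned users are covered too.
# Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName
```

Rerun step 1 after each wave of the rollout: the CSV should shrink until only the custom-built applications that genuinely need an exception remain, and those can be tracked as named exceptions rather than a tenant-wide gap.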

3. Reduce the phishing and social engineering threat

Unfortunately, the use of strong authentication won’t completely eradicate the threat, which means that common techniques such as social engineering and phishing will always have a chance of success. The shift to remote working precipitated by the COVID-19 pandemic has been accompanied by an increase across all types of cyber-attack – Check Point’s Cyber Attack Trends: 2020 Mid-Year Report calculated a 34% increase globally at the end of June 2020 compared to March and April. 0.5% of all inbound mails on Microsoft 365 are phishing emails, and it only takes a single successful phishing email to breach an account. Once an account is breached, employees working remotely find it more difficult to verify information, for example to check the legitimacy of fund transfer requests.

Administrators should implement technical measures to detect and block phishing emails, and can start by using the built-in capabilities of Microsoft 365. Businesses also need to implement controls focused on people and processes. Staff awareness can be improved through communications, live simulations and training (particularly in cyber security, social engineering techniques and common cyber fraud schemes). The FBI have some specific recommendations for safeguarding against BEC, which focus on spoofing and social engineering. Recent evidence of an increase in payment and invoice fraud gives extra urgency to the implementation of process controls such as multiple levels of approval for high risk transactions. You may also want to consider a more integrated solution for phishing simulation, training and reporting, such as Cyber Risk Aware’s platform.

4. Address the risk from third party apps

Administrators can be surprised to find out that users have full rights to connect new third party apps, and can provide full consent for the app to access their account and data. While this is convenient to the end user, delivering the capabilities of a wide range of services at the touch of a button, it also presents serious risks to security. As organisations implement MFA, threat actors with a valid username and password will no longer be able to log into accounts when they choose. But if a user grants access to a malicious third party app linked to a phishing email, the threat actor gains persistence without MFA. Administrators should close down this avenue of attack by preventing users from consenting to new apps on behalf of their organisation. Minor configuration changes in Microsoft 365 enable users to request access to new apps through an approval process overseen by an administrator.
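Blocking new user consent is only half of the job; consents granted before the change stay in place. The following added example (not from the article or from Asceris) first inventories existing user-level OAuth grants that touch mail, then turns off user consent. It assumes the AzureAD and MSOnline modules are installed and that Connect-AzureAD and Connect-MsolService have been run; the scope watchlist is an assumption chosen for the BEC scenario.

```powershell
# Added example: find user-consented apps with mail-related permissions, then stop users consenting to new apps.
# Assumes Connect-AzureAD and Connect-MsolService have already been run as a Global Administrator.

# Scopes that let an app read, send or persist access to a mailbox: the capabilities a BEC actor wants
# from a malicious third-party app. The watchlist is an assumption; extend it to match your environment.
$riskyScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite', 'offline_access')

# ConsentType 'Principal' = a single user consented on their own behalf (the path a phishing link abuses);
# 'AllPrincipals' = an administrator consented for the whole tenant, which is reviewed separately.
$grants = Get-AzureADOAuth2PermissionGrant -All $true | Where-Object { $_.ConsentType -eq 'Principal' }

$spNames = @{}   # cache service principal display names so each app is looked up once
$findings = foreach ($g in $grants) {
    $scopes = ($g.Scope -split ' ') | Where-Object { $_ }
    $hits   = $scopes | Where-Object { $riskyScopes -contains $_ }
    if (-not $hits) { continue }
    if (-not $spNames.ContainsKey($g.ClientId)) {
        $spNames[$g.ClientId] = (Get-AzureADServicePrincipal -ObjectId $g.ClientId).DisplayName
    }
    [pscustomobject]@{
        App         = $spNames[$g.ClientId]
        ClientId    = $g.ClientId
        User        = (Get-AzureADUser -ObjectId $g.PrincipalId).UserPrincipalName
        RiskyScopes = ($hits -join ' ')
    }
}
$findings | Sort-Object App, User | Export-Csv -Path .\user-consents-to-review.csv -NoTypeInformation
Write-Output ("{0} user-level grants with mail-related scopes written to user-consents-to-review.csv" -f @($findings).Count)

# Close the avenue for new grants: users can no longer consent to apps on the organisation's behalf.
# Pair this with the admin consent request workflow in the Azure portal so users can still ask for access.
Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false
```

A grant you decide to revoke can be removed with Remove-AzureADOAuth2PermissionGrant using the ObjectId of the grant; keep the CSV as the record of what was reviewed and why.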

5. Act on your Microsoft 365 secure score

The secure score capability on the Microsoft 365 platform is a great way to check for risks and obtain targeted recommended actions for improving the security posture of an environment. Once the basics are addressed, businesses can then take the next step by making the most of other features that may be part of their Microsoft 365 subscription such as conditional access, data loss prevention (DLP), Microsoft Cloud App Security and geofencing.

6. Activate audit logging

Audit logging is an important source of information when responding to an incident, but in some cases we find that not enough log data is being collected to carry out a comprehensive investigation. This can have a direct financial impact on the total cost of an incident because good audit logging gives us more insight into the behaviour of the threat actor, potentially avoiding the expensive exercises of manually reviewing mailboxes or notifying data protection regulators. Unified audit logging and mailbox audit logging are two important sources of information during incident response, but neither is enabled by default. As a minimum, administrators need to toggle unified audit logging on, ensure that there are no unusual configuration settings at the user account level, and consider what additional logging and retention periods are appropriate for their environment.
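The three checks in that minimum (unified audit log on, no per-user overrides, sensible retention) can be made from Exchange Online PowerShell. This is an added example, not a script from the article or from Asceris; it assumes Connect-ExchangeOnline has been run with an account holding the Organization Management role, and the 180-day retention figure is an assumption to be set to what your environment needs.

```powershell
# Added example: verify the audit logging an investigation will later depend on, and fix the gaps.
# Assumes Connect-ExchangeOnline has been run. Retention value is an assumption.

# 1. Unified audit log: ingestion must be on or activity simply is not recorded.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Output 'Unified audit log ingestion was OFF and has been enabled'
}

# 2. Mailbox auditing at the organisation level: AuditDisabled $true switches it off for every mailbox.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
    Write-Output 'Organisation-level mailbox auditing was OFF and has been enabled'
}

# 3. Per-user overrides: a bypass association silences all actions by that account, and a mailbox with
#    AuditEnabled $false records nothing. Both are exactly the "unusual settings" to hunt for.
$bypassed = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } | Select-Object -ExpandProperty Name
foreach ($name in $bypassed) {
    Write-Output "Audit bypass enabled for: $name (review, then clear with Set-MailboxAuditBypassAssociation)"
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$disabled  = $mailboxes | Where-Object { -not $_.AuditEnabled }
foreach ($mbx in $disabled) {
    Write-Output "Mailbox auditing disabled on: $($mbx.PrimarySmtpAddress)"
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true
}

# 4. Retention: the mailbox audit log keeps 90 days by default. A BEC intrusion is often discovered
#    months after the first login, so extend it (180 days assumed) where the licence and environment allow.
$retention = 180
$mailboxes | Where-Object { $_.AuditLogAgeLimit.Days -lt $retention } |
    ForEach-Object { Set-Mailbox -Identity $_.Identity -AuditLogAgeLimit "$retention.00:00:00" }
```

Run the same script on a schedule and diff its output over time: a bypass association or a disabled mailbox appearing between runs is itself a signal worth investigating, since turning logging off is a step a threat actor takes to cover their tracks.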

7. Be realistic with your password policy

Passwords only protect against a relatively narrow set of techniques, so there’s a limit to how effectively you can protect against account takeover if you don’t have MFA turned on. But if you are relying on passwords alone for authentication, you need to ensure that your password strategy is as effective as possible. An excellent resource is the National Cyber Security Centre's guidelines for system administrators on password policy, which cover everything from password expiry to password managers. For an entertaining analysis of how real users behave when they choose passwords, take a look at Microsoft’s research on password policy, which shows that users behave both very predictably and also completely contrary to accepted wisdom.

Coming up next

In the next part of this series, we look at a fast-rising type of attack known as consent phishing.

Find out more

Asceris’ business email compromise investigations combine the hands-on experience of our incident response specialists with our custom-built technology, enabling our customers and their insurers to respond quickly and with confidence. Our services leverage extensive automation, advanced analytics, automatic risk scoring, best in class IP address geolocation, external data feeds and intuitive reports, enabling us to uncover evidence rapidly from a wide range of data sources.

If you are the target of an active business email compromise attack, please request emergency assistance immediately.

Asceris offers a proactive risk assessment for Microsoft 365 environments to our cyber insurance partners and their customers. Our report presents environment-level risks and user-level risks that are based on our experience of responding to Microsoft 365 business email compromise incidents.

To find out more about any of our services, please contact us. To start a conversation or to report any errors or omissions, please feel free to contact the author directly.

Neil Meikle
Neil is Asceris' Chief Technology Officer. Over the last 19 years, he has delivered a variety of large multi-jurisdictional investigations and has spoken frequently at conferences on technology-related subjects. He maintains deep hands-on expertise in a wide range of technical subjects including digital forensics, cyber incident response, forensic data analytics, machine learning and artificial intelligence.

About Asceris

Our mission at Asceris is to reduce the financial and business impact of cyber incidents and other adverse events. By understanding the cost drivers of claims and addressing these proactively through automation and continuous process refinement, we are able to deliver high quality incident response services in close collaboration with our industry partners.

Follow us on LinkedIn or subscribe to our RSS feed to make sure you don’t miss our next article.
