Domino effect: the dangers of connected accounts

Edmée Vaudremer
July 2021
In some cases, email account breaches are the first step in a chain reaction of compromises.

In this article we dig into the ways that threat actors use a compromised email account to access other accounts that were registered from it.

We have written extensively about business email compromise and account takeover (ATO), from the reasons for its rapid rise to the most effective ways of preventing it. BEC attacks can be extremely damaging to affected organisations, because once a threat actor controls an account they have opportunities to conduct reconnaissance, exfiltrate data including calendars and contact lists, launch supply-chain phishing attacks to defraud customers, and pivot to other accounts in the organisation through an internal phishing campaign. Another tactic used by threat actors, which is particularly dangerous, is the use of a compromised account to gain access to additional accounts that belong to the victim.

The threat actor is exploiting the fact that password reset notifications are often sent to a registered email address. If a mailbox is compromised, the threat actor only has to search for accounts that are mentioned in the victim’s emails, then initiate a password reset to gain access to connected accounts, which could include social media, online storage, or financial accounts.

When threat actors take over connected accounts, the risk to victims often grows significantly. They may have access to a wealth of additional sensitive data: financial, personal, contacts, or identity-related.

Circumventing multi-factor authentication and one time passwords

In a recent case, we were asked to investigate a Microsoft 365 account compromise that had led to a fraud attempt. The threat actor accessed the email account early on a weekend morning and created inbox rules moving key messages to the ‘Conversation History’ folder – a location that would rarely be viewed by the user, helping the threat actor to evade suspicion. The organisation realised they had been compromised when the account owner received an email notifying them that a bank account had been connected to a cryptocurrency services provider.

After the threat actor gained access to the mailbox, they generated a one time password for the organisation’s cloud-based payroll system. One time passwords are automatically generated codes that are valid for only one login session. With multi-factor authentication (MFA) successfully circumvented and full access to the payroll system, the threat actor created a fake employee and initiated a new payroll cycle a few days after the account compromise, enabling $50,000 bi-weekly pay-outs to an unknown account. With the compromise of a single email account, the threat actor was able to circumvent a range of controls and risk a highly visible cash grab. Activating MFA on all online accounts would likely have prevented this attempted fraud, since the account takeover that preceded it would have likely been stopped in its tracks.

Creation of connected accounts

Sometimes the threat actor doesn’t breach a connected account, instead they create a new account using the compromised email address. During the detailed analysis stage of another BEC investigation involving a services company in May 2021, we observed that the threat actor primarily focused on one target’s mailbox. Three months after the original compromise of their mailbox, the threat actor successfully registered a Facebook account using the target’s business email address.

A visible clue in the target’s inbox enabled us to identify the attempted compromise of a connected account. Following the threat actor’s account registration, Facebook sent a legitimate verification email to the target’s account including a code to verify the account.

A legitimate email from Facebook, but the account was being registered by a threat actor

The threat actor then deleted the evidence related to the Facebook account registration by executing a hard delete of the Facebook verification email in the target’s ‘Deleted Items’ folder, from a suspicious IP address geolocating to a country that was unusual for the client environment.

Threat actors create new connected accounts because it gives them the opportunity to impersonate targeted individuals and organisations. But not all accounts created by the fraudster will reveal evidence of use. During our investigation, we asked the owner of the compromised mailbox to reset the password on the unauthorised Facebook account, by using the ‘Forgotten password?’ link on the Facebook login page. However, the Facebook account was already inactive, perhaps because the threat actor never accessed the account, they disabled it after it had served its purpose, or Facebook moderators had by that point identified and disabled the fraudulent account.

The attempt to gain control of the new account, but it was already gone.

Our recommendations

Obviously, the most effective way of avoiding the compromise of connected accounts is to avoid any compromise at all. Many organisations expose themselves to illegitimate account access due to insecure email environments. Simple security controls that can reduce the risk and limit the impact of account takeover include activating multi-factor authentication. Password-only authentication is highly risky for a variety of reasons, including the 52% password reuse rate. MFA alone can stop 99.99% of compromises. Organisations can reduce the phishing and social engineering threat and improve incident readiness by training employees to spot suspicious messages and by emulating realistic threats.

Large credential dumps occur relatively frequently and are inexpensive for threat actors to access. (High-profile consolidated credential dumps include the 2.2 billion unique pairs of email addresses and passwords in the Collections #2-5 dataset from 2019, and the 3.2 billion unique pairs in the COMB dataset from 2021.) Password reuse is a major risk, which means that implementing a robust password policy is crucial. A defence-in-depth strategy to password management and authentication including password complexity and length, password hashing, and password manager tools, must be implemented to defend against threat actors who are capable of stealing passwords via a data breach, phishing email, or by dropping malware with features such as keystroke logging.

And if the worst happens and an account is compromised, incident responders need to check for password reset emails (and other related types of messages). If these emails were received while the threat actor had access, the incident could be even more damaging than it initially appeared.

Find out more

Asceris’ business email compromise investigations combine the hands-on experience of our incident response specialists with our custom-built technology, enabling our customers and their insurers to respond quickly and with confidence. Our services leverage extensive automation, advanced analytics, automatic risk scoring, best in class IP address geolocation, external data feeds and intuitive reports, enabling us to uncover evidence rapidly from a wide range of data sources.

If you are the target of an active business email compromise attack, please request emergency assistance immediately.

Asceris offers a proactive risk assessment for Microsoft 365 environments to our cyber insurance partners and their customers. Our report presents environment-level risks and user-level risks that are based on our experience of responding to Microsoft 365 business email compromise incidents.

To find out more about any of our services, please contact us. To start a conversation or to report any errors or omissions, please feel free to contact the author directly.

Edmée Vaudremer
LinkedInenvelope by Bluetip Design from the Noun Project
Edmée is an incident response analyst at Asceris working on business email compromise cases, ransomware investigations, and tracking cyber threat groups and malware families. She previously assisted customers with personalising a leading anomaly detection tool to their environment. She has a background in terrorism research and analysis, and is a fluent French speaker.

About Asceris

Our mission at Asceris is to reduce the financial and business impact of cyber incidents and other adverse events. By understanding the cost drivers of claims and addressing these proactively through automation and continuous process refinement, we are able to deliver high quality incident response services in close collaboration with our industry partners.

Follow us on LinkedIn or subscribe to our RSS feed to make sure you don’t miss our next article.

Other recent insights