In this article we dig into the ways that threat actors use a compromised email account to access other accounts that were registered from it.
The threat actor is exploiting the fact that password reset notifications are often sent to a registered email address. If a mailbox is compromised, the threat actor only has to search for accounts that are mentioned in the victim’s emails, then initiate a password reset to gain access to connected accounts, which could include social media, online storage, or financial accounts.
When threat actors take over connected accounts, the risk to victims often grows significantly. They may have access to a wealth of additional sensitive data: financial, personal, contacts, or identity-related.
Circumventing multi-factor authentication and one time passwords
In a recent case, we were asked to investigate a Microsoft 365 account compromise that had led to a fraud attempt. The threat actor accessed the email account early on a weekend morning and created inbox rules moving key messages to the ‘Conversation History’ folder – a location that would rarely be viewed by the user, helping the threat actor to evade suspicion. The organisation realised they had been compromised when the account owner received an email notifying them that a bank account had been connected to a cryptocurrency services provider.
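The inbox-rule behaviour described above (rules created at an unusual hour that divert mail into a rarely viewed folder such as 'Conversation History') is something a defender can hunt for in the Microsoft 365 unified audit log. The script below is an added example, not Asceris tooling or code from the case; the audit records in it are constructed to look like Exchange Online `New-InboxRule` entries (Operation, UserId, ClientIP, CreationTime and a Parameters list of Name/Value pairs), and the folder list, keyword list and the off-hours definition (weekend, or before 06:00 UTC) are assumptions to tune per environment.

```python
"""Flag Microsoft 365 inbox rules that hide mail the way the case above describes.

Added example, not Asceris tooling. The records below are constructed to look
like Exchange Online 'New-InboxRule' entries from the unified audit log
(Operation, UserId, ClientIP, CreationTime and a Parameters list of Name/Value
pairs); every value in them is made up.
"""
import re
from datetime import datetime

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Folders a user rarely opens. The case above used 'Conversation History';
# the rest are the same idea (assumed list, adjust per environment).
RARELY_VIEWED_FOLDERS = {"conversation history", "rss feeds", "rss subscriptions",
                         "archive", "junk email", "deleted items"}

# Subject fragments that suggest a rule exists to intercept security or
# finance notifications rather than to file newsletters (assumed list).
INTERCEPT_KEYWORDS = ("password", "reset", "verif", "code", "bank", "invoice", "payment")

CONSTRUCTED_RECORDS = [
    {   # Saturday 05:12 UTC: diverts banking and password mail to Conversation History
        "Operation": "New-InboxRule", "UserId": "finance@example.com",
        "ClientIP": "203.0.113.45", "CreationTime": "2021-05-15T05:12:08Z",
        "Parameters": [
            {"Name": "Name", "Value": "Bank alerts"},
            {"Name": "SubjectContainsWords", "Value": "bank;password;verify"},
            {"Name": "MoveToFolder", "Value": "Conversation History"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    },
    {   # Tuesday 09:30 UTC: ordinary newsletter filing rule
        "Operation": "New-InboxRule", "UserId": "finance@example.com",
        "ClientIP": "198.51.100.7", "CreationTime": "2021-05-18T09:30:00Z",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "FromAddressContainsWords", "Value": "newsletter"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    },
    {   # Sunday 04:50 UTC: silently deletes invoice mail
        "Operation": "New-InboxRule", "UserId": "finance@example.com",
        "ClientIP": "203.0.113.45", "CreationTime": "2021-05-16T04:50:31Z",
        "Parameters": [
            {"Name": "Name", "Value": "Invoices"},
            {"Name": "SubjectContainsWords", "Value": "invoice"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    },
]


def _params(record):
    """Collapse the record's Parameters list into a plain dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _off_hours(creation_time):
    """Weekend or before 06:00. Assumption: compared in UTC; convert to the
    mailbox owner's local time zone in a real investigation."""
    created = datetime.fromisoformat(creation_time.replace("Z", "+00:00"))
    return created.weekday() >= 5 or created.hour < 6


def hiding_reasons(record):
    """Describe how the rule hides or destroys mail; empty for a benign rule."""
    p = _params(record)
    reasons = []
    folder = p.get("MoveToFolder", "")
    if folder.strip().lower() in RARELY_VIEWED_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{folder}'")
    for flag in ("DeleteMessage", "SoftDeleteMessage"):
        if p.get(flag, "").lower() == "true":
            reasons.append(f"deletes matching mail ({flag})")
    words = [w.strip().lower() for w in re.split(r"[;,]", p.get("SubjectContainsWords", "")) if w.strip()]
    hits = [w for w in words if any(k in w for k in INTERCEPT_KEYWORDS)]
    if hits:
        reasons.append("filters on notification keywords: " + ", ".join(hits))
    # Marking as read only counts alongside one of the reasons above.
    if reasons and p.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks matching mail as read")
    return reasons


def triage_inbox_rules(records):
    """One finding per rule-creation event that hides mail, oldest first."""
    findings = []
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        reasons = hiding_reasons(rec)
        if not reasons:
            continue
        p = _params(rec)
        findings.append({
            "user": rec["UserId"],
            "rule_name": p.get("Name") or p.get("Identity") or "<unnamed>",
            "client_ip": rec.get("ClientIP", ""),
            "created": rec["CreationTime"],
            "off_hours": _off_hours(rec["CreationTime"]),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage_inbox_rules(CONSTRUCTED_RECORDS):
        flag = " (off-hours)" if f["off_hours"] else ""
        print(f"{f['created']} {f['user']} rule '{f['rule_name']}' from {f['client_ip']}{flag}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against real audit log exports, the same logic applies to the `Parameters` array of `New-InboxRule` and `Set-InboxRule` records; the off-hours flag is context rather than a finding on its own, which is why the rule still needs a hiding reason to be reported.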
Creation of connected accounts
Sometimes the threat actor doesn’t breach an existing connected account; instead, they create a new account using the compromised email address. During the detailed analysis stage of another BEC investigation involving a services company in May 2021, we observed that the threat actor primarily focused on one target’s mailbox. Three months after the original compromise of their mailbox, the threat actor successfully registered a Facebook account using the target’s business email address.
A visible clue in the target’s inbox enabled us to identify the attempted compromise of a connected account. Following the threat actor’s account registration, Facebook sent a legitimate verification email to the target’s account including a code to verify the account.
The threat actor then deleted the evidence related to the Facebook account registration by executing a hard delete of the Facebook verification email in the target’s ‘Deleted Items’ folder, from a suspicious IP address geolocating to a country that was unusual for the client environment.
Threat actors create new connected accounts because it gives them the opportunity to impersonate targeted individuals and organisations. But not all accounts created by the fraudster will reveal evidence of use. During our investigation, we asked the owner of the compromised mailbox to reset the password on the unauthorised Facebook account, by using the ‘Forgotten password?’ link on the Facebook login page. However, the Facebook account was already inactive, perhaps because the threat actor never accessed it, because they disabled it after it had served its purpose, or because Facebook moderators had by that point identified and disabled the fraudulent account.
Obviously, the most effective way of avoiding the compromise of connected accounts is to avoid any compromise at all. Many organisations expose themselves to illegitimate account access due to insecure email environments. Simple security controls that can reduce the risk and limit the impact of account takeover include activating multi-factor authentication. Password-only authentication is highly risky for a variety of reasons, including the 52% password reuse rate. MFA alone can stop 99.99% of compromises. Organisations can reduce the phishing and social engineering threat and improve incident readiness by training employees to spot suspicious messages and by emulating realistic threats.
And if the worst happens and an account is compromised, incident responders need to check for password reset emails (and other related types of messages). If these emails were received while the threat actor had access, the incident could be even more damaging than it initially appeared.
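The check described above, which lists the password-reset, verification and account-linking notifications that arrived while the threat actor had access and so identifies which connected accounts may also be compromised, can be scripted over a mailbox export. The script below is an added example, not Asceris tooling; the messages, the compromise window, the subject patterns and the `hard_deleted` flag (which in practice would be derived from the audit log's deleted-item events for the mailbox) are all constructed assumptions, and the registrable-domain approximation in `service_of` is a simplification.

```python
"""List other accounts exposed via notifications received during a mailbox compromise.

Added example, not Asceris tooling. The messages and compromise window below are
constructed; in practice the messages come from a mailbox export and the
'hard_deleted' flag from the audit log's hard-delete events for the mailbox.
"""
from datetime import datetime

# Subject fragments that mark password-reset, verification and account-linking
# notifications from other services (assumed list, extend per investigation).
NOTIFICATION_PATTERNS = ("reset your password", "password reset", "verification code",
                         "verify your", "confirm your", "new sign-in", "has been connected",
                         "security code")

# Folders where an attacker may have parked a notification to keep it unseen.
HIDDEN_FOLDERS = {"conversation history", "deleted items", "rss feeds", "junk email"}

# Constructed compromise window: first suspicious sign-in to password reset.
WINDOW_START = "2021-05-15T04:30:00Z"
WINDOW_END = "2021-05-17T12:00:00Z"

CONSTRUCTED_MESSAGES = [
    {"received": "2021-05-14T18:02:00Z", "from": "no-reply@mail.example-bank.test",
     "subject": "Your monthly statement is ready", "folder": "Inbox", "hard_deleted": False},
    {"received": "2021-05-15T05:31:10Z", "from": "security@example-social.test",
     "subject": "123456 is your verification code", "folder": "Deleted Items", "hard_deleted": True},
    {"received": "2021-05-15T06:04:44Z", "from": "noreply@example-bank.test",
     "subject": "Reset your password", "folder": "Conversation History", "hard_deleted": False},
    {"received": "2021-05-15T07:20:00Z", "from": "alerts@example-crypto.test",
     "subject": "A bank account has been connected to your wallet", "folder": "Inbox", "hard_deleted": False},
    {"received": "2021-05-20T10:00:00Z", "from": "security@example-social.test",
     "subject": "Reset your password", "folder": "Inbox", "hard_deleted": False},
]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_account_notification(subject):
    s = subject.lower()
    return any(p in s for p in NOTIFICATION_PATTERNS)


def service_of(address):
    """Registrable-domain approximation (last two labels) so that
    mail.example-bank.test and example-bank.test count as one service."""
    domain = address.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])


def exposed_services(messages, window_start=WINDOW_START, window_end=WINDOW_END):
    """Map each service that sent an account notification inside the window to
    what the responder needs: how many, whether hidden, whether hard-deleted."""
    start, end = _ts(window_start), _ts(window_end)
    exposure = {}
    for m in messages:
        if not is_account_notification(m["subject"]):
            continue
        if not start <= _ts(m["received"]) <= end:
            continue
        entry = exposure.setdefault(service_of(m["from"]), {
            "messages": 0, "hidden": False, "hard_deleted": False,
            "first_seen": m["received"]})
        entry["messages"] += 1
        entry["hidden"] |= m["folder"].lower() in HIDDEN_FOLDERS
        entry["hard_deleted"] |= bool(m["hard_deleted"])
        entry["first_seen"] = min(entry["first_seen"], m["received"])
    return exposure


def reset_order(exposure):
    """Services to re-secure first: hard-deleted evidence, then hidden, then the rest."""
    return sorted(exposure, key=lambda s: (not exposure[s]["hard_deleted"],
                                           not exposure[s]["hidden"],
                                           exposure[s]["first_seen"]))


if __name__ == "__main__":
    exposure = exposed_services(CONSTRUCTED_MESSAGES)
    for service in reset_order(exposure):
        e = exposure[service]
        print(f"{service}: {e['messages']} notification(s), first {e['first_seen']}, "
              f"hidden={e['hidden']}, hard_deleted={e['hard_deleted']}")
```

The output is a prioritised list of services whose passwords should be reset by the legitimate owner and whose activity should be reviewed; a notification that was hard-deleted or moved to a hidden folder is the stronger signal, since the user would not have seen it and the deletion itself is attacker activity.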
Find out more
Asceris’ business email compromise investigations combine the hands-on experience of our incident response specialists with our custom-built technology, enabling our customers and their insurers to respond quickly and with confidence. Our services leverage extensive automation, advanced analytics, automatic risk scoring, best-in-class IP address geolocation, external data feeds and intuitive reports, enabling us to uncover evidence rapidly from a wide range of data sources.
If you are the target of an active business email compromise attack, please request emergency assistance immediately.
Asceris offers a proactive risk assessment for Microsoft 365 environments to our cyber insurance partners and their customers. Our report presents environment-level risks and user-level risks that are based on our experience of responding to Microsoft 365 business email compromise incidents.
To find out more about any of our services, please contact us. To start a conversation or to report any errors or omissions, please feel free to contact the author directly.
Our mission at Asceris is to reduce the financial and business impact of cyber incidents and other adverse events. By understanding the cost drivers of claims and addressing these proactively through automation and continuous process refinement, we are able to deliver high quality incident response services in close collaboration with our industry partners.