Anatomy of an Account Compromise

Email attacks have threatened businesses since email's inception, but over the last decade they have evolved exponentially in sophistication and frequency. Instead of relying on detectable malware, links and attachments, attackers now use social engineering to impersonate trusted sources. These highly believable impersonations have led to a surge in account takeovers, and it all happens very quickly: half of compromised accounts are accessed within 12 hours of an attack. Unfortunately, the ongoing COVID-19 pandemic has added fuel to the fire. The rise in remote working, alongside fear and uncertainty, has supplied both ideal content for incredibly realistic phishing emails and a workforce more likely to fall victim to them.

Against these evolving email threats, traditional tools that look for malicious emails based on what past campaigns looked like are falling far short. The problem is that these breaches are often zero-day, unique attacks that haven't been seen before. All a threat actor needs to do is compromise one person's email account to gain a foothold in the business. From there they can get their hands on employee credentials, sensitive information and financial details, all of which empower them to cause chaos.

What an Attack Looks Like

Account compromise attacks are among the most difficult to detect and the most destructive to businesses. Because they aren't easy to uncover, attackers can lie in wait for some time, and that is exactly what they do. Cybercriminals are stealthy and constantly find new ways to remain undetected for long periods so they can maximise their impact. In fact, in more than one-third of hijacked accounts the cybercriminals dwell for more than a week before launching their attack.

Understanding attacker behaviour and what an attack looks like is the first step towards proper protection. Here is the typical attack chain cybercriminals employ to breach your business:

  1. Obtain Credentials – cybercriminals use phishing attacks to collect email account details or purchase stolen credentials on the dark web.
  2. Gain Control – once they have account details, attackers log in, change passwords and set up mail forwarding rules to ensure they retain full control.
  3. Monitor Activity – at this point it's all about reconnaissance. Attackers lie low, monitor activity and wait for the optimal moment to join a conversation.
  4. Launch Attack – this is where the real attack happens: an incredibly realistic email is sent to fool the recipient into assuming it comes from a trusted source.
  5. Trick Recipient – they may harvest more credentials, obtain sensitive or valuable information, or spread ransomware, all while continuing to appear as a legitimate user.

Mitigation Strategies Against Account Compromise

To defend against account compromise you must be able to detect unauthorised users inside legitimate email accounts. This is no mean feat: the usual indicators of compromise aren't there to look out for, and secure email gateways are rendered useless. The fact is that these emails trick both humans and traditional security tools every day. To stand a chance, you need a defence in depth approach with advanced threat protection alongside artificial intelligence (AI) and machine learning-based technology:

  • Defence in depth – a single layer of protection isn't enough against today's sophisticated attacks. Defence in depth layers protection across your organisation: not only traditional defences such as secure email gateways, antivirus, authentication and encryption, but also threat intelligence and behavioural analysis. It is the latter that can pick up zero-day attacks that lack traditional indicators of compromise.
  • AI and Machine Learning – with cybercriminals deploying their best tactics, you need to deploy best-in-field technology. AI and machine learning spot unusual activity by analysing behaviour and building a contextual understanding. Having learned what good email behaviour looks like, the system can then flag anomalies and patterns. Every email from every user and device is scrutinised so that previously established accounts can be trusted before anything reaches the inbox.
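The behavioural check described above, applied to step 2 of the attack chain (the attacker setting up forwarding rules), as an added example that is not part of the original article or InfoTrust's tooling. It correlates mailbox audit events, flagging any new inbox rule that forwards mail outside the organisation and raising the severity when the same user signed in from an unfamiliar IP shortly beforehand. The event field names, the sample events and the per-user baseline of known IPs are all constructed assumptions, not a vendor's log schema.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real log data). Field names are
# assumptions modelled loosely on mailbox audit logs, not any vendor schema.
EVENTS = [
    {"ts": "2021-03-01T08:02:00", "user": "alice@example.com",
     "op": "login", "ip": "203.0.113.10"},
    {"ts": "2021-03-01T08:15:00", "user": "alice@example.com",
     "op": "login", "ip": "198.51.100.7"},
    {"ts": "2021-03-01T08:21:00", "user": "alice@example.com",
     "op": "new_inbox_rule", "forward_to": "alice.backup@mail-example.net"},
    {"ts": "2021-03-01T09:00:00", "user": "bob@example.com",
     "op": "new_inbox_rule", "forward_to": "archive@example.com"},
    {"ts": "2021-03-01T10:00:00", "user": "carol@example.com",
     "op": "new_inbox_rule", "forward_to": "carol.home@mail-example.net"},
]
INTERNAL_DOMAINS = {"example.com"}
# Constructed baseline: the source IPs each user normally signs in from.
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"},
             "bob@example.com": {"203.0.113.11"}}


def find_suspicious_forwarding(events, known_ips, internal_domains,
                               window=timedelta(hours=24)):
    """Alert on inbox rules that forward mail outside the organisation.
    Severity is 'high' when the user signed in from an unfamiliar IP
    within `window` before the rule was created, 'medium' otherwise."""
    alerts = []
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    for i, ev in enumerate(events):
        if ev["op"] != "new_inbox_rule":
            continue
        domain = ev["forward_to"].rsplit("@", 1)[-1].lower()
        if domain in internal_domains:
            continue  # forwarding within the organisation is routine
        rule_time = datetime.fromisoformat(ev["ts"])
        unfamiliar = [
            e["ip"] for e in events[:i]
            if e["op"] == "login" and e["user"] == ev["user"]
            and e["ip"] not in known_ips.get(ev["user"], set())
            and rule_time - datetime.fromisoformat(e["ts"]) <= window
        ]
        alerts.append({"user": ev["user"], "forward_to": ev["forward_to"],
                       "severity": "high" if unfamiliar else "medium",
                       "unfamiliar_ips": unfamiliar})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_forwarding(EVENTS, KNOWN_IPS, INTERNAL_DOMAINS):
        print(alert)
```

In a real deployment the baseline of known IPs would be learned from weeks of sign-in history rather than hard-coded, and the window can be widened to cover the multi-day dwell times the article describes.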

How to Protect Your Business

Email is a primary attack vector for cybercriminals. In fact, 78% of attackers don't access any applications outside of email. So it pays to ensure you are fully protected against the most advanced and sophisticated attacks. To find out how well your business is defended, get in touch with InfoTrust today for an email security assessment.

If you'd like to find out about the anatomy of a vendor email compromise, click here.
