Email is the most common method of business communication today and, unfortunately, it is also the most common avenue for a threat actor to attack your organization. The pandemic has seen a 600% increase in sophisticated phishing email attacks, and remote work only adds to it. To fight these rampant cyberattacks, companies must incorporate security best practices into their everyday work environment.
There are different ways a hacker can attack your system, including malicious code, ransomware, phishing scams, computer viruses, and even hybrid attacks. The emergence of machine learning has made these attacks more sophisticated, making it extremely difficult for organizations to protect their infrastructure. Because email is the basic means of communication within many organizations, it is especially prone to phishing attacks. In this blog, we will look at a day in the life of a hacker, what they can do when an account is compromised, what you need to do to protect your email inboxes, and a quick demo of how a hacker can easily get into your system.
A Day in the Life of a Hacker - What They Can Do When an Account is Compromised
Hackers work to grab your password: A hacker can obtain your password in a number of ways, most commonly through one or a combination of brute-force attacks, spoofing, phishing, malware, and password spraying. Of these, phishing is probably the quickest and most effective method because it relies on human error rather than on the effort of cracking someone's password. According to statistics, 95% of cybersecurity breaches are caused by human error.
Once they have your password, hackers will connect to your inbox through old, less-monitored protocols: Once the hackers have harvested the user's credentials, possibly through a phishing email, they log into the mailbox through an IMAP connection. IMAP is considered a legacy protocol; it is simply a way to connect to a mailbox and download its contents to a machine so that emails can be viewed offline without connecting to the tenant again. This also lets the hackers sift through an entire mailbox for any sensitive information they can use in their next attack. Hackers can either continue to attack the company they compromised or attack other companies through the compromised account. They can keep attacking the same company by sending malicious emails to the CFO, for example, or to someone on the finance team if they are trying to extract financial information. They can also send phishing emails to your entire contact list, your partners, or anybody you have dealt with in the past, anybody who appears in your email history, in order to capture additional credentials.
Hackers can easily hide their location, which makes it extremely difficult to trace them: Once the hackers have decided what they want to do, their next step is to log back in from various countries such as China, Russia, Bulgaria, or Nigeria. They hide their IP addresses behind a VPN (Virtual Private Network) or Tor (The Onion Router) and sign in from different locations to obscure their identity.
Hackers can create forwarding rules so your emails go to mailboxes they designate: One of the primary reasons hackers sign back in to the compromised account is to set up "forwarding rules." A forwarding rule typically sends incoming email to an account owned by the hacker. In some cases the rule is triggered only by certain keywords such as funds, donations, wire transfer, or invoice; in others it simply says "forward every email coming into this mailbox to my (i.e., the hacker's) Gmail account." All the hacker needs to do then is monitor that Gmail account for discussions about fund transfers, donations, and invoices, and when those emails arrive they can plan their next attack.
As they say, knowledge is power. By doing this, the hacker learns who usually approves invoices, how funds get transferred, where donations come from, and other finance-related details, and uses that knowledge to plan the next attack or pick the next victim. They then send fake invoices while impersonating those trusted individuals, hoping to fool someone in the company into transferring funds to their accounts, and most of the time it works.
Hackers will delete traces of their entry into your system in an attempt to hide their tracks: Hackers try to minimize their footprint by deleting the emails they sent from the compromised account, and this is typically done in an automated fashion.
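The forwarding and cleanup rules described above leave a visible artefact in the mailbox: the inbox rules themselves. The following script is an added example for this post (not ProServeIT's code) that triages an exported list of inbox rules and flags the patterns just discussed: forwarding to an external address, triggering on finance keywords, deleting matching messages, moving mail into folders the owner rarely opens, and near-empty rule names. The rule records are constructed for the demo; their field names are modelled on the properties an Exchange Online inbox rule exposes (`ForwardTo`, `RedirectTo`, `DeleteMessage`, `SubjectContainsWords`, `MoveToFolder`), while `INTERNAL_DOMAINS`, `FINANCE_KEYWORDS` and every address and value are assumptions.

```python
"""Triage exported inbox rules for signs of a compromised mailbox.

Added example; not code from the original post. All rule records below are
constructed, with field names modelled on Exchange Online inbox rule
properties and invented values.
"""
from __future__ import annotations

import json

INTERNAL_DOMAINS = {"contoso.example"}  # assumption: the organisation's own mail domains
FINANCE_KEYWORDS = {"invoice", "wire", "transfer", "funds", "donation", "payment"}
# Folders commonly used to park moved mail where the mailbox owner will not notice it
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History",
                  "Junk Email", "Deleted Items"}

# Constructed export (e.g. the JSON you would get from serialising a rule listing)
CONSTRUCTED_RULES = json.dumps([
    {"Name": "Move newsletters", "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "DeleteMessage": False, "SubjectContainsWords": ["newsletter"],
     "MoveToFolder": "Newsletters"},
    {"Name": ".", "Enabled": True,  # near-empty names are a classic sign of a planted rule
     "ForwardTo": ["attacker.mailbox@gmail.example"], "RedirectTo": [],
     "DeleteMessage": False, "SubjectContainsWords": ["invoice", "wire transfer"],
     "MoveToFolder": "RSS Feeds"},
    {"Name": "Cleanup", "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "DeleteMessage": True, "SubjectContainsWords": [], "MoveToFolder": None},
])


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an SMTP address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_external(address: str) -> bool:
    """True when the address is not in one of the organisation's own domains."""
    return _domain(address) not in INTERNAL_DOMAINS


def triage_rule(rule: dict) -> list[str]:
    """Return a list of findings for one rule; an empty list means nothing suspicious."""
    findings: list[str] = []
    if not rule.get("Enabled", True):
        return findings  # disabled rules are noted elsewhere; they do nothing today

    # 1. Mail leaving the organisation via forward/redirect actions
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for addr in rule.get(field) or []:
            if is_external(addr):
                findings.append(f"{field} sends mail to external address {addr}")

    # 2. Triggers keyed on finance vocabulary (funds, invoices, wire transfers ...)
    words = [w.lower() for w in (rule.get("SubjectContainsWords") or [])
             + (rule.get("BodyContainsWords") or [])]
    hits = sorted({k for k in FINANCE_KEYWORDS for w in words if k in w})
    if hits:
        findings.append("triggered by finance keyword(s): " + ", ".join(hits))

    # 3. Actions that hide the evidence from the mailbox owner
    if rule.get("DeleteMessage"):
        findings.append("deletes matching messages, hiding them from the mailbox owner")
    if rule.get("MoveToFolder") in HIDING_FOLDERS:
        findings.append(f"moves matching messages into rarely-read folder "
                        f"{rule['MoveToFolder']!r}")

    # 4. Rule names attackers pick to avoid drawing attention
    name = (rule.get("Name") or "").strip()
    if len(name) <= 2:
        findings.append(f"near-empty rule name {name!r}")
    return findings


def triage_rules(json_text: str) -> dict[str, list[str]]:
    """Map each rule name in the export to its findings."""
    return {r.get("Name", ""): triage_rule(r) for r in json.loads(json_text)}


if __name__ == "__main__":
    for name, findings in triage_rules(CONSTRUCTED_RULES).items():
        status = "OK" if not findings else "REVIEW"
        print(f"[{status}] {name!r}")
        for f in findings:
            print("    -", f)
```

In practice you would feed `triage_rules` the serialised output of your mail platform's rule listing for every mailbox, and treat any rule with an external forward or a `DeleteMessage` action as an incident lead rather than a curiosity.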
Insights on what you need to do to protect your mailbox
As an organization, you need to be proactive about these attacks and close any gaps that could let someone in through your email, keeping in mind that email is only one of the vectors hackers are attacking these days. Since it is one of the most attacked vectors, what can you do to protect your environment and your emails?
Stop Password Grabbing in its Tracks:
1. Multifactor Authentication (MFA) 🔒 : Implementing MFA can stop hackers from signing in even with stolen passwords. Even if you handed the hacker your credentials by falling for a phishing attack, they still could not sign in, because a second authentication factor such as a randomly generated code would be required.
2. Spoof Protection 🛡️ : Proper spoof protection, such as putting DMARC and DKIM records in place, can stop hackers from spoofing and impersonating you, your employees, and your executives.
3. Defender for Office 365 🔎 : If your organization has Defender for Office 365, improved EOP (Exchange Online Protection) settings, and ransomware protection rules in place, it can detect malicious links in phishing emails and block a malicious invoice attachment before it reaches your mailbox. Policies can also be put in place to ban common passwords (like Password123) from being used by your employees.
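Publishing a DMARC or DKIM record is only half of item 2; the record also has to say something enforceable. The script below is an added example for this post (not ProServeIT's code) that parses the tag=value syntax both record types use and grades a DMARC record as monitoring-only (`p=none`), partial (`pct` below 100, no `rua` reporting address) or enforcing (`p=reject`), and checks that a DKIM selector record actually carries a public key. The two DMARC records and the DKIM record are constructed; `contoso.example` and the placeholder key are assumptions.

```python
"""Grade DMARC and DKIM TXT records: weak (monitor-only) versus enforcing.

Added example; not code from the original post. Records are constructed.
"""
from __future__ import annotations

# Constructed records: a monitoring-only DMARC record next to an enforcing one
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc-reports@contoso.example; adkim=s; aspf=s")
# Constructed DKIM selector record; the key is a labelled placeholder, not a real key
DKIM_OK = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"
DKIM_REVOKED = "v=DKIM1; k=rsa; p="


def parse_tags(record: str) -> dict[str, str]:
    """Split 'k=v; k2=v2' into a dict; tag names are case-insensitive."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return weaknesses in a DMARC record; an empty list means it enforces."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (v=DMARC1 missing)"]
    issues: list[str] = []

    policy = tags.get("p")
    if policy is None:
        issues.append("p= tag missing; receivers will ignore the record")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine sends spoofed mail to junk instead of rejecting it")
    elif policy != "reject":
        issues.append(f"unknown policy value {policy!r}")

    if tags.get("sp") == "none":
        issues.append("sp=none leaves subdomains unprotected")

    pct = tags.get("pct", "100")  # default is 100 when the tag is absent
    if not pct.isdigit() or int(pct) < 100:
        issues.append(f"pct={pct} applies the policy to only part of the mail stream")

    if "rua" not in tags:
        issues.append("no rua= address, so you receive no aggregate reports")
    return issues


def assess_dkim(record: str) -> list[str]:
    """Return problems with a DKIM selector record; empty list means usable."""
    tags = parse_tags(record)
    issues: list[str] = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional but must be DKIM1 if present
        issues.append(f"unexpected version {tags['v']!r}")
    if not tags.get("p"):
        issues.append("empty or missing p=; key is revoked or the record is incomplete")
    if tags.get("t") == "y":
        issues.append("t=y marks the domain as testing; verifiers may not enforce")
    return issues


if __name__ == "__main__":
    for label, rec in (("weak DMARC", WEAK_DMARC), ("strong DMARC", STRONG_DMARC)):
        print(label, "->", assess_dmarc(rec) or ["enforcing"])
    for label, rec in (("DKIM ok", DKIM_OK), ("DKIM revoked", DKIM_REVOKED)):
        print(label, "->", assess_dkim(rec) or ["usable"])
```

To check a live domain, pass the TXT value returned by `dig TXT _dmarc.yourdomain.example` (or `<selector>._domainkey.yourdomain.example` for DKIM) to the same functions; moving from `p=none` to `p=reject` is the change that actually stops the impersonation described above.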
Disable Old Protocols:
4. Legacy Authentication Protocols ⚠️ : It is essential to disable legacy authentication protocols like IMAP/POP so that hackers cannot sign in with a stolen password and download an offline local copy of your mailbox.
Deny Access to Hackers:
5. Conditional Access Policies ⛔ : Conditional access policies, used together with MFA, can keep hackers from signing in from outside your country of operation. For example, if you operate from Canada or the United States, you can create a rule that allows your users to authenticate to your tenant only from that country, that location, or that IP address range. Hackers would then be unable to sign in from outside your home country or outside that specific range of IPs.
Block Forwarding Rules from Being Enabled:
6. Auto Forwarding ↪️ : Blocking auto-forwarding by enabling a rule that disallows email auto-forwarding stops hackers from redirecting important corporate emails to another unauthorized account, such as their Gmail account.
Improve Mailbox Auditing:
7. Mailbox Auditing 📧 : With proper mailbox auditing in place, you have far more information about what the hacker did inside the mailbox. This helps the investigation establish what was accessed, what was deleted, and what emails were sent, and gives a better picture of what the hackers did within your environment.
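Items 4, 5 and 7 come together in the sign-in log: once auditing is on, a legacy-protocol login or a successful sign-in from a country you never operate from is exactly what the log lets you spot, and it is also what a conditional access policy would have blocked. The script below is an added example for this post (not ProServeIT's code) that runs those two checks over a handful of sign-in events and reports, per user, the set of countries they successfully signed in from. The events are constructed, written as JSON lines with a simplified schema (`user`, `ip`, `country`, `client_app`, `status`) rather than any platform's native export; `ALLOWED_COUNTRIES`, `LEGACY_CLIENT_APPS` and all addresses are assumptions.

```python
"""Flag legacy-protocol and out-of-country sign-ins in a sign-in log.

Added example; not code from the original post. Events are constructed and
use a simplified schema, not a vendor's native log format.
"""
from __future__ import annotations

import json
from collections import defaultdict

ALLOWED_COUNTRIES = {"CA", "US"}  # assumption: where this organisation's staff work
# Client types that authenticate with a bare username/password (assumed names)
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP"}

# Constructed sign-in events, one JSON object per line (IPs from documentation ranges)
CONSTRUCTED_SIGNINS = """\
{"time": "2021-03-01T08:02:11Z", "user": "bob@contoso.example", "ip": "203.0.113.10", "country": "CA", "client_app": "Browser", "status": "Success"}
{"time": "2021-03-01T08:15:40Z", "user": "alice@contoso.example", "ip": "203.0.113.22", "country": "CA", "client_app": "Browser", "status": "Success"}
{"time": "2021-03-01T23:41:05Z", "user": "alice@contoso.example", "ip": "198.51.100.7", "country": "BG", "client_app": "IMAP4", "status": "Success"}
{"time": "2021-03-02T03:12:59Z", "user": "alice@contoso.example", "ip": "192.0.2.45", "country": "NG", "client_app": "Browser", "status": "Success"}
{"time": "2021-03-02T03:20:00Z", "user": "alice@contoso.example", "ip": "192.0.2.46", "country": "RU", "client_app": "IMAP4", "status": "Failure"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines input, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_event(event: dict) -> list[str]:
    """Findings for one successful sign-in; failures are not flagged here."""
    findings: list[str] = []
    if event.get("status") != "Success":
        return findings
    if event.get("client_app") in LEGACY_CLIENT_APPS:
        findings.append(f"legacy protocol {event['client_app']} sign-in from {event['ip']}")
    if event.get("country") not in ALLOWED_COUNTRIES:
        findings.append(f"sign-in from outside allowed countries "
                        f"({event['country']}, {event['ip']})")
    return findings


def triage_signins(text: str) -> dict[str, list[str]]:
    """Map each user with at least one finding to a time-stamped list of findings."""
    report: dict[str, list[str]] = defaultdict(list)
    for event in parse_events(text):
        for finding in flag_event(event):
            report[event["user"]].append(f"{event['time']}: {finding}")
    return dict(report)


def countries_per_user(text: str) -> dict[str, set[str]]:
    """Countries each user successfully signed in from; several is worth a look."""
    seen: dict[str, set[str]] = defaultdict(set)
    for event in parse_events(text):
        if event.get("status") == "Success":
            seen[event["user"]].add(event["country"])
    return dict(seen)


if __name__ == "__main__":
    for user, findings in triage_signins(CONSTRUCTED_SIGNINS).items():
        print(user)
        for f in findings:
            print("    -", f)
    for user, countries in countries_per_user(CONSTRUCTED_SIGNINS).items():
        if len(countries) > 1:
            print(f"{user} signed in from {len(countries)} countries: {sorted(countries)}")
```

With legacy authentication disabled and a location-based conditional access policy in place, the two flagged IMAP4 and out-of-country events would have been failures instead of successes; until then, this is the query an investigator runs first after a phishing report.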
Now, let's take a quick look at a phishing attack from a hacker's perspective. To start, we create our own phishing link with a tool called Hidden Eye, which can generate a phishing page imitating different platforms. For this demo we created a Microsoft phishing page; it is quite easy for anyone to obtain these tools and create their own phishing links. It does not have to be a world-famous hacker or a hacking group; practically anybody around the world can do it. Attacks happen every single day, from script kiddies to actual hackers, and it is just a matter of increasing your awareness.
As shown in the demo above, these are some of the ways hackers can steal your password, log into your environment, steal information from it, and plan their next attack. Keep in mind that anybody could be a victim of cybercrime; it is a matter of when you get hit, not if.
Are you Ready to Protect your Email Inbox and Prevent Phishing and Spam?
Organizations suffer from both targeted and non-targeted attacks, so it does not matter what your business is or how many employees you have: if you have an exposed vulnerability, it will be used and abused. At ProServeIT, we offer a Mailbox Guardian Report that captures information from your Office 365 tenant, helps you find out where your gaps are, and recommends how to close them to improve your overall security posture.
We also offer phishing campaign assessments. Their results show how susceptible the personnel in your organization are to social engineering attacks, specifically email phishing. Part of this includes setting up a phishing payload and seeing who clicks on the phishing links and who actually provides their credentials. Those who fail take a training module in an interactive video format to help them understand how phishing works.
If you are interested in finding out whether your organization is susceptible to these phishing attacks, we recommend running simulated phishing attacks at least twice a year, depending on the organization. Afterward, you receive a report showing who passed, who failed, who clicked on the link, who provided their credentials, and who did or did not complete the training, so we can follow up until every user has completed their training and been educated against phishing attacks.
In addition to these offerings, there are Microsoft-funded security workshops that we can help deliver in your environment. Because they are Microsoft funded, they are complimentary for your organization.
We also have a security operations center offering called Alarm Guardian. It can help secure your IT environment, including Office 365, email, SharePoint, OneDrive, Teams, your Azure tenant, servers, Google Cloud, Amazon cloud, workstations, firewalls, etc. With Alarm Guardian, you can keep an eye on your environment for security risks 24x7. There are different tiers to choose from based on your organization's size, and we can either deploy it for you to manage yourself or manage security on your behalf through our security operations center as a managed service.
Edited by: Nikita Gill and Betty Quon