Despite costing companies untold billions of dollars every year, email account compromise (EAC), business email compromise (BEC), and other email-based scams garner less attention (from defenders and media alike) than costly and often high-profile ransomware attacks.

In today's blog, we're going to discuss the scope of email-based threats and offer guidance on what security teams can do about it. Specifically, we're going to talk about how Office 365 telemetry can help you detect email-based threats, and even more specifically about how we're developing detection analytics that use Microsoft Unified Audit Logs to catch adversaries who attempt to forward email messages, a behavior associated with all varieties of email-based threats and a wide variety of other attack techniques. Additionally, we're going to explain how you can leverage this telemetry source in your own environment, and we'll also include some tests you can run to validate your detection coverage.

The problem, quantified as best we can

According to the FBI Internet Crime Complaint Center (IC3), BEC alone cost victims more than $43B between June 2016 and December 2021, a figure that only increases when you combine it with other email-based threats. Cost estimates for ransomware, on the other hand, are all over the place, with the IC3 (almost certainly under-)reporting $30M in losses in 2020. Another oft-cited (but unsubstantiated) report estimates that ransomware might have cost as much as $20B in 2021.

Whatever the actual numbers are, the damages caused by email schemes are right on par with those caused by ransomware, and therefore we should probably make sure we're not treating these email-based threats as an afterthought.

An example, so we can show you how to detect bad things

We're focusing on just one variant of email compromise in this article, namely those that involve an adversary who leverages email forwarding rules. Let's talk through how things might play out before we describe some detection and testing options.

We'll start at the point where an adversary has successfully logged into a victim's mailbox. From there, an adversary can attempt to maintain access for as long as possible, quietly collecting valuable or sensitive information by simply reading through individual email messages, manually exporting messages to review offline, or stealthily forwarding email messages to external email accounts.

In the latter scenario, adversaries may create email forwarding rules tied to a user's account that auto-forward all or specific emails to an external SMTP address. Auto-forwarding emails in this way allows an adversary on-demand and real-time access to email messages without worrying about the legitimate user deleting emails or even changing their password. In other words, adversaries set up forwarding rules as a form of insurance in case they lose access to their victim's email account.

In our example, we'll say the adversary is only interested in emails that contain terms like "direct deposit," "wire transfer," or "password reset." As such, they can set up a rule that automatically moves any emails containing those words in any part of the email to a mailbox folder the victim rarely checks, like their "RSS Feeds" or "Archived" folder.
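To make the detection idea concrete, here is an added example (not code from the blog or from Red Canary) that runs two checks over Unified Audit Log records: an inbox rule or mailbox setting that forwards mail to an address outside the tenant, and a content-filtered rule that hides the messages it matches by moving, deleting, or marking them read. It assumes the layout that the AuditData field of Search-UnifiedAuditLog output has for Exchange cmdlet operations (an "Operation", a "UserId", and a "Parameters" list of Name/Value pairs), and it uses the real Exchange parameter names for those cmdlets. The sample records, the tenant domain corp.example, and the external addresses are all constructed for the example.

```python
"""Flag external forwarding and content-hiding inbox rules in Unified Audit Log records.

Added example, not the blog's code. Assumes the AuditData JSON layout written for
Exchange Online cmdlet operations: {"Operation", "UserId", "Parameters": [{"Name", "Value"}]}.
"""
import json
import re

INTERNAL_DOMAINS = {"corp.example"}  # placeholder: the tenant's accepted domains

# Exchange cmdlet parameters (New-InboxRule / Set-InboxRule / Set-Mailbox) that send mail elsewhere
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
# parameters that make a rule match on message content
KEYWORD_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}
# parameters that keep matched messages out of the user's sight
HIDE_PARAMS = {"MoveToFolder", "DeleteMessage", "MarkAsRead"}
# terms the blog's scenario names as interesting to an adversary
SENSITIVE_WORDS = {"direct deposit", "wire transfer", "password reset"}
WATCHED_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# values arrive in several shapes ("smtp:a@b", '"Name" [SMTP:a@b]', "a@b;c@d"), so pull addresses by pattern
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _params(record):
    """Flatten the Parameters list into a plain dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _external_addresses(value):
    """Addresses in a parameter value whose domain is not one of ours."""
    return [a.lower() for a in EMAIL_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def analyze(record):
    """Return a list of finding strings for one audit record; empty means nothing notable."""
    if record.get("Operation") not in WATCHED_OPS:
        return []
    params = _params(record)
    findings = []

    # check 1: anything that routes mail to an external recipient
    for name in sorted(FORWARD_PARAMS & params.keys()):
        ext = _external_addresses(params[name])
        if ext:
            findings.append(f"external forwarding via {name}: {', '.join(ext)}")

    # check 2: a keyword-matching rule that also hides what it matches
    keywords = " ".join(params[k] for k in sorted(KEYWORD_PARAMS & params.keys())).lower()
    hides = sorted(k for k in HIDE_PARAMS & params.keys() if params[k] != "False")
    if keywords and hides:
        hit = sorted(w for w in SENSITIVE_WORDS if w in keywords)
        findings.append(f"content-filtered rule hides matching mail ({', '.join(hides)}; "
                        f"terms: {', '.join(hit) or 'none'})")
    return findings


def analyze_records(auditdata_lines):
    """Parse each AuditData JSON string; return [(user, operation, findings)] for records with findings."""
    alerts = []
    for line in auditdata_lines:
        rec = json.loads(line)
        found = analyze(rec)
        if found:
            alerts.append((rec.get("UserId"), rec.get("Operation"), found))
    return alerts


# constructed sample records: the blog's keyword rule, a mailbox-level forward, and a benign rule
SAMPLE_AUDITDATA = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@corp.example", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectOrBodyContainsWords", "Value": "direct deposit;wire transfer;password reset"},
        {"Name": "MoveToFolder", "Value": "RSS Feeds"},
        {"Name": "MarkAsRead", "Value": "True"},
        {"Name": "ForwardTo", "Value": "collector@mail.example.net"}]}),
    json.dumps({"Operation": "Set-Mailbox", "UserId": "bob@corp.example", "Parameters": [
        {"Name": "Identity", "Value": "bob"},
        {"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.personal@webmail.example.org"},
        {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "carol@corp.example", "Parameters": [
        {"Name": "Name", "Value": "Team updates"},
        {"Name": "From", "Value": "newsletter@corp.example"},
        {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
]

if __name__ == "__main__":
    for user, op, found in analyze_records(SAMPLE_AUDITDATA):
        print(f"{user} {op}")
        for f in found:
            print(f"  - {f}")
```

Feed it the AuditData strings you export from Search-UnifiedAuditLog (or from the Office 365 Management Activity API) and it will surface the first two sample records while ignoring the benign third one. Two caveats worth knowing before you rely on it: a rule created from the Outlook desktop client is logged under a different operation (UpdateInboxRules) with a different property layout that this parser does not read, and a rule that forwards only to internal addresses or hides mail without a keyword filter is deliberately left alone here, so tune the word list and the hide logic to what is normal in your tenant.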