This article is a companion piece to a recent Kivu Coffee Break video, which you can watch here.
Since the onset of the COVID-19 pandemic, cyber criminals have been changing their tactics to exploit remote work environments in order to make a fast buck. While the techniques themselves have not changed, Kivu has been seeing an uptick in Business Email Compromise (BEC). Many threat actors are only looking for financial gain, but with access to an individual’s Microsoft 365 account, a threat actor could sync inboxes, contacts, or even other Microsoft cloud services such as SharePoint, OneDrive and Teams. This would constitute a serious privacy breach. Just like ransomware, BEC is preventable and best practices are easy to implement. Here are Kivu’s top tips and tricks to help keep your organization safe.
To begin, it is imperative to know how a threat actor can get into an environment in the first place – it is usually through human error. Typically, a legitimate user will receive a phishing email. Sometimes the email will look exactly like boilerplate Microsoft messages attempting to persuade the user to log on for ‘x’ reason. However, if the user were to hover over hyperlinks in the email, they would notice a tooltip which shows the user the true path of the hyperlink. If this step is missed, they may be directed to a fake website which looks identical to a Microsoft login page. There, an unsuspecting user may enter their Microsoft credentials and—BINGO!—the user has just given a malicious actor the keys to their account.
So, now what? The first thing an IT specialist should do is reset every password within the business environment. You might think resetting passwords for every user is excessive, but the actor can now send phishing emails from the breached account to other team members. We are built to trust the familiar, and this increases the chances of others clicking a malicious link. After resetting all passwords, ensure that multifactor authentication (MFA) is enabled across all accounts. These steps will effectively eliminate any access the threat actor once had.
After your business has changed passwords and enabled MFA, it is important to assess what the threat actor was doing while inside the environment. Kivu has seen, time and time again, threat actors creating inbox rules to hide emails the legitimate user received. If the attack is financially motivated, you might see malicious inbox rules such as “If subject contains ‘$’, mark email as read and move to Deleted Items folder”. Further, check your Sent Items folder and look for any unusual activity such as emails with fake invoices or messages sent to contacts asking them to enter login credentials. If the threat actor cannot find an avenue for monetary gain, they may attempt to pivot and send out further phishing emails to your business contacts.
These are just initial considerations around BEC mitigation and prevention, but there are many things one can do for better protection. One best practice every organization should be following is enabling unified audit logs. In the event of an incident, the unified audit log is the most crucial piece of evidence during an investigation. Ensure these logs are set to document the full 90 days Microsoft allows for—because the more information, the better! Unified audit logs and due diligence logs allow investigators like Kivu to determine indicators of compromise. In fact, Kivu has developed an automated tool to significantly speed up this process and run the evaluation remotely (download our BEC investigations factsheet for more information). Once breached accounts are identified, the next step is to perform a message trace to find phishing emails sent and received and track anyone who was contacted by the threat actor.
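The two points above, hunting for inbox rules that hide mail and relying on the unified audit log to do it, can be combined into a simple triage script. The following is an added example written for this article; it is not Kivu's automated tool and not code from the original post. It assumes the records are the AuditData JSON returned by Search-UnifiedAuditLog for Exchange inbox-rule operations (New-InboxRule, Set-InboxRule), where rule settings appear as a Parameters list of Name/Value pairs; the sample records, addresses and IPs are constructed for illustration.

```python
"""Flag suspicious inbox-rule operations in Microsoft 365 unified audit log records.

Added example (not Kivu's tool). Assumes each input line is the AuditData JSON
string from one Search-UnifiedAuditLog row for an Exchange inbox-rule operation.
"""
import json

# Constructed sample records: what an investigator would export for review.
SAMPLE_AUDIT_DATA = [
    json.dumps({  # classic BEC hiding rule: terse name, "$" in subject, read + deleted
        "CreationTime": "2020-06-01T13:04:11", "Operation": "New-InboxRule",
        "Workload": "Exchange", "UserId": "finance.user@example.com",
        "ClientIP": "203.0.113.7",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "SubjectContainsWords", "Value": "$"},
            {"Name": "MarkAsRead", "Value": "True"},
            {"Name": "MoveToFolder", "Value": "Deleted Items"},
        ],
    }),
    json.dumps({  # benign housekeeping rule created by a real user
        "CreationTime": "2020-06-01T09:15:00", "Operation": "New-InboxRule",
        "Workload": "Exchange", "UserId": "hr.user@example.com",
        "ClientIP": "198.51.100.20",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "From", "Value": "news@example.net"},
            {"Name": "MoveToFolder", "Value": "Reading"},
        ],
    }),
    json.dumps({  # an existing rule modified to silently delete payment-related mail
        "CreationTime": "2020-06-02T02:44:31", "Operation": "Set-InboxRule",
        "Workload": "Exchange", "UserId": "hr.user@example.com",
        "ClientIP": "203.0.113.7",
        "Parameters": [
            {"Name": "Identity", "Value": "Newsletters"},
            {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    }),
    json.dumps({  # unrelated operation, must be ignored
        "CreationTime": "2020-06-02T03:00:00", "Operation": "MailItemsAccessed",
        "Workload": "Exchange", "UserId": "hr.user@example.com",
    }),
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Enable-InboxRule"}
HIDE_FOLDERS = {"deleted items", "junk email", "rss subscriptions", "archive", "conversation history"}
FORWARD_ACTIONS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
CONDITION_KEYS = ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords")
FINANCE_WORDS = ("$", "invoice", "payment", "wire", "remit")


def parse_parameters(record):
    """Flatten the Parameters list into a {Name: Value} dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def score_rule(params):
    """Return the list of reasons a rule looks like a BEC hiding rule (empty = benign)."""
    reasons = []
    folder = params.get("MoveToFolder", "").lower()
    if folder in HIDE_FOLDERS:
        reasons.append(f"moves mail to '{params['MoveToFolder']}'")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks matching mail as read")
    for key in FORWARD_ACTIONS:
        if key in params:
            reasons.append(f"{key} -> {params[key]}")
    conditions = " ".join(params.get(k, "") for k in CONDITION_KEYS).lower()
    if any(word in conditions for word in FINANCE_WORDS):
        reasons.append(f"matches finance-related words: {conditions!r}")
    name = params.get("Name", "")
    if name and (len(name.strip()) <= 2 or not any(c.isalpha() for c in name)):
        reasons.append(f"inconspicuous rule name {name!r}")
    return reasons


def find_suspicious_rules(audit_data_lines):
    """Yield one finding per inbox-rule operation that scores at least one reason."""
    findings = []
    for line in audit_data_lines:
        record = json.loads(line) if isinstance(line, str) else line
        if record.get("Operation") not in RULE_OPERATIONS:
            continue
        params = parse_parameters(record)
        reasons = score_rule(params)
        if reasons:
            findings.append({
                "time": record.get("CreationTime"), "user": record.get("UserId"),
                "ip": record.get("ClientIP"), "operation": record["Operation"],
                "rule": params.get("Name") or params.get("Identity"), "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_AUDIT_DATA):
        print(f"{f['time']} {f['user']} from {f['ip']}: {f['operation']} '{f['rule']}'")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

The heuristics are deliberately simple: a rule that routes mail to Deleted Items, deletes it, marks it read, or forwards it externally, especially when its conditions mention money, is exactly the pattern described above. Each finding carries the user, time and client IP, which is what you need next to pull the matching sign-in records and run the message trace.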
As mentioned in a previous blog, Mal-Where? What to Look Out for Online, staying cyber-secure is something all of us want, but the buck ultimately stops with the individual. The best thing all of us can do to remain safe is to stop rushing and think before we act. This advice is worth repeating because many cyber security incidents like business email compromises and ransomware attacks can be prevented simply by enabling MFA or hovering over a link before clicking. These extra steps take only seconds but can save a lot of headaches and the stress of a breach and subsequent investigation.
Kivu is committed to supporting organizations in improving their security posture, offering a range of enterprise protection services. We hope these practical tips and insights from our analysts help inform you and your staff. Should you require incident response support, get in touch.