Our Information Security Manager, Greg Nott, has analysed a recent security alert that came under our radar and has provided his insights on how you can avoid this happening to your people.
The following article addresses the alert that we noticed, the steps we took to secure this and how this can be avoided in the future. We want to help you avoid this happening to your organisation, so keep reading for Greg's insight.
The alert:
We recently received an alert that a user’s email address had been found for sale on the dark web along with a password. Instantly we took action to reset the user’s password followed by checking the log files for any suspicious log-in attempts to avoid this happening again.
Unsurprisingly we were able to see several unsuccessful attempts to log in to the account in the days prior – either blocked because they originated from a known malicious IP address, or because the user account in question had Multi-Factor Authentication enabled meaning the password alone was not enough for the attacker.
What was more interesting was that, while investigating this first alert, the same user raised a separate ticket about receiving a large volume of spam emails a day earlier.
Spam and phishing emails are on the rise with attackers trying to obtain vital information on your organisations for their own personal gain!
What we noticed:
Nowadays receiving quantities of spam is itself unusual, particularly in Enterprise environments, as spam filters become ever more sophisticated but other facts also stood out:
- The emails were predominantly Google Classroom invitations - ‘Invite spam’ is a relatively new technique compared to the more usual email spam, designed to evade filters that block the vast majority of traditional methods. It is also used to catch out otherwise ‘spam-savvy’ users by delivering malicious links into their calendar, taking advantage of the fact that certain email apps will automatically add these invites when received. Most people are conditioned not to click on dodgy links in their inbox…. But what about that meeting in your calendar you don’t recognise?
- The vast majority all arrived within a short space of time - ‘Email bombing’ is most often associated with Denial-of-Service attacks where huge quantities of mail are directed at the inbox with a view to overwhelm it and/or the mail server, preventing it from working. However, on a smaller scale, they can be used to flood a user’s inbox to hide legitimate emails such as ‘New Log-In’ notifications, order confirmations or notifications of bank transfers – messages that could highlight an attack.
- The proximity of these emails to the dark web alert -Finding an Enterprise email address for sale on the dark web does not necessarily mean that just the Enterprise account could be the victim of an attack. The email address may have been used to register for any number of cloud-based services, such as Amazon, PayPal or even online banking.
Looking at the above information together it could be theorised – as I did – that an attacker was attempting to use the credentials found online to log in to a cloud service and/or commit fraud against the user. A ‘spam distraction’ email bomb, using the ‘Invite spam’ technique to try and boost the success rate, could have been timed to coincide with the attempted attack to hide any confirmation emails sent to the user in the event of the fraud was successful.
What happened?
Working with the end user we were able to confirm that there were no suspicious meetings in their calendar, no other legitimate emails had been received into their inbox at the same time as the flood of spam and that their email address is not used to register for any other services.
The user’s password was reset, and the spam sender addresses and domains were blocked as a matter of course. The user's Security were also notified of the details of the event.
Monitoring the situation, we were also able to confirm that there was no other or subsequent, evidence of attack so the incident was logged, and the ticket closed.
What can we learn from this?
Firstly, basic security hygiene such as enabling Multi-Factor Authentication everywhere that you are able is essential. Passwords alone are no longer fit for purpose. Even with strong password policies & guidance in place, most users create passwords that are as easy as possible to remember. This makes them easy to guess or brute force. Reusing the same password across multiple services is rife, difficult to avoid, and increases the likelihood that these passwords will be breached and find their way onto the dark web.
Secondly, information is key. Having sight of as much information as possible about your IT systems enables the ability to find correlations and patterns such as those described above. Viewed in isolation, each alert may be treated differently, and an attack could slip through the net. Understanding the tactics and techniques that are being used against you can then be used to better inform other users on what to be looking out for.
Finally, having the right tools in place is crucial to be able to achieve the above. If your key systems don’t allow for Multi-Factor Authentication, or alternative access controls (other than just passwords) look for ones that do. If you aren’t already logging in and monitoring what your systems are doing, start now. If you want to broaden your view – and simplify your monitoring – systems like Dark Web ID, Microsoft Defender and Microsoft Sentinel can be used to automatically flag events across your systems, even correlating multiple events into a single alert. If you aren’t able to fit this into your normal workloads but know you need to do more, you could even consider employing a Security Operations Centre (SOC) to do it for you.
Most people recognise that they could be doing more about security but don’t know where to start. We can help with this! We partner with the best so we can secure your entire security posture from the user to your networks and everything in between. Want to speak to an expert? Get in touch here.
