By Jenna Garbett and Sama Manchanda, Palo Alto Networks
It was a typical day for our client, an executive with a U.S. financial services firm that relies on a widely used multi-factor authentication (MFA) mobile app to protect access to email, customer files and other sensitive data. His iPhone kept pinging him with MFA requests to access his email, interrupting him on a day packed with customer meetings. He was annoyed by the intrusion, figuring it was some kind of system error, and rejected each request so he could focus on work.
He thought it was over when the requests stopped. Months later, however, he learned he had mistakenly authorized one of those many requests, unknowingly granting an attacker unfettered access to his email. He learned about the compromise when his bank flagged suspicious wire transfers totaling nearly $1 million and our investigation uncovered the exposure of data belonging to the company, its employees and clients. Fortunately, the company was able to recover the stolen funds, but attacks of this nature can still be costly in terms of reputation, as well as the time and resources spent cleaning up after them.
This type of attack is known as a business email compromise, or BEC. Each year, Unit 42 security consultants spend thousands of hours on BEC investigations, combing through logs to identify unauthorized activity, determine how unauthorized access occurred and find security gaps that need to be addressed.
Many organizations think they’ve already taken steps to protect themselves against BECs. However, those steps may not have been properly implemented. Among the hundreds of BEC cases Unit 42 has worked on since the beginning of last year, our consultants determined that 89 percent of victims failed to turn on MFA or follow best practices for its implementation. That may seem surprising since the top email platforms – including Microsoft’s 365 and Exchange, as well as Google Workspace – offer multiple options for implementing MFA. This highlights just how important it is for organizations to understand and follow best practices for any security tool.
The consequences are costly: In investigations by Unit 42 consultants since Jan. 1, 2020, the average wire fraud attempted was $567,000 and the highest was $6 million. The FBI reports that BECs caused $1.87 billion in losses last year, making it one of the most expensive types of cybercrime.
The good news is that identifying MFA shortcomings is typically straightforward. Assessments can identify deficiencies in security controls and provide recommendations to mitigate those shortcomings.
Before diving into best practices for implementing MFA, plus other tips for preventing email compromise, it helps to understand why these best practices matter. Here are some more examples from the Unit 42 case files that show common mistakes that can lead to attackers gaining access to email environments – including when MFA is in place. We’re presenting scenarios to help organizations identify potential gaps in their own security, but have anonymized the examples to protect the identities of the victims.
Attackers targeted hundreds of employees at an insurance company with phishing emails. These emails led to an attempt to harvest login credentials through spoofed Microsoft 365 email login pages that looked identical to legitimate ones set up by that firm. The attackers succeeded in gaining access to a few of those accounts, which belonged to employees who hadn’t set up MFA, and that in turn gave them access to sensitive data on an internal SharePoint site.
Attackers gained access to the email accounts of two employees at one client organization that failed to disable legacy authentication for synchronizing email boxes via IMAP4 and POP3. That gave the threat actors access to everything in both mailboxes for over a month, enabling them to collect personally identifiable information (PII) from the victims’ contacts. This is one of the most common ways of bypassing MFA, especially in hybrid environments that have legitimate use for legacy protocols. (We provide more detail about how to handle legacy authentication below.)
Threat actors compromised multiple users at a job placement agency, then used those accounts to circulate job postings that asked recipients to provide personal data. They set up rules that moved all responses to hidden folders and forwarded them to an external account.
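To show how the two patterns in the cases above (successful sign-ins over legacy protocols such as IMAP4 and POP3, and inbox rules that hide and forward mail to an external account) surface in audit data, here is an added example, not code from Unit 42 or the original post. It assumes simplified Microsoft 365 audit records exported one JSON object per line, with field names modelled on the Unified Audit Log and Entra ID sign-in log, and a constructed organization domain `example.com`.

```python
# Added example (not from the Unit 42 post): flag two BEC indicators in constructed
# Microsoft 365 audit records. Field names are simplified and assumed; adapt them
# to the export format your tenant actually produces.
import json

INTERNAL_DOMAIN = "example.com"  # constructed: the organization's own mail domain
# Client names as they appear in Entra ID sign-in logs; these use basic auth and bypass MFA.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
# Inbox-rule parameters that send a copy of mail somewhere else.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed sample records: one legacy sign-in, one normal sign-in,
# one malicious rule (forward + hide in an obscure folder), one benign rule.
SAMPLE_LOG = """\
{"Operation":"UserLoggedIn","UserId":"cfo@example.com","ClientAppUsed":"IMAP4","ResultStatus":"Success"}
{"Operation":"UserLoggedIn","UserId":"cfo@example.com","ClientAppUsed":"Browser","ResultStatus":"Success"}
{"Operation":"New-InboxRule","UserId":"recruiter@example.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"collector@attacker.invalid"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"}]}
{"Operation":"New-InboxRule","UserId":"hr@example.com","Parameters":[{"Name":"Name","Value":"Payroll"},{"Name":"MoveToFolder","Value":"Payroll"}]}
"""


def _is_external(address: str) -> bool:
    """True when the address's domain is not the organization's own domain."""
    return "@" in address and address.rsplit("@", 1)[1].lower() != INTERNAL_DOMAIN


def find_bec_indicators(log_text: str) -> list:
    """Return one finding per record that matches a BEC indicator, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        op, user = rec.get("Operation"), rec.get("UserId")
        if (op == "UserLoggedIn" and rec.get("ResultStatus") == "Success"
                and rec.get("ClientAppUsed") in LEGACY_CLIENTS):
            findings.append({"user": user, "indicator": "legacy_auth_signin",
                             "detail": rec["ClientAppUsed"]})
        elif op in ("New-InboxRule", "Set-InboxRule"):
            params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
            targets = [params[k] for k in sorted(FORWARD_PARAMS) if k in params]
            if any(_is_external(t) for t in targets):
                findings.append({"user": user, "indicator": "external_forwarding_rule",
                                 "detail": ",".join(targets),
                                 "hidden_in": params.get("MoveToFolder")})
    return findings


if __name__ == "__main__":
    for f in find_bec_indicators(SAMPLE_LOG):
        print(f)
```

A benign rule that only files mail into a folder, and a successful browser sign-in, produce no finding; a rule that forwards to an external domain is flagged together with the folder it hides replies in.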
While there’s no silver bullet to stop email compromises, we recommend that organizations implement the following best practices. MFA implementation is crucial, but it’s only one component of a comprehensive strategy for reducing the risk of email compromise and minimizing the impact of successful attacks.