FOUR MINUTES OR LESS…

Four minutes is all the time it took for a bad actor to infiltrate an email account through a phishing attempt.

WHAT HAPPENED?

We recently had a case where our monitoring system alerted us to suspicious activity in a user's Microsoft 365 mailbox. We disabled the account, reset its sessions and credentials, and then went through the audit trail, which showed that the attacker had signed in with credentials stolen through a malicious link in a phishing email. Within four minutes of obtaining those credentials, the attacker created an inbox rule that moved specific incoming messages to a rarely used folder, in order to hide their future activity (and any replies or warnings it generated) from the mailbox owner.
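The alert in this case came from exactly this pattern: a hiding inbox rule created minutes after a sign-in from an address the user had never used. The Python below is an added example of that detection logic, not the code of our monitoring product or anything from the original post. The sample records are constructed, and their field names follow the Microsoft 365 Unified Audit Log AuditData schema as assumed here (Operation, UserId, ClientIP, ResultStatus, and the Name/Value Parameters list that Exchange records carry); KNOWN_IPS stands in for whatever sign-in baseline you keep per user.

```python
"""Flag inbox rules that hide mail and were created from an IP the user has
never signed in from before, reporting how soon after that sign-in the rule
appeared.  The records below are constructed samples shaped like Microsoft
365 Unified Audit Log entries (the AuditData JSON of Search-UnifiedAuditLog);
the field names follow that schema as assumed here, not a verified export."""
import json
from datetime import datetime

# Rule parameters commonly used to hide or divert mail from the mailbox owner.
HIDING_ACTIONS = {"MoveToFolder", "DeleteMessage", "MarkAsRead",
                  "ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}

# IPs each user is known to sign in from (assumed baseline, e.g. office egress).
KNOWN_IPS = {"pat@example.com": {"198.51.100.20"}}

# Constructed sample audit records, not real log data.
SAMPLE_LOG = [
    {"CreationTime": "2024-05-06T13:01:10", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "pat@example.com",
     "ClientIP": "203.0.113.7", "ResultStatus": "Success"},
    {"CreationTime": "2024-05-06T13:05:10", "Operation": "New-InboxRule",
     "Workload": "Exchange", "UserId": "pat@example.com",
     "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    # A legitimate rule from the user's usual office IP should not alert.
    {"CreationTime": "2024-05-09T09:15:00", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "pat@example.com",
     "ClientIP": "198.51.100.20", "ResultStatus": "Success"},
    {"CreationTime": "2024-05-09T09:40:00", "Operation": "New-InboxRule",
     "Workload": "Exchange", "UserId": "pat@example.com",
     "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]


def parse_time(value):
    """Audit timestamps are ISO 8601, sometimes with a trailing 'Z'."""
    return datetime.fromisoformat(value.rstrip("Z"))


def rule_params(record):
    """Exchange audit records carry cmdlet arguments as Name/Value pairs."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def load_audit_data(json_strings):
    """Convert raw AuditData JSON strings (one per exported row) into dicts."""
    return [json.loads(s) for s in json_strings]


def find_suspicious_rules(records, known_ips):
    """Return findings for hiding rules created from an unfamiliar IP.

    Each finding carries minutes_after_signin: the time since the most recent
    successful sign-in from that same IP (None if none was seen)."""
    ordered = sorted(records, key=lambda r: parse_time(r["CreationTime"]))
    last_login = {}  # (user, ip) -> time of most recent successful sign-in
    findings = []
    for rec in ordered:
        user, ip = rec["UserId"], rec.get("ClientIP")
        when = parse_time(rec["CreationTime"])
        if rec["Operation"] == "UserLoggedIn":
            if rec.get("ResultStatus") == "Success":
                last_login[(user, ip)] = when
            continue
        if rec["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = rule_params(rec)
        hiding = sorted(HIDING_ACTIONS.intersection(params))
        if not hiding or ip in known_ips.get(user, set()):
            continue  # no hiding action, or the user's normal address
        seen = last_login.get((user, ip))
        findings.append({
            "user": user, "ip": ip, "time": rec["CreationTime"],
            "rule_name": params.get("Name"), "hiding": hiding,
            "minutes_after_signin": (when - seen).total_seconds() / 60 if seen else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_LOG, KNOWN_IPS):
        print(finding)
```

Run against the samples, the only finding is the rule named "." created from 203.0.113.7 four minutes after the first sign-in from that address; the Newsletters rule from the office IP is ignored even though it also moves mail. In production you would feed load_audit_data the AuditData strings returned by Search-UnifiedAuditLog (or your SIEM's copy of them) and build the known-IP baseline from the previous month of successful sign-ins rather than hard-coding it.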

DID THIS EMAIL ACCOUNT USE MULTI-FACTOR AUTHENTICATION?

Yes! The attack was what is known as AiTM (adversary-in-the-middle, a form of MITM or man-in-the-middle). In an MITM attack the threat actor places themselves between two parties, typically a user and an application, to intercept their communications and data exchanges. In this case, as the diagram below shows, the phishing link led the user to a realistic-looking fake sign-in page. Attackers make such pages look identical to the legitimate site, the way a fake banking page would, so that you type in your credentials and they harvest them. What makes AiTM worse than an ordinary fake page is that it is a live proxy to the real one: the username, password and MFA prompt are passed straight through to Microsoft, the user completes MFA as normal, and the attacker captures the session cookie that comes back. That cookie is what lets them into the mailbox without ever being challenged for a second factor, which is also why resetting the active sessions, and not just the password, was a necessary part of the cleanup.

Below is a simplified diagram of what happened:

FINAL THOUGHT

Thankfully we were able to shut this attack down within minutes of it starting, well before any real damage was done. The reality, however, is that most small businesses using Microsoft 365 do not have the capability to detect and respond to this sort of suspicious activity. To protect yourself and your business, be proactive about verifying that the emails in your inbox are genuine before you act on them, and make sure every available protection, such as MFA, is enabled. Keep in mind that the MFA on this account did not stop the attack; only phishing-resistant methods such as FIDO2 security keys or passkeys, which tie the sign-in to the real site's address, defeat an AiTM proxy. It is also worth checking your mailbox's inbox rules from time to time, since a rule you did not create is one of the clearest signs of this exact attack. When in doubt, don't click the links in the email: type the known URL into a separate browser window and check for yourself. It may take a few extra steps, but in the long run it can save you from a potential financial disaster.
