
The Rise of New Tactics in Business Email Compromise

The use of mobile messaging apps and social media has grown enormously over the past decade, reshaping the way we communicate in our personal lives. Despite this trend, email remains the preferred method of communication in the workplace. There is no doubt that the way email is used will continue to evolve along with the people who use it[1]: from initiating password resets to tracking package delivery status, it extends our connection to the brands and services we deal with. As these changes occur, cyber criminals adapt their techniques to the changing landscape.

Email-borne threats change and materialize every minute, from sophisticated ransomware attacks to advanced impersonation tactics such as business email compromise (BEC) and CEO fraud, to targeted phishing campaigns.

Cyber criminals continue to find creative ways to entice recipients into opening these increasingly malicious messages, exposing them to content that can cause significant financial and/or data loss.

According to our recent Email Threat Report, impersonation attacks (CEO fraud and business email compromise, BEC) showed a steady increase in Q1 2019 and are projected to keep rising through Q2 2019. Cyber criminals impersonate executives, senior managers and supply chain partners to dupe employees into taking action, such as authorizing fraudulent wire transfers or providing confidential information. Impersonation attacks can cost companies billions of dollars and severely damage their reputation.

Figure 1: Impersonation attack attempts trend upward in Q1 2019.

Alongside the rise in impersonation attacks, the report showed phishing attacks up 17% in Q1 2019 compared with Q4 2018.

Figure 2: Most common brands[2] detected in phishing attacks, Q1 2019.

The prevalence of Microsoft Office 365 has led bad actors to target it, along with OneDrive, which is part of the Office suite. Often the intent is to harvest corporate credentials for account takeover.

If a corporate user account is taken over, it is often used for malicious activity that now originates from a legitimate, trusted email address, for purposes such as:

  • Distributing malware internally
  • Spear phishing accounts with elevated privileges
  • Executive business email compromise (BEC)
  • Targeting customers and partners
  • Reconnaissance of the environment
  • Access to VPNs or other cloud services to further infiltrate the corporation

To the unwitting user, a phishing email often looks like a legitimate message from an established company's support team asking them to reconfirm their account details. Attackers spoof everything, from sender addresses to brand look and feel, to dupe recipients into providing passwords and other confidential information. Office 365, Dropbox, Slack and other SaaS services are popular targets, and once access to an account is obtained, attackers can establish a foothold and expand their access within the organization.

The following illustrates a common phishing attack:

Figure 3: Example email-based attack with Office 365 branding.

Figure 4: FireEye Email Security URL screenshot of Microsoft Office 365 landing page.

Tactics used and the importance of visibility

IT professionals know how critical effective email security is, and phishing is the most potent tool in the attacker's toolbox. Malicious URLs embedded in message text can be difficult for most email security solutions to detect, and a URL can be weaponized after it has passed as clean, to further avoid detection. For example, during business hours the URL in an email leads to a phishing page, while outside business hours the same link serves a blank HTML page, so a single scan at delivery time sees nothing suspicious.

FireEye Email Security - Server Edition, which integrates signature, analytics and machine learning plugins to detect URL-based phishing attacks, lets IT admins visually inspect, instantly and at any time, the web pages that embedded URLs lead to.

FireEye PhishVision uses deep learning to compile screenshots of trusted, commonly targeted brands and compare them against the web and login pages referenced by URLs in an email. This lets FireEye identify phishing attacks and also provides awareness of which brand is being targeted.

Figure 5: Office Web Access Login URL.

Figure 6: Example OneDrive Phishing URL.

The URL screenshot function shows at a glance what a malicious phishing URL looked like to the recipient. This gives the analyst an overview of how convincing the landing page would have been as a place to enter credentials, and also serves reporting and user awareness training.
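As an added illustration of the screenshot-comparison idea behind PhishVision (example code written for this page, not FireEye's product or its deep-learning model): a difference hash (dHash) over tiny 9x8 grayscale "screenshots" stands in for the learned similarity, and a page that visually matches a brand's login page but is served from a domain the brand does not own is flagged as phishing. The bitmaps, the lookalike hostname and the allowlist of Microsoft login domains are constructed assumptions; a real deployment would render the page, hash a full-size screenshot and use the Public Suffix List rather than the last-two-labels heuristic used here.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# A "screenshot" here is a 9-column x 8-row grayscale bitmap (0-255),
# constructed for this example. Real screenshots would be downscaled to
# this size before hashing.
Image = List[List[int]]

W, D, M, B = 255, 60, 30, 0   # white, form-field grey, header bar, button

# Constructed reference: a stylised brand login page (dark header bar,
# a bordered form box, a sign-in button).
REF_MS_LOGIN: Image = [
    [M] * 9,
    [W] * 9,
    [W, W, D, D, D, D, D, W, W],
    [W, W, D, W, W, W, D, W, W],
    [W, W, D, W, W, W, D, W, W],
    [W, W, D, D, D, D, D, W, W],
    [W] * 9,
    [W, W, W, B, B, B, W, W, W],
]

# Constructed lookalike: same layout, slightly different shades, button
# shifted one column left (the imperfect clone a phishing kit produces).
PHISH_CLONE: Image = [
    [35] * 9,
    [250] * 9,
    [250, 250, 70, 70, 70, 70, 70, 250, 250],
    [250, 250, 70, 250, 250, 250, 70, 250, 250],
    [250, 250, 70, 250, 250, 250, 70, 250, 250],
    [250, 250, 70, 70, 70, 70, 70, 250, 250],
    [250] * 9,
    [250, 250, 10, 10, 10, 250, 250, 250, 250],
]

# Constructed unrelated page (text-heavy newsletter, no login form).
BENIGN_PAGE: Image = [
    [W] * 9,
    [B, W, B, W, B, W, B, W, B],
    [B, W, B, W, B, W, B, W, B],
    [W] * 9,
    [100, 90, 80, 70, 60, 50, 40, 30, 20],
    [100, 90, 80, 70, 60, 50, 40, 30, 20],
    [W] * 9,
    [W] * 9,
]

BRAND_SCREENSHOTS: Dict[str, Image] = {"microsoft": REF_MS_LOGIN}
# Assumed allowlist: registrable domains that legitimately host this brand's login.
BRAND_DOMAINS: Dict[str, set] = {
    "microsoft": {"microsoftonline.com", "microsoft.com", "live.com", "office.com"},
}
MAX_DISTANCE = 6   # bits out of 64; in practice tuned on labelled data


def dhash(img: Image) -> int:
    """Difference hash: one bit per horizontally adjacent pixel pair (8 rows x 8 pairs = 64 bits)."""
    bits = 0
    for row in img:
        for x in range(len(row) - 1):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Heuristic only; real code uses the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(url: str, screenshot: Image) -> Tuple[str, Optional[str], int]:
    """Return (verdict, brand, distance).

    'phishing' when the page looks like a known brand's login but is served from
    a domain that brand does not own; 'legitimate' when look and domain agree;
    'no-brand-match' when no reference screenshot is close enough.
    """
    h = dhash(screenshot)
    brand, best = None, 65
    for name, ref in BRAND_SCREENSHOTS.items():
        d = hamming(h, dhash(ref))
        if d < best:
            brand, best = name, d
    if best > MAX_DISTANCE:
        return ("no-brand-match", None, best)
    host = urlsplit(url).hostname or ""
    if registrable_domain(host) in BRAND_DOMAINS[brand]:
        return ("legitimate", brand, best)
    return ("phishing", brand, best)


if __name__ == "__main__":
    for url, shot in [
        ("https://login.microsoftonline.com/common/oauth2/authorize", REF_MS_LOGIN),
        ("https://login-0365-verify.example/owa", PHISH_CLONE),   # constructed lookalike host
        ("https://intranet.example/newsletter", BENIGN_PAGE),
    ]:
        print(url, classify(url, shot))
```

The brand match alone is not the signal: Microsoft's own login page matches its own reference perfectly. The phishing verdict comes from the combination of a close visual match and a domain outside the brand's allowlist, which is also why the domain check must use registrable domains rather than raw hostnames (a lookalike can freely put `login.microsoftonline.com` in a subdomain it controls).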

The ability to analyze credential-harvesting threats helps IT teams mitigate risk. This insight also supports adaptive response: correlating with other internal technologies to validate whether the organization was actually affected. By reducing detection and response latency, defenders limit damage and ultimately prevent future threats.

Figure 7: Overview of grouped alerts for admins to quickly analyze.

At a glance you can drill down into prioritized alerts, such as retroactive detections, or sort by specific threat type. For example, many analysts want to review retroactive detections or never-before-seen threats, as highlighted in Figure 7.

FireEye provides alert prioritization to help IT admins understand the severity of alerts, along with intelligence about the tactics, techniques and procedures involved and in-depth forensic analysis, such as endpoint and network behavior and the overall attack methodology.

Using this information, FireEye can automate responses and quarantine emails identified retroactively, such as spear-phishing URLs weaponized after delivery. From alert to fix, the average time for FireEye to identify an alert is approximately 4 minutes, versus over 2 hours for other solutions[3]. Faster response not only increases security operations efficiency but also reduces the impact of security incidents on the organization.
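To make concrete both the delayed-weaponization tactic described under "Tactics used" above and the retroactive quarantine described in this paragraph, here is an added Python example (written for this page; not FireEye code and not how Email Security is implemented). It simulates an attacker host that serves a credential form only during business hours, a gateway that scans URLs once at delivery, and a later re-scan that pulls back already-delivered messages whose verdict changed. The hostname, message IDs, timestamps and the toy "page asks for a password" verdict are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed: a lookalike host that serves a credential form only during
# business hours (09:00-17:00) and an empty page otherwise. A sandbox that
# fetches the link once, at delivery, sees only the empty page.
PHISH_HOST = "login-0365-verify.example"   # assumed, not a real site
PHISH_HTML = '<form action="/post"><input name="pwd" type="password"></form>'
BLANK_HTML = "<html><body></body></html>"


def attacker_server(url: str, now: datetime) -> str:
    """Simulated malicious host: the response depends on the time of the fetch."""
    if PHISH_HOST in url and 9 <= now.hour < 17:
        return PHISH_HTML
    return BLANK_HTML


def scan_url(url: str, now: datetime) -> str:
    """Toy verdict: a page that asks for a password is 'malicious', otherwise 'clean'."""
    body = attacker_server(url, now)
    return "malicious" if 'type="password"' in body else "clean"


@dataclass
class Gateway:
    """Delivery ledger: which messages carried which URLs, and each URL's last verdict."""
    delivered: Dict[str, List[str]] = field(default_factory=dict)   # msg_id -> urls
    verdicts: Dict[str, str] = field(default_factory=dict)          # url -> verdict
    quarantined: Set[str] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)

    def on_delivery(self, msg_id: str, urls: List[str], now: datetime) -> str:
        """Scan every URL once at delivery; deliver only if all look clean."""
        for u in urls:
            self.verdicts[u] = scan_url(u, now)
        if all(self.verdicts[u] == "clean" for u in urls):
            self.delivered[msg_id] = list(urls)
            return "delivered"
        self.quarantined.add(msg_id)
        return "blocked"

    def rescan(self, now: datetime) -> List[str]:
        """Re-check every known URL; pull back delivered mail whose verdict turned malicious."""
        changed: List[str] = []
        for u, old in list(self.verdicts.items()):
            new = scan_url(u, now)
            if new != old:
                self.verdicts[u] = new
                changed.append(u)
        for msg_id, urls in list(self.delivered.items()):
            if any(self.verdicts[u] == "malicious" for u in urls):
                del self.delivered[msg_id]
                self.quarantined.add(msg_id)
                self.alerts.append(f"retroactive detection: {msg_id}")
        return changed


def simulate() -> Tuple[Gateway, str, str, List[str]]:
    """Deliver at 03:00 (link looks clean), re-scan at 10:00 (link is now live)."""
    gw = Gateway()
    night = datetime(2019, 4, 2, 3, 0)            # constructed timestamps
    day = night + timedelta(hours=7)
    bad = f"https://{PHISH_HOST}/owa"
    good = "https://intranet.example/newsletter"  # assumed benign URL
    r1 = gw.on_delivery("msg-1", [bad], night)
    r2 = gw.on_delivery("msg-2", [good], night)
    changed = gw.rescan(day)
    return gw, r1, r2, changed


if __name__ == "__main__":
    gw, r1, r2, changed = simulate()
    print("at delivery:", r1, r2)
    print("verdicts changed on re-scan:", changed)
    print("quarantined:", sorted(gw.quarantined), "alerts:", gw.alerts)
```

The ledger is the part that matters operationally: without a record of which delivered message carried which URL, a changed verdict cannot be turned into a quarantine of the specific mailbox copies, and the analyst is left searching inboxes by hand. Re-scans at several times of day (or on click) are what defeat the business-hours trick in the first paragraph.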

Recommendation

The use of email is changing, and the adaptive tactics of cyber criminals pose a serious threat to organizations. It is imperative that IT managers provide the strongest possible email security to reduce the risk of a breach. Here are a few points to consider:

  • Implement multi-factor authentication. This stops many attackers even after they have successfully phished a password, because it introduces a second authentication factor; prefer phishing-resistant methods such as hardware security keys where possible
  • Run regular user awareness training sessions. Reference real-world threats that you have blocked
  • Deploy advanced secure email gateway technologies such as FireEye Email Security Cloud or Server Editions. Take a tour of our Secure Email Gateway
  • Enhance visibility into your login sources, such as on-premises Active Directory or Office 365, to detect unauthorized activity. Take a tour of our cloud-hosted security operations platform, FireEye Helix
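As an added example for the last point (example code written for this page, not FireEye Helix or any of its content): three simple detections run over constructed Office 365-style sign-in records: a successful sign-in from a country not in the user's baseline, two successes from different countries within a short window (a simplified impossible-travel check), and a success that follows a burst of failures from the same source IP, the pattern left behind when a phished or sprayed password finally works. The users, addresses, countries, baseline and thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample sign-in records, loosely shaped like the fields an
# Office 365 / Azure AD sign-in export carries: timestamp (UTC), user,
# source IP, geolocated country, result. Not real data.
EVENTS: List[Tuple[str, str, str, str, str]] = [
    ("2019-04-02T08:01:00", "alice@corp.example", "203.0.113.10", "US", "Success"),
    ("2019-04-02T08:30:00", "bob@corp.example",   "203.0.113.11", "US", "Success"),
    ("2019-04-02T09:12:00", "alice@corp.example", "198.51.100.7", "NG", "Success"),
    ("2019-04-02T09:15:00", "bob@corp.example",   "198.51.100.7", "NG", "Failure"),
    ("2019-04-02T09:16:00", "bob@corp.example",   "198.51.100.7", "NG", "Failure"),
    ("2019-04-02T09:17:00", "bob@corp.example",   "198.51.100.7", "NG", "Success"),
    ("2019-04-03T08:05:00", "alice@corp.example", "203.0.113.10", "US", "Success"),
]

# Assumed per-user baseline of countries seen in prior, reviewed history.
BASELINE: Dict[str, Set[str]] = {
    "alice@corp.example": {"US"},
    "bob@corp.example": {"US"},
}

Alert = Tuple[str, str, str, str]   # (rule, user, timestamp, detail)


def detect(events, baseline, travel_window=timedelta(hours=2),
           fail_window=timedelta(minutes=10), fail_threshold=2) -> List[Alert]:
    """Run three sign-in detections over the events in time order.

    new_country:           success from a country absent from the user's baseline
    impossible_travel:     two successes from different countries within travel_window
                           (simplified: no distance or speed calculation)
    failures_then_success: at least fail_threshold failures from the same (user, IP)
                           within fail_window, followed by a success
    """
    alerts: List[Alert] = []
    last_success: Dict[str, Tuple[datetime, str]] = {}
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, user, ip, country, result in sorted(events):
        t = datetime.fromisoformat(ts)
        if result != "Success":
            failures[(user, ip)].append(t)
            continue
        # Flag but do not extend the baseline: an analyst confirms first.
        if country not in baseline.get(user, set()):
            alerts.append(("new_country", user, ts, country))
        prev = last_success.get(user)
        if prev and prev[1] != country and t - prev[0] <= travel_window:
            alerts.append(("impossible_travel", user, ts, f"{prev[1]}->{country}"))
        recent = [f for f in failures[(user, ip)] if t - f <= fail_window]
        if len(recent) >= fail_threshold:
            alerts.append(("failures_then_success", user, ts, ip))
        failures[(user, ip)] = []
        last_success[user] = (t, country)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(alert)
```

On the constructed data, alice's Nigerian sign-in 71 minutes after a US one fires both the new-country and impossible-travel rules, and bob's success after two failures from the same address fires all three; the next-day US sign-in from alice fires nothing because the country is in her baseline and the previous success is well outside the travel window. Real sign-in logs also carry the authentication method and client application, which is what lets you notice a successful sign-in that bypassed MFA through legacy protocols such as IMAP or SMTP AUTH.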

[1] Why Email Remains The Top Enterprise Collaboration Tool, by David Roe – CMS Wire.

[2] Generic and spam phishing emails do not feature a brand.

[3] FireEye White Paper – The Uncomfortable Cyber Security Tradeoff: The Total Cost Of Handling Too Many Alerts Versus Managing Risk