Businesses tend to obsess over business email compromise. This obsession is misguided. Observations from the front lines of combating business email compromise at the SMB scale and what we should focus on instead.
By Matt Kiely, Principal Security Researcher at Huntress
The security community tends to obsess over business email compromise (BEC) attacks. This obsession is misguided and BEC should not be getting so much attention. Instead, security companies should be focusing on more constructive topics.
As a principal cybersecurity researcher, I bear the shield and fight off cybercrime that would otherwise target and destroy the small to medium sized companies globally and the managed service providers that protect them. Most of these businesses wouldn’t survive a ransomware or BEC attack. According to the FBI, business email compromise amongst smaller companies is now a $50B issue that is crushing their dreams. These are the construction companies, barber shops, bakeries and 1-off retail stores who would be devastated if they were ransomed for $500,000 or if massive funds disappeared from their banking account as a result of a fraudulent wire transfer. The stakes are high.
The point is that these attacks are worth businesses’ attention and SMBs need to be defended.
Detecting Business Email Compromise Is Too Little, Too Late
In January 2023, Huntress detected over 3,300 Microsoft 365 events that indicated a compromise of a partner identity in some capacity. Any one of these incidents could result in a BEC attack that could wipe a small business out for good. But the critical thing to point out here is that very few of these detections identified the BEC attack itself. In fact, if the actual BEC attack itself is the only thing identified, this is considered to be a detection failure.
BEC is more of the “ransomware” of the cloud security world. Like ransomware, these attacks are one of the tangible, visible outcomes of a cloud cyberattack chain. The operating phrase here is “attack chain.”
These attacks don’t magically appear out of nowhere. A threat actor who’s pulled off a BEC, much like a ransomware attack, had to develop their campaign enough to execute the final phase of the attack. This means that they had to gain access to an account, install some method of persistence, enumerate the target environment, evade defenders and finally execute the steps of the BEC attack itself.
This equates to a process of an enemy spy sneaking into a maximum security base. The spy has to ballet dance through a hallway of lasers to make sure they remain undetected. Every step, every dip and every jump is another opportunity for them to mess up and trigger one of the lasers. As defenders, it’s the security company’s job to put as many lasers in the hallway, at various heights and angles, so that the spy’s mistakes are detected and punished.
This is why companies are getting BEC all wrong; since they tend to watch business email compromise attacks unfold as if there’s no way to prevent them from happening. It’s not a good practice to watch the train careening down the tracks towards the cliff side with their jaw on the floor, saying, “Someone should really do something about this!” Defenders should realize it’s their place to take action and pull the lever to reroute the train.
Any threat activity that takes place before the BEC attack itself is a good place to look to forestall these attacks. A great place to look for indicators is right when the threat actor gets their foot in the door—initial access. “Account takeover” is the most common method of initial access, where a threat actor has passed or stolen the authentication requirements and simply logs in as the given identity. There are more ways to gain initial access to an identity than just account takeover, but it is the most common method by a wide margin.
Hunting Account Takeovers at the SMB Scale
Focusing on BEC is like focusing on the train after it gets wrecked. Maybe you want to join me in the hunt for account takeovers so we can cut off the BEC attack closer to the start. But where do we start? How can we effectively deter these attacks if we don’t understand them first?
String up your bow and sharpen your arrowheads. Here are three of the major adversary tactics that result in account takeovers.
Adversary in the Middle: Transparent Proxy Phishing
One of the worst tactics in the adversary playbook is session token theft via transparent proxy phishing. This attack is insidious. Our partners often ask, “Now that I’ve implemented multi-factor authentication on my account, I should be safe, right?” Transparent proxy phishing is the reason why experts can’t answer “yes” when they ask that question.
The premise for this attack is simple: multi-factor authentication (MFA) would stop an attack in progress given that the adversary doesn’t possess the additional authentication factor at the time of the attack. But most modern websites, including the Microsoft 365 login portal, grant a session token to the user after the user logs in with their password and provides their additional factor for authentication. Once that session token is in the user’s browser, it becomes a de facto proof of identity for that user. So, why not steal that session token instead?
The adversary tricks the victim into visiting their attacker-controlled domain. When the victim visits this domain, usually after receiving a phishing email with a link that directs them there, they see the Microsoft 365 login portal. The victim figures there’s some weird error going on and they need to log back into Microsoft 365. Unfortunately, they’re entering their credentials into a transparent proxy, which brokers the victim’s session with the actual Microsoft 365 page.
The victim enters their password, which is captured by the evil server in the middle. The evil server relays the password to the real Microsoft 365 login site, which passes the first authentication stage. Microsoft 365 then requests the additional factor, which is relayed back to the victim through the evil server. When the victim completes the additional factor, the session passes authentication and the resulting session token is delivered to the victim’s browser…by traveling through the evil server! The adversary effectively captures the session token while it’s on its way back to the user and can inject it into their own browser to log into the victim’s account. Dastardly!
Much like the classic vampire of legend, these attacks can’t hurt individuals or businesses unless they’re invited in. Social engineering is still the primary method for delivering the links that result in a user landing on one of these transparent proxy login pages. The URL of the site in question is still the most trusted source to determine if the website is legitimate or not. For example, a user who wants to log into Microsoft 365 should expect to land on “login.onmicrosoft[.]com” and not “some.evilsite[.]com”.
End users in regards to this attack should keep a healthy amount of suspicion for the links that people are asking you to click. Verify with the person that’s supposedly sending you this link. Did they actually send it? Is there urgency about the situation? Have they tried to build rapport with you to coerce you into clicking? This attack can compromise even the hard targets who protect their accounts with MFA, so it’s worth the due scrutiny and time needed to verify.
Credential Attacks: Password Sprays, Credential Stuffing, Brute Forcing
For individuals out there who don’t use MFA, the threat equation is much more simple. For any accounts that don’t have an additional factor, an adversary would either have to guess or acquire the victim’s password to log in as that identity. These credential attacks come in three flavors; password spraying, where the attacker tries to guess the same password against multiple accounts; credential stuffing, where the attacker uses known credentials from a breach and uses them against other services where the user may have an account; and brute forcing, where the attacker guesses multiple passwords against the same account.
Unlike the adversary in the middle attack example from earlier, this attack requires no interaction on the part of the victim. Tools like MFASweep and trevorspray, which are both available free and open source on GitHub, allow attackers to carry out credential attacks and check to see if any accounts lack MFA. An attacker that finds an account with a weak password and no MFA has found a prime target for a business email compromise attack.
VPN use for initial access
This tactic is more closely aligned with defense evasion than initial access, but it’s included here because it’s a common attribute of account takeovers. According to reports from the Huntress Security Operations Center, about 75% of confirmed attacks against Microsoft 365 identities come from VPNs. A smaller percentage of attacks come from anonymous proxies, like Tor. While VPNs and proxies are different technologies, it’s considered that they are similar in terms of impact to partners. Threat actors use proxies and VPNs to conceal their IP address while performing account takeovers.
Like a good jiu-jitsu counterattack, security businesses can use this tactic to their own advantage as defenders. Is VPN use normal for their users? If VPN is normal, which types of VPNs should be in use? Analyzing the IP address from the login can reveal key facts and intelligence that they can factor into the threat calculus, like the IP’s service provider or if the IP is a known exit node for a shady proxy service. This allows them to differentiate between a user who logs in while using a common corporate SASE solution and a user who logs in from Tor. These two events aren’t the same in terms of risk and good detection programs should be able to recognize it and act accordingly.
Conclusion
Taking a bite out of BEC is about forestalling adversaries at any point along the attack chain. Identifying and combating tactics that indicate different phases of the attack chain, like persistence, defense evasion and execution activity, is an effective means of combating business email compromise. Every phase of the attack chain can telegraph different indicators and presents opportunities for detection. It only takes one detection to halt what would otherwise be a business-ending event. For businesses’ own security programs, maybe initial access is a great initial place to look!
About the Author
Matt Kiely and I’m a Principal Security Researcher at Huntress. Matt Kiely is a Principal Security Researcher at Huntress developing products that hit hackers where it hurts. He currently leads MDR for Microsoft 365 product research. He is a skilled cyber expert with over 10 years of experience in IT and security working for organizations including: Massachusetts Institute of Technology, financial institutions, SimSpace, and the United States Marine Corps. Matt holds a Bachelor of Science in Information Technology from Northeastern University and a Graduate Certificate in Cybersecurity from the Rochester Institute of Technology. Some of Matt’s professional credentials include OSCP, eCPPT, eCPTX, CRTO, and CRTP Matt can be reached online at our company website https://www.huntress.com/.
Source: www.cyberdefensemagazine.com