How an Office365 Email Hack Cost Thousands


(and How You Can Avoid the Same Fate)

Imagine you’ve just made a huge investment in your business. You’ve done your research and are convinced this is the right investment to take your business to the next level. Yet something is bothering you about your last few emails. Why did the other company change the banking details at the last minute? And why have some of the key people in the deal not weighed in on those changes? It’s a lot of money, and you lose a night’s sleep over this.


The next day, you review your emails with the company and discover the email address you’ve been corresponding with changed three days prior to a different domain that has a near-undetectable difference. Have you been hacked? How did they insert themselves into an email chain without being noticed? How did they know all the relevant names, places, and details going months back?

They knew it all, and now you’ve transferred money to a stranger. Could your business survive?

How the Hack Happened

LoughTec was brought into this story when our client asked us for assistance in tracking down a suspicious transfer. They had nearly been the victim of a huge transfer fraud scheme, and they only caught it at the last minute. Thankfully, they were able to contact their bank, report the fraud, and have the transfer cancelled. However, it took 24 agonizing hours for the bank to confirm the cancellation and save their business.

They wanted to know how it happened, and our investigation set about uncovering the truth. At some point in the recent past, the company’s accountant had his Office365 password compromised. The hacker was able to successfully log onto the client’s Office365 and set up a forwarding rule that sent all received email to a Gmail account owned by the hacker. Then, that forwarded message was deleted to hide the trail.

All the hacker had to do was watch the Gmail account for discussions of contract negotiations and a fund transfer. In this case, it just so happened the hacker had hit the jackpot with a huge investment in the works. They created a new rule forwarding any emails about the transfer, deleted evidence of the forward, and used previous email chains to fake a response. To the client, aside from the slight change in spelling of the email domain, the forgery appeared like an actual reply to an ongoing email conversation they were expecting, and the hacker was able to craft a convincing reply about a last-minute change in banking details. The client thought it odd but proceeded with the transfer.
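The forgery above relied on a sender domain one character away from the real one. As an added example (not part of the original investigation), this PowerShell sketch flags sender domains within a small edit distance of a trusted partner domain; the function names and all domains are constructed for illustration.

```powershell
# Added example: flag sender domains that are a near miss of a trusted domain.
# Get-EditDistance, Find-LookalikeDomain and every domain below are constructed.
function Get-EditDistance {
    param([string]$A, [string]$B)
    # Levenshtein distance computed with two rolling rows.
    $prev = @(0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = New-Object int[] ($B.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -ceq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1),
                                   $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    $prev[$B.Length]
}

function Find-LookalikeDomain {
    param([string[]]$SenderAddress, [string[]]$TrustedDomain, [int]$MaxDistance = 2)
    foreach ($addr in $SenderAddress) {
        $domain = ($addr -split '@')[-1].Trim().ToLower()
        foreach ($trusted in $TrustedDomain) {
            $d = Get-EditDistance $domain $trusted.ToLower()
            # Distance 0 is the genuine domain; 1..MaxDistance is a near miss
            # that should be confirmed with the partner by phone before paying.
            if ($d -gt 0 -and $d -le $MaxDistance) {
                [pscustomobject]@{ Sender = $addr; LooksLike = $trusted; Distance = $d }
            }
        }
    }
}

# Constructed sample: the second sender swaps one letter in the partner's domain.
$senders = 'finance@partner-holdings.example',
           'finance@partner-ho1dings.example',
           'news@unrelated.example'
Find-LookalikeDomain -SenderAddress $senders -TrustedDomain 'partner-holdings.example'
```

Edit distance will not catch internationalized homoglyph domains, whose encoded form differs widely from the trusted name, so treat this as one signal alongside out-of-band verification of any change in banking details.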

Shortly after, they realized something was wrong and got us involved to help them out. The first thing we did was have the accountant reset his password. Shortly after, we discovered the forwarding rule on the accountant’s mailbox. A PowerShell script run on the organization showed no other suspicious forwarding rules in place on any other mailboxes, leading us to conclude that only the accountant’s mailbox was compromised.
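One way to run the organization-wide check described above, as an added example rather than the script used in the investigation. `Test-ForwardRule` and the sample rules are hypothetical; the sample lets the logic run without a tenant, and the trailing comment shows how it would be fed from Exchange Online cmdlets.

```powershell
# Added example, not the script used in the investigation. Test-ForwardRule and
# the sample rules are hypothetical; the cmdlets in the trailing comment are
# Exchange Online PowerShell cmdlets.
function Test-ForwardRule {
    param(
        [Parameter(Mandatory)] $Rule,                      # shaped like Get-InboxRule output
        [Parameter(Mandatory)] [string[]] $InternalDomains # the tenant's accepted domains
    )
    # Gather every recipient the rule forwards or redirects to, dropping empty fields.
    $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) |
        Where-Object { $_ }
    foreach ($t in $targets) {
        # Recipients render as '"Name" [SMTP:user@domain]' or '"Name" [EX:/o=...]'.
        if ("$t" -match 'SMTP:[^@\]]+@([^\]\s]+)') {
            $domain = $Matches[1].ToLower()
            if ($InternalDomains -notcontains $domain) {
                [pscustomobject]@{
                    Mailbox        = $Rule.MailboxOwnerId
                    RuleName       = $Rule.Name
                    Target         = "$t"
                    DeletesMessage = [bool]$Rule.DeleteMessage  # forward-then-delete hides the trail
                    Enabled        = [bool]$Rule.Enabled
                }
            }
        }
    }
}

# Constructed sample rules (illustrative values only).
$sampleRules = @(
    [pscustomobject]@{
        MailboxOwnerId = 'accountant'; Name = '.'; Enabled = $true; DeleteMessage = $true
        ForwardTo = @('"collector" [SMTP:collector@mailhost.example]')
        ForwardAsAttachmentTo = $null; RedirectTo = $null
    },
    [pscustomobject]@{
        MailboxOwnerId = 'sales'; Name = 'Copy to team'; Enabled = $true; DeleteMessage = $false
        ForwardTo = @('"Team" [SMTP:team@contoso.example]')
        ForwardAsAttachmentTo = $null; RedirectTo = $null
    }
)
$sampleRules | ForEach-Object { Test-ForwardRule -Rule $_ -InternalDomains 'contoso.example' }

# Live tenant, after Connect-ExchangeOnline:
#   $domains = (Get-AcceptedDomain).DomainName
#   Get-EXOMailbox -ResultSize Unlimited | ForEach-Object {
#       Get-InboxRule -Mailbox $_.UserPrincipalName |
#           ForEach-Object { Test-ForwardRule -Rule $_ -InternalDomains $domains } }
```

Mailbox-level forwarding (the `ForwardingSmtpAddress` property returned by `Get-Mailbox`) is a separate setting that does not appear in `Get-InboxRule` output, so a full audit should review both.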

Next, we ran a message trace for all emails sent to the offending Gmail account and hit the reporting window limit for Office365. The offending Gmail account was reported to Google, and the offending domain used in the transfer fraud was reported to its registrar. Local authorities were notified, and the client had to send out a notice to their entire customer base notifying them of the compromised mailbox and the potential leaked information.


How to Protect Your Business against Hackers

There were a number of mitigating security policies the client could have implemented that would have prevented or limited damage from this type of compromise. We’ve outlined some of those strategies below and are recommending all our Office365 clients use the recommendations as a guideline for their own strategies.

Additionally, we recommend you talk with LoughTec about which strategies at different price points might be most advantageous for your business to implement:

Zero/Low cost mitigation strategies

  • Enable two-factor authentication – By enabling two-factor authentication, you strengthen your security so only the owner of the token and password can log into Office365. This does require periodic re-authentication so that the token, and token authentication on every web login, remain secure.
  • Disable forwarding rules companywide – This strategy prevents compromised accounts from forwarding emails on autopilot outside the organization.
  • Implement complex and rotating passwords – Static passwords are easier to crack. Threats to email accounts are lessened if passwords go through more frequent rotations.
  • Urge employees to conduct periodic reviews of mail rules and forwards – This empowers employees to be aware of their own settings and improves their ability to recognize if their account has been compromised.

Low cost mitigation strategies

  • Use Advanced Threat Protection for Office365 – This solution provides a layer of security from email spoofing and email phishing scams and discourages virus attacks resulting from email and bank transfer/social engineering fraud.
  • Train employees on cybersecurity strategies – Employee awareness of email, web, and computer security improves their ability to recognize when anything is amiss and reduces one of the most common cyber threats: employee-caused data breaches.

Higher cost mitigation strategies

  • Upgrade to E5 Licensing – This Office365 feature provides behaviour analysis alerting and automatic actions. Those range from automatic account lockouts and forced re-authentication to email and geo-location login alerts. E5 licensing is recommended for high risk employees such as executive team members, those involved in finance, executive assistants, or influencers in financial transactions.

Reduce Your Risk from Cyber Threats

The threat to your business from data breaches is not going away. Whether through your email or a weak point in your network, hackers will find any vulnerability and try to exploit it. The good news is that LoughTec’s team of trained cybersecurity professionals can help you prepare for threats and put the proper tools and practices in place to prevent and limit damage.

Contact Cyber Security Company LoughTec for a free no-obligation discussion on your business cyber security posture. Call +44 (0) 28 8225 2445 or email

LoughTec: Watertight Cyber Security and IT Solutions