BEC On the Rise, Are You Ready?

By now, you have all heard of Business Email Compromise (BEC) cyber-attacks. In fact, many of you have probably seen some sort of BEC or email-based impersonation fraud. The sad fact is that the data shows this is only increasing in frequency and is here to stay. Mimecast, an email and data security company, releases quarterly Email Security Risk Assessment (ESRA) reports, and when you review them, the trends are scary. They found a 269% increase in the number of BEC attacks in the third quarter of 2019 compared to the second quarter of the year. The sharp rise in BEC attacks identified by the report echoes the findings of the State of Email Security 2019 report, also released by Mimecast, which revealed that 85% of the 1,025 global respondents experienced an impersonation attack in 2018, with 73% of those victims having experienced a direct business impact, such as financial, data, or customer loss. This, in conjunction with phishing-campaign statistics showing year after year that users remain one of the biggest vulnerabilities most companies face, should have you asking not if, but when this will happen to us, and are we prepared?

In the past, I have talked about security awareness training and incident response testing, but now I want to focus on a step in between the two: preparation. As I have discussed in a previous incident response article, waiting until there is an issue is a bad time to discover what resources are available. To that end, I want to discuss some common issues that I have seen when companies are faced with a BEC attack. In this article I am going to focus on Office 365 email accounts and settings, since I have seen a considerable increase in usage over the past several years. In Microsoft's last report, it reported that Office 365 commercial has over 180 million users, which has not escaped attackers' notice.

One of the most common issues companies run into is a lack of logging when a business email account is compromised. By default, the most forensically important audit log within Office 365 is not turned on. Microsoft's Unified Audit Log captures activities in Exchange, SharePoint, Yammer, Power BI, Sway, Dynamics 365, Flow, Stream, PowerApps, and Azure Active Directory. The following are auditable activities from within the Unified Audit Log:

· File and page activities

· Folder activities

· SharePoint list activities

· Sharing and access request activities

· Synchronization activities

· Site permissions activities

· Site administration activities

· Exchange mailbox activities

· Sway activities

· User administration activities

· Azure AD group administration activities

· Application administration activities

· Role administration activities

· Directory administration activities

· eDiscovery activities

· Advanced eDiscovery activities

· Power BI activities

· Microsoft Workplace Analytics

· Microsoft Teams activities

· Microsoft Teams Healthcare activities

· Yammer activities

· Microsoft Flow activities

· Microsoft PowerApps activities

· Microsoft Stream activities

· Microsoft Forms activities

· Exchange admin activities

The unified audit logs are critical to investigating a business email compromise; however, there are several limitations that cannot be changed. The first is that email logouts are not recorded, so you will not be able to tell how long someone was in your email system. The logs also cannot identify which messages were read, what search terms were used, or which attachments were viewed. The good news is, most of these attacks CAN be prevented with some simple security best practices. Several entities have produced Office 365 security best practices that can significantly reduce the risk of email compromise, and thus the need to review audit logs at all. Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has released several advisories related to Office 365, including the best practices and mitigations listed below.
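As an added example, not from the article, here is how a responder would pull a suspected-compromised user's sign-in records out of the Unified Audit Log and group them by source address. It assumes the ExchangeOnlineManagement module, a role permitted to run Search-UnifiedAuditLog, and a placeholder user principal name.

```powershell
# Added example (not from the original article): triage one user's sign-ins
# from the Unified Audit Log after a suspected BEC. Assumes the
# ExchangeOnlineManagement module is installed; the UPN is a placeholder.
Connect-ExchangeOnline

$user  = 'alice@example.com'     # placeholder: account under investigation
$start = (Get-Date).AddDays(-30)
$end   = Get-Date

# Only logins exist in the log; there are no logout events, so session length
# can only be inferred from the gap between one login and the next activity.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -UserIds $user -Operations 'UserLoggedIn' -ResultSize 5000

# AuditData is a JSON string; flatten the fields an investigator looks at first.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        Operation = $r.Operations
        ClientIP  = $d.ClientIP
        Result    = $d.ResultStatus
        UserAgent = ($d.ExtendedProperties | Where-Object Name -eq 'UserAgent').Value
    }
}

# A source address that first appears around the suspected compromise date,
# or one with a client string the user never uses, is the first lead.
$events | Group-Object ClientIP |
    Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'First'; e = { ($_.Group | Sort-Object Time)[0].Time } },
        @{ n = 'Last';  e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize

# Keep the raw events for the case file.
$events | Export-Csv -Path ".\$user-logins.csv" -NoTypeInformation
```

Search-UnifiedAuditLog returns at most 5000 records per call, so widen or page the date range for busy accounts.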

  • Use multi-factor authentication. This is the best mitigation technique to use to protect against credential theft for O365 users.
  • Enable unified audit logging in the Security and Compliance Center.
  • Enable mailbox auditing for each user.
  • Ensure Azure AD password sync is planned for and configured correctly, prior to migrating users.
  • Disable legacy email protocols, if not required, or limit their use to specific users.
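As an added example, not from the article or from CISA, the script below checks a tenant against the audit-logging and legacy-protocol items above and, only when run with -Fix, applies the corresponding settings. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the allow list is a placeholder. MFA enforcement lives in Azure AD rather than Exchange Online and is not checked here.

```powershell
# Added example (not from the article or CISA): readiness check for the CISA
# items above. Assumes the ExchangeOnlineManagement module; reports only
# unless -Fix is supplied.
param([switch]$Fix)

Connect-ExchangeOnline

# 1. Unified audit log ingestion: off by default in many tenants.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is DISABLED'
    if ($Fix) { Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true }
}

# 2. Mailbox auditing: an organization-wide switch plus a per-mailbox flag.
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled at the organization level'
    if ($Fix) { Set-OrganizationConfig -AuditDisabled $false }
}
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($mb in $mailboxes | Where-Object { -not $_.AuditEnabled }) {
    Write-Warning "Mailbox auditing off: $($mb.UserPrincipalName)"
    if ($Fix) { Set-Mailbox -Identity $mb.Identity -AuditEnabled $true }
}

# 3. Legacy protocols: SMTP AUTH is governed tenant-wide in the transport
#    config; POP and IMAP are per mailbox. Keep an allow list for the few
#    users with a documented need.
if (-not (Get-TransportConfig).SmtpClientAuthenticationDisabled) {
    Write-Warning 'SMTP AUTH is enabled tenant-wide'
    if ($Fix) { Set-TransportConfig -SmtpClientAuthenticationDisabled $true }
}
$allowList = @()   # placeholder: UPNs that genuinely still need POP/IMAP
foreach ($cas in Get-CASMailbox -ResultSize Unlimited) {
    if ("$($cas.PrimarySmtpAddress)" -in $allowList) { continue }
    if ($cas.PopEnabled -or $cas.ImapEnabled) {
        Write-Warning "POP/IMAP enabled: $($cas.Identity)"
        if ($Fix) {
            Set-CASMailbox -Identity $cas.Identity -PopEnabled $false -ImapEnabled $false
        }
    }
}
```

Run it once without -Fix to see the delta, then with -Fix during a change window, since disabling POP/IMAP breaks any client still relying on them.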

When implemented correctly, these best practices have been found to be highly effective. A report from Barracuda Networks' research team showed that if Office 365 administrators had followed the best practices described above, most if not all of the accounts compromised as part of the Account Takeover (ATO) attack campaign discovered by Barracuda Networks would have resisted infiltration attempts from cybercriminals. This goes to show that when it comes to cybersecurity, a proactive approach is always the best one. Don't wait until there is an issue when a few security best practices can avoid most of them.