Email security is considered by many CEOs, CFOs and other C-levels as an issue that has been mostly solved – they have all seen phishing attempts, BEC emails and malware in their inboxes – and believe they will know how to behave when they face the next attack. This couldn’t be further from the truth. Attackers don’t sit still and are always evolving to find new ways in. In this blog we will cover the ins and outs of a growing threat: intradomain-based attacks.
Today, the majority of organizations invest heavily in protecting their employees from attacks originating outside the organization. The more advanced ones are also applying advanced solutions to other entry points such as cloud storage, CRM, and messaging. Once a threat has managed to pass all of these layers, they count on the end point solutions to serve as the last frontier.
However, protecting against malicious emails from only external sources is simply not enough anymore. Contrary to popular belief, the days when email-borne threats come only from external parties are long gone.
Attackers are always on the lookout for ways to bypass and evade security checks in order to gain access to the end user. As attackers become more and more sophisticated, they are implementing more innovative ways to cause damage. One of their newer methods is by gaining authenticated access to a real employee’s email account and operating freely from within the organization. They rightfully assume that many organizations are saving money and not protecting internal communications because they trust their employees. This technique, known as “Account Takeover” (ATO), is gaining traction and popularity as it is extremely effective: according to Forter’s Fifth Fraud Attack Index, the number of ATOs has increased by 31% in year over year. Furthermore, Javelin research estimates that U.S. businesses lost more than $5 billion as a result of account takeovers during 2017.
In today’s world, due to the lack of proper defense against ATO’s and intradomain-based attacks, once an attacker is inside, he can do almost anything – spread malware, encourage employees to give away credentials via phishing links, or even directly target the financial department to wire transfer money.
Internal Attack Vectors
Although account takeover is the major threat within internal e-mail, it is not the only one. An internal attack can also occur when an employee or a group within an organization seeks to disrupt operations or exploit organizational assets.
We see three main attack vectors used through internal emails.
(1) Account Takeover (ATO) is when an attacker takes over a legitimate account or inserts himself into a message thread. In this case, the attacker can send an email with a link to a malicious file. Sophisticated attackers understand that once they gain an employee’s credentials they can “land and expand”, causing exponential damage.
(2) Insider Threat is a malicious attack that comes from within the organization. In most cases, it comes in the form of an unhappy employee that sends malicious content. A highly-skilled and disgruntled employee might choose to initiate an internal attack against his own company.
(3) Unintentional Spread happens when an unaware employee shares a phishing link or malicious content they got from another channel (e.g. WhatsApp) without being aware it is malicious. Copying directly from an unprotected channel into an internal e-mail (e.g. on their mobile phone) might bypass all regular security measures.
From this point forward, we will mostly refer to the category of ATOs and how attackers first gain access to accounts. Once they do gain access, all three of the above categories are similar when it comes to prevention.
Lateral Phishing Kill Chain
An account takeover happens when an intruder obtains legitimate log-in credentials of a targeted user and leverages them to spread malicious emails to other users in the organization. An attack through an internal email, usually looks like this:
1. Credential Theft: Intruder obtains legitimate log-in credentials of the targeted account via phishing, social engineering, or any other channel.
2. Reconnaissance and Weaponization: Intruder explores the e-mail box to understand the attacked user’s social interactions within the organization and looks for an opportunity to strike.
3. Delivery: Intruder sends malicious emails to different employees in the organization, spreading files or URLs until another user takes the bait. Many times, the intruder follows an already active e-mail thread to prevent suspicion and bypass the regular patterns of email threat detection, thus managing to overcome regular security awareness training.
4. Result: Intruder obtains confidential data or financial gain from mistaken actions made by the targeted users.
Attackers use three common methods to takeover accounts:
1. Credential Stuffing. Attackers exploit users’ habit of using the same username and password across multiple accounts. Hackers try specific passwords they gained from the hacked account of a less secured service an employee has used, and they use bots to test lists of credentials they obtained from data dumps of breached web sites of name-password combinations.
2. Credential Cracking. Similar to credential stuffing, attackers try various passwords to gain access into employee’s accounts. The difference is the scale. In this approach, attackers try to brute-force their way into accounts by trying variations of passwords they have found from hacked services and other common password dictionaries.
3. Credential Phishing. Attackers use regular phishing methods delivered through inbound e-mail or other services to trick employees into giving them their password through fake login web sites.
Once attackers get a foot in the door and obtain credentials for authenticated access to your mailbox, they can do whatever they like – spread malware, deliver malicious links and even obtain personal data or extract money. By neglecting the intradomain email space, companies remain exposed to sophisticated attackers that passed the front lines of defenses, although these companies still have a chance to prevent the most of the damage from happening.
In regular phishing an attacker sends an email from an account designed to look like a legitimate business. With more people aware of this scheme, it is getting harder to fool people.
Lateral phishing happens when an intruder sends phishing emails to peers through an internal legitimate account, thus gaining access to many new log-in credentials that can be used by the intruder or others for further creation of havoc. The success rate of this attack is almost guaranteed because the recipient recognizes the email account and is usually not suspecting anything.
Sending phishing and malware through the overtaken account is not the only exploitation used by attackers. An Intruder can also use the log-in credentials of an email they got through lateral phishing to spread threats in other collaboration channels (e.g. messaging apps or cloud storage platforms) which might be less protected (see Cloud Storage Security Risks).
Protecting Internal Email
Once understanding the full risk an unprotected internal e-mail service poses, the CISO must form a strategy to protect it. This strategy should have two main threads:
1. Security experts must treat this vector like they would treat any other point of communication: monitor the content of the traffic, enforce policies to meet the organizational standards, and implement security measures designated to protect it.
2. Mitigate the threat once discovered. One successful infiltration can escalate and harm the entire organization. CISOs must leverage a holistic, centralized threat detection mechanism to monitor the threat and make sure does not spread across the network.
As a matter of fact, Gartner predicts that by 2023, 65% of organizations will scan internal traffic for advanced threats.
Perception Point's Solution
It’s now clear that preventing only external email-borne attacks is simply not enough. Internal security must be enhanced by deploying advanced solutions that prevent account takeovers and lateral phishing attempts.
However, until today, scanning internal emails were problematic causing significant delays in email delivery or damaging the links or files.
Perception Point’s technology has solved these problems. Our platform takes a holistic approach to preventing threats across all cloud services in the organization within one unified system. The same layers of protection built to protect inbound e-mail (threat intelligence, anti-phishing, anti-impersonation, detonation, and more) are applied to protect internal e-mails.
Our layered solution combines multiple engines that work together to intercept spam, phishing, malware, BEC-based or highly advanced attacks, without compromising on end user experience. Perception Point intercepts internal threats driven by the multiple layers of defense philosophy – preventing attackers from neither “landing” in your organization or
“expanding” across your users:
1. ATO prevention designated, unique engines work to prevent any attempt to phish credentials from each channel protected by Perception Point.
2. Lateral Phishing Perception Point has invented a new way to intercept intradomain attacks, without compromising on user experience. Applying 7 layers of defense prevent any attack from expanding across your protected channels.
Learn more about our e-mail security product here.
you may also like
Connect with our team to:
* Learn more
* Get a live demo
* Get a quote
* Set up a free 30 day trial
We will respond to your enquiry within 24 hours.