Are your Exchange Online accounts safe?

Cyber security Kristóf Arleitner todayFebruary 8, 2022 451

share close

You might think your corporate email accounts are safe enough, maybe you have a decent password policy, and your email service does a pretty good job of filtering suspicious emails and malicious URLs. Still, there are ways attackers could gain access, and the playing field isn’t level, cybersecurity threats are asymmetric. Meaning an attacker wins even if they succeed once out of a million tries, while defenders have to fend off all of their attempts without exception.


Use MFA!

"USE MFA" license plates on a car
Maybe this license plate is a sign for something… (source: Twitter)

Business Email Compromise

According to IC3’s 2020 report, BEC/EAC (business email compromise, email account compromise) makes up a whopping half of the money lost to cyber crime each year, almost $2 billion a year in itself, dwarfing categories like identity theft, tech support scams, investment fraud or credit card fraud.

Cyber crime loss categories (source: FBI IC3’s Internet Crime Report, 2020)

In a business email compromise (BEC), an attacker sends an email message to the victim, impersonating the real owner of the sender email account. There are two sides to this:

  • Your organization’s email accounts could be compromised to defraud your own company or one of your clients. You can mostly prevent this from happening by using the strong multifactor authentication methods available for Exchange Online.
  • You could be the one receiving the malicious email from someone else’s compromised account. There’s not much you can do to prevent these emails from arriving, as technically they will appear legitimate. It’s more a question of being able to detect them and report them to the IT or security departments.
How does CEO/BEC fraud work? (source: Europol’s handy infographic PDF)

Consider these scenarios:

  • A vendor your company regularly works with sends you an invoice with updated payment details
  • A CEO asks someone to purchase gift cards, then requests the serial numbers of the cards, ostensibly to use them as employee rewards
  • A CEO pressures their employee to urgently issue a wire transfer
A CEO’s compromised email account ordering a fraudulent wire transfer (source: FBI)

Long story short, the attacker impersonates e.g. a vendor or the CEO of your company and attempts to social engineer an employee into transferring funds in one form or another. Attackers’ writing style is often spot on, mimicking that of the person they’re impersonating, even email signatures and non-English language proficiency.

Signs that you received a BEC scam email or call (source: Europol)

To look into a bit of a futuristic scenario, advanced attackers could also try to impersonate someone’s voice or video image in real time using machine learning algorithms. Think of a phone call or Zoom call, talking to your CEO, except it’s not really them, but a scammer impersonating their voice or video image with uncanny precision using advanced technology.

Analysis of a real video on the left and a deepfake on the right

While this technique is intriguing and there are a small handful of real-life targeted scams carried out like this, we don’t have to worry about deepfake scams in practice (yet). Email compromise is much more common and it’s the low-hanging fruit that attackers will go for.

It’s not enough to be vigilant about emails you receive. You yourself could also easily be the person whose business email account gets compromised and abused to trick your colleagues or clients. This will likely lead to financial damage and a loss of trust towards your business as a whole.

What you can do to protect email accounts

These days we need to be able to access our email from anywhere, anytime. Think of all the laptops and smartphones that employees carry with them, working sometimes from the office, other times from home, in the field or on the go. For Exchange Online, this is made possible by the service being exposed to the Internet where users can sign into their business email accounts.

Users, employees need to authenticate themselves somehow, otherwise anyone could sign into their accounts. Traditionally this has been done with only a username and password combination, which turned out not so well.

Analysis of a large set of real passwords (source: Troy Hunt – The Science of Password Selection)

Microsoft’s Azure AD identity management service, responsible for securing all Exchange Online accounts, manages 1.2 billion identities and handles 8 billion authentications on a daily basis. (“Identity” basically means a user account.) Millions of accounts are probed and sometimes hundreds of thousands are breached daily.

Logic would dictate that if we avoid simple passwords like dictionary words or anything related to us personally, then we’re all good and safe. That’s true to some extent, a password like 2ouCy7eWqqNkisRA definitely beats something like 1234qwer.

Except Microsoft’s data shows that the largest impact on account security is not password complexity, but whether or not MFA (multifactor authentication) is set up for the account. Your accounts are 99.9% less likely to be compromised when using MFA, even with SMS or secondary email based MFA. It’s simply too much effort for most attackers to circumvent even the most basic forms of multifactor authentication, not to mention stronger options like a mobile app or a hardware security key.

See here for information on how to get started:

How we can help

Elevating your state of security requires a constant effort, implementing a few key measures may not be enough with the current threat landscape. Also, being inside an organization and infrastructure sometimes creates blind spots where it is simply impossible to see clearly how some steps could help. We can help you pinpoint the areas in need of improvement – contact us for a free initial online consultation.

  • Assessing the security posture of your organization’s email system.
  • Suggesting improvements.
  • Uncovering blind spots.
  • Fine-tuning the configuration of your identity infrastructure.

Written by: Kristóf Arleitner

Tagged as: , .

Rate it
Previous post

Similar posts