How a Mimecast miss led to a wide scale email compromise
In the last few years, email attacks have rapidly increased in volume and sophistication, with well-researched and convincing impersonation attacks accompanying rising cases of account takeovers. Their sophistication has particularly accelerated over the course of 2020, with globally pertinent news and more businesses embracing new ways of working proving to be fertile content for email attacks.
In this threat landscape, traditional email tools – which create rules for what ‘bad’ emails look like based on past campaigns – are missing these novel and sophisticated hoax emails.
This blog looks at an Australian logistics company that had Mimecast operating in its Microsoft 365 environment, but moved to an autonomous approach to email security when a malicious email — deemed benign by all other tools — was detected by Darktrace’s AI.
The company was trialling Antigena Email which was installed in passive mode, meaning it wasn’t configured to actively interfere. However, looking into the email dashboard allows us to see what actions the technology would have taken – and the consequences of relying purely on gateways to stop advanced threats.
Without AI taking action, compromising one employee’s email account was all the attacker needed to continue making headway throughout the business. The attacker accessed several sensitive files, gathering details of employees and credit card transactions, and then began communicating with others in the organization, sending out over two hundred further emails to take hold of more employee accounts. This activity was picked up in real time by Darktrace’s Microsoft 365 SaaS Module.
Details of the attack
The company was under sustained attack from a cyber-criminal who had already performed account hijacks on a number of their trusted partners. Abusing their trusted relationships, the attacker sent out several tailored emails from these partners’ accounts to the Australian company. All used the same convention in the subject – RFP for [compromised company’s name] – and all appeared to be credential harvesting.
Figure 1: A sample of the malicious emails from the hijacked accounts; the red icon indicating that Antigena Email would have held these emails back
Each of these emails contained a malicious payload, which was a file storage (SharePoint) link, hidden behind the below text. It’s likely the attacker did this to bypass mail link analysis. Mimecast did rewrite the link for analysis, but it failed to identify it as malicious.
Figure 2: Darktrace surfaces the text behind which the link was hidden
When clicked on, the link took the victim to a fake Microsoft login page for credential harvesting. This was an accurate replica of a genuine login page and sent email and password combinations directly to the attacker for further account compromise.
Figure 3: The fake Microsoft login page
A number of employees read the email, including the CEO; however only one person – a general manager – appeared to get their email account hijacked by the attacker.
About three hours after opening the malicious email, an anomalous SaaS login was detected on the account from an IP address not seen across the business before.
Open source analysis of the IP address showed that it was a high fraud risk ISP, which runs anonymizing VPNs and servers – this may have been how the attacker overcame geofencing rules.
Shortly afterwards, Darktrace detected an anonymous sharing link being created for a password file.
Darktrace revealed that this file was subsequently accessed by the anomalous IP address. Deeper analysis showed that the attacker repeated this methodology, making previously protected resources publicly available, before immediately accessing them publicly via the same IP address. Darktrace AI observed the attacker accessing potentially sensitive information, including a file that appeared to hold information about credit card transactions, as well as a document containing passwords.
Perpetuating the attack
The following day, after the attacker had exhausted all sensitive information they could elicit from the compromised email account, they then used that account to send out further malicious emails to trusted business associates using the same methodology as before – sending fake and targeted RFPs in an attempt to compromise credentials. Darktrace’s SaaS Module identified this anomalous behavior, graphically revealing that the attacker sent out over 1,600 tailored emails over the course of 25 minutes.
Figure 7: A graphical representation of the burst of emails sent over a 25 minute period
Why AI is needed to fight modern email threats
For the logistics company in question, this incident served as a wake-up call. The Managed Security Service Provider (MSSP) running their cloud security was completely unaware of the account takeover, which was detected by Darktrace’s SaaS Module. The organization realised that today’s email security challenge requires best in class technologies that can not only prevent phishing emails from reaching the inbox, but detect account takeovers and malicious outbound emails sent from a compromised account.
This incident caused the organization to deploy Antigena Email in active mode, allowing the technology to stop the most subtle and targeted threats that attempt to enter through the inbox based on its nuanced and contextual understanding of the normal ‘pattern of life’ for every user and device.
The reality is, hundreds of emails like this trick not only humans, but traditional security tools every day. It’s clear that when it comes to the growing email security challenge, the status quo is no longer good enough. With the modern workforce more dispersed and agile than ever, there is a growing need to protect remote users across SaaS collaboration platforms, whilst neutralizing email attacks before they reach the inbox.
Thanks to Darktrace analyst Liam Dermody for his insights on the above threat find.