Targeted Business Email Compromise through weaponising your own tenant!

As we in the ‘Industry’ are well aware, 90% of cyber security incidents start with email. It’s simple: we all use it, and an email attack targets the weakest link in our security posture, you and me.
During the past month an old/new cyber criminal attack has been working its way into small and mid-sized businesses in Australia. I have assisted several customers to this point who are unable to find a technical solution to the problem and are even unsure whether they have stopped the attack.
The attack I am referring to is related to Tailored Subdomains (see Tailored Subdomains Found in Credential Phishing Campaigns). From my experience so far these attacks require some intent on the attacker’s part: they go beyond the opportunistic and into areas that will affect businesses in Australia that are ill equipped to deal with them.
With this current attack, email security tools don’t block the emails, and why would they? The emails come from legitimate email domains, and the company login portal looks legitimate too.
Credential phishing campaigns are using customers with insecure tenants, creating subdomains and tricking unsuspecting users into entering their credentials, thereby handing a threat actor credentials that are typically used immediately to log in to the tenant. Past this point I have not seen further activity, but I expect all the typical starting phases (discovery, reconnaissance, privilege elevation) to occur, or simply the gathering of credentials to sell on the dark web, though this seems less likely as the attacks appear more local than I have previously found.
These attacks are not originating in the nations typical of my past experience, e.g. Russia or a host of other European countries. This time the attacks ‘seem’ to come from the USA and Australia. Sure, maybe it is a VPN, or worse, maybe there are bad people targeting local businesses from within our shores now, which seems to make sense from the evidence.
Slowing this old/new attack is down to a few indirect processes:
- An adequate security posture across the assets your business needs to operate with: Protect, Detect, Respond (at the least)
- Network Layer 8 security tools: the people who click the emails, the people your business relies on completely to stay in business.
So how do you mitigate or manage this risk? First I will state that my list is by no means exhaustive and I am not an expert, but time and time again a successful defence against cyber crime comes down to some basics:
- Have an incident response plan and invoke it when any suspicious activity occurs – scratching beneath the surface could show much deeper issues.
- Disable the ability for users to set up subdomains on your M365 tenant – you may be surprised what access a normal user has to the M365/Azure admin portals – try it with your normal user account.
- Ensure a robust user awareness training program is in place for all employees; train your users to identify phishing emails and make sure they report them rather than simply deleting them.
- Ensure that URL and attachment sandboxing is enabled, and consider, if possible, blocking .HTM attachments.
- Create a no-threat environment for when a user does make a mistake, so that they will report the attack.
- Have robust security controls, such as multifactor authentication, device security, identity security, email security, an OS and application patching process, and a good team to help with the investigation.
- Look to engage a security partner who can provide services to help reduce the risk of a cyber incident through good security posture baselines, and who can provide expert assistance when you have run out of your own capabilities.
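A starting point for the ‘detect’ side of the advice above, added here as an example and not code from the original post: a Python check that reads Entra ID directory audit records and flags any domain add or verify event that either targets a domain not on your approved list or was initiated by an account outside your admin group. The audit records, activity names, domains and accounts below are constructed for the example; the field names follow the Microsoft Graph directoryAudit schema, and the activity names are assumed.

```python
import json

# Constructed sample of Entra ID directory audit records, one JSON object per
# line. Field names follow the Microsoft Graph directoryAudit resource; the
# activity names, domains and user accounts are assumed for this example.
SAMPLE_AUDIT_LOG = r'''
{"activityDateTime":"2024-05-02T01:12:09Z","activityDisplayName":"Add unverified domain","category":"DirectoryManagement","result":"success","initiatedBy":{"user":{"userPrincipalName":"it-admin@contoso.example"}},"targetResources":[{"type":"Domain","displayName":"contoso.example"}]}
{"activityDateTime":"2024-05-02T03:41:55Z","activityDisplayName":"Add unverified domain","category":"DirectoryManagement","result":"success","initiatedBy":{"user":{"userPrincipalName":"sales.user@contoso.example"}},"targetResources":[{"type":"Domain","displayName":"login-contoso.example"}]}
{"activityDateTime":"2024-05-02T03:42:10Z","activityDisplayName":"Update user","category":"UserManagement","result":"success","initiatedBy":{"user":{"userPrincipalName":"sales.user@contoso.example"}},"targetResources":[{"type":"User","displayName":"Sales User"}]}
{"activityDateTime":"2024-05-02T09:05:00Z","activityDisplayName":"Verify domain","category":"DirectoryManagement","result":"success","initiatedBy":{"user":{"userPrincipalName":"it-admin@contoso.example"}},"targetResources":[{"type":"Domain","displayName":"portal-contoso.example"}]}
'''

# Activities that create or verify a domain in the tenant (assumed names).
DOMAIN_ACTIVITIES = {"Add unverified domain", "Add verified domain", "Verify domain"}


def parse_audit_log(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_domain_events(records, approved_domains, admin_upns):
    """Return one alert per domain add/verify event that targets a domain
    outside the approved list or was initiated by a non-admin account."""
    alerts = []
    for rec in records:
        if rec.get("activityDisplayName") not in DOMAIN_ACTIVITIES:
            continue  # not a domain change; ignore
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        for target in rec.get("targetResources", []):
            if target.get("type") != "Domain":
                continue
            domain = target.get("displayName", "").lower()
            reasons = []
            if domain not in approved_domains:
                reasons.append("domain not on approved list")
            if actor.lower() not in admin_upns:
                reasons.append("initiated by non-admin account")
            if reasons:
                alerts.append({"time": rec.get("activityDateTime"), "actor": actor,
                               "domain": domain, "activity": rec["activityDisplayName"],
                               "reasons": reasons})
    return alerts


if __name__ == "__main__":
    approved = {"contoso.example", "contoso.onmicrosoft.com"}  # your known tenant domains
    admins = {"it-admin@contoso.example"}                      # accounts allowed to add domains
    for a in find_suspicious_domain_events(parse_audit_log(SAMPLE_AUDIT_LOG), approved, admins):
        print(a["time"], a["activity"], a["domain"], "by", a["actor"], "->", "; ".join(a["reasons"]))
```

In practice the records would come from the tenant’s audit log export or a SIEM query rather than an embedded string, and the two alerts this sample raises are exactly the events an IR plan should trigger on.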
I say this because a common element across all of the incidents I supported was that the people involved don’t have time for cyber security incident response. IR requires significant time and resources on top of normal business operations, which all fall away while looking for a “needle in a haystack”.
Many organisations just don’t have the expertise to know what to do, and yet these incidents are becoming more frequent among small and mid-sized businesses, who do not have enough resource to begin with to manage day-to-day operations, let alone manage a cyber security incident.
Finally, regardless of your choices above, ensure that you have a way of leveraging all the signals and telemetry data in one place to make responding to an incident more efficient – not easier, as cyber security incident response is NOT EASY.