Business Email Compromises in Office 365

Posted by Mark Greisiger

A Q&A with Chris Salsberry of Crypsis
One of the most prominent cyber threats affecting companies right now is business email compromise (BEC). These attacks typically begin with phishing emails that capture log-in credentials. The widely used cloud-based Microsoft Office 365 has become a favourite target, with millions of dollars lost in fraudulent wire transfers over the past couple of years. We talked to The Crypsis Group's senior director Chris Salsberry about this attack vector and how companies can avoid being compromised.

Can you describe to a layman the problem with Office 365 BEC?
These are essentially very sophisticated phishing campaigns where outsiders can email their way into a corporate environment and use social engineering to gain access to money. These spoofed emails can be very hard for a layperson to detect. What has made this problem so acute is the fact that many people nowadays use their email as a filing system, leaving much of their important data in their folders and files, so the amount of data exposed to an intruder could be quite significant. The primary focus here is on monetary gain, so the cases we see typically involve people trying to gain access to large wire transfers—a worst case scenario might involve the loss of millions of dollars. This is the fastest growing issue in cyber security right now. Over the past year we’ve seen extraordinary growth in this area with the number of BEC incidents skyrocketing. 

What are some symptoms that a compromise has occurred?
There are three different types of situations we see. In some cases, attackers will impersonate an established vendor and email an employee to get a wire transfer approved. They'll ask if an invoice being paid could be wired to an alternate account. Ninety days will go by and the person who was supposed to receive the money will call to inquire about it, only to discover it's already been paid to the attacker. Or, they may impersonate the company and target the third-party vendors, trying to collect their money. A third instance we see is payroll access diversion, particularly when it's a cloud-based payroll system. We know that has occurred when employees complain that they're not getting their paycheck.

How can a customer secure and restore their Office 365 email function?
Reset all passwords, use multi-factor authentication. Conduct a security audit of Office 365 to make sure its full security functions are being used and maximized. Microsoft provides many tools to secure that environment but you have to know how to turn them on. Be sure to remove any rules created by a potential attacker as a result of gaining access. It's also a good idea to create a policy to prohibit forwarding rules and otherwise secure multi-tenant access control.
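The rule clean-up and forwarding policy described in the answer above, worked through in Exchange Online PowerShell. This is an added example, not code from the original article or from Crypsis. It assumes the ExchangeOnlineManagement module, an account with Exchange administrator rights, and placeholder values for the internal domain and output path; the keyword list used to flag rules is an assumption drawn from common BEC tradecraft, not from the interview.

```powershell
# Added example (not from the article or Crypsis): hunt for attacker-created inbox
# rules and mailbox forwarding across a tenant, then block external auto-forwarding.
# Assumptions: 'contoso.com' and the CSV path are placeholders; the keyword list is
# illustrative. Requires the ExchangeOnlineManagement module.

Connect-ExchangeOnline

$internalDomain = 'contoso.com'   # placeholder: your tenant's primary SMTP domain
$report = @()

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (set via admin rights or Outlook options) bypasses inbox rules entirely
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $report += [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Rule    = '<mailbox forwarding>'
            Detail  = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
        }
    }

    # -IncludeHidden matters: rules created through MAPI/outside Outlook can be hidden from the UI
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = $targets | Where-Object { $_ -and ($_ -notlike "*@$internalDomain*") }

        # Typical BEC rules: forward or redirect outside the company, silently delete, or bury
        # messages in a folder nobody reads, keyed on invoice/wire/bank language.
        $suspicious = $external -or
                      $rule.DeleteMessage -or
                      ($rule.MoveToFolder -match 'RSS|Archive|Junk|Deleted|Conversation History') -or
                      ($rule.SubjectContainsWords -match 'invoice|wire|payment|bank|ACH|remit')

        if ($suspicious) {
            $report += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Detail  = "Targets: $($targets -join ',') Delete: $($rule.DeleteMessage) Move: $($rule.MoveToFolder)"
            }
        }
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path .\suspicious-rules.csv -NoTypeInformation   # placeholder path

# After review, disable rather than delete each attacker rule so it survives as evidence:
#   Disable-InboxRule -Mailbox user@contoso.com -Identity 'RuleName' -Confirm:$false

# Tenant-wide policy: stop automatic forwarding to external recipients.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

On a large tenant the per-mailbox Get-InboxRule loop is slow and subject to throttling, so run it once as a baseline and then rely on audit-log alerting for new rules. Disabling rather than removing a rule keeps its definition intact for the forensic review, which is why the example leaves the removal as a commented-out step.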

What are some forensic investigation challenges with regard to conducting Office 365 log reviews?
The data you can get is only as good as the logs being kept. It's also a matter of being quick to respond. The longer a company waits to engage a forensic vendor, the better the chance that their logs will be overwritten and that emails will be deleted. A preservation effort up front and an implemented incident response plan can help quite a bit. Unfortunately, many people have not integrated Office 365 or cloud services into their incident response plans. It has to be a holistic approach that covers the entire environment—someone gaining access to email can potentially gain credentials to other systems where potentially sensitive information is exposed.
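The preservation step described above, as an added example that is not part of the original interview or Crypsis's tooling: it pulls the Office 365 unified audit log records most relevant to a BEC case and writes the raw records to disk before they age out of retention. It assumes the ExchangeOnlineManagement module, an account permitted to search the audit log, and placeholder values for the date range, operations list and output paths.

```powershell
# Added example (not from the article or Crypsis): export unified audit log entries
# relevant to a BEC investigation and preserve them, raw, before retention expires.
# Assumptions: 90-day window (many tenants keep only 90 days by default), the
# operations list, and the output file names are all placeholders to adjust.

Connect-ExchangeOnline

$start = (Get-Date).AddDays(-90)
$end   = Get-Date
$ops   = @('New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox',
           'Add-MailboxPermission', 'UserLoggedIn', 'UserLoginFailed', 'MailItemsAccessed')

# Search-UnifiedAuditLog returns at most 5000 rows per call; a SessionId lets us page through
$sessionId = "bec-$(Get-Date -Format yyyyMMddHHmmss)"
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
                -SessionId $sessionId -SessionCommand ReturnNextPreviewPage -ResultSize 5000
    if ($page) { $records += $page }
} while ($page -and $page.Count -eq 5000)

# 1) Preserve the untouched records (AuditData is the JSON Microsoft stores; keep it verbatim)
$records | Select-Object CreationDate, UserIds, Operations, AuditData |
    ConvertTo-Json -Depth 5 | Set-Content -Path .\audit-raw.json        # placeholder path

# 2) Flatten a working copy for triage: who did what, from which IP, with which parameters
$records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time     = $_.CreationDate
        User     = $_.UserIds
        Op       = $_.Operations
        ClientIP = $d.ClientIP
        Detail   = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
} | Export-Csv -Path .\audit-summary.csv -NoTypeInformation              # placeholder path

# 3) First question in any BEC case: which source IPs created or changed rules?
Import-Csv .\audit-summary.csv |
    Where-Object { $_.Op -in @('New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules') } |
    Group-Object ClientIP | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Run the export before any remediation (password resets, rule removal) so the log reflects only the attacker's activity, and hash the raw JSON file once written so its integrity can be shown later. If the search returns nothing for an operation you expect, check that audit logging was actually enabled for the tenant; the "only as good as the logs being kept" point above is usually where an investigation stalls.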

Are there any cost-saving techniques that Crypsis can offer a client or their Breach Coach®?
We have technology that allows you to work with the different logs Microsoft provides to get a good overall picture of what the attackers are doing. I would also say that we work with clients to put together a proper Incident Response Plan that encompasses BEC incidents and can minimize damage. And again, I would stress using complex passwords, multi factor authentication and treating any BEC as more than a cloud-based attack. It truly needs to be handled like a network attack.

In summary…
We want to thank Chris (and Crypsis) for his commentary on the growing risk of BEC, and in particular BEC with Office 365. We find that our risk manager clients, their insurance brokers, and our cyber risk insurance company customers are increasingly concerned about the cyber claims/losses attributed to BEC, resulting from the schemes that Chris laid out. In our 2018 Cyber Claims Study, the average BEC-related loss was $140,000, and some cases exceeded $1 million (significant since most claims impacted small business). These costs can also include needed services such as computer forensic investigation and notifying data breach victims, as well as the monies fraudulently stolen. Finally, Chris rightly points out that companies can significantly mitigate risk by implementing baseline cybersecurity safeguards such as multi-factor authentication.