Any organization using email is at risk of an email account compromise. Email account compromise (EAC) is when a bad actor gains unauthorized access to an email account through any of several attack techniques, and it can put organizations at financial risk. The FBI estimated that in 2021, account compromises resulted in nearly $2.4 billion in losses (IC3 Report, 2021). EAC attacks exploit trusted relationships across colleagues, customers, partners, and other parties to conduct malicious attacks. Once an email account has been compromised, bad actors can spread ransomware, exfiltrate sensitive data, and divert funds to fraudulent accounts.
The actions taken by bad actors in an attempt to compromise accounts create signals throughout the system before, during, and after an account has been compromised. These actions leave artifacts that can be analyzed to determine whether an account is being used by its designated owner or by an unauthorized user for malicious gain. The good news is that bad actors leave breadcrumbs of malicious intent; the bad news is that these signals are hard to pinpoint on their own as a leading cause of account compromise. The signals left behind often seem normal and unconnected, such as a failed 2FA login or a password reset alert. These events are hard to classify as leading indicators of a compromised account because, at first glance and in isolation, they look like innocent events. Security admins must quickly and accurately distinguish everyday activity from malicious intent, or risk a compromised account.
Armorblox is making this job easier for security admins through the release of enhanced EAC capabilities for detection, investigation, and remediation of email account compromise incidents. Armorblox machine learning-based detection provides highly accurate detection of compromised accounts. Armorblox EAC Timeline View captures and organizes all signals associated with potential account compromise in a single, consolidated audit trail. This enables admins to easily investigate and take quick action to lock down an account to protect users and the organization.
Armorblox EAC detection goes beyond hard-coded signal detection; machine learning algorithms provide the precision necessary to identify the signals and events with malicious intent. Using machine learning, Armorblox applies contextual understanding across signals instead of just looking at individual activities, for accurate detection. Looking at a single instance of a failed 2FA login would not be grounds to raise concern; however, when looking at the broader picture, this failed 2FA login paired with a login attempt from an anonymous IP can be a leading indicator of a potential account compromise.
To maintain accuracy and to reduce alert fatigue, Armorblox looks at the big picture, across threat intel, understanding the context behind email behavior to detect account compromise. Armorblox gathers and organizes signals and alerts across integrations with Microsoft to reduce mean time to respond.
Armorblox enables fast threat investigation by consolidating the audit trail of analyzed signals into the Armorblox platform as a single timeline view. Signals are collected before, during, and after an account compromise so that admins can investigate how the account was compromised and clearly follow any additional attacks performed after the compromise.
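The two ideas above (correlating a weak signal such as a failed 2FA login with a subsequent login from an anonymous IP, and laying the per-account signals out as a single timeline) can be illustrated with a small rule-based correlator. The code below is an added example and is not Armorblox code; it does not reproduce their machine-learning model. The event names, the `anonymous_ip` flag (assumed to be set upstream by a threat-intel lookup), the 30-minute window, and the sample events are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One audit-log signal for an account (constructed schema, not a vendor format)."""
    ts: datetime
    user: str
    kind: str                  # login_ok | login_fail | 2fa_fail | password_reset | forwarding_rule
    ip: str
    anonymous_ip: bool = False  # assumption: tagged upstream by a threat-intel IP lookup


def _t(hour, minute):
    return datetime(2021, 6, 1, hour, minute)


# Constructed sample events; addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    # alice: a failed 2FA from the office followed by a clean office login (benign noise)
    Event(_t(9, 0), "alice@example.com", "2fa_fail", "203.0.113.10"),
    Event(_t(9, 1), "alice@example.com", "login_ok", "203.0.113.10"),
    # bob: failed 2FA, then a successful login from an anonymizing IP, then a new forwarding rule
    Event(_t(10, 0), "bob@example.com", "2fa_fail", "198.51.100.7", anonymous_ip=True),
    Event(_t(10, 5), "bob@example.com", "login_ok", "198.51.100.7", anonymous_ip=True),
    Event(_t(10, 9), "bob@example.com", "forwarding_rule", "198.51.100.7", anonymous_ip=True),
    # carol: a lone password reset alert with nothing around it
    Event(_t(11, 0), "carol@example.com", "password_reset", "203.0.113.44"),
]

# Signals that look innocent on their own but matter in context.
WEAK_SIGNALS = {"2fa_fail", "login_fail", "password_reset"}
# Actions typically seen after a takeover; reported so the admin can follow the post-compromise trail.
POST_COMPROMISE = {"forwarding_rule"}


def build_timeline(events, user):
    """Consolidated, time-ordered audit trail for one account."""
    return sorted((e for e in events if e.user == user), key=lambda e: e.ts)


def assess_account(events, user, window=timedelta(minutes=30)):
    """Return (level, reasons): 'high' when a weak signal is followed within `window`
    by a successful login from an anonymous IP, 'medium' for an anonymous login alone,
    'low' when only isolated weak signals are present."""
    timeline = build_timeline(events, user)
    level, reasons = "low", []
    compromise_ts = None
    for i, e in enumerate(timeline):
        if e.kind != "login_ok" or not e.anonymous_ip:
            continue
        prior = [p for p in timeline[:i] if p.kind in WEAK_SIGNALS and e.ts - p.ts <= window]
        if prior:
            level, compromise_ts = "high", compromise_ts or e.ts
            reasons.append(
                f"{e.ts:%H:%M} login from anonymous IP {e.ip} within {window} of "
                + ", ".join(f"{p.kind}@{p.ts:%H:%M}" for p in prior)
            )
        elif level == "low":
            level = "medium"
            reasons.append(f"{e.ts:%H:%M} login from anonymous IP {e.ip} with no preceding weak signal")
    if compromise_ts is not None:
        for e in timeline:
            if e.kind in POST_COMPROMISE and e.ts >= compromise_ts:
                reasons.append(f"{e.ts:%H:%M} post-compromise action: {e.kind} from {e.ip}")
    return level, reasons


if __name__ == "__main__":
    for user in sorted({e.user for e in SAMPLE_EVENTS}):
        level, reasons = assess_account(SAMPLE_EVENTS, user)
        print(f"{user}: {level}")
        for r in reasons:
            print("   ", r)
```

Run as-is, the script rates alice and carol as low (their failed 2FA and password reset are isolated), and bob as high, with the anonymous-IP login tied back to the failed 2FA five minutes earlier and the forwarding rule listed as a post-compromise action. The point of the example is the ordering and the window, not the specific thresholds: the same events scored one at a time would never rise above "low".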