This blog examines an account takeover attack that targeted students at a large university. The malicious email attack was sent from a compromised user account in an attempt to steal victims' sensitive personal information. The email attack bypassed native Microsoft 365 Email Security and had the potential to land in the inboxes of over 160,000 end users.
In today's Blox Tale, we'll discuss a recent account compromise attack that targeted a university. The attack involved the use of a compromised user account to send a malicious email to university students about a job that turned out to be too good to be true. When Armorblox first engages with an organization, we do a three-month historical lookback and provide a free vulnerability assessment report that highlights all the threats and threat actors still active in their environment. As part of this assessment, we noticed that a malicious actor had gained access to a few user accounts and had tried to cover their tracks to avoid detection. This account compromise had the potential to impact more than 160,000 end users, as well as a much larger number of outside organizations, because the email came from a compromised account in a trusted university email domain. So grab a notebook and pen, because class is in session and this malicious actor is about to get schooled.
Mailboxes: More than 160,000 mailboxes
Target: A large national university
Email security bypassed: Native Microsoft 365 Email Security
Techniques used: Social engineering, legitimate email account takeover, using trusted applications
The Account Compromise Attempt
Account compromise attacks are oftentimes long-tailed email attacks, with various signals leading up to the actual email attack initiated from the legitimate account of an end user within the target organization. Signals indicative of an account compromise attempt captured by Armorblox during a historical lookback showed a similar pattern. Within the span of a couple of days, the malicious attacker gained unauthorized access to a legitimate user’s account, sent an email attack to contacts within the end user’s address book, and set up automatic deletion rules in order not to raise any flags about their malicious activity.
Fig 1: Armorblox EAC Timeline View provides account compromise detection and analysis
In the above screenshot, we see that on January 10th, Impossible Travel was identified due to an attempted sign-in to the end user’s account from an unfamiliar location. After successfully gaining access to the legitimate account, the attacker set up Unusual Mail Deletion Rules to forward emails from the user account to an external mailbox so they could continue their recon without being logged in.
The attacker also set up Mail Deletion Rules to automatically delete emails whose subject matched the malicious email attack from the Sent folder, and to automatically remove and delete any responses before they landed in the Inbox. This was intentional: it prevented the legitimate user from stumbling upon the email campaign sent from their account and from receiving any replies to the executed attack.
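One way a defender can triage the two rule patterns described above from audit data, as an added example (not Armorblox's product logic): it flags rules that forward to an address outside the organization's domain and rules that delete messages, in particular those keyed on a subject string. The record shape mirrors Microsoft 365 unified audit log rule events, but the domain, parameter values and events themselves are constructed.

```python
# Added example (not Armorblox code): triage of inbox-rule audit events for the two
# patterns above: forwarding to an external mailbox and deleting mail by subject.
ORG_DOMAIN = "university.example"  # assumption: the organization's own mail domain

# Constructed records shaped like Microsoft 365 unified audit log entries
# (Operation, UserId, and Parameters as Name/Value pairs); every value is made up.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "student1@university.example",
     "Parameters": [{"Name": "Name", "Value": "sync"},
                    {"Name": "ForwardTo", "Value": "[SMTP:recon@attacker-mail.example]"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "student1@university.example",
     "Parameters": [{"Name": "Name", "Value": "cleanup"},
                    {"Name": "SubjectContainsWords", "Value": "Personal Assistant Service"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "staff@university.example",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@university.example"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]

FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

def is_external(addr):
    """True if a recipient string points outside ORG_DOMAIN; tolerates '[SMTP:user@host]'."""
    addr = addr.strip("[] ").split(":")[-1].lower()
    return "@" in addr and not addr.endswith("@" + ORG_DOMAIN)

def triage_rule(event):
    """Return the findings for one rule-creation/modification event (empty = benign)."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = {x["Name"]: x["Value"] for x in event.get("Parameters", [])}
    findings = []
    for name in sorted(FORWARD_PARAMS & p.keys()):
        # a forwarding parameter may list several recipients separated by ';'
        if any(is_external(t) for t in p[name].split(";") if t.strip()):
            findings.append(f"{name} sends mail to an external address: {p[name]}")
    if p.get("DeleteMessage", "").lower() == "true":
        scope = p.get("SubjectContainsWords") or p.get("SubjectOrBodyContainsWords") or "any"
        findings.append(f"deletes messages (subject filter: {scope})")
    return findings

def triage(events):
    # group findings by account, keeping only accounts with at least one suspicious rule
    report = {}
    for e in events:
        hits = triage_rule(e)
        if hits:
            report.setdefault(e["UserId"], []).extend(hits)
    return report
```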
The subject of the email sent from the employee’s legitimate email address was Personal Assistant Service. Although this subject did not include any language that would suggest a need for urgent action, it does take advantage of the victims’ curiosity bias - our undeniable desire to learn more.
Fig 2: Job scam email attack sent from legitimate account
Upon opening the email, the victim finds themselves reading what seems like a promising part-time, flexible job opportunity. The attacker aims to catch students’ attention with language in the body of the email that is meant to pique and hold the reader’s interest: Approved Job for the School, amazing offer, fun, rewarding, flexible. The language used is meant to make recipients of the email eager to apply and click on the main call-to-action button, Apply Here.
Clicking the Apply Here button took recipients to a Google Form that included a summary of the open position and asked for copious amounts of sensitive information: address, phone number, bank name, full name, age, etc.
The attacker aimed to exfiltrate sensitive data from more than 160,000 unsuspecting victims through this extensive Google Form, and made sure to get submissions by including an elaborate explanation of the positive reasons to apply for the job: working for a seasoned entrepreneur to elicit excitement, multiple mentions of the potential growth of weekly pay, and the benefits for the hire (including AD&D Insurance and 401K benefits). It may have been a few laps around the sun (or more) since any of us have been in University, but a job opportunity like this seems like a once-in-a-lifetime opportunity for a current student trying to juggle school and expenses. Unfortunately, this job opportunity was too good to be true, and unsuspecting victims who fell for this job scam would have unknowingly handed sensitive PII straight to the attacker.
The Attack Flow
In order to successfully execute this attack, a malicious actor gained access to a legitimate end user account and set up automatic mail forwarding and mail deletion rules after sending this malicious email to individuals across the end user’s address book. This email attack impersonated an approved job opportunity for students at the organization, with the intention to create a sense of excitement in the victims to apply. Attackers included language within the email as well as the Google Form that talked about the benefits and opportunity that this job would provide, all in order to exfiltrate the victims’ sensitive personal information.
The Power of Armorblox
In addition to compromising a legitimate account to execute this email attack, the malicious actor used language to instill trust and persuade victims to click and apply for the too-good-to-be-true job opportunity. This email bypassed native Microsoft 365 email security (receiving an SCL score of -1) because it was 1) sent from a legitimate account and 2) included a link to a Google Form, a trusted application used across common business workflows. These native email security layers are able to block mass spam and phishing campaigns and known bad URLs; however, when it comes to a compromised account sending a link to a trusted application for gathering data, these security layers fall short.
This email attack would have been delivered to more than 160,000 end users’ inboxes if this targeted organization had only relied on native email security layers. Native email security enforces security measures that can identify and block threats - but only those that are already known - putting organizations at risk who solely rely on legacy solutions to protect against today’s sophisticated and emerging threats.
Fortunately, for end users protected by Armorblox account compromise detection and protection, potential account compromise attacks are accurately detected through signals and alerts across integrations with Microsoft before an email attack like this is executed, and Armorblox continues to monitor activity within the compromised account, enabling faster audit and appropriate remediation actions. Even in scenarios where the compromise has already happened, Armorblox is able to detect signals of compromise in the historical lookback and alert organizations to these compromised accounts so the attackers can be shut down and prevented from doing further damage.
Armorblox goes beyond hard-coded signal detection with machine learning algorithms that precisely identify the signals and events with malicious intent. Armorblox applies contextual understanding across signals instead of just looking at individual activities, looking at the broader picture instead of a unique instance (a failed 2FA login paired with a login attempt from an anonymous IP can be a leading indicator of a potential account compromise).
Armorblox uses Natural Language Understanding (NLU) to understand the content and context of email communications to protect organizations from all types of targeted email attacks that bypass native and legacy security solutions. With these sophisticated detection techniques and custom machine learning models, Armorblox provides organizations and end users the protection needed to stop today’s emerging threats. In the case of this malicious email attack sent from a compromised account that bypassed traditional security layers, Armorblox protected end users and prevented them from engaging and unknowingly providing sensitive information straight to the attacker.
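The kind of cross-signal correlation described above, as an added example that is not Armorblox's code: it joins each account's sign-ins into one time-ordered sequence and flags impossible travel (the speed implied by two successful sign-ins from different places) and a failed MFA attempt followed by a success from an anonymizing IP. The record layout, the 900 km/h threshold, the one-hour window and all sample values are assumptions.

```python
# Added example (not Armorblox code): correlating an account's sign-in events with
# each other instead of judging each one alone. Thresholds and record shape are assumptions.
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900                # implied speed above this between two sign-ins = impossible travel
WINDOW = timedelta(hours=1)  # a failed MFA this close to an anonymous-IP login is suspicious

# Constructed sign-in records (made-up values): ISO time, account, source IP,
# approximate latitude/longitude of the IP, whether the IP is a known anonymizer, outcome.
SIGNINS = [
    ("2023-01-10T08:00:00", "student1@university.example", "203.0.113.7", 40.7, -74.0, False, "Success"),
    ("2023-01-10T08:40:00", "student1@university.example", "198.51.100.9", 52.5, 13.4, True, "MFA failed"),
    ("2023-01-10T08:55:00", "student1@university.example", "198.51.100.9", 52.5, 13.4, True, "Success"),
    ("2023-01-10T09:00:00", "staff@university.example", "203.0.113.20", 40.7, -74.0, False, "Success"),
    ("2023-01-10T17:00:00", "staff@university.example", "203.0.113.20", 40.7, -74.0, False, "Success"),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def correlate(events):
    """Return {account: [findings]} from each account's time-ordered sign-in sequence."""
    by_user = {}
    for ts, user, ip, lat, lon, anon, result in sorted(events):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), ip, lat, lon, anon, result))
    findings = {}
    for user, evs in by_user.items():
        hits, last_ok, last_mfa_fail = [], None, None
        for t, ip, lat, lon, anon, result in evs:
            if result != "Success":
                if "MFA" in result:
                    last_mfa_fail = t   # remember when the second factor was last refused
                continue
            if last_ok:                 # travel check against the previous successful sign-in
                t0, lat0, lon0 = last_ok
                hours = max((t - t0).total_seconds() / 3600, 1e-6)
                km = haversine_km(lat0, lon0, lat, lon)
                if km / hours > MAX_KMH:
                    hits.append(f"impossible travel: {km:.0f} km in {hours:.1f} h, now from {ip}")
            if anon and last_mfa_fail and t - last_mfa_fail <= WINDOW:
                hits.append(f"failed MFA followed by success from anonymous IP {ip}")
            last_ok = (t, lat, lon)
        if hits:
            findings[user] = hits
    return findings
```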
Please note that sensitive information has been obscured from the above screenshots for privacy reasons.
Recap of Techniques Used
This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.
Social engineering: The email subject, design, and language used aimed to induce a sense of trust and urgency in the victims. Trust was induced through using a compromised account to execute this sophisticated attack, as the recipient saw an email coming from a domain that they trusted. A sense of urgency was created through the content within both the email and the Google Form, taking advantage of the students’ needs in order to receive a completed form.
Account compromise: The email was sent from a compromised account belonging to an end user associated with the target organization. The legitimacy of the domain enabled the email to bypass authentication checks. We have repeatedly observed account takeover being used as the starting point to launch follow-up attacks that exfiltrate sensitive user and organizational data as well as user credentials.
Using trusted applications: The main attack vector to exfiltrate sensitive information was hosted on Google Forms, a trusted application used for collecting information across multiple business workflows. Free online services like Google Forms make our lives easier, but unfortunately also lower the bar for cybercriminals to launch successful phishing attacks. We have also observed attacks exploiting Google Firebase, Box, Google Sites, and Typeform in a similar manner.
Guidance and Recommendations
1. Augment native email security with additional controls
The email highlighted in this blog bypassed native email security. For better protection and coverage against email attacks (whether they’re spear phishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2022, and the Armorblox 2022 Email Security Threat Report highlights this as well; both should be a good starting point for your evaluation.
2. Watch out for social engineering cues
Since we get so many emails from service providers, our brains have been trained to quickly execute on requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, the language within the email, and any logical inconsistencies within the email.
3. Follow multi-factor authentication and password management best practices
If you haven’t already, implement these hygiene best practices to minimize the impact of credentials being exfiltrated:
- Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
- Don’t use the same password on multiple sites/accounts.
- Use password management software like 1Password to store your account passwords.