Article September 10, 2018

Web-based corporate email compromises rapidly increasing

The CFC Incident Response team has seen a surge in cybercrime against corporate web-based email accounts, like Office 365. Criminals compromise corporate email accounts by reusing credentials from well-known public data breaches to guess employee passwords.

Once they have access, they use these accounts to perpetrate funds transfer fraud and send malicious emails. Recent cyber claims made to CFC indicate that even strong or complex passwords are often not enough to protect employee email accounts from compromise.

Enable Multi-Factor Authentication to Prevent Email Compromise

Multi-factor authentication can improve the security of web-based email accounts by requiring an additional verification step for any external connection to email (for example, a code generated by a mobile app or sent through an SMS message). Most email systems provide multi-factor authentication and will allow users to establish ‘trusted devices’ to reduce the inconvenience of entering a code every time they log in. CFC encourages all clients to consider implementing multi-factor authentication to improve the security of their web-based email systems.

Additionally, it is critical that IT administrators enable the right logging so that, if a mailbox is compromised, the logs can help you determine whether attackers have compromised your private data. Properly configured, email systems such as Office 365 also allow you to set up alerts that fire when certain security conditions are met, which can help you quickly catch the attacker.

By default, Office 365 has limited logging of security events, and needs to be manually configured to make the investigation of suspected compromises possible. It is strongly recommended that all of the below stages are completed to enable an effective investigation in the event of an incident.

The three phases are as follows:

  1. The Unified Audit Log search must be turned on (documentation here)
  2. Mailbox Auditing must be enabled for all accounts (documentation here)
  3. Mailbox Owner events must be enabled (PowerShell script available here, API documentation here (look for the -AuditOwner section))
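
The three phases above, sketched as an added PowerShell example; this is not CFC's script or the one linked from the list. It assumes an Exchange Online PowerShell session is already connected with administrative rights, and the set of owner actions it records is an illustrative choice.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already
# connected with rights to change organization and mailbox settings.

# Phase 1: turn on Unified Audit Log ingestion for the tenant.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# Owner actions to record (assumed selection for this example; adjust to
# what your investigations need).
$ownerActions = 'MailboxLogin', 'HardDelete', 'SoftDelete', 'Move',
                'MoveToDeletedItems', 'Update', 'UpdateFolderPermissions'

# Phases 2 and 3: enable mailbox auditing and owner events on every
# user and shared mailbox.
$types = 'UserMailbox', 'SharedMailbox'
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails $types
foreach ($mbx in $mailboxes) {
    Set-Mailbox -Identity $mbx.DistinguishedName `
                -AuditEnabled $true `
                -AuditOwner @{ Add = $ownerActions }
}

# Verify phase 1: this should report True once the change has applied.
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

# Verify phases 2 and 3: list any mailbox that still has auditing off or
# is not recording owner logins. An empty result means full coverage.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails $types |
    Where-Object {
        -not $_.AuditEnabled -or ($_.AuditOwner -notcontains 'MailboxLogin')
    } |
    Select-Object UserPrincipalName, AuditEnabled, AuditOwner
```

Mailboxes created after the script runs are not covered by it, so the verification query at the end is worth re-running on a schedule.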

Additional Resources:

If you are using Office 365 for your business, you can find more information about enabling multi-factor authentication at no cost from Microsoft’s web site here. In addition, you can find information on how to enable mailbox auditing in Office 365 here. Lastly, Office 365 has a page for assessing how secure your configuration is, called the Secure Score, which is available here.