On April 6, 2020, the FBI issued Alert # I-040620-PSA, announcing that cyber criminals conduct business email compromises through exploitation of cloud-based email systems, costing US businesses more than $2 billion. The alert lists 11 bullets of suggested remediation actions, ranging from multi-factor authentication, disabling mail forwarding, and prohibiting legacy email protocols (i.e. POP, IMAP, and SMTP) to monitoring for suspicious foreign login activity. Historically, many small and medium-sized businesses (SMBs) have been reluctant to act on such advice until they have fallen victim to a business email compromise (BEC).
While many SMB owners have neglected such protection, the negligence is partly attributable to the inconvenience of authenticating and partly to technology costs. Ironically, most SMBs indicate that email security is one of their top concerns.
Many business owners are better convinced and educated with a visual. Let's break down four of the FBI's recommended actions by providing five evidence examples of what happens when the protection is not in place and/or is evaded.
Legacy email protocols are most commonly configured for convenience and are often detected where employees on the go communicate through a local email client, such as Microsoft Outlook.
The concern: legacy protocols can evade authentication policies; messages are unencrypted (clear-text) and prone to email sniffing; they are vulnerable to exploitation, make it easier for spammers and phishers to relay unsolicited email posing as the user, and much more.
Suspicious logins, regardless of their origin, foreign or not, are a real risk, and yes, even outside of Russia and China. In North America alone, Microsoft 365 is by far the cloud-based email of choice.
The concern: with the mass adoption of Microsoft 365, who wouldn't be concerned about unauthorized access to their email system? Adversaries are continuously seeking a foothold wherever there are minimal layers of protection. This is one of the biggest blind spots in the industry: a lack of suspicious login activity monitoring, resulting in existing email compromises where the attacker remains unnoticed for a significant period of time.
Mail forwarding, simply put, is the copying of inbound and outbound email data to an illicit external account.
The concern: while mail forwarding has legitimate uses, it is quite common for confidential data to be forwarded by the adversary, or for rules to be intentionally and unethically created by a disgruntled employee with the sole purpose of siphoning corporate information.
Two-factor authentication (2FA): kudos to the business for implementing a corporate policy that adds a layer of login authentication security. But is the policy configured properly, and does the employee have rights to disable or circumvent the control?
The concern: without 2FA, the likelihood of email compromise is higher, as the account is prone to password guessing attacks and unauthorized logins with stolen credentials.
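As an added illustration (not part of the original post or of RocketCyber's own tooling), the following Python script runs simple checks for the four concerns above over a handful of constructed log records. The simplified field names, the home-country and organisation-domain sets, and the "Disable Strong Authentication" operation name are assumptions modelled on Microsoft 365 sign-in and Exchange audit log entries.

```python
import json
from collections import defaultdict

# Constructed sample records (not real telemetry); the simplified field names are an
# assumption modelled on Microsoft 365 sign-in and Exchange audit log entries.
SAMPLE_LOG = """
{"type": "signin", "user": "alice@example.com", "client_app": "Browser", "country": "US"}
{"type": "signin", "user": "bob@example.com", "client_app": "IMAP4", "country": "US"}
{"type": "signin", "user": "bob@example.com", "client_app": "Browser", "country": "ZZ"}
{"type": "audit", "user": "bob@example.com", "operation": "New-InboxRule", "parameters": {"Name": "Invoices", "ForwardTo": "archive@mail-example.net", "DeleteMessage": true}}
{"type": "audit", "user": "carol@example.com", "operation": "Set-Mailbox", "parameters": {"ForwardingSmtpAddress": "carol.archive@example.com"}}
{"type": "audit", "user": "dave@example.com", "operation": "Disable Strong Authentication", "parameters": {}}
"""

LEGACY_PROTOCOLS = {"IMAP4", "POP3", "Authenticated SMTP"}  # cannot enforce modern auth / MFA
FORWARD_KEYS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
HOME_COUNTRIES = {"US", "CA"}  # where this constructed business expects its staff to log in from
ORG_DOMAINS = {"example.com"}  # forwarding that stays inside these domains is not flagged
MFA_DISABLE_OP = "Disable Strong Authentication"  # assumed audit operation name

def parse_log(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_indicators(events):
    """Return (user, indicator, detail) tuples for the four controls discussed above."""
    hits = []
    for e in events:
        user = e["user"]
        if e["type"] == "signin":
            if e["client_app"] in LEGACY_PROTOCOLS:
                hits.append((user, "legacy_protocol", e["client_app"]))
            if e["country"] not in HOME_COUNTRIES:
                hits.append((user, "foreign_login", e["country"]))
        elif e["type"] == "audit":
            params = e.get("parameters", {})
            for key in sorted(FORWARD_KEYS):  # rules or settings copying mail outside the org
                if key in params and params[key].rsplit("@", 1)[-1].lower() not in ORG_DOMAINS:
                    hits.append((user, "external_forwarding", params[key]))
            if e["operation"] == MFA_DISABLE_OP:
                hits.append((user, "mfa_disabled", e["operation"]))
    return hits

def summarize(hits):
    """Map each user to the set of indicator names raised against them."""
    per_user = defaultdict(set)
    for user, indicator, _ in hits:
        per_user[user].add(indicator)
    return dict(per_user)
```

Running `summarize(find_indicators(parse_log(SAMPLE_LOG)))` flags bob on three of the four controls and dave for disabling MFA, while carol's forwarding to an address inside the organisation's own domain is left alone.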
Above and beyond the FBI recommendations for protecting Microsoft 365 environments, the RocketCyber SOC team made it our mission to solve common challenges we repeatedly hear from MSPs related to Office 365 security monitoring:
Business email compromise is a type of fraud that is detrimental to any employee and/or business experiencing such an incident. While the FBI remedies all merit consideration, it is not practical for most SMBs to adopt every line item; the list should instead serve as a set of controls for improving the overall email security hygiene of the business. Figures 1-5 are screen captures from the RocketCyber Managed SOC demonstrating visibility and insight for combating cyber-criminal business email activity.
To learn more about RocketCyber's 24/7 Managed SOC - Business Email Compromise monitoring capabilities across your fleet of Microsoft 365 users, schedule an online demo with a RocketCyber security engineer today.