Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
June 9, 2021

What happens to email accounts once credentials are compromised?

Agari researchers entered unique credentials belonging to fake personas into phishing sites posing as widely used enterprise applications, and waited to see what the phishers would do next with the compromised accounts.

They found that 23% of all accounts were accessed almost immediately (likely in an automated manner, to confirm that the credentials work), 50% of the accounts were accessed manually within 12 hours after compromise, and that 91% of the compromised accounts were accessed manually within the first week.


How are the compromised accounts used?

The phishing pages into which the researchers seeded the unique credentials impersonated Microsoft OneDrive, Office 365, SharePoint, Adobe Document Cloud, or just (generically) Microsoft.

After six months, they detected activity in nearly 40% of their “compromised” accounts.

“Although a majority of the compromised accounts (64%) were only accessed one time, a number of the accounts were accessed repeatedly over an extended period of time. In fact, one account was accessed 94 times over a four-and-a-half month period, a great example of the persistent and continuous access cybercriminals maintain on compromised email accounts,” they noted.

Attackers use hacked enterprise mailboxes to pinpoint employees who have access to a company’s financial information / payment system. They often set up email forwarding or redirect rules to have immediate insight into incoming and outgoing emails.
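
A defender can look for the forwarding and redirect rules described above in mailbox audit data. The following is an added example, not code from the article or from Agari: it assumes audit records exported as one JSON object per line, with `Operation`, `UserId`, `ClientIP` and `Parameters` fields modelled on Exchange Online audit records, and it flags rules that send mail outside a list of internal domains. The sample records and the `example.*` domains are constructed.

```python
import json

# Exchange Online operations and the parameters that point mail elsewhere.
FORWARDING_PARAMS = {
    "New-InboxRule": {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"},
    "Set-InboxRule": {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"},
    "Set-Mailbox": {"ForwardingSmtpAddress"},
}

# Constructed sample records (one JSON object per line), not real log data.
SAMPLE_LOG = """\
{"CreationTime":"2021-06-01T08:02:11","Operation":"New-InboxRule","UserId":"fin.clerk@example.com","ClientIP":"203.0.113.10","Parameters":[{"Name":"ForwardTo","Value":"collector@example.net"}]}
{"CreationTime":"2021-06-01T09:15:40","Operation":"New-InboxRule","UserId":"dev@example.com","ClientIP":"198.51.100.7","Parameters":[{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2021-06-01T10:30:05","Operation":"Set-InboxRule","UserId":"hr@example.com","ClientIP":"198.51.100.8","Parameters":[{"Name":"RedirectTo","Value":"colleague@example.com"}]}
{"CreationTime":"2021-06-02T03:44:59","Operation":"Set-Mailbox","UserId":"cfo@example.com","ClientIP":"203.0.113.10","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:drop@example.org"}]}
{"CreationTime":"2021-06-02T03:50:00","Operation":"MailItemsAccessed","UserId":"cfo@example.com","ClientIP":"203.0.113.10","Parameters":[]}
"""

def load_records(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def domain_of(address):
    """Return the lower-cased domain of 'user@dom' or 'smtp:user@dom'."""
    return address.strip().lower().rsplit("@", 1)[-1]

def find_external_forwarding(records, internal_domains):
    """Return one finding per record that forwards mail outside internal_domains."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rec in records:
        wanted = FORWARDING_PARAMS.get(rec.get("Operation"), set())
        # Collect every forwarding target whose domain is not one of ours.
        external = [
            target.strip()
            for param in rec.get("Parameters", [])
            if param.get("Name") in wanted
            for target in param.get("Value", "").split(";")
            if "@" in target and domain_of(target) not in internal
        ]
        if external:
            findings.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                             "ip": rec.get("ClientIP"), "operation": rec["Operation"],
                             "external": external})
    return findings

if __name__ == "__main__":
    for finding in find_external_forwarding(load_records(SAMPLE_LOG), {"example.com"}):
        print(finding)
```

Internal forwarding and rules that only move mail between folders are ignored, so each finding is a mailbox whose mail leaves the organization and is worth checking against the owner's intent and recent sign-ins.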

Some of the attackers pivot from email to other Office 365 applications, the researchers noted, and use those to trawl for valuable documents or even to upload files (fake invoices and similar) that will be used for subsequent phishing attacks or fraud attempts.

But, mostly, the attackers used the hijacked email accounts to send out more phishing emails, sometimes targeting specific industries and sometimes a wide variety of them, and to set up additional business email compromise (BEC) infrastructure (e.g., to register for a variety of services that will allow them to perform reconnaissance and lead generation, deliver emails, host malicious pages, or create malicious documents).

“By tricking people into giving up their credentials, threat actors can use legitimate accounts to run their malicious schemes — a dream come true from their perspective,” the researchers noted.

And compromised accounts lead to phishing emails and to more compromised accounts and more phishing – and so on and so forth, in a never-ending circle that should be stopped.
