
Hacker Attacks That Even Global Companies Can't Avoid


by Ryan Miller


Summary

As attacks grow more sophisticated, even Microsoft has faced the risk of leaking confidential information and losing competitiveness after senior executives' email accounts were compromised.

If these risks are disregarded, they can lead to significant threats to both individuals and businesses. Learn how to strengthen email security by complying with international security standards and protecting users from diverse cyber threats.



1. Overview

[Image: a hacker trying to log in]

Lately, attackers have evolved in increasingly sophisticated ways, reaching their targets through phishing, social engineering, and complex malware. In this situation, large enterprises, especially those holding large volumes of data, are particularly attractive targets.

One of the main techniques attackers rely on is account take-over (ATO). Once they obtain valid credentials, they can access the company's internal systems, leak confidential information, or use the account as a springboard for further attacks, resulting in enormous financial and reputational losses.

Even a global enterprise like Microsoft, with a trillion-dollar market capitalization and offices around the world, suffered such an attack in November 2023. Today we take a look at the actual damage Microsoft suffered in that incident.



2. Attack Case Analysis - Account take-over

[Image: attackers trying to access accounts]

In November 2023, the email accounts of several Microsoft executives were compromised by the Russian state-sponsored group Midnight Blizzard (also known as Nobelium or APT29). The group is a cyber-espionage actor that mainly targets government organizations, NGOs, software developers, and IT service providers in Europe and the United States. On January 12, 2024, Microsoft detected the intrusion and determined that the group had stolen emails and attached documents from senior leadership and from employees on its cybersecurity and legal teams, putting sensitive and confidential information at risk of exposure to external parties.

The leakage of confidential information can cause serious damage to businesses. If important confidential information falls into the hands of hackers, it can be exploited by competitors or hacker groups. This can significantly weaken the company's competitiveness and cause legal issues, which can also directly damage its reputation and credibility.

Midnight Blizzard used residential proxies and password spraying, a low-and-slow form of brute force, against a small number of accounts. Password spraying tries a few commonly used passwords across many accounts rather than many passwords against one account, which keeps every account below its lockout threshold. The group spread its attempts over time and across accounts to avoid detection, and Microsoft confirmed that MFA (multi-factor authentication) was not enabled on the legacy, non-production test tenant account that was compromised, so a single correct guess was enough to sign in.



3. Risk (Damage), Mechanism

What is an account take-over (ATO)?

[Image: how account take-over works (X.1236 7.2.3 Account take-over)]

ATO is a social engineering attack in which the adversary uses the account of a real user. After logging in to the stolen email account and browsing the user's mail history, the attacker looks for confidential information and potential secondary victims. For example, credentials harvested by a phishing site can be used to send an email from the victim's mailbox asking a partner to change a remittance account, or to forward confidential information stored in the mailbox to an external party.


Account take-over attacks usually begin with email, mainly through 7.2.1 forged headers, 7.2.2 look-alike domains, and 7.2.4 URL phishing. A forged header attack diverts the victim's reply to an attacker-controlled address by forging header fields such as Reply-To. A look-alike domain imitates a legitimate domain to deceive the recipient. URL phishing lures the recipient into clicking a malicious link that installs malware or leads to a credential-harvesting page.


The standard's descriptions of these attack types are as follows.


  • 7.2.1 Forged header

In this social engineering attack, scammers evade detection by forging account information in a message header. Because the forged header changes where a reply is delivered, the attacker receives the victim's answer instead of the apparent sender. In this way, attackers intercept messages from legitimate users that may contain company credentials or personnel information.

  • 7.2.2 Look-alike domain

A look-alike domain attack is one in which the attacker sends a malicious email from an address that, on cursory visual inspection, is remarkably similar to that of a familiar, legitimate sender. For example, a capital 'I', a lower-case 'l' and the digit '1' look alike, as do 'rn' and 'm', and this similarity can be abused in an attack.

  • 7.2.4 Uniform resource locator phishing

URL phishing is the theft of a victim's identifier (ID) and password: the attacker builds a phishing page or website and induces the victim to enter account information there through a malicious URL or file embedded in an email.


Password Spraying Attack

[Image: an attacker carrying out a password spraying attack]


A password spraying attack is one way of achieving account take-over. The attacker tries a small set of commonly used passwords across many accounts to gain unauthorized access, staying below each account's lockout threshold.

  • Attack preparation: gathering large numbers of account identifiers (user names or email addresses) from public sources or leaked data
  • Password attempts: trying a few commonly used passwords against each account
  • Avoiding detection: targeting a limited number of accounts at a time and spreading attempts over time and across source addresses (such as residential proxies), rather than hammering many accounts at once
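The three steps above are what a defender has to detect. The following is an added example written for this post (not code from the original page or from Microsoft): it parses a constructed sign-in log and flags the spray pattern, many distinct users each failing only once or twice inside one time window, first per source IP and then with all sources pooled, because rotating residential proxies keep each individual IP under a per-IP threshold. The log format, the thresholds and the account name legacy-test are assumptions.

```python
"""Password-spray detection over sign-in logs.

Added example for this post; it is not code from the original page or
from Microsoft. The log format (timestamp,user,source_ip,result) and the
events themselves are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: two residential-proxy addresses each try one password
# against a handful of accounts, spread over a few hours, and one guess
# succeeds against a legacy test account without MFA. A real user (alice)
# mistypes her password twice from her own address, which is not a spray.
SAMPLE_LOG = """\
2023-11-20T01:02:11Z,alice,203.0.113.7,FAIL
2023-11-20T01:14:40Z,bob,203.0.113.7,FAIL
2023-11-20T01:31:05Z,carol,198.51.100.23,FAIL
2023-11-20T01:52:19Z,dave,203.0.113.7,FAIL
2023-11-20T02:10:33Z,erin,198.51.100.23,FAIL
2023-11-20T02:27:58Z,frank,203.0.113.7,FAIL
2023-11-20T02:45:02Z,grace,198.51.100.23,FAIL
2023-11-20T03:03:44Z,legacy-test,198.51.100.23,SUCCESS
2023-11-20T08:15:00Z,alice,192.0.2.10,FAIL
2023-11-20T08:15:20Z,alice,192.0.2.10,FAIL
2023-11-20T08:15:45Z,alice,192.0.2.10,SUCCESS
"""


def parse_log(text):
    """Parse 'timestamp,user,source_ip,result' lines into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "ip": ip,
            "ok": result == "SUCCESS",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window=timedelta(hours=6), min_users=5, max_per_user=2):
    """Return {source: alert} for sources whose failures look like a spray.

    A spray is many distinct users, each failing only a few times, inside one
    time window. Each source IP is checked on its own, and all sources are
    also pooled under the key "*": rotating residential proxies keep every
    single IP below a per-IP threshold, so the pooled view is what catches
    the low-and-slow campaign.
    """
    failures = [e for e in events if not e["ok"]]
    groups = defaultdict(list)
    for e in failures:
        groups[e["ip"]].append(e)
        groups["*"].append(e)

    alerts = {}
    for key, evs in groups.items():          # evs stays time-ordered
        best = None
        for right in evs:
            in_win = [e for e in evs if right["ts"] - window <= e["ts"] <= right["ts"]]
            per_user = Counter(e["user"] for e in in_win)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(per_user),
                        "window_start": in_win[0]["ts"],
                        "window_end": right["ts"],
                        "sources": {e["ip"] for e in in_win},
                    }
        if best:
            alerts[key] = best
    return alerts


def successes_from_spray_sources(events, alerts):
    """Successful sign-ins from an IP that took part in a flagged window, at or
    after that window began: the accounts to treat as compromised."""
    hits = []
    for e in events:
        if not e["ok"]:
            continue
        for alert in alerts.values():
            if e["ip"] in alert["sources"] and e["ts"] >= alert["window_start"]:
                hits.append((e["user"], e["ip"]))
                break
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_spray(evs)
    for source, alert in found.items():
        print(f"spray from {source}: {alert['distinct_users']} users, "
              f"{alert['window_start']:%H:%M}-{alert['window_end']:%H:%M}")
    print("compromised:", successes_from_spray_sources(evs, found))
```

With the default thresholds the per-IP view sees only three or four failing users per address and stays silent; only the pooled view ("*") fires, which is the practical lesson of the residential-proxy trick. Successful sign-ins from any address that took part in the flagged window are reported as the accounts to reset, which in this sample is the test account without MFA.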

Stolen accounts let attackers send follow-up emails to the user's contact list, causing secondary damage to other accounts and exposing them to further phishing. Moreover, using stolen accounts, attackers can gain unauthorized access to email servers to harvest more credentials, or pivot to other computers and devices within the organization's network, putting internal systems at risk.

As a result, confidential emails, customer data and financial information are more likely to be leaked. Such attacks can also cause significant financial losses (data recovery, system recovery, legal action, and so on) and severely damage the trust of customers and partners, tarnishing the company's reputation. Because an account take-over can lead to such serious follow-on damage, compliance with international standards is critical to prevent it.



4. Attack Case Analysis - Solution

The cases and attack types above can be prevented through email security requirements that follow an international standard: Recommendation ITU-T X.1236, "Security requirements and countermeasures for targeted email attacks", adopted by the ITU Telecommunication Standardization Sector (ITU-T). Its countermeasures divide into those that prevent account take-over via email itself and those that prevent secondary attacks launched from a stolen account. Let's begin with the former.

To prevent account take-over via email, the relevant provisions are the security requirements that mitigate 8.2.1 forged header attacks, 8.2.2 look-alike domain attacks, and 8.2.4 URL phishing attacks.


Countermeasures against Account take-over

  • 8.2.1 Security requirements to counter forged header attacks
    • It is required to block or warn users if the email address to be replied to is different when replying to an inbound email. 
    • It is recommended to verify compliance with the email communication protocol.

Warning or blocking the user when the reply address differs from the sender address reduces the damage caused by phishing and fraudulent emails, and verifying that a message complies with the email protocol (for example, that its headers are well formed) improves the reliability of what is accepted.
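As an added illustration of the 8.2.1 requirement (written for this post, not code from the original page or from any product), the following Python function parses an inbound message with the standard library's email module and decides, before a reply is sent, whether that reply would go somewhere other than the apparent sender. The two messages and the warn/block policy are constructed assumptions.

```python
"""Reply-address check for inbound mail (X.1236 8.2.1).

Added example for this post, not code from the original page or from
any product. The two messages are constructed; the policy (warn on a
same-domain mismatch, block on a cross-domain one) is an assumption.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

LEGIT = """\
From: Accounts Payable <ap@example.com>
To: ceo@example.com
Subject: Invoice 1042

Please approve.
"""

# The From header looks internal, but Reply-To quietly sends the answer
# to a domain the attacker controls.
FORGED = """\
From: Accounts Payable <ap@example.com>
Reply-To: ap@example-billing.com
To: ceo@example.com
Subject: Invoice 1042

Please reply with the new bank details.
"""

SEVERITY = {"ok": 0, "warn": 1, "block": 2}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def reply_target_decision(raw):
    """Classify where a reply to this message would go.

    Returns (decision, reply_addresses, from_addr). decision is "ok" when
    replies go back to the sender, "warn" when they go to a different
    mailbox in the sender's domain, and "block" when they leave that
    domain or the headers are unusable.
    """
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    if not sender or "@" not in sender:
        return "block", [], sender          # protocol non-compliance: no usable From
    reply_to = [a.lower() for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    if not reply_to:
        return "ok", [sender], sender       # RFC 5322: replies go to From
    worst = "ok"
    for addr in reply_to:
        if addr == sender:
            level = "ok"
        elif _domain(addr) == _domain(sender):
            level = "warn"
        else:
            level = "block"
        if SEVERITY[level] > SEVERITY[worst]:
            worst = level
    return worst, reply_to, sender


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("forged", FORGED)):
        print(name, reply_target_decision(raw))
```

The check is deliberately done on the parsed addresses, not the display names, because the display name is the part the attacker controls most freely; a message with no parseable From is treated as non-compliant and blocked rather than silently allowed.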


  • 8.2.2 Security requirements to counter look-alike domain attacks
    • It is required to inform a user of the level of risk similarity when the sender’s domain is detected as a similar domain based on accumulated email history and to block such emails.
    • It is required to apply the number of differing characters between email addresses as a criterion for judging fraudulent look-alike email attacks.
    • It is required to manage it separately if the top-level domain (TLD) is different.
    • It is recommended to enable security managers to directly register fraudulent look-alike email addresses that look suspicious.

Adhering to these requirements reduces the risk of confidential information leakage and fraud through phishing emails. Grading the risk by domain similarity protects users, treating a differing top-level domain (TLD) as its own case closes a common gap, and letting security administrators register suspicious addresses directly gives security management the flexibility to react to new campaigns.
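An added example of how the four 8.2.2 requirements can be implemented together (written for this post, not taken from the original page or from any product): known domains are derived from a constructed sender history, similarity is the number of differing characters (Levenshtein distance) after collapsing look-alike glyphs, a differing top-level domain is reported as its own category, and domains registered by the security manager are blocked outright. The history, thresholds and homoglyph table are assumptions, and splitting on the last dot stands in for a public-suffix lookup.

```python
"""Look-alike sender-domain scoring (X.1236 8.2.2).

Added example for this post, not code from the original page or from any
product. The sender history, thresholds and homoglyph table are
constructed assumptions; a production system would use the public suffix
list to split domains instead of the last label.
"""
from collections import Counter

# Constructed history of inbound senders; domains seen often enough become
# "known" (the accumulated-history criterion in 8.2.2).
SENDER_HISTORY = [
    "alice@example.com", "bob@example.com", "cfo@example.com",
    "invoices@partner-bank.com", "ops@partner-bank.com", "ops@partner-bank.com",
    "newsletter@once.org",
]

# Character pairs that look alike in common fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def known_domains_from_history(addresses, min_seen=2):
    """Domains that have appeared at least min_seen times in the history."""
    counts = Counter(a.rsplit("@", 1)[-1].lower() for a in addresses)
    return {d for d, n in counts.items() if n >= min_seen}


def normalize(label):
    """Collapse visually confusable characters before comparing."""
    label = label.replace("I", "l").lower()   # capital I vs lower-case l
    for a, b in HOMOGLYPHS:
        label = label.replace(a, b)
    return label


def edit_distance(a, b):
    """Levenshtein distance: the number-of-differing-characters criterion."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender_domain(domain, known, registered_lookalikes=frozenset()):
    """Return {"risk", "match", "distance"} for an inbound sender domain.

    risk is "block" (registered by an administrator), "trusted", "high",
    "medium", "tld-mismatch" (same name, different top-level domain, managed
    separately), or "none".
    """
    domain = domain.lower()
    if domain in registered_lookalikes:
        return {"risk": "block", "match": None, "distance": None}
    if domain in known:
        return {"risk": "trusted", "match": domain, "distance": 0}
    name, _, tld = domain.rpartition(".")
    best = {"risk": "none", "match": None, "distance": None}
    for k in known:
        kname, _, ktld = k.rpartition(".")
        dist = edit_distance(normalize(name), normalize(kname))
        if dist > 2:
            continue
        if dist == 0 and tld != ktld:
            risk = "tld-mismatch"
        elif dist <= 1:
            risk = "high"        # one edit away, or identical after de-homoglyphing
        else:
            risk = "medium"
        if best["distance"] is None or dist < best["distance"]:
            best = {"risk": risk, "match": k, "distance": dist}
    return best


if __name__ == "__main__":
    known = known_domains_from_history(SENDER_HISTORY)
    blocklist = {"example-secure.com"}       # registered by the security manager
    for d in ("example.com", "examp1e.com", "exarnple.com", "example.co",
              "partnerbank.com", "example-secure.com", "unrelated.org"):
        print(d, assess_sender_domain(d, known, blocklist))
```

Normalizing before measuring distance is what makes "examp1e.com" and "exarnple.com" score as identical to example.com rather than one or two edits away; without it a distance threshold of 1 would still catch them, but a threshold that low also flags many legitimate neighbours, so the normalization buys precision rather than recall.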


  • 8.2.4 Security requirements to counter uniform resource locator phishing attacks
    • It is required to continuously track the final destination of a URL (following its redirects) that leads to a web page inducing personal information input.

Account take-over via email can thus be prevented through these provisions, and leakage of information during such an attack can be prevented by 8.3.1, 'Security requirements to counter intentional information leakage', in the same standard.
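An added example for the 8.2.4 requirement (written for this post, not code from the original page or from any product): it follows a link hop by hop to its final destination, with a hop limit and loop detection, and then checks whether the landing page contains a password field on a host outside an allowlist. The redirect chain, page bodies and the fetch() stand-in are constructed so the example runs offline; the assumed deployment substitutes a real client that does not auto-follow redirects, for instance requests.get(url, allow_redirects=False) wrapped to return (status, headers, body).

```python
"""Follow a link to its final destination and check whether that page asks
for credentials (X.1236 8.2.4).

Added example for this post, not code from the original page or from any
product. No network access: the redirect chain and page bodies below are
constructed, and fetch() is injected so a real HTTP client that does not
follow redirects on its own can be substituted.
"""
import re
from urllib.parse import urljoin, urlsplit

# Constructed "web": url -> (status, headers, body). The shortener hops
# through a look-alike host and ends on a credential-harvesting form.
FAKE_WEB = {
    "https://t.short.invalid/abc": (302, {"Location": "https://login-example.com/verify"}, ""),
    "https://login-example.com/verify": (302, {"Location": "/session?go=1"}, ""),
    "https://login-example.com/session?go=1": (302, {"Location": "https://evil.invalid/login.php"}, ""),
    "https://evil.invalid/login.php": (200, {}, '<form><input name="u"><input type="password" name="p"></form>'),
    "https://loop.invalid/a": (301, {"Location": "https://loop.invalid/b"}, ""),
    "https://loop.invalid/b": (301, {"Location": "https://loop.invalid/a"}, ""),
    "https://www.example.com/help": (200, {}, "<p>Help centre</p>"),
}

PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)


def fake_fetch(url):
    """Stand-in for an HTTP client that does NOT follow redirects itself."""
    return FAKE_WEB.get(url, (404, {}, ""))


def resolve_final_destination(url, fetch=fake_fetch, max_hops=10):
    """Follow redirects hop by hop and describe where the link really lands."""
    chain = [url]
    seen = {url}
    while True:
        status, headers, body = fetch(chain[-1])
        location = headers.get("Location")
        if 300 <= status < 400 and location:
            nxt = urljoin(chain[-1], location)    # Location may be relative
            if nxt in seen:
                return _result(chain, status, "redirect-loop", "")
            if len(chain) >= max_hops:
                return _result(chain, status, "too-many-hops", "")
            seen.add(nxt)
            chain.append(nxt)
            continue
        return _result(chain, status, "ok" if status < 400 else "unreachable", body)


def _result(chain, status, verdict, body):
    return {
        "final": chain[-1],
        "chain": chain,
        "hosts": [urlsplit(u).hostname for u in chain],
        "status": status,
        "verdict": verdict,
        "credential_form": bool(PASSWORD_FIELD.search(body)),
    }


def is_phishing_suspect(result, trusted_hosts):
    """Flag a link whose final page asks for a password on an untrusted host,
    or that hides its destination behind a loop or an overlong chain."""
    if result["verdict"] in ("redirect-loop", "too-many-hops"):
        return True
    return result["credential_form"] and result["hosts"][-1] not in trusted_hosts


if __name__ == "__main__":
    r = resolve_final_destination("https://t.short.invalid/abc")
    print(" -> ".join(r["chain"]), "| credential form:", r["credential_form"])
    print("suspect:", is_phishing_suspect(r, {"www.example.com"}))
```

Resolving each hop yourself, instead of letting the client auto-follow, is what lets the scanner keep the whole chain (every intermediate host is evidence) and refuse links that loop or never settle; the "continuously" in the requirement also implies re-checking later, because a link that is clean at delivery time can be re-pointed once the message is in the inbox.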


For the latter case, secondary attacks launched from a stolen account (for instance after a successful password spraying attack), the countermeasures are the requirements of 8.3, 'Security requirements to counter outbound email threats by user', and 8.4, 'Security requirements to counter outbound email threats by attacker', applied with an accurate understanding of how account take-over works.


Countermeasures against secondary attacks from stolen accounts (for example, after a successful password spraying attack)

The standard's definition of account take-over (7.2.3) is given in Section 3 above: an attacker logs in with a real user's stolen credentials, browses the mailbox for confidential information and secondary victims, and then abuses the account, for example to request a change of remittance account. To manage this, it is important to comply with 8.3, 'Security requirements to counter outbound email threats by user', and 8.4, 'Security requirements to counter outbound email threats by attacker', below.



8.3  Security requirements to counter outbound email threats by user

  • 8.3.1  Security requirements to counter intentional information leakage 
    • It is recommended that security managers be able to set conditions for email dispatch.
    • It is recommended to have the ability to reconsider email sending if the condition set is not satisfied.

Allowing security administrators to directly set and manage email sending conditions is crucial in preventing information leakage. This control ensures that sensitive data is not sent without authorization and provides the capability to reconsider email sending if predefined conditions are not met, thereby blocking potential security threats. Such capabilities are essential for protecting the organization's confidential information and preventing legal and financial damages.


  • 8.3.2  Security requirements to counter unintentional information leakage
    • It is required to issue a warning or automatically block users from replying to or sending emails to an email address that has been classified as malicious.
    • It is required to convert large attachments within an email to regular ones when transmitting the email from the isolated internal network to the external network.
    • It is required to retrieve converted emails with large attachments after safe delivery from an isolated internal network to an external network.
    • It is required to allow senders to recall sent emails in order to prevent data leakage.
    • It is recommended to encrypt the contents of outbound emails that meet certain conditions, such as the IP address from which the email was read or the number of times it was opened.

Features such as warning or blocking emails sent to malicious addresses, securely transmitting large attachments, and preventing data leakage caused by user errors are essential for protecting confidential information and preventing security incidents. These measures are critical for minimizing information leakage and maintaining the organization's security.


8.4  Security requirements to counter outbound email threats by attacker

  • 8.4.1  Security requirements to counter attacks using account take-over
    • It is recommended to allow security managers and users to configure specific IP addresses and countries for accessing email accounts. 

The feature to allow or block email account access based on specific IP addresses and countries enhances security by enabling rapid responses to suspected account take-over attempts. By blocking potential attacks beforehand, this measure is vital for the protection of an organization’s confidential information.


  • 8.4.2  Security requirements to counter unauthorized email server access attacks
    • It is required to ascertain detailed information about access in order to detect unauthorized email server attacks, and prevent the unauthorized email server from forwarding access requests to the email server.
    • It is required to block mail delivery if sender SMTP information does not match that of the recipient.

Recording detailed information about each access attempt makes it possible to detect and block unauthorized mail-server access quickly. Rejecting mail whose SMTP sender information is inconsistent with what the recipient side expects stops forged messages from being delivered.


5. Conclusion

[Image: preventing damage from email hacking]

Keeping personal information safe matters more than ever, because a great deal of damage is caused by information leaking through email. As hacking techniques become more sophisticated, recognizing and addressing these issues is key to preventing such damage. In particular, account take-overs are increasingly attempted via email, and the stolen accounts are then exploited to cause secondary damage. To prevent this, compliance with international email security standards, regular monitoring, and employee training are essential.

Adhering to international standards is an effective way in preventing these issues. The reliable email security standards adopted by the International Telecommunication Union (ITU-T) provide countermeasures for various types of email attacks.

For more details, see the link below.

 ‘Learn about the standard email security solution from the company who established the international standard’

https://mailinspector2.blogspot.com/


These solutions protect users from a variety of email threats and keep their personal information secure.


References

The images used in this post were generated using artificial intelligence (AI).


<Ongoing Microsoft Azure account hijacking campaign targets executives>

https://www.bleepingcomputer.com/news/security/ongoing-microsoft-azure-account-hijacking-campaign-targets-executives/

<X.1236 : Security requirements and countermeasures for targeted email attacks>

https://www.itu.int/net4/itu-t/search#?ex=false&q=targeted%20email%20attack&fl=0&target=All

<Global Email Security Standards>

https://mailinspectplatform.com/resources/

