New Research: Organizational Email Account Takeovers Push Lateral Phishing

Researchers from Barracuda Networks, UC Berkeley and UC San Diego teamed up to study the nature of email account takeovers.

How do cybercriminals decide on the best targets? (Source: Shutterstock)

Email account takeover and lateral phishing, where hackers use compromised accounts to distribute phishing emails to other recipients including company contacts and associates at other companies, present a growing organizational threat.

Over the past year, researchers from Campbell, Calif.-based Barracuda Networks, the University of California Berkeley and the University of California San Diego teamed up to study the nature of email account takeovers, how attackers select potential victims, and the tactics used to make attacks stealthier and more convincing. The research detailed how email account takeover is a widespread and effective attack that enterprises need to defend against.

“Because attackers send these lateral phishing emails from legitimate accounts, they can effectively fool many existing email protection systems and unsuspecting users,” the report claimed. It added, “In this study, spanning nearly 100 organizations, we take a detailed look at the widespread and dangerous nature of this attack, analyze the different strategies that attackers use for selecting their potential victims and the content they use in their attack messages, and highlight a few forms of sophistication and stealth exhibited by this evolving attack.”

Key findings:

Across the study’s dataset, attackers used a total of 154 hijacked enterprise accounts to launch lateral phishing attacks. Researchers identified four primary strategies attackers used to select the potential victims:

Account-agnostic: Across 45% of the hijacked accounts, attackers did not appear to draw heavily on the hijacked account’s relationships when selecting their victims. “These attackers appeared more interested in opportunistically phishing as many accounts as possible, rather than compromising victims with some tie to the hijacked account.”

Organization-wide: Attackers leveraged the hijacked account to send phishing emails to dozens to hundreds of fellow employees at the same company; 25% of attacks used this strategy.

Targeted-recipient: Attackers selected their victims by mining the hijacked account’s recent or close contacts; 29% of attacks followed this strategy.

Lateral-organization: Attackers used the hijacked account to send phishing emails to recipients at other organizations within the same industry, e.g., business partners of the hijacked account’s organization. Only 1% of attacks adopted this strategy.

“Because attackers control a legitimate account in an email account takeover attack, they could mine the hijacked account’s emails to craft custom and highly personalized messages,” the research observed. Across the incidents studied, researchers found the majority of lateral phishing attacks rely on two deceptive narratives:

1. Messages that falsely alert the user of a problem with their email account.

2. Messages that provide a link to a fake “shared” document.

In both cases, the attacker provided a link for the victim to click on, which often leads to a phishing website designed to look like a legitimate login page but that ultimately steals the victim’s username and password.

The study also revisited earlier work that hypothesized that attacks such as phishing might be detectable by looking for suspicious emails sent at unusual times. However, based on the attacks in this study, it appears that attackers send lateral phishing emails from compromised accounts during the typical working hours of the affected organizations. A full 98% of the lateral phishing incidents occurred on a weekday. Researchers also found that 82% of lateral phishing attacks occurred during the compromised account’s typical working hours.
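The four victim-selection strategies and the working-hours finding above translate directly into triage logic for a suspected account takeover. The following is an added example, not code from the study or from Barracuda; it takes a burst of outgoing mail from a hijacked account and labels it with one of the four strategies from the recipient list, and reports how much of the burst fell inside the account’s usual hours. The thresholds, the working-hours window and the sample burst are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, not values from the study.
DOZENS = 24           # "dozens" of internal recipients -> organization-wide
MAJORITY = 0.5        # share of recipients that decides the strategy
WORK_HOURS = (9, 17)  # assumed typical working hours of the hijacked account

def domain(addr):
    return addr.rsplit("@", 1)[1].lower()

def classify_burst(sender, known_contacts, partner_domains, recipients):
    """Map one outgoing burst from a hijacked account to the study's four
    victim-selection strategies, using only who the mail went to."""
    recips = {r.lower() for r in recipients}
    n = len(recips)
    internal = [r for r in recips if domain(r) == domain(sender)]
    contacts = [r for r in recips if r in known_contacts]
    partners = [r for r in recips if domain(r) in partner_domains]
    if len(internal) >= DOZENS and len(internal) / n >= MAJORITY:
        return "organization-wide"      # mass mail to fellow employees
    if len(contacts) / n >= MAJORITY:
        return "targeted-recipient"     # mined from recent/close contacts
    if len(partners) / n >= MAJORITY:
        return "lateral-organization"   # business partners, same industry
    return "account-agnostic"           # no tie to the hijacked account

def working_hours_share(timestamps, hours=WORK_HOURS):
    """Fraction of messages sent on a weekday inside the account's usual hours.
    A high value is the reason time-of-day alone is a weak signal here."""
    ok = sum(1 for t in timestamps
             if t.weekday() < 5 and hours[0] <= t.hour < hours[1])
    return ok / len(timestamps)

# Constructed sample: alice's account is hijacked and the attacker mails 40
# colleagues within 20 minutes on a Tuesday morning, plus two known contacts.
SENDER = "alice@example.com"
CONTACTS = {"bob@example.com", "carol@partner.example"}
PARTNERS = {"partner.example"}
start = datetime(2019, 7, 16, 10, 5)  # a Tuesday
BURST = [(start + timedelta(seconds=30 * i), f"user{i}@example.com")
         for i in range(40)]
BURST += [(start + timedelta(minutes=21), "bob@example.com"),
          (start + timedelta(minutes=22), "carol@partner.example")]

if __name__ == "__main__":
    strategy = classify_burst(SENDER, CONTACTS, PARTNERS, [r for _, r in BURST])
    share = working_hours_share([t for t, _ in BURST])
    print(strategy, f"{share:.0%}")  # organization-wide 100%
```

The sample burst is labelled organization-wide even though every message was sent in working hours, which is the point: recipient patterns and send volume carry the signal that send time does not.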

The research recommended three critical precautions to help protect against lateral phishing attacks: improving security awareness training and making sure users are educated about this new class of attacks; investing in advanced detection techniques and services that use artificial intelligence and machine learning to automatically identify phishing emails; and enabling two-factor authentication, using a hardware-based token if available.