Over the past few months we’ve seen a new security attack gain popularity: Account Takeover (ATO). Account Takeover is when an attacker steals a user’s username and password for their email account, most often an Office 365 account. The attacker tricks a user in to giving up their username and password, usually via a file sharing email with a link that takes the user to a page which asks them to log in to their account to see the file. The log in page provides the user’s credentials to the attacker. The attacker then uses those credentials to gain access to the user’s account and take further action. These actions can include:
– Forwarding all the users’s email to an account the attacker controls, while still delivering email to the user’s mailbox. This allows the attacker to not only read all the email, but also to determine a) who the user communicates with on a regular basis, b) what other user’s might be susceptible to an attack, and c) what users might be susceptible to a money wiring request
– Sending attacks via email to more users. Since the account is a “trusted” account, the attack emails are more likely to pass through spam filters without being caught.
– Sending wire requests to members of the finance team at the compromised user’s company. Since the email is coming from a member of the company, it is more likely to be trusted.
There are layers of security that can help minimize Account Takeover attacks, but the number one defense against something like this is user education. Helping users to understand what to look for when reading an email is the first step to preventing Account Takeover attacks. There are several ways to help educate users, from simple checklists all the way to fully managed educational programs. If you are interested in learning more, contact us today.