Business email compromise (BEC) attacks are on the rise. In 2023, IC3, the Internet Crime Complaint Center, reported receiving approximately 21,000 reports of business email compromises from organizations. The organizations reported $2.9 billion in losses from these attacks. Business email compromises are big business for cyber-criminals, often resulting in hefty losses, whether reputational or financial. So, how are cyber-criminals getting to the business emails?
What to Know About AitM Attacks
A newer acronym has entered the chat in the acronym-happy landscape of cybersecurity: Adversary-in-the-middle, or AitM, for short. Adversary-in-the-middle attacks allow a threat actor to trick users into entering their credentials and multi-factor authentication response into a site the attacker controls, which relays that information to the legitimate email provider in real time.
This allows the threat actor to steal the user's session token and log in until that token expires (the default refresh token lifetime for Microsoft is 90 days, by the way). From there, the threat actor can log in as the user and take any action on behalf of the compromised user. The ease of this attack is compounded by the fact that there are publicly available tools on GitHub that allow a threat actor to quickly spin up the required tooling. All they need at that point is a registered domain for the landing page.
Standard multi-factor authentication (MFA) implementations (SMS, push notification, number challenge, etc.) are also no match for this threat. If the user enters their password and accepts the push, for example, the threat actor will then have access to their account in real time. Microsoft has posted an excellent article regarding this threat, which can be found here.
How You Can Combat AitM Attacks
An organization can choose from several options to protect itself and its assets from these threats. These should be treated as a layered model: organizations should apply as many of them as possible to provide defense in depth.
- Utilize phish-resistant MFA. Phish-resistant MFA utilizes certificates or hardware-based tokens (YubiKey, for example) to ensure that even if a threat actor convinced an end user to provide their password, they could not capture the multi-factor prompt and gain a session token for the user. See this article from our catalog for more information on why common MFA methods are not enough to cure all cyber ailments.
- If using Microsoft Entra, utilize conditional access policies to enforce trusted authentication. This means that users can only log in from Entra-joined devices. This ensures that if a threat actor gains access to the session token, they cannot use it because it does not originate from a joined device in the tenant. This is a very effective control to use.
- Leverage end-user awareness training to ensure users are aware of these threats. The biggest indicator is that threat actors will often use standard phishing schemes, such as a fake invoice, to convince the user to click a link and enter credentials. Educate users not to trust these emails by default and to be mindful of the web page. If the URL appears off when prompting for your credentials, exit the web page and report it to your security team.
- Utilize strong email security filtering to prevent phishing emails from reaching the inbox. A strong email filter will recognize the attempt and, ideally, hold the email in quarantine.
- Utilize security monitoring. Monitor your tenant for suspicious sign-ins and set up alerts to notify people who can respond. Organizations should seek out solutions that can automate these steps. If the solution determines an account to be compromised, it should alert on it, send notifications, and take proactive steps to disable the account so that a threat actor cannot begin to conduct nefarious activities. Microsoft refers to this in their platform as Attack Disruption.
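As an added example of the monitoring step (not code from the original article or from any Microsoft product), the function below scans constructed sign-in records, with field names loosely modeled on Entra ID sign-in logs, for the pattern a relayed session token leaves behind: a non-interactive sign-in from an unjoined device and a new IP address shortly after the same user completed an interactive MFA sign-in.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in records (documentation IP ranges, example.com
# users). Field names are simplified stand-ins for Entra sign-in log fields.
SIGN_INS = [
    {"user": "alice@example.com", "time": "2024-05-01T09:00:00Z", "ip": "203.0.113.10",
     "interactive": True, "mfa": True, "trust_type": "Azure AD joined"},
    # Token replayed four minutes later from an unjoined device at a new IP.
    {"user": "alice@example.com", "time": "2024-05-01T09:04:00Z", "ip": "198.51.100.7",
     "interactive": False, "mfa": False, "trust_type": ""},
    {"user": "bob@example.com", "time": "2024-05-01T10:00:00Z", "ip": "203.0.113.10",
     "interactive": True, "mfa": True, "trust_type": "Azure AD joined"},
    # Benign token refresh: same joined device, same IP.
    {"user": "bob@example.com", "time": "2024-05-01T10:30:00Z", "ip": "203.0.113.10",
     "interactive": False, "mfa": False, "trust_type": "Azure AD joined"},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspected_token_replay(sign_ins, window=timedelta(hours=1)):
    """Return alerts for non-interactive sign-ins from unjoined devices that
    arrive from a different IP within `window` of the same user's interactive
    MFA sign-in. Each alert records the user, time, IP and the prior MFA IP."""
    alerts = []
    history = {}  # user -> earlier records, processed in time order
    for rec in sorted(sign_ins, key=lambda r: r["time"]):
        prior_sign_ins = history.setdefault(rec["user"], [])
        if not rec["interactive"] and not rec["trust_type"]:
            for prior in prior_sign_ins:
                recent = parse_time(rec["time"]) - parse_time(prior["time"]) <= window
                if prior["interactive"] and prior["mfa"] and prior["ip"] != rec["ip"] and recent:
                    alerts.append({"user": rec["user"], "time": rec["time"],
                                   "ip": rec["ip"], "mfa_sign_in_ip": prior["ip"]})
                    break
        prior_sign_ins.append(rec)
    return alerts


if __name__ == "__main__":
    for alert in find_suspected_token_replay(SIGN_INS):
        print(f"ALERT: {alert['user']} token used from {alert['ip']} at {alert['time']}")
```

A device-based conditional access policy would block the flagged sign-in outright; this check is the detection layer that tells responders the token was stolen in the first place.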
All of these steps will help protect your organization from threats. You are the first line of defense for your organization. Be cautious and be cyber-aware. For more information, contact Dean Dorton to help with your security needs.