Anatomy of an Account Takeover
Normally, I would use this first paragraph to describe the problem at the heart of the article—in this case, the damage done by a single instance of email account compromise.
But I’ll level with you: I don’t think I need to do that. I think if you’re reading this—whether you work in cybersecurity or not—you’re familiar with the concept of an account takeover and are aware that even the average breach caused by stolen credentials costs organizations $4.62M.
You may have even recently investigated a potentially compromised email account at your organization—that is, if you were able to detect it on your own, which 67% of organizations are not.
While these stats are illuminating, the mystery, and the problem I aim to solve in this writing, is how these account takeovers occur in the first place and why they often go undetected—with IBM’s 2023 Cost of a Data Breach Report noting it took an average of 11 months to resolve a breach caused by stolen credentials.
Choose Your Own Misadventure: How Account Takeover Occurs
There is no singular method that leads to account compromise, but there are a variety of common tactics attackers will employ to gain access.
Purchasing, forging, or otherwise stealing session cookies is a popular method attackers have used in multiple recent high-profile breaches. Those attackers take aim at collaboration apps or email sessions, gaining access to a user’s account and bypassing MFA without needing to interact with the user at all.
Because the attacker never touches a sign-in page, this tactic can be difficult to detect. The trade-off for the attacker, though, is that this access is ephemeral unless secondary steps are taken. A user closing out of all active sessions can ultimately boot the interloping bad actor. This is why session hijacking is often coupled with targeted social engineering—aiming to convince internal IT support to reset the account login information to give the attacker more permanent control.
When you think about how an email account takeover might begin, phishing links are usually the first cause that comes to mind. While business email compromise (BEC) and ransomware have surpassed traditional phishing links in terms of email attack frequency, the tried-and-true method—the attacker sends a link, the user clicks the link, and they are taken to a fake authentication page that captures that user’s credentials—is still prevalent.
Often, it’s amateur attackers or mass spray-and-pray campaigns that make use of this tactic, but there has also been a marked increase in targeted attacks on the personal email inboxes of executives—and while many of these attacks employ social engineering techniques, many are also relying on malware.
Social engineering is an interesting tactic since it is typically a component of every successful account takeover, whether at the initial point of compromise, as a means to breach other areas of the business, compromise additional accounts, or establish persistence.
As a means of initial compromise, social engineering can be as simple as an email ostensibly sent by the IT department requesting a user’s login credentials—or if the attacker has already stolen that user’s credentials through other means, social engineering can be used to manipulate a user into sharing an MFA one-time passcode (OTP) to authorize access.
Brute Force/Credential Stuffing
Another “traditional” tactic that remains a useful tool in an attacker’s toolbox is simply guessing credentials or guessing MFA passcodes through a brute-force attack. While this method has largely been mitigated by limiting the number of guesses a user can make before authentication providers lock access, attackers have pivoted to the similar act of credential stuffing.
Credential stuffing makes use of stolen credentials attackers already own for a given user or group of users, but those credentials are for a different application or platform. Attackers will “stuff” these credentials into the authentication page for a target platform with the hope that at least one of the users has used the same credentials.
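As an added illustration, not code from the original post or from Abnormal, the Python sketch below separates the two patterns described above over a constructed sign-in log: one source IP trying many distinct accounts in a short window (credential stuffing) versus one source hammering a single account (brute force). It also pulls out the accounts that succeeded inside a stuffing burst, since those are the users who reused a password elsewhere. The log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events, not a real log: "timestamp user source_ip outcome".
SIGNIN_LOG = """\
2024-03-01T09:00:01Z alice 203.0.113.10 FAIL
2024-03-01T09:00:02Z bob 203.0.113.10 FAIL
2024-03-01T09:00:03Z carol 203.0.113.10 FAIL
2024-03-01T09:00:04Z dave 203.0.113.10 SUCCESS
2024-03-01T09:00:05Z erin 203.0.113.10 FAIL
2024-03-01T09:05:00Z alice 198.51.100.7 FAIL
2024-03-01T09:05:01Z alice 198.51.100.7 FAIL
2024-03-01T09:05:02Z alice 198.51.100.7 FAIL
2024-03-01T09:05:03Z alice 198.51.100.7 FAIL
2024-03-01T10:00:00Z gina 192.0.2.50 SUCCESS
"""

def parse(log):
    """Turn the text log into (time, user, ip, outcome) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, ip, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome))
    return events

def classify_sources(events, window=timedelta(minutes=10), min_users=5, min_fails=4):
    """Per source IP: 'credential_stuffing' if many distinct accounts are tried inside
    one window, 'brute_force' if one account sees repeated failures. Others are omitted."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (t0, _, _, _) in enumerate(evs):   # slide the window along this source's events
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            users = {e[1] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            if len(users) >= min_users:
                verdicts[ip] = "credential_stuffing"
                break
            if len(users) == 1 and fails >= min_fails:
                verdicts[ip] = "brute_force"
                break
    return verdicts

def accounts_hit_by_stuffing(events, verdicts):
    """Successes inside a stuffing burst: the accounts whose owner reused a password."""
    return sorted({e[1] for e in events
                   if verdicts.get(e[2]) == "credential_stuffing" and e[3] == "SUCCESS"})
```

The lockout-per-account defence mentioned above never fires on the stuffing source, because each account is only tried once; grouping by source IP is what surfaces it.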
SMS or Voice Phishing
One of the core reasons account takeover can be so difficult to detect is that attackers, as other tactics in this list also show, are looking beyond the inbox to compromise user accounts.
Have you ever gotten a text from your “CEO” asking you to click a link? Has your “bank” informed you via text or automated phone call of an “unauthorized transaction,” but there is no evidence of this transaction when you check your account? You’re not alone.
All of these methods are usable at scale, and attackers will only continue to innovate in an attempt to gain unauthorized access. But before we talk about how to stop them—considering the aforementioned 67% of organizations that are not detecting account compromise on their own—it is important that we explore not only the initial compromise but what comes next.
The Journey Continues: What Happens Once an Attacker Gains Access
Once inside the organization, the attack must continue. Whether the attacker plans to move laterally into other platforms, attempt to access and exfiltrate data, or compromise (or even create) additional accounts, there are, again, a myriad of tactics that may be used.
Lateral Phishing via Email and Collaboration Apps
East-West email traffic—that is to say, email traffic occurring internally—is notoriously difficult for traditional email security solutions to monitor compared to North-South traffic. Similarly, with thousands of messages being sent in SaaS collaboration apps like Slack and Microsoft Teams, it can be near-impossible for organizations to monitor for malicious chat threads.
Attackers know this and exploit this, using compromised email and collaboration app accounts to send messages to other internal employees. As the email or chat has been crafted to appear legitimate, both from a content and sender standpoint, those internal recipients often comply with requests to send the attacker money, interact with a malicious link, or share sensitive data. Without a reliable way to monitor for lateral phishing or detect compromised accounts, these internal campaigns can continue until a recipient reports suspicious behavior.
Platform Configuration and Policy Changes
After the initial breach, attack longevity is on the minds of many attackers. How can control of an account be maintained? How can additional accounts be compromised and additional data be accessed?
To answer the first question, attackers often resort to changing configurations on the target platform—in this article, we’re focused on the cloud email platform. For example, mail tenant conditional access can be reconfigured to remove or otherwise modify MFA, making it easier for attackers to maintain account access.
But even on the compromised accounts themselves, attackers can configure mail filter rules to delete all incoming emails or redirect incoming email to an external account owned by the attacker, so even when an account takeover is remediated, threat actors may still have access to sensitive communications and data.
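As an added example rather than the post's own material, this Python snippet triages a constructed, simplified audit feed for the persistence moves described above: inbox rules that delete incoming mail, rules or mailbox settings that forward mail to an external address, and a conditional access policy being disabled. The record shape and the internal domain list are assumptions; the operation names mirror the Exchange Online cmdlets.

```python
INTERNAL_DOMAINS = {"example.com"}   # assumption: the tenant's own mail domains

# Constructed, simplified audit events (not a real unified audit log export).
# Operation names mirror the Exchange Online cmdlets; the record shape is our own.
AUDIT_EVENTS = [
    {"user": "alice@example.com", "op": "New-InboxRule",
     "params": {"Name": "Keep", "From": "finance@example.com", "MoveToFolder": "Archive"}},
    {"user": "bob@example.com", "op": "New-InboxRule",
     "params": {"Name": ".", "SubjectContainsWords": "invoice;password;mfa",
                "DeleteMessage": True, "MarkAsRead": True}},
    {"user": "bob@example.com", "op": "Set-Mailbox",
     "params": {"ForwardingSmtpAddress": "smtp:drop@attacker.invalid",
                "DeliverToMailboxAndForward": True}},
    {"user": "admin@example.com", "op": "Update conditional access policy",
     "params": {"PolicyName": "Require MFA", "State": "disabled"}},
]

RULE_OPS = ("New-InboxRule", "Set-InboxRule")
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")

def is_external(address):
    """True when the address's domain is not one of ours ("smtp:" prefix tolerated)."""
    domain = address.split(":", 1)[-1].rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS

def assess(event):
    """Return (severity, reason) findings for one audit event."""
    op, p, findings = event["op"], event["params"], []
    if op in RULE_OPS + ("Set-Mailbox",):
        for key in FORWARD_KEYS:           # mail leaving the tenant outlives remediation
            if key in p and is_external(p[key]):
                findings.append(("high", f"{key} to external address {p[key]}"))
    if op in RULE_OPS:
        if p.get("DeleteMessage"):         # the owner never sees what the rule drops
            findings.append(("high", "rule deletes incoming mail before the owner sees it"))
        if len(p.get("Name", "")) <= 1:    # blank or one-character names are a frequent tell
            findings.append(("medium", "rule name is blank or a single character"))
    if op == "Update conditional access policy" and p.get("State") == "disabled":
        findings.append(("high", f"conditional access policy '{p['PolicyName']}' disabled"))
    return findings

def triage(events):
    """Events with at least one finding, in log order, as (user, op, findings)."""
    return [(e["user"], e["op"], assess(e)) for e in events if assess(e)]
```

Alice's legitimate archiving rule produces no finding; the point of the checks is to keep such everyday rules out of the queue while the forward-out, delete and policy-disable events surface as soon as they are logged.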
Privilege Escalation and Malicious App Integration
Speaking of sensitive data, privilege escalation or abuse is not uncommon with an account takeover. While attackers often target VIPs, many times a compromised account is just an unfortunate regular employee.
Through social engineering or exploiting existing misconfigurations, attackers can elevate a compromised email account to global admin status. From there, of course, anything is possible, as attackers will have largely unfettered access to email platform or collaboration app configurations, user account settings, identity policies, and other sensitive settings and data.
The next step is often data access and exfiltration, attempting to compromise additional user accounts, creating entirely new accounts with elevated privileges, or using this privileged status to integrate and grant excessive permissions to malicious applications in an effort to establish persistence.
We’ve covered a lot of material thus far, but are these tactics actually being utilized by attackers, or is it hypothetical?
Those Who Have Walked the Unfortunate Path: Real-World Examples of Account Takeover Tactics
It is worth noting that any organization, any agency, can fall victim to account takeover. The examples listed here are not an indictment on the victims but an illustration of how attackers have already targeted organizations that may be similar to your own.
The EA breach is unique as it is one of the highest-profile and most recent instances of session hijacking.
The threat actor in this incident purchased stolen session cookies for an active Slack session on EA Games’ Slack tenant. These cookies cost $10. That is not a high barrier to entry for even the most amateur threat actor.
After hijacking the session, the attacker needed to establish a stronger foothold by fully compromising the hijacked account. The attacker sent a Slack message to EA's IT team asking to reset MFA for the compromised user as they had “lost their MFA device.” IT complied, allowing the attacker to eventually download EA source code.
In the case of Uber, the attack was predominantly social engineering, as the attacker claims to have pretended to be a member of Uber’s IT department. A user was convinced by this faux IT employee to approve an MFA request that was generated by the attacker when they attempted to access the Uber employee’s account by way of a stolen password and MFA fatigue.
Once the MFA request was approved, the attacker moved unnoticed through Uber’s network, eventually finding high-privileged credentials on an internal file share. These credentials were the key to Uber’s critical internal systems, and the attacker eventually claimed victory by announcing the breach on Slack.
This attack, perpetrated by a presumed Chinese threat group dubbed Storm-0558, was carried out against US Department of Commerce and State Department officials—as well as members of various Western European government bodies.
Unlike the EA and Uber hacks, this appears to be a sophisticated attack executed by nation-state actors. These actors exploited a vulnerability in Microsoft’s authentication process, forging authentication tokens to compromise official email accounts. From there, the attackers hid for up to a month, likely viewing and stealing sensitive information exchanged by those accounts.
Twilio, Okta, and Rockstar Games, among other organizations, have also fallen victim to similar tactics as those detailed above. This furthers the notion that regardless of industry, company size, or security measures and expertise, the risk of account takeover is always present—often a result of human error. When an account takeover does occur, it can be challenging to bring to light, but there are solutions that can and do detect and remediate compromise quickly and efficiently.
It’s Dangerous to Go Alone, Take This: Detecting and Remediating Compromise with Abnormal
As our own CISO, Mike Britton, points out in a recent article he penned for SC Media, “today’s cybercriminals are only getting savvier and it’s much more likely than not that you will experience a compromised account at some point.”
He goes on to say that “security teams should consider behavior-based anomaly detection that leverages artificial intelligence, especially when focused on the identity and behavior of the account holder.”
In the case of Abnormal, we do just that, determining a baseline of behavior for all employees in your organization, analyzing tens of thousands of signals—from typical devices and IP addresses to login locations and communication patterns across email and collaboration apps like Slack, Microsoft Teams, and Zoom. This data is used to build comprehensive behavioral case timelines and automatically remediate when an account takeover is detected.
To further enrich account takeover cases and aid in investigation, Abnormal also surfaces changes to email platform configurations such as changes to user privileges, when a user modifies mail tenant conditional access policies, and when new mail filter rules are created.
Through this extensive detection and automated remediation, Abnormal can identify the initial signs of compromise, help determine when an attacker is attempting to establish persistence, and can immediately block access to the compromised account.
While an account takeover may be a rare event, it is one that roughly half of all organizations will face. Do you want to leave the integrity of your cloud email and collaboration platforms to a coin flip?
Learn more about how you can bring Abnormal on your security journey, and request a demo today.