Cloud-based email, most notably Microsoft Office 365, has changed the way organizations implement email services, offering much needed flexibility to businesses enduring today’s disruptive pandemic. Cloud-based email is available to employees from outside the corporate network, requires no patching by the customer and is readily scalable. But the convenience of email everywhere comes at a price: access is also convenient to today’s crafty hackers — anywhere, anytime.
The fact that attackers need only credentials to compromise email accounts has given rise to large-scale business email compromise (BEC) attacks. After compromising a single business email account through credential harvesting websites, credential stuffing or password spray attacks, attackers can exploit the trust and familiarity of colleagues and supply chain partners to harvest additional credentials or request fraudulent transactions. Beware. Attackers have become extremely creative, utilizing mailbox rules and scripted searches to streamline their quest for new targets and exploitation opportunities.
Key steps to help foil attackers
The most common cloud-based email services come with a suite of authentication and monitoring capabilities as add-ons, which can help security teams to be equally creative in foiling attackers. Monitoring rules can effectively detect malicious activity. However, they should be carefully maintained to limit false positives.
Set up, monitor and respond to suspicious activity alerts. These can include alerts for impossible travel (a user logging in from two geographic areas within an impossible timeframe); new inbox rules created on a user’s account; and excessive failed logins, indicating a potential brute-force attempt.
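As an added example (not from the KPMG excerpt), the three alert rules named above expressed as detection logic over a constructed, simplified sign-in and mailbox audit feed; the field names, event names, thresholds and coordinates are assumptions, loosely modelled on the shape of a cloud audit log.

```python
# Added example, not from the source article: impossible travel, new inbox rule
# and excessive failed login detection over a constructed audit feed.
# Field names, operation names, thresholds and coordinates are assumptions.
from math import radians, sin, cos, asin, sqrt
from datetime import datetime, timedelta

MAX_SPEED_KMH = 900            # faster than this between two sign-ins => impossible travel
FAILED_THRESHOLD = 5           # failed sign-ins per user within the window => possible brute force
FAILED_WINDOW = timedelta(minutes=10)

EVENTS = [  # constructed sample records: (user, timestamp, operation, lat, lon)
    ("alice", "2021-03-01T08:00:00", "UserLoggedIn", 40.71, -74.01),   # New York
    ("alice", "2021-03-01T09:30:00", "UserLoggedIn", 51.51, -0.13),    # London, 90 minutes later
    ("alice", "2021-03-01T09:35:00", "New-InboxRule", None, None),     # rule created right after
    ("bob",   "2021-03-01T10:00:00", "UserLoggedIn", 48.86, 2.35),     # Paris
    ("bob",   "2021-03-01T20:00:00", "UserLoggedIn", 52.52, 13.40),    # Berlin, 10 hours later: plausible
] + [("carol", f"2021-03-01T11:0{i}:00", "UserLoginFailed", 37.77, -122.42) for i in range(6)]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def detect(events):
    """Return a list of (rule, user, detail) alerts for the three rules above."""
    alerts, last_login, failures = [], {}, {}
    for user, ts, op, lat, lon in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if op == "New-InboxRule":
            alerts.append(("new_inbox_rule", user, ts))
        elif op == "UserLoginFailed":
            window = [x for x in failures.get(user, []) if t - x <= FAILED_WINDOW] + [t]
            failures[user] = window
            if len(window) == FAILED_THRESHOLD:   # alert once, when the threshold is crossed
                alerts.append(("excessive_failed_logins", user, f"{len(window)} failures in {FAILED_WINDOW}"))
        elif op == "UserLoggedIn":
            if user in last_login:
                pt, plat, plon = last_login[user]
                hours = (t - pt).total_seconds() / 3600
                km = haversine_km(plat, plon, lat, lon)
                if hours > 0 and km / hours > MAX_SPEED_KMH:
                    alerts.append(("impossible_travel", user, f"{km:.0f} km in {hours:.1f} h"))
            last_login[user] = (t, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Bob's Paris-to-Berlin pair stays silent, which is the kind of tuning the text means by limiting false positives: the speed threshold, not mere location change, decides.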
This excerpt was taken from KPMG Thought Leadership, Securing the cloud — the next chapter.