Account takeover-based email attacks are on the increase because they are harder to detect than any other type of attack. Your organization’s existing controls may no longer be enough to guard against ATO-driven financial fraud, credential theft, and brand damage.

Download your copy of the white paper now to learn more about:

  • A typical account takeover-based email attack flow
  • Why ATO-based attacks are so effective at targeting your employees
  • How to prevent this type of email attacks—now and in the future

Utilizing Trust to Enable Fraud 
Why ATO-Based Email Attacks Are So Effective

Based on the latest fraud research from Agari, one in four advanced email attacks exploit a compromised account. In fact, the use of this ATO-based strategy is accelerating faster than any other impersonation technique. This data was observed from Agari Phishing Defense, an advanced email threat solution that filters email traffic after it has been scanned by the Agari Identity Graph. As part of the analysis, Agari analyzed over 232,000 messages within a six-month period.

The reasons are due to two distinct adversary advantages:

  1. Legitimate or established email accounts do not need to leverage impersonation techniques such as domain spoofing or display name deception to bypass email security controls. This makes them more difficult to protect against and much harder to spot by the target.
  2. Previously established trust relationships between the original user and their contact makes targeting and convincing the contact to give up sensitive data or release funds a significantly easier task.

However, not all ATO-based email attacks are the same, and the effectiveness will depend on the type of compromised account used in the attack. According to the same research, Agari has categorized ATO-based attacks by their originating source, either external or internal of the corporate network:

  • Stranger: Attacks using any legitimate email account of individuals unknown to the recipient (strangers) to boost reputation and leverage trusted infrastructure.
  • Acquaintance/Brand: Attacks leveraging familiarity to gain trust, while not needing a long history of initial communication.
  • Trusted Customer/Partner/Vendor: Attacks using supply chain vendor accounts of individuals known to the recipient to launch spear-phishing campaigns.
  • Executive/Authoritative Figure or Coworker: Attacks that use employee corporate accounts of individuals known to the recipient to execute business email compromise or invoice scams.

Because people are naturally trusting of their coworkers, attacks launched from a known employee webmail or insider business account have the highest chance of success.

The Agari Threat Taxonomy incorporates these Sender Identity Types, which are dependent on the relationship between the perceived sender identity and the recipient.

As attackers become more adept at identifying and compromising specific employees to target their own organizations, the effectiveness of ATO-based email attacks and the real dollars lost associated with these attacks is sure to rise.

Using the Knowledge of the Agari Identity Graph™
Protecting Your Organization Against ATO-Based Attacks

Account takeover-based email attack protection should be added to the email security layer. Integrate machine learning models to detect attacks originating from all four compromised account types.

Consider the following example of an email sent from a compromised account:

At first glance, the email does not look malicious. In fact, the email originates from an account of a real user, the recipient is a known contact, the subject matter in the communication is relevant, and the communication between Todd and Steve is expected. There is no way Steve could know that this email is from a cybercriminal using Todd’s compromised account. Making matters worse, traditional security controls predicated on first detecting occurrence of bad behavior simply cannot detect such attacks; after all, this email originates from a legitimate user account of a trusted sender.

To detect this type of attack, a next-generation solution that integrates machine learning models to analyze the three key elements of an email communication must be considered. The Agari Identity Graph uses the following phases to determine when an email goes against expected norms and is thus originating from a compromised account.

  1. Identity Mapping: This process determines the perceived identity of the sender. In the simplest view, the process uses the following identity markers to map the message to a previously established identity or organization.

    Based on the mapping, the perceived identity is derived as Todd Koslowsky, CFO of ZYX Inc.
  2. Behavioral Analytics: Given the perceived identity, the message is then evaluated for anomalies relative to the expected sender behavior. Feature classes associated with the behavior include but are not limited to the following:
    –  Tracking the consistency, timing, and volume of messages sent by this identity
    –  Tracking all email addresses and third-party services associated with this identity
    –  Tracking how long this identity has been in existence and sending email
    –  Tracking the types of email artifacts or subject matter commonly sent

    Referring back to the example, a simple analysis of one factor would be to determine whether the timeframe that the email was sent is typical of the normal user behavior. Note that the email was sent at 3:15 in the morning. Since Todd Koslowky never sends email at that time, this could be an indicator of an account takeover.

  3. Trust Modeling: Finally to further ensure accuracy as the identity of the sender is confirmed and behaviors relative to that identity tracked, the next phase determines whether the communication from the sender is expected by the recipient. This modeling is a critical component to determining whether the recipient would actually open and take the requested action within the message. Sources of this modeling could include:
    –  Previous email traffic seen between identities
    –  Frequency of interactions and responsiveness
    –  Historical organization-specific communicationsBelow is an example of the mapping between Todd’s communication relative to Steve and all organizations.

    Adding the dimension of trust, the analysis could be further expanded. For example, based on historical communication, Todd and Steve’s communication is expected, but the significant delays in Todd’s responses are not. Given that Todd sent the email at 3:15 AM where the last communication was at 2:00 PM the previous day, this could indicate that an attacker is attempting to hijack the conversation.

    Taking these inputs from each dimension, a final score determines whether the attack is indeed an account takeover and allows organizations to enforce policies to block this attack before it makes it into the inbox of the end-user.

Close button
Mail Letter

Would you like the confidence to trust your inbox?