Based on the latest fraud research from Agari, one in four advanced email attacks exploits a compromised account. In fact, the use of this ATO-based strategy is accelerating faster than any other impersonation technique. This data was collected by Agari Phishing Defense, an advanced email threat solution that filters email traffic after it has been scanned by the Agari Identity Graph. As part of the analysis, Agari analyzed over 232,000 messages within a six-month period.
This is due to two distinct adversary advantages:
However, not all ATO-based email attacks are the same, and their effectiveness depends on the type of compromised account used in the attack. According to the same research, Agari has categorized ATO-based attacks by their originating source, either external or internal to the corporate network:
Because people are naturally trusting of their coworkers, attacks launched from a known employee webmail or insider business account have the highest chance of success.
The Agari Threat Taxonomy incorporates these Sender Identity Types, which are dependent on the relationship between the perceived sender identity and the recipient.
As attackers become more adept at identifying and compromising specific employees to target their own organizations, the effectiveness of ATO-based email attacks and the real dollars lost to these attacks are sure to rise.
Account takeover-based email attack protection should be added to the email security layer. Integrate machine learning models to detect attacks originating from all four compromised account types.
Consider the following example of an email sent from a compromised account:
At first glance, the email does not look malicious. In fact, the email originates from the account of a real user, the recipient is a known contact, the subject matter of the communication is relevant, and communication between Todd and Steve is expected. There is no way Steve could know that this email is from a cybercriminal using Todd’s compromised account. Making matters worse, traditional security controls predicated on first detecting an occurrence of bad behavior simply cannot detect such attacks; after all, this email originates from a legitimate user account of a trusted sender.
To detect this type of attack, a next-generation solution that integrates machine learning models to analyze the three key elements of an email communication must be considered. The Agari Identity Graph uses the following phases to determine when an email goes against expected norms and is thus originating from a compromised account.
Referring back to the example, a simple analysis of one factor would be to determine whether the timeframe that the email was sent is typical of the normal user behavior. Note that the email was sent at 3:15 in the morning. Since Todd Koslowky never sends email at that time, this could be an indicator of an account takeover.
Adding the dimension of trust, the analysis can be expanded further. For example, based on historical communication, Todd and Steve’s communication is expected, but the significant delays in Todd’s responses are not. Given that Todd sent the email at 3:15 AM, whereas the last communication was at 2:00 PM the previous day, this could indicate that an attacker is attempting to hijack the conversation.
Taking these inputs from each dimension, a final score determines whether the attack is indeed an account takeover and allows organizations to enforce policies to block this attack before it makes it into the inbox of the end-user.
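As an added illustration, not Agari's code or its Identity Graph, the following Python sketch scores a message on the two dimensions the text walks through, a send-hour baseline for the sender and reply latency within the thread, and combines them into a single verdict. The sender history, dates, weights and threshold are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed baseline for one sender (hypothetical data, not Agari's):
# the hour of day of 20 past messages, and the gaps in hours between
# consecutive messages in the thread with this recipient.
SEND_HOUR_HISTORY = [8, 9, 9, 10, 10, 10, 11, 11, 13, 14,
                     14, 14, 15, 16, 16, 17, 9, 10, 15, 11]
REPLY_DELAY_HISTORY_H = [0.5, 1.0, 0.75, 2.0, 1.5]

def hour_profile(hours):
    """Behaviour baseline: share of the sender's past mail sent in each hour."""
    counts = Counter(hours)
    return {h: counts[h] / len(hours) for h in range(24)}

def behaviour_score(profile, sent_at):
    """Behaviour dimension: 0.0 if the send hour is as common as the sender's
    busiest hour, 1.0 if the sender has never sent mail at this hour."""
    return 1.0 - profile[sent_at.hour] / max(profile.values())

def trust_score(delay_history_h, delay_h):
    """Trust dimension: reply latency relative to the thread's typical cadence.
    0.0 at or below the historical median, approaching 1.0 for long delays."""
    ratio = delay_h / median(delay_history_h)
    return 1.0 - 1.0 / ratio if ratio > 1 else 0.0

def ato_score(sent_at_iso, last_message_iso, w_behaviour=0.5, w_trust=0.5):
    """Combine both dimensions into one score in [0, 1] for a message sent at
    sent_at_iso, replying to a thread whose previous message was last_message_iso."""
    sent_at = datetime.fromisoformat(sent_at_iso)
    last = datetime.fromisoformat(last_message_iso)
    delay_h = (sent_at - last).total_seconds() / 3600
    b = behaviour_score(hour_profile(SEND_HOUR_HISTORY), sent_at)
    t = trust_score(REPLY_DELAY_HISTORY_H, delay_h)
    return round(w_behaviour * b + w_trust * t, 3)

def verdict(score, threshold=0.7):
    """Policy step: block before delivery when the combined score is high."""
    return "block" if score >= threshold else "deliver"

if __name__ == "__main__":
    # The page's scenario with constructed dates: a 3:15 AM reply whose
    # previous message in the thread was at 2:00 PM the day before.
    suspicious = ato_score("2019-03-12T03:15", "2019-03-11T14:00")
    normal = ato_score("2019-03-12T10:00", "2019-03-12T09:00")
    print(suspicious, verdict(suspicious))  # 0.962 block
    print(normal, verdict(normal))          # 0.0 deliver
```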