If you have a business email compromise incident and you haven’t deteced it in a timely manner your fist notification might be a bad experiance, the threat actors may have commited fraud, attemped fraud or simply launched a phishing If you have a business email compromise incident and you haven’t detected it in a timely manner your fist notification might be a bad experience, the threat actors may have committed fraud, attempted fraud, or simply launched a phishing campaign from your environment. If you are in this position, there are some steps you can take from a technical point of view to limit impact and reduce risk of a re-occurrence. This blog is a high-level view at some of the tactical and longer-term activities you can conduct.

Suggested Tactical Actions

• Reset users’ passwords
• Enable litigation hold on affected mailboxes
• Run a password audit to identify weak passwords
• Review OAUTH/Apps deployed to mailboxes for backdoors
• Deploy MFA to all users
  • https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
  • Watch out for shared mailboxes (they can have a password too!)
• Deploy Conditional Access Rules
• Hunt Mailboxes for those with “Forwarding” or “suspicious” rules (e.g., move sent items to an archive/deleted item etc.)
• Disable legacy email protocols e.g., SMTP, IMAP, POP for user mailboxes
  • https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication
  • https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#
• Monitor the activity log (UAL)
• Monitor the logs using advanced hunting
• Review alerts and incidents in 365 Defender
• Export evidence for analysis to understand incident timeline and impact so the business can take a risk informed position and notify affected parties including data privacy regulators etc. (e.g., the ICO)
• Conduct e dsicovery on mailboxes
• Review trace and UAL logs to rapidly assess 90 day impact
• Hunt for BIND and SYNC events (SYNC events show full compormise, BIND only may show only webmail access)
• For longer term breaches extract UAL, TRACE and mailbox/pst metdata for message ID analys
• Block risky attachments e.g. ISO, VMDK, VHD, .XLL, .XLM

General guidance from Microsoft:

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide

Short/Medium/Long Term

There are a range of activities that will help reduce the likelihood and impact of an email compromise, some of which could be:

• Ensure staff are trained in how to report phishing incidents
• Deploy NCSC report a phish plugin to Outlook
  • https://www.pwndefend.com/2021/10/04/reporting-an-email-as-phishing-in-office-365-with-ncsc-sers/
• Deploy EDR to client devices
• WHere possible disable macros
• Audit high privilege access
• Ensure logs are shipped to a SIEM
• Ensure alerts are monitored in 365 Defender
• Improve mail threat defence configurations
• Implement SPF/DMARK/DKIM
• Deploy protective DNS
• Plan for incident repsonse
  • Conduct tabletop excercises
  • Conduct simulations (don’t skip this step, this is where you prepare for a technical response and validate controls and processes)

Further Reading

https://www.ncsc.gov.uk/files/Business-email-compromise-infographic.pdf

https://www.ncsc.gov.uk/guidance/phishing

Invest in Security

A breach is never a good thing, however it’s important to find value in incidents and to use them to enable the business to gain greater insight into risks and take steps in the future. Leave no event with a positive outcome!