How an Office365 Email Hack Cost Millions (and How You Can Avoid the Same Fate)
Imagine you’ve just made a million-dollar investment in your business. You’ve done your research and are convinced this is the right investment to take your business to the next level. Yet something is bothering you about your last few emails. Why did the investment company change the banking details at the last minute? And why have some of the key people in the deal not weighed in on those changes? It’s a lot of money, and you lose a night’s sleep over this.
The next day, you review your emails with the investment company and discover the email address you’ve been corresponding with changed three days prior to a different domain that has a near-undetectable difference. Have you been hacked? How did they insert themselves into an email chain without being noticed? How did they know all the relevant names, places, and details going months back?
They knew it all, and now you’ve wired a million dollars to a stranger. Could your business survive?
This exact scenario happened to a client of ours. Here’s the story of how it happened, how IMP Solutions helped the client deal with the event, and how to put the proper security procedures in place to prevent a repeat.
How the Hack Happened
IMP Solutions was brought into this story when our client asked us for assistance in tracking down a suspicious wire transfer. They had nearly been the victim of a million-dollar wire transfer fraud scheme, and they only caught it at the last minute. Thankfully, they were able to contact their bank, report the fraud, and have the transfer cancelled. However, it took 24 agonizing hours for the bank to confirm the cancellation and save their business.
They wanted to know how it happened, and our investigation set about uncovering the truth. At some point in the recent past, the president of the company had his Office365 password compromised. The hacker was able to successfully log onto the client’s Office365 and set up a forwarding rule that sent all received email to a Gmail account owned by the hacker. Then, that forwarded message was deleted to hide the trail.
All the hacker had to do was watch the Gmail account for discussions of contract negotiations and a fund transfer. In this case, it just so happened the hacker had hit the mother lode with a million-dollar investment in the works. They created a new rule forwarding any emails about the wire transfer, deleted the evidence of the forward, and used previous email chains to fake a response. To the client, aside from the slight change in spelling of the email domain, the forgery appeared to be a genuine reply to an ongoing email conversation they were expecting, and the hacker was able to craft a convincing reply about a last-minute change in banking details. The client thought it odd but proceeded with the wire transfer.
Shortly after, they realized something was wrong and got us involved to help them out. The first thing we did was have the president reset his password. We then discovered the forwarding rule on the president’s mailbox. A PowerShell script run across every mailbox in the organization showed no other suspicious forwarding rules in place, leading us to conclude that only the president’s mailbox was compromised.
Next we ran a message trace for all emails sent to the offending Gmail account and hit the limit of Office365’s message trace reporting window. The offending Gmail account was reported to Google, and the look-alike domain used in the wire transfer fraud was reported to its registrar. Local authorities and the RCMP were notified, and the client had to send a notice to their entire customer base informing them of the compromised mailbox and the information that may have been leaked.
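The tenant-wide check described above, written out as an added example (this is not IMP Solutions’ script): it walks every Exchange Online mailbox, flags mailbox-level forwarding and any inbox rule that forwards or redirects outside the organization or deletes the message (the combination used in this case), and finishes with the message trace. The cmdlets come from the ExchangeOnlineManagement module; the internal domain list and the suspect address are placeholders you would replace with your own values.

```powershell
# Added example, not the original post's script. Requires the
# ExchangeOnlineManagement module and an account with Exchange admin rights.
Connect-ExchangeOnline

$InternalDomains = @('example.com')                 # assumption: your tenant's accepted domains
$SuspectAddress  = 'attacker-mailbox@example.net'   # constructed placeholder, not a real indicator

function Test-ExternalAddress {
    param([string]$Address)
    # Inbox-rule recipients render as '"Name" [SMTP:user@domain]'; extract the SMTP part.
    if ($Address -match 'SMTP:([^\]\s]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1]
    return ($domain -and ($InternalDomains -notcontains $domain.ToLower()))
}

$findings  = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mbx in $mailboxes) {
    # 1. Mailbox-level forwarding (set by an admin or in Outlook on the web settings)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress
            Source  = 'MailboxForwarding'
            Rule    = $null
            Target  = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
            Deletes = -not $mbx.DeliverToMailboxAndForward   # no local copy kept
        }
    }

    # 2. Inbox rules that forward or redirect, and whether they also delete the copy
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress)) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                    Where-Object { $_ }
        $external = $targets | Where-Object { Test-ExternalAddress $_ }
        if ($external -or $rule.DeleteMessage) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Source  = 'InboxRule'
                Rule    = $rule.Name
                Target  = ($external -join ';')
                Deletes = [bool]$rule.DeleteMessage
            }
        }
    }
}

# Review the list by hand: a rule that forwards externally AND deletes is the
# pattern from this incident; an external forward alone may still be legitimate.
$findings | Sort-Object Mailbox | Format-Table -AutoSize

# 3. Message trace for mail delivered to the suspect address. Get-MessageTrace only
#    reaches back 10 days; older traffic requires Start-HistoricalSearch instead.
Get-MessageTrace -RecipientAddress $SuspectAddress `
                 -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) |
    Select-Object Received, SenderAddress, Subject, Status
```

Run it from an admin workstation after the compromised password has been reset, and keep the output as part of the incident record: the list of rules and the trace are what you need when notifying customers about which mail may have been exposed.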
How to Protect Your Business against Hackers
There were a number of mitigating security policies the client could have implemented that would have prevented or limited damage from this type of compromise. We’ve outlined some of those strategies below and are recommending all our Office365 clients use the recommendations as a guideline for their own strategies.
Additionally, we recommend you talk with IMP Solutions about which strategies at different price points might be most advantageous for your business to implement:
Zero cost mitigation strategies
- Enable two-factor authentication – With two-factor authentication in place, only someone holding both the password and the token can log into Office365. It does require periodic re-authentication, so that the token and token authentication on every web login remain secure.
- Disable forwarding rules companywide – This strategy prevents compromised accounts from forwarding emails on autopilot outside the organization.
- Implement complex and rotating passwords – Static passwords are easier to crack. Threats to email accounts are lessened if passwords go through more frequent rotations.
- Urge employees to conduct periodic reviews of mail rules and forwards – This empowers employees to be aware of their own settings and improves their ability to recognize if their account has been compromised.
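The “disable forwarding rules companywide” strategy above is a tenant setting, shown here as an added example (not IMP Solutions’ configuration): the first two commands display the current, permissive state, the next two turn external auto-forwarding off, and the last one verifies the change. It assumes an existing Connect-ExchangeOnline session from the ExchangeOnlineManagement module.

```powershell
# Added example, not the original post's configuration. Assumes Connect-ExchangeOnline
# has already been run with an account that can edit outbound spam policies.

# Before (the weak state): see whether automatic forwarding to external addresses is allowed.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-RemoteDomain -Identity Default | Select-Object DomainName, AutoForwardEnabled

# After: turn it off in every outbound spam policy (the current control) and on the
# default remote domain (the older transport-level control) so the two cannot disagree.
Get-HostedOutboundSpamFilterPolicy | ForEach-Object {
    Set-HostedOutboundSpamFilterPolicy -Identity $_.Identity -AutoForwardingMode Off
}
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Verify: AutoForwardingMode should now read Off for every policy.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
```

This blocks the forward to an outside Gmail account, which is what hid the trail in this incident, but it does not stop an attacker who holds a valid password from reading the mailbox directly; two-factor authentication is the control for that. If a few staff genuinely need external forwarding, give them a separate outbound spam policy rather than relaxing the default for everyone.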
Low cost mitigation strategies
- Use Advanced Threat Protection for Office365 – This solution provides a layer of security against email spoofing and email phishing scams and helps block virus attacks delivered by email as well as the social engineering behind wire transfer fraud.
- Train employees on cybersecurity strategies – Employee awareness of email, web, and computer security improves their ability to recognize when anything is amiss and reduces one of the most common cyber threats: employee-caused data breaches.
Higher cost mitigation strategies
- Upgrade to E5 Licensing – This Office365 feature provides behaviour analysis alerting and automatic actions. Those range from automatic account lockouts and forced re-authentication to email and geo-location login alerts. E5 licensing is recommended for high-risk employees such as executive team members, those involved in finance, executive assistants, or anyone with influence over financial transactions.
Reduce Your Risk from Cyber Threats
The threat to your business from data breaches is not going away. Whether through your email or a weak point in your network, hackers will find any vulnerability and try to exploit it. The good news is that IMP Solutions’ team of trained cybersecurity professionals can help you prepare for threats and put the proper tools and practices in place to prevent and limit damage.
Schedule a Cyber Threat Assessment today to overcome the challenges facing your business.