51

We hired a new Sales Ops member 1 week ago. Within a week he's getting emails similar to the below:

[Screenshot of the email]

I did some research on the sender and it is a valid email, valid person, SPF/DKIM checks come through fine. I reached out to my CEO to check to see if he knew the sender.

  1. I know I can stop this by rejecting messages spoofing an employee; the problem is I'd be rejecting their personal emails due to the name part. Is there a way in Office 365 to detect these and stop them more intelligently?
  2. What are the ways some of these scammers get this data so easily so that they can send emails like this? They're always hitting my sales teams and not my operations or tech team. My team is running BitDefender with the latest updates, and running behind some strong firewalls and gateways that also scan incoming and outgoing data.
Ryan Ternier
    Is all your employee information, including positions, available on your website open source? If so, there's the answer to the "Why" – john doe Aug 19 '20 at 19:07
  • 1
    @johndoe Names, emails, etc. are not on our website. I would never let a personal email address be public on our site. – Ryan Ternier Aug 19 '20 at 21:46
  • 2
    Can you web search their email, or their name + company? – domen Aug 21 '20 at 15:13

5 Answers

84

Presumably, your MX record is suffering from a directory harvest attack (DHA). There are lots of ways to do this and unless you're very savvy at poring through your mail logs, most of them are (by design) hard to detect.

The simplest form of DHA involves SMTP vrfy and expn commands. You can block these entirely. More sophisticated attacks can involve composing emails and then never completing them (the trailing . marking the end of a data command, or even just rset or quit or dropping the connection before issuing a data command).

If you're using o365 exclusively, harvesting from the MX is less likely a concern (I assume Microsoft is savvy enough to block most DHA attempts, though they may not provide enough forensic data to determine if a DHA was attempted or how successful it was before it was cut off). Perhaps attackers have found another source of this data, like a list of your users or a compromised user system or account that attackers can access to read mail or the address book.

If your usernames are predictable, e.g. Firstname.Lastname@company.tld, an attacker can determine users by scraping a company employee listing or a site like LinkedIn. Another source of addresses is public mailing list archives.

One thing you can do is to set up a spamtrap (aka a honeypot). Just make a new account for a fictional user and never tell anybody. Wait for a while to see if it starts getting mail and you'll know there was a DHA. If you don't get any bites, then your trap wasn't listed in the place(s) attackers harvest. Try to come up with what those might be and spin up new dedicated addresses (or, if you have to pay per account, add new seeding techniques to the single trap account one by one, with a few weeks between each addition so you can identify it).

Adam Katz
    I would suggest using a different fictional account for each possible leak. – Stig Hemmer Aug 20 '20 at 07:21
  • 2
    @StigHemmer – Good point. If it's easy to create new accounts, make each unique to the seeding technique. If you actually have to jump through lots of hurdles (e.g. to pay) per account, space them out by a few weeks. – Adam Katz Aug 20 '20 at 13:41
  • We get similar. Somehow scammers are able to get employees' personal cellphone numbers. I'm working on setting up a honeypot to see if I can identify the source. – Shahid Syed Aug 18 '22 at 23:27
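A log-side check for the harvesting pattern described in this answer, as an added example (not the answer's own code): it scans Postfix-style reject lines for VRFY/EXPN probes and for a single client tripping many "User unknown" rejects in a short window, which is what a harvester walking a name list looks like. The log format, hostnames, thresholds and the sample lines are all constructed assumptions; adapt the regex to your MTA.

```python
import re
from collections import defaultdict
from datetime import datetime

# Postfix-style reject line for RCPT, VRFY or EXPN (format assumed; adapt for your MTA).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"(?P<cmd>RCPT|VRFY|EXPN) from \S+\[(?P<ip>[\d.]+)\]: "
)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog stamps carry no year
    return {"ts": ts, "ip": m["ip"], "cmd": m["cmd"], "unknown": "User unknown" in line}

def find_dha(lines, window_s=60, threshold=5):
    """Return {client_ip: reason} for clients whose rejects look like harvesting."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        probes = sum(1 for e in evs if e["cmd"] in ("VRFY", "EXPN"))
        if probes:
            findings[ip] = f"{probes} VRFY/EXPN probe(s)"
            continue
        # Sliding window over 'User unknown' rejects: a partner's typo is one event, a harvester trips many.
        stamps = sorted(e["ts"] for e in evs if e["cmd"] == "RCPT" and e["unknown"])
        best = lo = 0
        for hi in range(len(stamps)):
            while (stamps[hi] - stamps[lo]).total_seconds() > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            findings[ip] = f"{best} unknown recipients within {window_s}s"
    return findings

# Constructed sample (not real traffic): a harvester walking a name list, a partner's stale address, a VRFY probe.
def _rcpt(ts, host, ip, rcpt):
    return (f"{ts} mx postfix/smtpd[7]: NOQUEUE: reject: RCPT from {host}[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown")

SAMPLE_LOG = [_rcpt(f"Aug 19 10:00:{s:02d}", "unknown", "203.0.113.7", f"{u}@example.com")
              for s, u in enumerate(["aaron", "abby", "adam", "adele", "adrian", "aiden"])] + [
    _rcpt("Aug 19 10:03:12", "mail.partner.test", "198.51.100.9", "olduser@example.com"),
    "Aug 19 10:04:40 mx postfix/smtpd[9]: NOQUEUE: reject: VRFY from unknown[192.0.2.33]: "
    "502 5.5.1 VRFY command is disabled; from=<> to=<ceo@example.com> proto=ESMTP helo=<x>",
]
```

On Postfix the VRFY probe itself is refused with `disable_vrfy_command = yes` (Postfix does not implement EXPN); the window heuristic is what catches the quieter RCPT-based harvesting this answer mentions.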
15

An easy way would be to monitor LinkedIn using a script to look for new hires and target them based on their job description.

In no time, I found that Hayden was hired 2 months ago as a "Sales Operation Manager".

Depending on your Office 365 subscription there are multiple features to fight phishing: Anti-phishing protection in Microsoft 365

Malady
null
  • There are also specific Office/Microsoft 365 Spoof protection tools. The docs can be found at https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/learn-about-spoof-intelligence?view=o365-worldwide – Steve Aug 20 '20 at 20:57
12

What are the ways some of these scammers get this data so easily so that they can send emails like this?

It's hard to tell, but my guess is that your Sales Ops people get subscribed to various websites (in order to do their job), which may either leak addresses or be outright built to collect data.

Next time you hire someone in that team, tell them NOT to subscribe to anything for a while and see what happens. Or just set up an email address and then use it to subscribe to the same websites Sales Ops people use, and again see what happens.

A. Darwin
  • Combining a pair of answers, perhaps create a series of fake sales accounts to [bisect](https://en.wikipedia.org/wiki/Bisection_(software_engineering)) the vendors – ti7 Aug 21 '20 at 15:37
11

First of all, if the SPF and DKIM do show that the email was indeed sent from gmail (note that gmail only has a SOFTFAIL SPF), you want to outright block this address. Or better yet, have any email from that sender automatically create a ticket to your internal IT security, as the next guy may not detect it is fraudulent.

Let's assume that the CEO is Alice CeoSE alice.ceose@stackexchange.com and the new hire is Hayden Sales hayden.sales@stackexchange.com, with the fake from being alice.ceose@gmail.com

This means that alice.ceose@gmail.com was created and is controlled by someone with the sole purpose of performing a CEO Fraud on your company.

It'll be trivial for them to create a new gmail address after you block it, but it'd be silly not to. Make them take the extra effort to open a new account (plus, they don't know whether you detected it or not. Also, check who else received mail from this account). The next guy may not detect it is fraudulent and fall for it.

Additionally, I would take advantage of this attack to send a general reminder of Business Email Compromise / CEO Fraud: what it is, what people are expected to do (no matter the supposed "CEO" asking them not to say anything!), and that your company is being attacked right now (obviously, you might need approval from higher-ups but, unless this is an exercise, this is a clear case of why some things are important).

I would try to add rules to catch it on content, too, as this is a temporary measure. Maybe the "Chief Executive Officer" text, if she doesn't use that exact phrase?

You mention that you would miss personal emails. However, if this is an account created to impersonate your CEO, you never want anything from there to reach your employees (other than the security team).

If your issue is that you would lose emails when the CEO did send emails from her personal account, I'd take that loss. An employee SHOULD NEVER need to send work-related emails from a personal account. (*) It may not be practical company-wide, but it is surely worth it for the C-level executives. This will mean that they must only contact their company with their company-provided email; this will require an order from the top (such as the CEO) and must include the CEO herself.

I would recommend implementing it such that any email coming with such condition automatically creates a security incident ticket:

On XX YYYY ZZZZ, an email from Alice Ceose alice.ceose@gmail.com was sent to poor.underling@stackexchange.com. This purports to come from the CEO, but is not using her company email which is the only one allowed to be used for internal communication, per the CEO memo dated 8/22/2020, after there were attempts to impersonate our executives on 8/19/2020 and defraud the company of multiple millions.

And notify the impersonated one at the company email address (so that, if it was indeed sent by that person, they can't claim that you silently filtered the email, and, being automatic, no person needs to step up and call them out for their wrongdoings). For practical reasons, I would recommend also including a per-user whitelist (where you could add the actual personal address of those executives that continuously forget about this rule).

(*) Obvious exceptions would be before being assigned an email address, or, with COVID work-from-home measures, communicating with the helpdesk if they block their account (with the obvious danger that the helpdesk must not fall for impersonation attempts against an employee). Your lawyers will probably give you a thousand and one reasons not to share company information with accounts outside your control.


As for the second question, the new hire's details could have leaked through:

  • Predictable email naming patterns
  • The employee social networks, such as LinkedIn (as noted by null)
  • Publications of the company on their web page, social media, etc. ("our team", "please welcome our new hire Hayden"...)
  • Newsletters, conferences, etc.
  • Compromised account of an employee (leaking the address list of the people they emailed... or of the whole company)
Ángel
6

I assume your company is sufficiently clean of any viruses (I may be wrong). If your employee communicates by email with people outside the company, then it is likely he sent messages to people that read their mail on an infected machine. Malicious programs on the computers of such persons may collect address books to build email databases to send SPAM and do all sorts of nasty things.

Employees with lots of links to the outside world are therefore more exposed.

I don't know Office 365 well, so I cannot tell you how to stop this. However, it may actually be good that your employees receive a few emails that are obviously phishing. This helps them remain alert and apply common-sense checks on each message before acting. One day, your company may be subject to an elaborate phishing attempt with no easy way to automatically distinguish good from bad emails. If that happens, the best barrier would be the employee not clicking on the link nor replying.


Finally, I can add some "personal data" regarding fresh new emails: For over a decade, I have been using about 1000 personal email addresses, each registered to a unique web service. On the vast majority of those, I received only legitimate mail. On the others, I could identify two cases:

  • In the first case, the email was used to create an account on a legitimate website managed by a company that is sufficiently big to assume that the handling of your personal data is pretty much all automated. IN ALL CASES, when I started to receive SPAM, a Google search pointed to news articles that the website had been hacked weeks or months before the SPAM started. IN MOST OF THE CASES, the company also informed me of the data leak after they discovered the issue, but on one or two occasions they did not...

  • In the second case, and similarly to the above, I generated the email to create an account or request a service on a legitimate website. However, here it is likely that my email was stored on someone's personal computer (small website, a service for which you can expect to receive a personal email from a human, etc.). In particular, I have many addresses that got leaked when used to register for a one-time event such as a show. In that case, I assume the organizers just created the website for the event with a form so that they could collect the list of participants. They then manually send legitimate messages, but unfortunately from a computer with malicious software that can collect my data. Here, NEVER have I found news articles about the leak, nor been informed by the organizers of any hack.

Tony