Email Security

    Email Account Takeover Protection Strategies for Microsoft 365

    by Richard Botley

    Here’s how to extend your email security strategy so that threats already inside the perimeter, circulating between Exchange Online mailboxes, are detected and remediated quickly rather than only being screened at the cloud gateway.

    Email account takeover attacks are hardly new but as cloud services surge in popularity, the risks of a data leak or financial fraud are intensifying.

    This trend led the FBI to issue a stark warning highlighting the growing risk to cloud services as threat actors have realized they are a gold mine of information. Between January 2014 and October 2019, the FBI’s Internet Crime Complaint Center (IC3) received complaints totaling more than $2.1 billion in actual losses from business email compromise (BEC) scams using two popular cloud-based email services.

    In account takeover attacks – a form of business email compromise - adversaries aim to steal or guess login credentials, most commonly a username and password. This is often made easier by poor password policies and lack of security awareness training for employees on password re-use across personal and work accounts.

    For example, once a user’s reused credentials turn up in a password dump traded on the dark web, the attacker can sign in to that user’s Microsoft 365 mailbox, SharePoint folders, or files in OneDrive. The attacker may then monitor email traffic to learn about the organization, looking for opportunities to steal money or confidential data.

    Internal email risks

    According to the fourth annual State of Email Security report by Mimecast, 60% of respondents’ organizations were hit by an attack that spread from an infected user to other employees. Infected email attachments were the most common method, accounting for 42% of these cases; 30% spread via infected links within emails and 17% via instant messaging applications.

    More advanced attacks may also aim to install malware in order to gain persistent access to the device, or to identify other users whose accounts can be compromised next (lateral movement). Valuable supply chain partners may also become a key target as the attack extends outward, particularly for the popular business email compromise ‘invoice fraud’ scams.

    This problem of weak or stolen credentials can be significantly mitigated by multi-factor authentication (MFA), yet adoption remains sluggish. Meanwhile, attacks using SIM swapping (to intercept SMS one-time codes) and man-in-the-middle phishing proxies (to capture a signed-in session) can increasingly circumvent this layer, so MFA cannot be the only control.

    So what can you do?

    Apply the same level of gateway controls and intelligence to emails traveling between users inside the organization. Then, new threats that have evaded the gateway or another security control can be contained and remediated quickly. Speed of action matters here, and only through automation can you realistically reduce the dwell time of an attacker in your environment.

    The trick is to use the Exchange Online journaling feature of Microsoft 365, more often used as part of an email retention or archival strategy. A journal rule copies messages exchanged between your users to a journaling mailbox; in Exchange Online that mailbox must sit outside the tenant, which is exactly where a security gateway can receive it. Feed the journaled internal mail, together with your outbound mail, through the same perimeter-level security checks and you have continuous detection for insider threats.
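    The journal rule described above, as an added example in Exchange Online PowerShell (this is not Mimecast’s own configuration, and the admin account, NDR mailbox and gateway journaling address are placeholders to replace with your own):

```powershell
# Added example: journal internal Exchange Online mail to an external security gateway.
# All addresses below are placeholders, not real tenants or vendors.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Exchange Online refuses to create journal rules until a non-journaled mailbox is
# nominated to receive journaling NDRs (reports that could not be delivered).
Set-TransportConfig -JournalingReportNdrTo journal-ndr@contoso.com

# Copy every message sent between recipients inside the organization (Scope Internal)
# to the gateway's journaling address. Omitting -Recipient covers all senders in the tenant;
# the journaling mailbox cannot itself be an Exchange Online mailbox.
New-JournalRule -Name "Internal mail to security gateway" `
    -JournalEmailAddress "journal@journal.example-gateway.com" `
    -Scope Internal `
    -Enabled $true

# Verify the rule and the NDR setting before relying on them for detection.
Get-JournalRule | Format-List Name, Scope, JournalEmailAddress, Enabled
Get-TransportConfig | Format-List JournalingReportNdrTo
```

    Journaling with Scope Internal only captures mail that never leaves the tenant; outbound mail still reaches the gateway through the normal outbound connector, so both paths end up in the same inspection pipeline. Expect a second copy of every internal message to be generated, and size the gateway’s journaling intake accordingly.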

    Automate to remediate

    Additional direct integrations with Microsoft Exchange and Exchange Online then allow you to automatically remove malicious, unwanted, or inappropriate emails that are traversing internally. Organizations with existing SIEM and SOAR platforms can streamline their email account takeover or malware outbreak responses by using the internal email security service’s APIs to feed detections directly into existing playbooks.

    Email security controls inside the perimeter can also apply data loss prevention (DLP) content policies and help detect abnormal behaviors, using machine learning and graph database technology to build up a baseline of normal communication patterns for each user. Monitoring deviations from those patterns, such as a user suddenly writing to people and domains they have never contacted, can then help spot impersonation, account takeovers, and misaddressed email errors.
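    To make the baseline idea concrete, here is an added example (not Mimecast’s detection engine, which the page does not describe in detail) that builds a simple per-sender profile from journaled message metadata and flags deviations that a playbook could act on: recipients and domains never seen before, sending outside the user’s usual hours, and a burst of messages to unseen recipients. The records are constructed sample data, and the thresholds are assumptions chosen for illustration.

```python
"""Communication-baseline anomaly detection over journaled email metadata (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (sender, recipient, UTC timestamp); not real traffic.
BASELINE = [
    ("alice@contoso.com", "bob@contoso.com", "2020-03-02T09:15:00"),
    ("alice@contoso.com", "carol@contoso.com", "2020-03-02T10:05:00"),
    ("alice@contoso.com", "bob@contoso.com", "2020-03-03T11:20:00"),
    ("alice@contoso.com", "ap@supplier.example", "2020-03-04T14:00:00"),
    ("alice@contoso.com", "bob@contoso.com", "2020-03-05T16:30:00"),
    ("dave@contoso.com", "alice@contoso.com", "2020-03-05T09:00:00"),
]

# Constructed new traffic: one normal message, then a 2 a.m. fan-out to unseen recipients,
# including a look-alike invoice domain, the shape an account takeover often takes.
NEW = [
    ("alice@contoso.com", "bob@contoso.com", "2020-03-09T09:40:00"),
    ("alice@contoso.com", "finance@contoso-invoices.example", "2020-03-09T02:10:00"),
    ("alice@contoso.com", "erin@contoso.com", "2020-03-09T02:12:00"),
    ("alice@contoso.com", "frank@contoso.com", "2020-03-09T02:13:00"),
]


def build_baseline(records):
    """Summarise who each sender normally writes to, and at which hours."""
    profile = defaultdict(lambda: {"recipients": set(), "domains": set(), "hours": set()})
    for sender, recipient, ts in records:
        p = profile[sender]
        p["recipients"].add(recipient)
        p["domains"].add(recipient.rsplit("@", 1)[-1])
        p["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(profile)


def score_message(profile, sender, recipient, ts):
    """Return the deviations one message shows from its sender's baseline (empty if none)."""
    p = profile.get(sender)
    if p is None:
        return ["no-baseline"]  # never seen this sender: cannot judge, surface for review
    reasons = []
    if recipient not in p["recipients"]:
        reasons.append("new-recipient")
        if recipient.rsplit("@", 1)[-1] not in p["domains"]:
            reasons.append("new-domain")
    hour = datetime.fromisoformat(ts).hour
    if not (min(p["hours"]) <= hour <= max(p["hours"])):
        reasons.append("off-hours")
    return reasons


def detect(profile, records, window=timedelta(minutes=10), burst_threshold=3):
    """Score records in time order; flag a sender who fans out to several unseen recipients fast.

    window and burst_threshold are assumed tuning values, not figures from the page.
    """
    recent_new = defaultdict(deque)  # per-sender timestamps of messages to unseen recipients
    alerts = []
    for sender, recipient, ts in sorted(records, key=lambda r: r[2]):
        reasons = score_message(profile, sender, recipient, ts)
        if "new-recipient" in reasons:
            now = datetime.fromisoformat(ts)
            q = recent_new[sender]
            q.append(now)
            while q and now - q[0] > window:
                q.popleft()
            if len(q) >= burst_threshold:
                reasons.append("burst-new-recipients")
        if reasons:
            alerts.append({"sender": sender, "recipient": recipient,
                           "timestamp": ts, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE), NEW):
        print(alert["timestamp"], alert["sender"], "->", alert["recipient"],
              ", ".join(alert["reasons"]))
```

    Run stand-alone, the script flags the three 2 a.m. messages and leaves the 09:40 message to a regular contact alone; the third message in the burst also carries the burst reason, which is the point at which a SOAR playbook would typically pull the messages back and force a credential reset. A real deployment would build the profile from weeks of journal data and treat the hour range as a distribution rather than a min/max, but the structure of the decision is the same.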

    Human error still lies at the heart of most successful attacks and it’s imperative that every employee has a firm belief that they play an important role in defending the organization. That’s why we should combine these technical controls with regular, up-to-date and measurable security awareness training programs.

    Email remains a critical part of every organization’s communication strategy and is the single easiest route for an attacker to break into your network, whether on-premises or in the cloud. An effective account takeover protection strategy overcomes the lack of visibility into internal and outbound email threats, detects attacks that are underway and stops them before they complete, and educates users so that accounts are not compromised in the first place.


    For more information on this strategy, download our latest whitepaper: Danger within: email and security awareness training strategies for effective account takeover protection.
