If you are a business owner or employee who uses Outlook, please take notice. Below is the full text of a short article from the Internet Storm Center (ISC) about how an attacker may use Outlook as a vehicle to steal money from you in the blink of an eye. We have seen this tactic used right here in Lake County.
Recently we’ve started seeing some attacks that utilise OWA. A person in the victim organisation sends an email to one or more of their customers informing them of a change in account details. The attacker provides instructions to customers on paying their account utilising the new account details. The email is cc’ed to other internal staff, adding a level of legitimacy (also compromised accounts).
How is this achieved? Seemingly through OWA. A user’s userid and password are compromised. The attacker logs in via OWA and monitors emails as well as appointments. When the user is away at a meeting, the attacker logs in, sends the account change email and then deletes the email from OWA (sent items, deleted items and often including the 30-day store Outlook uses for deleted emails). The cc’ed emails are similarly deleted. The customer pays funds into the new account, which is controlled by the attacker.
The attack is quite subtle. Companies often do not notice until they request payment from the customer, who then provides evidence that they have already paid and that they were requested to change the payment account. The internal staff member will deny having sent the emails, which they did not.
The challenge with OWA is that it often needs to be available via the internet, and the userids and passwords used to log in are from Active Directory. So your staff email and your organisation are protected by the passwords your users select, or your service desk issues. Using this avenue, brute forcing passwords via OWA is not difficult, and neither is accessing email once the password is known; it is then a waiting game to determine the best approach to transfer funds.
From the protection perspective, if you can add multifactor authentication to OWA, consider doing so. The usual “use strong passwords” also applies.
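The ISC article above notes that brute forcing passwords via OWA is not difficult and that the attacker then logs in from their own location while the user is away. The following is an added example, not code from ISC or from this blog, showing the kind of detection a defender can run over OWA sign-in records: it flags a source IP that fails against many different accounts (password guessing), any success from such a source, and any successful logon from an address a user has never used before. The log format and the sample lines are constructed for the example; a real deployment would parse the IIS or Exchange logon logs the organisation actually keeps.

```python
import re
from collections import defaultdict

# Constructed sample of OWA sign-in records (hypothetical format, not a real product log):
# "<ISO timestamp> user=<account> ip=<source> result=<SUCCESS|FAIL>"
SAMPLE_LOG = """\
2024-03-04T08:01:10Z user=alice ip=203.0.113.9 result=FAIL
2024-03-04T08:01:12Z user=bob ip=203.0.113.9 result=FAIL
2024-03-04T08:01:14Z user=carol ip=203.0.113.9 result=FAIL
2024-03-04T08:01:16Z user=dave ip=203.0.113.9 result=FAIL
2024-03-04T08:01:18Z user=erin ip=203.0.113.9 result=FAIL
2024-03-04T08:01:20Z user=frank ip=203.0.113.9 result=FAIL
2024-03-04T08:01:25Z user=alice ip=203.0.113.9 result=SUCCESS
2024-03-04T08:30:00Z user=alice ip=198.51.100.20 result=SUCCESS
2024-03-04T09:00:00Z user=bob ip=198.51.100.21 result=SUCCESS
2024-03-05T12:00:00Z user=alice ip=198.51.100.20 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Turn the raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def spray_sources(events, min_failures=5, min_distinct_users=3):
    """IPs whose failures span many accounts: the signature of password guessing
    against an internet-facing OWA. Returns {ip: sorted list of targeted users}."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["ip"]].append(e["user"])
    return {
        ip: sorted(set(users))
        for ip, users in fails.items()
        if len(users) >= min_failures and len(set(users)) >= min_distinct_users
    }


def successes_after_spray(events, sprayers):
    """A successful logon from a spraying IP is the strongest sign a password was guessed
    and that mailbox (sent items, deleted items) now needs to be reviewed."""
    return [
        (e["ts"], e["user"], e["ip"])
        for e in events
        if e["result"] == "SUCCESS" and e["ip"] in sprayers
    ]


def new_source_logons(events, known):
    """Successful logons from an address the user has never been seen on before.
    `known` is a baseline {user: set_of_ips}; the baseline is extended as events are read."""
    seen = defaultdict(set, {u: set(ips) for u, ips in known.items()})
    alerts = []
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        if e["ip"] not in seen[e["user"]]:
            alerts.append((e["ts"], e["user"], e["ip"]))
        seen[e["user"]].add(e["ip"])
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    sprayers = spray_sources(evts)
    print("password-guessing sources:", sprayers)
    print("successful logons from those sources:", successes_after_spray(evts, sprayers))
    # Constructed baseline of where alice and bob normally sign in from.
    baseline = {"alice": {"198.51.100.20"}, "bob": {"198.51.100.21"}}
    print("logons from never-seen addresses:", new_source_logons(evts, baseline))
```

The thresholds (five failures across three or more accounts) are illustrative; tune them to the size of the organisation. The point the article makes still stands: these alerts tell you a password was guessed after the fact, whereas multifactor authentication on OWA stops the guessed password from being enough on its own.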
Text Source: https://goo.gl/VzbDHW
Pic Source: https://goo.gl/sdZP7d