Email Hijacking – Protect Yourself From Supply Chain Attack
What is the digital supply chain, and why is it risky?
The digital supply chain refers to the chain of third-party digital tools, services and infrastructure that your company depends on for a particular first-party service (such as your website or SaaS platform). In an ever-changing digital landscape, supply chains can be brittle with many unseen risks.
The nature of supply chain risk is transitive; any part of the often long and complicated digital supply chain can be compromised, causing all components downstream of it to also be compromised. This means the whole system is only as secure as its weakest link.
Some examples of significant digital supply risks are web skimming, asset hijacking, mail hijacking and nameserver hijacking. In this article we will go into the details of mail hijacking and how compromised mail servers can be abused to obtain sensitive information and send phishing emails.
What is mail hijacking?
Mail hijacking is the abuse of a compromised email server or service to further attack other victims. It most commonly occurs when first-party email servers are compromised (such as an unpatched on-premise Outlook server), or an account on a shared third party infrastructure (such as an email service platform) is hijacked via credential harvesting or phishing.
Attackers then abuse the hijacked asset to conduct more legitimate phishing attacks, bypass spam filtering, read sensitive emails and conduct more credible social engineering.
Examples of mail hijacking
Third-party email services
It’s becoming a more common practice for organizations to use shared cloud infrastructure with other companies to meet specific needs. Email is one of those examples: third party email sending services such as Mailgun and Sendgrid are used by many organizations.
Attackers are also following that trend and they are using third party email infrastructure to send phishing emails and hide their tracks. In one instance, Chipotle’s marketing email was hijacked via a hacked Mailgun account and used to dish out phishing emails impersonating Microsoft 365 and USAA (United Services Automobile Association) from mail.chipotle[.]com.
Business email compromise
One of the most prevalent and impactful attacks over email is BEC (Business Email Compromise), which sends legitimate-looking fake invoices to trick victims into paying a large amount of money to the attacker. The success rate of BEC largely depends on the legitimacy of the email, and there is nothing more realistic than using a hijacked mail system to deliver it straight from the trusted source.
In 2022, Microsoft uncovered a sophisticated financial fraud campaign in which attackers used a technique known as AiTM (Attacker-in-The-Middle) to bypass MFA (Multi-Factor Authentication) and compromise Office 365 email accounts. Having compromised the email account, the attackers quickly started reading emails in the inbox for sensitive information as well as legitimately sent invoices with existing third parties; then they proceed to modify the invoices with their own payment details, and use the same legitimate inbox to send the BEC email.
To the receiver of the invoice email, nothing would have changed but the payment details; it would not end up in spam or be flagged as phishing, since the email address is real and so are the rest of the email signatures, as the email was not spoofed. By hijacking an existing, legitimate email service and account, the attackers optimized the legitimacy of the BEC campaign to external recipients.
Mitigation: locking down email
While setting up and auditing your SPF, DKIM and DMARC headers for email security can thwart attackers spoofing fake emails using your organization’s domain, those controls go out the window once the attacker has compromised the account or service you use to send legitimate email. In this case, locking down any email-related service and infrastructure is paramount. If your email sending server is self hosted infrastructure exposed to the internet, ensure that it is patched promptly.
For locking down email accounts, implementing not just MFA, but phishing resistant MFA (such as FIDO authentication with physical tokens or virtual passkeys) is the only way to prevent the type of AiTM phishing attack used to take over mailboxes described above.
Conclusion
Email is an extremely important aspect of the digital supply chain, and knowing where and what your organization and its various departments use to send emails can help you track down risky first and third party assets. You can leverage attack surface management platforms like IONIX, which takes a proactive approach to identifying and mitigating risks posed by assets vulnerable to hijacking. To see IONIX in action, request a scan today.