Cutting cost of investigations as business email hacks persist

New tool eliminates need to sort through thousands of potentially exposed messages



By Alicja Grzadkowska

If you’re sending emails at work, there’s a high probability that you’re doing it through Office 365, which bodes well for hackers. Beazley reported in its latest Breach Insights report that cyberattacks on business email accounts continued to rise in the second quarter of 2018, with Office 365 inboxes especially at risk because of the software’s widespread use in offices.

Investigations of email accounts can be expensive since targeted companies have to rake through years of messages to determine whether personally identifiable information or protected health information was compromised, according to Beazley, though one firm is leveling the playing field.

“Under normal circumstances or the way those investigations worked in the past, you would go into the portal and you could see a particular IP address that was suspicious logging on to a mailbox, but there wasn’t much granularity into what the actor did while he was in that mailbox,” said Ben Demonte, US cyber head for Kroll, a corporate investigation and risk consulting company. “Kroll has developed a capability in which we can see exactly what the actor did while he was in that mailbox. That allows for the investigation to be much more efficient and instead of engaging through a document review of an entire mailbox, we can do it now for only specific messages that we know were accessed.”

A hacker might have clicked on an email by mistake, or viewed it because it contained information they found interesting and potentially profitable, but they likely didn’t look at every single email. Being able to narrow a search from an entire inbox to, comparatively, a handful of emails reduces the cost and time of running an investigation. With Kroll’s tool, you could see that the malicious actor looked for the word ‘payment’ or ‘invoice’ – a common search for cyber criminals – and clicked into a particular set of emails with that information.

“There are two large groups that are accessing Office 365 – [one is] the group that is trying to get in the middle of a wire transfer and trick someone into wiring them money,” said Demonte. “The other actor group [is] trying to send out additional spam because they’re trying to continue to perpetrate the phishing email. You’re more likely to click on an email that comes from a trusted domain or email account rather than if it just came from a random domain or a free email service - you would find that much more suspicious.”

The fact that Office 365 uses cloud computing also makes it a popular choice for businesses and cyber attackers.

“That’s where the data is. Office 365 in and of itself is no more or less secure than any other email program. As it’s adopted more in the community, it just becomes a natural place to go,” said Demonte. “Because it’s all in one place, it’s easier for the actor to know where to go, so they could just go to [the Office 365 website] and if they have a set of credentials, they can log into the mailbox.”

While it’s impossible for an organization to avoid using email, there is a simple mitigation measure that employees at companies of any size should implement to help deter hackers.

“We’ve seen it hit a five-person accounting company to a national company where it’s hundreds of mailboxes that have been accessed,” explained Demonte. “We always advise and recommend to our clients that they should turn on two-factor authentication because then the actor or the unauthorized person would not have access to that mailbox since they don’t have the second factor.”


