Network Security, Email security

Protecting against cross-platform account takeover

The worst type of email attack: account takeover

Email continues on as the biggest threat vector organizations face today, offering cybercriminals a broad attack surface to target for phishing, fraud, and social engineering schemes, as well as what’s arguably the most dangerous type of email attack: account takeover.

A compromised account can open up a number of risks: from exposing sensitive company or customer data, creating a launchpad for additional attacks or fraudulent transactions, and letting hackers move laterally across additional applications and connected platforms. The downstream impact of these attacks are often devastating, not only incurring disruption to the business, but also potentially leading to significant financial loss or a jeopardized customer experience.

Security leaders are waking up to this threat. Some of our recent research shows that nearly 70% of security leaders view account takeover attacks as the greatest concern to their organizations—even ahead of news headlining threats like ransomware and phishing. Unfortunately, their concerns are valid. Eighty-three percent of these security leaders reported that their organization had been directly impacted by an account takeover attack within the past year, and nearly one-fifth have been impacted more than 10 times. 

The dangers of cross-platform account takeover

For many security stakeholders, the phrase “account takeover” usually brings to mind a compromised email account, but these attacks are no longer limited to just the inbox. Today’s cloud application ecosystems are increasingly broad, interdependent, and complex. And as these apps proliferate, they create additional points of entry, each with their own distinct risks if compromised. For example:

  • File storage and sharing services such as Dropbox and Box, as well as contract management applications like DocuSign, could enable immediate access to (and exfiltration of) sensitive, regulated, or proprietary data—a treasure trove for launching additional attacks.
  • The compromise of cloud infrastructure accounts such as AWS, Microsoft Azure, or Google Cloud Platform could allow for lateral movement across the corporate network.
  • Threat actors could target collaboration apps like Slack or Zoom in multi-channel attacks coordinated across email and its connected applications.
  • Other popular enterprise software apps like Workday and Salesforce create access to payment and bank account information as well as personal data belonging to employees or customers, leaving them vulnerable to identity theft.

Compromised accounts have been the culprit behind several well-known breaches in recent years. A single compromised password reportedly resulted in the Colonial Pipeline ransomware attack, where attackers gained access to the corporate network through an inactive VPN account. The login credentials belonging to the employee who owned the account were likely reused from another website that was previously compromised.

Electronic Arts also experienced a damaging account compromise, leading to a breach that resulted in the loss of highly valuable intellectual property, including the source code for FIFA 21. This attack began when attackers gained access to an internal Slack channel using stolen session cookies. Once inside Slack, the attackers messaged IT support, asking for a multi-factor authentication token that they claimed they needed because of a lost mobile device. With this token, they could infiltrate the corporate network, and then download data and source code.

These are just a couple of the most infamous account takeover examples, but it’s not just major brands that are at risk. Any company that uses cloud-based applications—whether for email, collaboration, identity, or cloud infrastructure—is under threat.

The challenge of detecting cross-platform account takeover

There are two characteristics about cross-platform account takeover attacks that make them difficult to detect.

First, there’s a visibility challenge. It’s one thing to monitor for suspicious activity across the cloud email environment; scaling this across dozens of other apps becomes exponentially more challenging. Maintaining centralized visibility and unified control across diverse collections of cloud services has become especially difficult when different business units are individually responsible for their own apps.

Second, stolen credentials are the precursor to most account compromises, and obtaining those credentials usually takes exploiting a vulnerability that’s notoriously difficult to protect: people. Cybercriminals know that tired, distracted, or careless employees are bound to make mistakes, making them the perfect targets for social engineering attacks that let threat actors phish their account credentials.

The proliferation of generative AI tools over the last year has only made this problem worse, by giving threat actors a tool for creating more authentic-looking phishing emails, faster—greatly improving their ability to harvest credentials and initiate account takeovers.

Proactive protection strategies

There are a number of strategies that organizations are using to mitigate account compromise, including multi-factor authentication (MFA) and encouraging strong password use or implementing secure sign-on (SSO). And while these are important layers of defense that can decrease the risk of account compromise, they won’t eliminate it entirely, and teams shouldn’t treated them as a silver bullet.

We have to remember that today’s criminals are savvy, and can often find ways around standard controls. MFA bypass attacks, for example, have been growing in frequency, with some threat groups now selling MFA bypass-as-a-service kits on the dark web, providing stolen MFA tokens that make it possible to hijack active authentication sessions. MFA bypass has played a role in several high-profile attacks including the SolarWinds breach.

And while SSO can make security monitoring easier by offering a single source of log data and events, plus the convenience of enforcing strong passwords and MFA from one place, this simplicity also represents a downside. Once compromised, attackers can exploit that same ease and accessibility to move laterally across the network.

So what else can security teams do to supplement these measures?

Improving integration among current security tools can create complete visibility across the cloud ecosystem. Account takeover attacks often feature lateral movement across platforms—teams need the ability to see, correlate, and analyze the multiple behavioral signals across these different applications and platforms. By comparing these signals to baseline levels of user behavior and identifying deviations, organizations can improve their ability to detect potential account compromises rapidly and with confidence.

Cloud application ecosystems will only continue to grow, which means account takeovers will likely continue on as a popular attack tactic for threat actors. Ensuring the strongest protection possible against these attacks will require security teams to look at extending their visibility and control beyond email, with a particular focus on protecting their greatest vulnerability: human behavior.

Mike Britton, chief information security officer, Abnormal Security

Mike Britton

Mike Britton, chief information security officer at Abnormal Security, leads the company’s information security and privacy programs. Mike builds and maintains Abnormal Security’s customer trust program, performing vendor risk analysis, and protecting the workforce with proactive monitoring of the multi-cloud infrastructure. Mike brings 25 years of information security, privacy, compliance, and IT experience from multiple Fortune 500 global companies.



Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.