Finance teams targeted as ‘email hijack attacks’ rise 22%


The number of phishing attacks which aim to hijack email accounts rose by 22 per cent in the second quarter of the year, according to the latest threat report from bluedog Monitoring.

The figures, which relate to UK companies, show that every business is now being targeted at least once a week and in some cases, employees are receiving five or six such emails a day.

Meanwhile the number of companies subject to brute force attacks against Microsoft 365 accounts rose to 66% during the second quarter – up from 48% in the previous three months.

Tim Thurlings, CTO of bluedog, says cybercriminals are taking advantage of the number of people working from home and the growing use of the cloud-based Microsoft 365 system. In particular, they are targeting finance departments and credit collections teams.

“Users are tricked into going to the legitimate Microsoft login page and giving permission to create an app within Azure that allows access to files, emails and mailbox settings.

“They can then set up a ‘forward and delete’ rule, so emails the employee sends are automatically forwarded to the hacker who can then amend the bank account number or insert a request to change the payment details before sending on to the victim. The original email is then deleted from the sender’s mailbox.”

So how can users prevent such attacks? Tim has the following advice:

  1. Stop third-party apps accessing Office 365

“Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts,” says Tim. “IT teams should only allow access to necessary apps that support robust security controls.”

To prevent users from allowing third-party apps to access their Office 365 information, and require future consent operations to be performed by an administrator, go to the Azure Active Directory admin center > Enterprise applications > User settings > Enterprise applications.

Set the toggle “Users can consent to apps accessing company data on their behalf” to No.

Optionally, you can set up a process for your users to request access to third-party applications. In the Azure portal, configure an admin consent workflow by going to Enterprise applications > User settings.

Under “Admin consent requests,” set “Users can request admin consent to apps they are unable to consent to” to Yes. Select your preferences for the rest of the Admin consent requests options, then select Save. It can take up to an hour for the feature to become enabled.

  2. Adopt multi-factor authentication

Using multi-factor authentication on all M365 accounts will help stop brute force attacks.

  3. Use a monitoring service

“With so many employees now working from home and increased use of Microsoft 365, it is harder to prevent such attacks,” says Tim. “Ultimately companies need to use monitoring to detect where a breach has occurred.

“A Microsoft 365 monitoring service is a cost-effective solution that can be activated remotely and will detect warning signs such as a change of settings or permissions, so companies can identify the problem and take action before any real damage is done.”
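
The "forward and delete" rule described earlier is one of the setting changes a monitoring process can look for. The following is an added example, not code from bluedog or from this article: it triages mailbox rules, assumed to be exported as dicts shaped like Microsoft Graph `messageRule` objects, using a hypothetical tenant domain `example.co.uk` and constructed sample data.

```python
# Added example. Assumption: rules are dicts shaped like Microsoft Graph messageRule objects.
INTERNAL_DOMAINS = {"example.co.uk"}  # hypothetical tenant domain
FORWARD_KEYS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
DELETE_KEYS = ("delete", "permanentDelete")
# Constructed sample data, not taken from any real tenant.
SAMPLE_RULES = {
    "credit.control@example.co.uk": [
        {"displayName": ".", "isEnabled": True, "actions": {
            "forwardTo": [{"emailAddress": {"address": "inbox@example.net"}}],
            "delete": True}},
        {"displayName": "Team copy", "isEnabled": True, "actions": {
            "forwardTo": [{"emailAddress": {"address": "ledger@Example.co.uk"}}]}},
    ],
    "payroll@example.co.uk": [
        {"displayName": "Old", "isEnabled": False, "actions": {
            "redirectTo": [{"emailAddress": {"address": "x@example.org"}}],
            "permanentDelete": True}},
        {"displayName": "Backup", "isEnabled": True, "actions": {
            "redirectTo": [{"emailAddress": {"address": "archive@example.org"}}]}},
    ],
}

def external_recipients(actions, internal=INTERNAL_DOMAINS):
    """Forwarding targets outside our domains; a malformed address counts as external."""
    found = []
    for key in FORWARD_KEYS:
        for recipient in actions.get(key) or []:
            address = (recipient.get("emailAddress") or {}).get("address") or ""
            if address.rpartition("@")[2].lower() not in internal:
                found.append(address)
    return found

def assess_rule(rule, internal=INTERNAL_DOMAINS):
    """Return (finding, targets) for an enabled rule that forwards externally, else None."""
    actions = rule.get("actions") or {}
    targets = external_recipients(actions, internal)
    if not rule.get("isEnabled", True) or not targets:
        return None
    deletes = any(actions.get(key) for key in DELETE_KEYS)
    return ("forward-and-delete" if deletes else "external-forward", targets)

def triage(mailbox_rules, internal=INTERNAL_DOMAINS):
    """Map each mailbox to its flagged rules as (rule name, finding, targets)."""
    report = {}
    for mailbox, rules in mailbox_rules.items():
        hits = [(r.get("displayName"), *a) for r in rules if (a := assess_rule(r, internal))]
        if hits:
            report[mailbox] = hits
    return report
```

Rules that move mail to a folder instead of deleting it are reported only as `external-forward` here, so those findings still need a manual look.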