Tyler Detect Case File: Account Takeover
Recently, we’ve seen a tremendous increase in Office 365 account takeovers. According to Barracuda Networks1, over 1.5 million malicious and spam emails were sent from thousands of compromised Office 365 accounts in one month alone.
Attackers use a variety of techniques to execute this type of attack, including phishing and brute force attacks. Once credentials are compromised, attackers often wait to execute a secondary attack that will result in a payout. They monitor email, track activity, and learn as much as they can, so they can craft a believable social engineering campaign.
One common campaign is a business email compromise (BEC). Attackers use the stolen credentials to personate a high-level executive within a company, then try get employees to initiate a wire transfer into a fake bank account. BEC and email account compromise scams are very successful. Over $1.2 billion was lost to BEC attacks last year acccording to the FBI’s Internet Crime Report2.
Office 365 Compromise Identified
A Tyler client recently fell victim to an Office 365 account takeover. The client, a mid-sized U.S. city, had deployed Tyler Detect, our managed threat detection service, six months prior to the incident.
Their Tyler Detect analyst initially identified a brute force attack being perpetrated against their network. In a brute force attack, crimimnals use legitimate usernames and passwords to gain unathorized access. Millions of stolen credentials are for sale on the dark web, so this technique is very successful. Especially since people often reuse the same passwords for multiple accounts.
Unlike other threat detection methodologies that focus on known threats and rely on automated alerts, Tyler Detect looks at what has been allowed through your perimeter defenses to identify suspicious activity.
In this case, once the analyst identified the brute force attack, they went to the log files to investigate. At that time, no suspicious logins were found.
Still, the Tyler Detect analyst followed up with the client to review the findings. They let them know to keep a sharp eye out for any suspicious login activity while they worked to get two-factor authentication set up.
Weeks later, while reviewing the logs from the Azure Active Directory Sts Logons and Exchange Items, the Tyler Detect analyst identified that one of their police detectives was logging in from Nigeria.
Of course, the detective wasn’t really in Nigeria. But his account had been compromised and taken over by a criminal who was!
No Damage Done
Tyler notified the client so they could stop the attacker before any damage was done.
Without Tyler Detect monitoring their network, they may not have discovered the compromised credentials in time. They would have been susceptible to the attacker gaining access and control of their network, data, and critical processes.
1 https://blog.barracuda.com/2019/05/02/threat-spotlight-account-takeover/
2 https://pdf.ic3.gov/2018_IC3Report.pdf