Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

FBI Warning: Watch Out for Office 365 and G Suite Scams

March 12, 2020

Naked Security reported on March 10 that the FBI Internet Crime Complaint Center (IC3) has alerted US businesses to ongoing attacks targeting organizations using Microsoft Office 365 and Google G Suite.

Everyone is warned about BEC scams all the time, but this warning refers specifically to those carried out against the two largest hosted email services. The FBI believes that small and medium-sized enterprises (SMEs), with their limited IT resources, are most at risk from BECs.

The warning says, "between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite."

The truth is that criminals know that we are moving to hosted email and they are following us.

As with all types of BEC, after breaking into the account, criminals look for evidence of financial transactions and then pretend to employees (who can authorize or issue payments) to redirect payments to themselves.

They often also launch phishing attacks on contacts to grab even more credentials, and so the crime provides itself with a steady supply of new victims.

The $100,000 question is why BEC scams continue to be such a problem when it's well understood that they can be defended against using technologies such as multi-factor authentication (MFA).

One answer is that older email systems don't support such technologies, a point Microsoft made recently when the company revealed that legacy protocols such as SMTP and IMAP correlated with a markedly higher chance of compromise.

One lesson is that despite the rise in BEC attacks on hosted email, this type of email is still more secure than the alternatives IF AND ONLY IF admins turn on the security features that come with it.

The FBI offers the following general advice:

  • "Enable multi-factor authentication for all email accounts
  • Verify all payment changes via a known telephone number or in-person

And for hosted email admins:

  • Prohibit automatic forwarding of email to external addresses
  • Add an email banner to messages coming from outside your organization
  • Ensure mailbox logon and settings changes are logged and retained for at least 90 days
  • Enable alerts for suspicious activity such as foreign logins
  • Enable security features that block malicious email such as anti-phishing and anti-spoofing policies
  • Configure Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) to prevent spoofing and to validate email."
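Three of the admin items above (log mailbox settings changes, alert on logins from unexpected places, and prohibit auto-forwarding to external addresses) only pay off if someone actually reviews the logs. The script below is an added example, not from the FBI alert or this blog, showing a minimal triage pass over newline-delimited audit records. The records, the field names (`Operation`, `UserId`, `ClientIP`, `Parameters`), the `example.com` domain and the "expected networks" list are all constructed assumptions modelled loosely on Office 365 unified audit log output, not an exact schema.

```python
import ipaddress
import json

ORG_DOMAIN = "example.com"  # assumed organisation domain
# Constructed allow-list of networks users normally log in from; in practice
# this would come from GeoIP or the tenant's named locations.
EXPECTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Rule/mailbox parameters that cause mail to leave the mailbox automatically.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress"}

# Constructed sample records (assumed field names, not an exact schema).
SAMPLE_LOG = "\n".join([
    json.dumps({"Operation": "UserLoggedIn", "UserId": "alice@example.com",
                "ClientIP": "203.0.113.45"}),
    json.dumps({"Operation": "UserLoggedIn", "UserId": "alice@example.com",
                "ClientIP": "198.51.100.7"}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com",
                "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "Invoices"},
                               {"Name": "ForwardTo",
                                "Value": "attacker@mail.invalid"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@example.com",
                "ClientIP": "203.0.113.9",
                "Parameters": [{"Name": "ForwardTo",
                                "Value": "bob.archive@example.com"}]}),
])

def is_external(address):
    """True when the address's domain is not the organisation's own."""
    return address.rsplit("@", 1)[-1].lower() != ORG_DOMAIN

def check_record(rec):
    """Return (alert, user, detail) tuples raised by one audit record."""
    alerts, user, ip = [], rec.get("UserId", "?"), rec.get("ClientIP")
    if rec.get("Operation") == "UserLoggedIn" and ip:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in EXPECTED_NETWORKS):
            alerts.append(("login-outside-expected-networks", user, ip))
    if rec.get("Operation") in {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}:
        for p in rec.get("Parameters", []):
            value = str(p.get("Value", ""))
            if p.get("Name") in FORWARD_PARAMS and is_external(value):
                alerts.append(("external-auto-forward", user, value))
    return alerts

def triage(log_text):
    """Run every non-empty line of newline-delimited JSON through check_record."""
    return [a for line in log_text.splitlines() if line.strip()
            for a in check_record(json.loads(line))]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(*alert)
```

The constructed sample yields two alerts for alice (a login from outside the expected ranges, then a rule forwarding to an external address from that same IP), and none for bob, whose forward stays inside the organisation.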

The FBI also recommends that you prohibit legacy protocols that can be used to circumvent multi-factor authentication, although this needs to be done with care as some older applications might still depend on these.

And if you're stung by a BEC attack, be sure you file a complaint with the IC3 (Internet Crime Complaint Center)!

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson