Hosted email from Microsoft 365 (formerly called Office 365) has grown rapidly in popularity over the past few years. Many companies have moved to it from other email solutions. The benefits of Microsoft 365 can be very attractive because most subscriptions include additional useful applications. Microsoft Teams, for instance, offers video conferencing, virtual meetings, and other communications technologies. OneDrive for cloud storage and file sharing among other great features. Microsoft 365 is a cloud-based service so it can also reduce the cost of expensive hardware to a business.
Despite all the benefits of using Microsoft 365, there are new risks that arise. Being a cloud-based product means it could be accessed from anywhere in the world via the internet. This fact, along with its widespread use by businesses, makes it a prime target for cyber-criminals.
How do criminals hi-jack an email account?
There are countless tactics that a hacker could use to steal login credentials to a cloud-based email account. One approach that our company has witnessed is through phishing emails that contain an attachment. The message in the email explains that the attachment is confidential and had to be sent in this manner to keep it secure. When the recipient attempts to open the attachment, they are required to login to the Microsoft 365 account. This is a clever strategy because many businesses send secure, encrypted emails that require a login of some sort to retrieve the message.
The trick in this case, however, is that when the user enters their Microsoft 365 login credentials, nothing appears to happen. The attachment doesn’t open, and nothing seems to change. What they often don’t realize is that a hacker has just captured the login information to their email account. With this information, they can log in to the account and use it for their own devious purposes.
How could a criminal use a hi-jacked email account?
There are many possible ways for a criminal to benefit from having access to someone’s email account. If they are attempting to collect passwords for as many email accounts as possible, it is likely they are stealing them for resale on the dark web. Anyone can go on the dark web to purchase stolen login information to use however they choose. It is illegal, but also very difficult to trace any transactions that occur there.
A skilled criminal can do a lot of damage when they control a legitimate email account. For instance, if they have control over the email account of a person in a company’s accounting department, they could convince someone to direct receivables to a “new” account. The criminal could set up this account to steal payments from the business. This type of communication could seem routine to the recipient if the business is regularly processing invoices and receiving payments in this manner. This ultimately increases the likelihood of a successful theft.
Consider what someone with bad intentions could do if they had access to your email account. That person can act as you through email. The crook could send requests for money to be wired to an account, send offensive or inappropriate emails to your important contacts, or even use the account to trick others into providing their login or other private information.
Shouldn’t my SPAM filter be catching these?
You may wonder why an email designed to steal email login credentials can get through a SPAM filter. The answer is generally quite simple. These emails almost always come from a hi-jacked email account. This account has had communications with your email account in the past which is how you received the email in the first place.
SPAM filters are designed to look for email that is coming from a server or servers that blast out masses of email. Today’s technology generally does a great job of filtering out these emails. As a matter of fact, it is common for an established email account with a SPAM filter to receive hundreds or even thousands of SPAM messages per day that never reach the user. They are so obviously SPAM that the filter simply blocks them from reaching their intended recipient. Reducing the mass of email clutter is truly the primary function of a SPAM filter.
A SPAM filter, however, will not catch all phishing emails. Spear-phishing email, for instance, is targeted at specific individuals and is often not caught by SPAM filters. With spear-phishing, the criminal is attempting to trick an individual into doing something they want. When the spear-phishing email comes from an email address that has had previous communications, and it does not contain anything malicious like a virus, even the most robust email filters will likely not block it.
How to prevent email hi-jacking crimes
Many of us rely heavily on email communication which leaves us with a greater trust for communicating this way. When an email comes from a familiar email address, particularly if it is from a trusted colleague, friend, or even an authority figure, we tend not to be suspicious of it. However, developing a couple of habits for email security can go a long way towards preventing these crimes.
Always be cautious when receiving an unexpected email with an attachment or link contained in the message. If you receive an unexpected email containing a link or with an attachment, call, text, or ask in person who sent it before clicking on anything. Remember, even if it is coming from a familiar email address doesn’t mean that person sent it to you. Just be sure that you don’t simply reply to the email to ask about it. You could be conversing with the criminal who is attempting to trick you.
Question the legitimacy of any email that is requesting that you act on something or do something. In particular, be cautious when an email is requesting that you make a financial transaction or share sensitive information. Once again, confirm with the apparent sender via call, text, or in-person that they are indeed making the request before acting.
Lastly, if your email service offers multi-factor authentication, I highly suggest implementing it. Multi-factor authentication adds a layer of security to a traditional login where a username or email address along with a password are all it takes to gain access to the email account.
Multi-factor authentication requires the user to enter a code after providing valid login information. The code can be sent to a cell phone or it could be generated by an app on a smartphone. Either method requires the person to know the valid login credentials and to possess the device that generates the code. This security strategy makes stolen login credentials useless without access to the user’s cell phone.