How to Respond and Recover from an Email Account Takeover
An email account takeover is a cyber attack in which criminals gain control of your email account or the system it runs on. Access can be gained through social engineering, malware, credential stuffing, password reuse exposed by a breach at another site, or a multitude of other methods. If you are reading this response plan, the attack has likely already succeeded and you may have a compromised email account within your organization. This guide is a walk-through of how to respond to and recover from an Email Account Takeover (ATO).
Take the following actions immediately after an Email Account Takeover.
1. Change your passwords
Any compromised email account should immediately have its password changed. The new password should be strong and unique to this account. Note that a password change does not always end sessions that are already signed in; ask your IT department or provider to revoke the account's active sessions and any app passwords at the same time. Read our guide on NIST recommended password policies and updates.
Using weak passwords, or reusing the same password across multiple accounts, opens the door to future ATOs. If the criminal has already changed your password and locked you out of the account, immediately contact your IT department or Managed Service Provider (MSP) for the recovery and password reset steps.
2. Enable multi-factor authentication
Although you have changed the password, the criminals may have malware on your system that observed and recorded the new one. Multi-factor authentication adds a layer of security by requiring a second factor in addition to the password, such as an authenticator app, a hardware token or a code sent to a registered phone, so a stolen password alone is no longer enough to sign in. Multi-factor authentication is supported by all major cloud email providers, including Office 365 and G-Suite, and should be enabled for every account, not just the compromised one.
3. Contact affected organizations and account providers
Contact any organization you believe may have been affected by the takeover. If you are receiving communications about wire transfers, bank account password changes, unrecognized social media accounts or vendor-specific accounts, contact those organizations immediately (by phone if possible). Let them know that your email account has been compromised and that any communication from it should not be trusted until you have resolved the ATO and notified them.
4. Internal & external communication
Criminals often steal (scrape) your entire contact list and every address you have previously corresponded with, bundle that with large lists of addresses obtained through other attacks, and blast malicious emails out from your account. We have observed instances where, within minutes of an ATO, thousands of malicious emails were sent from the account. These emails often carry malware or convincing social engineering links designed to cause further damage.
It is important to let everyone in your organization know that your email account has been compromised and not to open any emails (especially attachments) or click on any links sent from your account. Likewise, contact all external individuals and organizations that received an email from your account after it was compromised. Criminals often cover their tracks by deleting sent messages and emptying the Deleted Items folder, which makes identifying the breadth of exposure difficult from the mailbox alone; the provider's message trace or audit logs usually still record what was sent. If you cannot establish who received mail from the account, seek professional cyber security assistance.
Additional recommended steps to take after an Email Account Takeover:
1. Malware discovery
Any system that has interacted with the compromised email account should be scanned for malware. Remote access tools (RATs), keyloggers and other password-stealing malware can make your remediation efforts futile: the new password is captured as soon as you type it. All such systems should be thoroughly scanned with professional tools, and system events and logs should be reviewed for signs of tampering and unauthorized access. Note that not all anti-malware tools are created equal; a professional cyber security team has access to a larger set of more effective tools.
2. Change other account passwords
If the compromised password was reused anywhere, change it on every other account that shared it. It is also cheap insurance to change the passwords on all other accounts registered to the compromised email address: once an attacker controls an email account, they can request a password reset for nearly every other account tied to it, receive the reset link, and take those over as well.
3. Enforce strong password policies going forward
It is recommended to enforce strong password policies within your organization. For more information about recommended password policies and procedures check out our team’s blog post.
4. Disable auto-forwarding
We have observed that once cyber criminals gain access to an account, they usually set up forwarding to siphon copies of incoming and outgoing mail to an account they control. This can be done with a mailbox-level auto-forward setting or with inbox rules that forward or redirect messages; the same rules are often used to delete replies or move them into a rarely read folder so the real user does not notice the conversation. Review and remove any rule you do not recognize. While there are legitimate reasons a company may wish to allow auto-forwarding of business email, the vast majority of the time the best course of action is to disable automatic forwarding to external addresses across the organization.
5. Use automation to detect future ATOs
Our team has created a detailed guide to help your organization detect if any email accounts are currently compromised. The process only takes a few moments and can highlight any indicators of current and past ATOs that may have occurred.
Read our step-by-step guide on Using Automation to Check for Signs of Email Account Takeover in Office 365
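The two preceding sections describe what to look for: forwarding rules, rules that hide mail, and mailbox-level forwarding. The following is an added example, not code from the original article or from Delap, of running those checks automatically over Microsoft 365 unified audit log records. The records in it are constructed for illustration in the shape the audit log uses for Exchange Online operations (Operation, UserId, ClientIP and a list of Name/Value Parameters); the internal domain, the list of commonly abused folders and the severity levels are assumptions chosen for this example.

```python
"""Flag forwarding and message-hiding mailbox rules in Microsoft 365 audit records.

Added example, not code from the original article or from Delap. SAMPLE_RECORDS
are constructed to follow the shape of Exchange Online entries in the unified
audit log and are not real tenant data. ABUSED_FOLDERS, INTERNAL_DOMAINS and the
severity levels are heuristics assumed for this example.
"""
import json
from dataclasses import dataclass, asdict

INTERNAL_DOMAINS = {"example.com"}                  # the organisation's own domains (assumed)
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
RULE_FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
MAILBOX_FORWARD_PARAMS = ("ForwardingSmtpAddress", "ForwardingAddress")   # Set-Mailbox
# Folders attackers commonly pick to bury replies the victim would otherwise notice.
ABUSED_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "archive", "deleted items", "notes"}


@dataclass
class Finding:
    time: str
    user: str
    client_ip: str
    operation: str
    severity: str          # high / medium / low
    reason: str
    target: str


def _addresses(value):
    """Extract bare SMTP addresses from 'x@a', 'smtp:x@a', '[SMTP:x@a]' or lists of them."""
    out = []
    for part in value.replace(";", ",").split(","):
        token = part.strip().strip("[]").strip()
        if token.lower().startswith("smtp:"):
            token = token[5:]
        if "@" in token:                 # identities without an address are skipped
            out.append(token.lower())
    return out


def analyze(records, internal_domains=INTERNAL_DOMAINS):
    """Return one Finding per forwarding or hiding behaviour seen in the records."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rec in records:
        op = rec.get("Operation", "")
        if op not in RULE_OPERATIONS and op != "Set-Mailbox":
            continue
        p = {x["Name"]: str(x.get("Value", "")) for x in rec.get("Parameters", [])}
        base = dict(time=rec.get("CreationTime", ""), user=rec.get("UserId", ""),
                    client_ip=rec.get("ClientIP", ""), operation=op)
        # Forwarding: inbox-rule parameters for rules, Set-Mailbox parameters otherwise.
        fwd = RULE_FORWARD_PARAMS if op in RULE_OPERATIONS else MAILBOX_FORWARD_PARAMS
        for name in fwd:
            for addr in _addresses(p.get(name, "")):
                ext = addr.rsplit("@", 1)[1] not in internal
                findings.append(Finding(**base, severity="high" if ext else "low",
                                        reason=f"{name} to {'external' if ext else 'internal'} address",
                                        target=addr))
        if op not in RULE_OPERATIONS:
            continue
        rule = p.get("Name", p.get("Identity", ""))
        if p.get("DeleteMessage", "").lower() == "true":
            findings.append(Finding(**base, severity="medium",
                                    reason="rule deletes incoming messages", target=rule))
        # MoveToFolder values look like '\RSS Feeds' or 'user:\RSS Feeds'; keep the leaf name.
        folder = p.get("MoveToFolder", "").replace(":", "\\").split("\\")[-1].strip().lower()
        if folder in ABUSED_FOLDERS:
            findings.append(Finding(**base, severity="medium",
                                    reason="rule moves mail to a rarely read folder", target=folder))
        if "Name" in p and p["Name"].strip(" .,-_") == "":      # names such as '.', '..', ','
            findings.append(Finding(**base, severity="medium",
                                    reason="rule has an effectively blank name", target=repr(p["Name"])))
    return findings


SAMPLE_RECORDS = [   # constructed records, see module docstring
    {"CreationTime": "2023-05-02T03:14:07", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": ".."},
                    {"Name": "ForwardTo", "Value": "[SMTP:collector@example.net]"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2023-05-02T03:15:30", "Operation": "Set-Mailbox",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Identity", "Value": "alice"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2023-05-02T03:16:02", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "Filter"},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "hacked;phishing;invoice"},
                    {"Name": "MoveToFolder", "Value": "alice@example.com:\\RSS Feeds"}]},
    {"CreationTime": "2023-05-02T09:41:11", "Operation": "New-InboxRule",       # benign filing rule
     "UserId": "bob@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "\\Newsletters"}]},
    {"CreationTime": "2023-05-02T10:02:45", "Operation": "New-InboxRule",       # internal forward
     "UserId": "carol@example.com", "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "Name", "Value": "Copy helpdesk"},
                    {"Name": "ForwardTo", "Value": "helpdesk@example.com"}]},
    {"CreationTime": "2023-05-02T10:05:00", "Operation": "UserLoggedIn",        # ignored
     "UserId": "carol@example.com", "ClientIP": "198.51.100.9", "Parameters": []},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(json.dumps(asdict(f)))
```

Run against the constructed records, the detector raises two high findings for the external address that appears both in an inbox rule and as a mailbox-level forward, three medium findings for the hiding behaviours (a blank rule name, message deletion, and filing into RSS Feeds), one low finding for the internal forward, and nothing for the ordinary newsletter rule. Grouping findings by ClientIP is a useful next step, since all of the high and medium items here come from one address the user has never signed in from.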
ABOUT DELAP CYBER
For over 25 years, Delap has provided cyber security expertise to organizations across the world, ranging from small businesses to Fortune 100 corporations. We leverage our collective experience to craft a comprehensive service with the goal of significantly reducing your company’s risk of attack or breach. Delap Cyber provides consulting, assurance services, forensic investigations, breach response, and managed cyber security services to businesses throughout the United States. Our solutions are designed to provide peace of mind by implementing multiple layers of controls through specifically selected, implemented, managed, and monitored tools by security professionals. You’ve spent your life building your business, let us help you protect it.
Read more articles by Brandon Walcott | Cyber Security Associate
Brandon provides cybersecurity consulting and support services to managed security service clients at Delap Cyber. He brings nearly a decade of small business technology consulting to Delap, joining the team in February 2017. He works with small businesses in the Pacific Northwest to provide cyber assessments and defense in depth solutions to clients. Brandon enjoys passionately serving clients with creative solutions and the most innovative security technology on the market today.