Project Lead From – Email Produced during Account Takeover Attack

This post is a review of a recent account takeover attack.
The client contacted me at 9:22 in the morning to notify me that someone had compromised their Google Workspace account. They had become aware of this because they were getting calls and emails from contacts telling them about a suspicious email they had received.

Initial Mitigation Steps

The initial mitigation steps were carried out with the client still on the phone, to gather information and apprise them of the steps that were being taken.

  1. Reset the affected account’s password
  2. Reset sign-in cookies to force active logins to reauthenticate
  3. Suspend account during investigation

Investigation Steps

Immediately after mitigation, an email was sent to the principals of the company to apprise them of the situation and its status, to notify them that investigative steps were already under way, and to reassure them that the incident was receiving full attention and would not be interrupted by other requests.

Investigation took place without the client on the phone, but multiple phone calls and messages were used to gather additional information and to keep the account holder updated during the investigation.

  1. Reviewed third-party apps with permission to access the affected account
  2. Reviewed the user's login logs to determine the last login
  3. Compared the IP addresses in those logs against the public IP address obtained from the client during the phone call
  4. Searched public IP reputation databases for the suspicious IP address and confirmed that it had been reported in other incidents
  5. Searched the logs for any sign of data being taken from the organization by download or print
  6. Reviewed the email logs to establish the timeline, compile a list of targeted contacts, and determine the nature and purpose of the emails being sent
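The login-log part of that investigation (steps 2 to 4), as an added worked example rather than the author's own tooling: it parses a login audit export, separates sessions that did not come from the client's own public IP, checks those addresses against a reputation list, and measures how long the attacker held the account before mitigation. The CSV columns and the event names are assumptions modelled loosely on the Admin console's Login audit export, and the rows, addresses and times are all constructed for the example.

```python
"""
Login-log triage: find sessions that did not come from the client's public IP,
check them against a reputation list, and measure time-to-mitigation.
Added example; CSV layout and event names are ASSUMED, data is constructed.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed export.  IPs are from documentation ranges, not real hosts.
SAMPLE_LOGIN_LOG = """\
Date,Event Name,User,IP Address
2024-03-12T08:57:10Z,Login success,alice@example.com,198.51.100.23
2024-03-12T09:01:42Z,Login success,alice@example.com,203.0.113.77
2024-03-12T09:03:05Z,Logout,alice@example.com,203.0.113.77
2024-03-12T09:15:30Z,Login success,alice@example.com,203.0.113.77
2024-03-12T09:22:55Z,Login success,alice@example.com,198.51.100.23
"""

CLIENT_PUBLIC_IP = "198.51.100.23"   # what the client read out on the phone (constructed)
KNOWN_BAD_IPS = {"203.0.113.77"}     # stand-in for the external reputation lookup (constructed)
# Time the account was suspended (constructed, consistent with the post's timeline).
MITIGATION_TIME = datetime(2024, 3, 12, 9, 26, 42, tzinfo=timezone.utc)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_login_log(text):
    """Parse the (assumed) CSV layout into dicts with timezone-aware datetimes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": datetime.strptime(row["Date"], TIME_FMT).replace(tzinfo=timezone.utc),
            "event": row["Event Name"],
            "user": row["User"],
            "ip": row["IP Address"],
        })
    return rows


def foreign_logins(rows, client_ip):
    """Successful logins from any address other than the client's own."""
    return [r for r in rows if r["event"] == "Login success" and r["ip"] != client_ip]


def triage(text, client_ip, bad_ips, mitigation_time):
    """Summarise the foreign sessions: first attacker login, suspect IPs,
    which of them are on the reputation list, and minutes until mitigation."""
    rows = parse_login_log(text)
    successes = [r for r in rows if r["event"] == "Login success"]
    foreign = foreign_logins(rows, client_ip)
    if not foreign:
        return {"compromised": False}
    first = min(r["time"] for r in foreign)
    suspect_ips = sorted({r["ip"] for r in foreign})
    return {
        "compromised": True,
        "first_foreign_login": first,
        "suspect_ips": suspect_ips,
        "reputation_hits": sorted(set(suspect_ips) & bad_ips),
        "minutes_to_mitigation": (mitigation_time - first).total_seconds() / 60,
        "last_login": max(r["time"] for r in successes),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOGIN_LOG, CLIENT_PUBLIC_IP,
                             KNOWN_BAD_IPS, MITIGATION_TIME).items():
        print(f"{key}: {value}")
```

Comparing against the client's current public IP is a quick first cut, not proof: an attacker on a residential proxy in the same region, or a client whose address changes between office, home and phone, will not stand out on IP alone, so device, browser and reputation signals should be read alongside it.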

Findings

  • The email address mailer-daemon@googlemail.com had been blocked, so the bounce notifications that would have alerted the user to the mass mailing never reached the inbox
  • The contact list for the compromised account was printed/downloaded
  • Emails had been sent to more than 500 contacts with the sender's own address in the "To" field and each target contact as a Bcc (blind copy) recipient
  • The subject line of the emails read “Project Lead From <name of affected person sending message>”
  • The body of the message read :
    Good Morning,

    Kindly review and inform me if any modifications are required.
    Thank you,

  • Each email had a PDF file attached that had a unique filename that contained the company name of the target contact
  • Messages had been drafted, scheduled to be sent, and then deleted from the Sent folder
  • All messages that the attacker successfully sent went out within four minutes of the attacker taking control of the account
  • While the attacker still had a presence in the account, replies to the sent message were deleted. The attacker answered inquiries about the validity of the message, then deleted the inquiry and, in some cases, their own response as well
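The email-log review that produced these findings, as an added example (not the author's tooling): it picks the campaign messages out of per-recipient log records using the pattern above (self-addressed "To", target in Bcc, fixed subject line, PDF attachment), computes the send window, separates delivered contacts from bounced or rejected ones, checks whether each attachment name carries the target's company label, and counts the attacker's replies to inquiries. The record layout is an assumption modelled on what a per-recipient email log search returns, and every record, address and filename is constructed.

```python
"""
Email-log triage for the campaign pattern in the findings.
Added example; record layout is ASSUMED and all rows are constructed.
"""
import re
from datetime import datetime

COMPROMISED = "alice@example.com"    # constructed account name
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
CAMPAIGN_SUBJECT = re.compile(r"^project lead from ", re.IGNORECASE)
REPLY_SUBJECT = re.compile(r"^re:\s*project lead from ", re.IGNORECASE)

# Constructed log rows, one per envelope recipient.  'to_header' is the
# message's To: header; 'recipient' is the envelope (Bcc) target.
SAMPLE_EMAIL_LOG = [
    {"time": "2024-03-12T08:40:00Z", "sender": COMPROMISED,
     "to_header": "carol@partner.example", "recipient": "carol@partner.example",
     "subject": "Re: invoice 1042", "attachment": "", "status": "delivered"},
    {"time": "2024-03-12T09:02:10Z", "sender": COMPROMISED, "to_header": COMPROMISED,
     "recipient": "bob@acme.example", "subject": "Project Lead From Alice Smith",
     "attachment": "Acme_Project_Lead.pdf", "status": "delivered"},
    {"time": "2024-03-12T09:02:11Z", "sender": COMPROMISED, "to_header": COMPROMISED,
     "recipient": "dana@northwind.example", "subject": "Project Lead From Alice Smith",
     "attachment": "Northwind_Project_Lead.pdf", "status": "delivered"},
    {"time": "2024-03-12T09:02:12Z", "sender": COMPROMISED, "to_header": COMPROMISED,
     "recipient": "old@defunct.example", "subject": "Project Lead From Alice Smith",
     "attachment": "Defunct_Project_Lead.pdf", "status": "bounced"},
    {"time": "2024-03-12T09:05:58Z", "sender": COMPROMISED, "to_header": COMPROMISED,
     "recipient": "eve@globex.example", "subject": "Project Lead From Alice Smith",
     "attachment": "Globex_Project_Lead.pdf", "status": "rejected"},
    {"time": "2024-03-12T09:05:59Z", "sender": COMPROMISED, "to_header": COMPROMISED,
     "recipient": "frank@initech.example", "subject": "Project Lead From Alice Smith",
     "attachment": "Initech_Project_Lead.pdf", "status": "delivered"},
    {"time": "2024-03-12T09:10:00Z", "sender": COMPROMISED,
     "to_header": "bob@acme.example", "recipient": "bob@acme.example",
     "subject": "Re: Project Lead From Alice Smith", "attachment": "", "status": "delivered"},
]


def is_campaign_message(rec, compromised=COMPROMISED):
    """The pattern from the findings: sent by the compromised account, To:
    pointing at itself, a different envelope recipient (the Bcc target),
    the fixed subject line, and a PDF attachment."""
    return (rec["sender"] == compromised
            and rec["to_header"] == compromised
            and rec["recipient"] != compromised
            and CAMPAIGN_SUBJECT.match(rec["subject"]) is not None
            and rec["attachment"].lower().endswith(".pdf"))


def company_label(address):
    """'bob@acme.example' -> 'acme'.  Crude stand-in for the target's company
    name, assumed for the example."""
    return address.split("@", 1)[1].split(".", 1)[0].lower()


def analyse_email_log(records, compromised=COMPROMISED):
    """Timeline, recipient lists (delivered vs undeliverable), attachment
    personalisation and attacker replies for the campaign."""
    campaign = [r for r in records if is_campaign_message(r, compromised)]
    if not campaign:
        return {"campaign_messages": 0}
    times = sorted(datetime.strptime(r["time"], TIME_FMT) for r in campaign)
    delivered = sorted({r["recipient"] for r in campaign if r["status"] == "delivered"})
    undeliverable = sorted({r["recipient"] for r in campaign if r["status"] != "delivered"})
    personalised = sum(1 for r in campaign
                       if company_label(r["recipient"]) in r["attachment"].lower())
    replies = [r for r in records
               if r["sender"] == compromised and REPLY_SUBJECT.match(r["subject"])]
    return {
        "campaign_messages": len(campaign),
        "first_send": times[0],
        "send_window_seconds": int((times[-1] - times[0]).total_seconds()),
        "delivered_contacts": delivered,        # the list handed to the account holder
        "undeliverable_contacts": undeliverable,
        "unique_attachment_names": len({r["attachment"] for r in campaign}),
        "personalised_attachments": personalised,
        "attacker_replies": len(replies),
    }


if __name__ == "__main__":
    for key, value in analyse_email_log(SAMPLE_EMAIL_LOG).items():
        print(f"{key}: {value}")
```

The delivered list is what the account holder needs for outreach; the undeliverable list is still worth keeping, because those addresses tell you how stale the harvested contact list was and which bounces the attacker was hiding by blocking mailer-daemon.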

Further Mitigation Steps

  • A routing rule was created to block any outgoing messages from the affected account
  • A compliance rule was created to quarantine any outbound messages from the affected account with the indicated subject line
  • A compliance rule was created to strip the attachment from any inbound or outbound message with the indicated subject line, notify the sender that the attachment had been removed by an admin, and modify the subject line to indicate that the message had been flagged as suspicious
  • With the affected account holder on the phone, reset the password and logged into the account holder's account to:
    • Verify that there were no POP accounts
    • Verify that there were no app passwords
    • Verify that there were no forwarding rules in place
    • Verify that no unauthorized accounts had been delegated permission to access the account
    • Restore the relevant deleted emails
    • Verify that there were no pending scheduled messages or drafts that could result in more emails being sent out
    • Review recently opened files as a secondary check that no scripts were scheduled to run from documents
      • Verified this a second time against the admin logs
    • Verify that the identity information was correct
    • Set up multi-factor authentication (which had not been in place prior to the attack)
    • Unblock the email address mailer-daemon@googlemail.com
    • Advise the account holder that all passwords stored in Google Password Manager should be considered compromised
    • Set the account holder up with a third-party password manager
      • Helped them export their passwords from Google Password Manager and import them into the new password manager
      • Helped them delete the stored passwords from Google Password Manager
      • Reviewed how to use the new password manager
      • Left the account holder stepping through the process of changing every password in the password manager
    • Provide the account holder with a list of contacts who had received the spam email, with bouncebacks, rejections and otherwise undeliverable addresses filtered out
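The routing and compliance rules above are Admin console configuration, and there is no way to unit-test them before they act on real mail. As an added example (plain Python over the standard library's email package, not Google Workspace configuration and not the author's work), the following emulates the three rules so their logic can be checked against a constructed message offline: outbound mail from the affected account is blocked, outbound mail from that account with the incident subject line is quarantined instead so a copy survives for review, and any other message carrying the subject line has its attachments stripped, its subject flagged and an admin notice appended. The rule precedence, the flag prefix, the notice text, the addresses and the PDF placeholder are all assumptions of this example.

```python
"""
Offline emulation of the incident's routing and compliance rules.
Added example; rule precedence, prefix, notice text and message are assumed/constructed.
"""
import re
from email.message import EmailMessage

AFFECTED_ACCOUNT = "alice@example.com"            # constructed
INCIDENT_SUBJECT = re.compile(r"^\s*(re:\s*)?project lead from ", re.IGNORECASE)
FLAG_PREFIX = "[FLAGGED AS SUSPICIOUS] "          # assumed subject modification
ADMIN_NOTICE = ("An attachment on this message was removed by the administrator "
                "because the message matched an active incident pattern.")


def build_sample_message(sender, subject):
    """Constructed message shaped like the campaign mail in the findings."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                # self-addressed; the real target was in Bcc
    msg["Subject"] = subject
    msg.set_content("Good Morning,\n\nKindly review and inform me if any "
                    "modifications are required.\nThank you,\n")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder, not a real document",
                       maintype="application", subtype="pdf",
                       filename="Acme_Project_Lead.pdf")
    return msg


def strip_attachments(msg):
    """Copy msg without attachments, with the subject flagged and, if anything
    was removed, the admin notice appended to the body."""
    removed = [part.get_filename() or "(unnamed)" for part in msg.iter_attachments()]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    new = EmailMessage()
    for header in ("From", "To", "Cc", "Date", "Message-ID"):
        if msg[header]:
            new[header] = msg[header]
    new["Subject"] = FLAG_PREFIX + (msg["Subject"] or "")
    if removed:
        text = text.rstrip("\n") + "\n\n" + ADMIN_NOTICE + " Removed: " + ", ".join(removed) + "\n"
    new.set_content(text)
    return new, removed


def apply_rules(msg, direction, affected=AFFECTED_ACCOUNT):
    """Evaluate the rules for one message.  'direction' is 'inbound' or
    'outbound' from the organisation's point of view.  Returns (action, message);
    the returned message is a stripped copy only for 'strip_attachment'."""
    sender = (msg["From"] or "").strip().lower()
    matches = INCIDENT_SUBJECT.match(msg["Subject"] or "") is not None
    if direction == "outbound" and sender == affected:
        # Quarantine keeps a reviewable copy of the campaign mail; everything
        # else from the account is simply blocked while the rules are in force.
        return ("quarantine" if matches else "block"), msg
    if matches:
        new, _removed = strip_attachments(msg)
        return "strip_attachment", new
    return "deliver", msg


if __name__ == "__main__":
    sample = build_sample_message("mallory@other.example", "Project Lead From Mallory Jones")
    action, out = apply_rules(sample, "inbound")
    print(action)
    print(out.as_string())
```

Because the stripping rule also fires on "Re:" subjects, the account holder's own replies clarifying the spam status would be flagged too, which is exactly why the quarantine had to be checked afterwards for legitimate replies.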

Further Actions

  • Checked the quarantine to allow any replies the account holder had made clarifying the spam status of the message and ensure that there were no new messages appearing in the quarantine
  • Removed the routing and compliance rules that were blocking the affected account from sending outbound messages
  • Downloaded a copy of the PDF document that was attached to the outgoing message and uploaded it to VirusTotal for review
  • Sent a summary of the attack, mitigation steps, findings, current status and recommendations to the principals in the organization and the affected account holder

Final Notes

While reviewing the mailbox with the affected account holder, they began receiving messages from other people with the exact same subject line and PDF, indicating that other people were being affected by this attack. This attack was only possible because the account holder's password had been compromised (most likely through reuse of a password across multiple accounts, one of which had been involved in a breach) and because multi-factor authentication was not enabled on the account. The latter could have been addressed by enforcing MFA across the organization.

While the attack was mitigated within 25 minutes of the first incursion, 20 of those minutes went by before the affected user noticed and reached out. The rest of the day was spent researching, mitigating and reporting on the attack.

As of the time of writing, VirusTotal had identified no trojans, droppers or other obvious signs of malware in the file, but review of the file is ongoing. It should also be noted that multiple email platforms scanned the email and its attachment and allowed it through.