A single account compromise at an unnamed "major university" in the UK led to a large-scale phishing attack against third parties, according to data protection outfit Barracuda Networks.
With one account in their pocket, the attackers used it to compromise a modest number of further accounts at the same institution, which were then turned into slave relays for the phishing flood, usually pushing an invitation to follow links to web services such as OneDrive or Docusign.
The incident contains a curious irony: third parties seem to have recognised the malicious campaign before the infected organisation, or at least before it reacted to block it.
What's hard to argue with is the simple mathematics of email compromise – one account can generate thousands of new phishing emails that are suddenly more likely to beat the recipient's filters because they come from a high-reputation domain.
The campaign wasn't even that flattering, according to Asaf Cidon, Barracuda's vice president of email security. "This university was simply being used as a platform for a phishing campaign against other companies. Universities are good targets for email compromise because they have a lot of email accounts and a lot are dormant," Cidon told The Reg.
A new Barracuda study has suggested the university's experience is not unusual, with a third of a random sample of 50 organisations questioned admitting they'd suffered one or more email compromises in the three months to the end of June.
Cidon said companies only know accounts have been compromised when someone in IT notices the resulting email blast, or an employee reports it to them. The average number of accounts compromised was a surprisingly low three – almost certainly an underestimate, Cidon believed.
It would be a mistake to assume the attacks are highly targeted: only 6 per cent of the compromised employees fell into that category. Far from targeting executives – a tactic for the spooks and nation-staters – anyone will do. What matters most is the domain reputation of the compromised organisation.
And it's almost as if the compromised organisations have resigned themselves to living with it due to a lack of easy solutions. "There's a spectrum of reactions. Some of the customers we've spoken to are in panic mode with the IT team pulling their hair out. At the other end, there are some companies who are not worried about it."
There's an obvious need to start monitoring internal email traffic. For anyone who's built their messaging security around the idea of perimeter filtering, that'll sound like a bit of a radical upgrade. Since the beginning of email time, the bad stuff has been on the outside, kept out by a gateway model that no longer works. Now vendors turn up with the new wheeze of watching the traffic sent from within the customer's own domain.
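One shape such monitoring could take, as an added illustration rather than Barracuda's product or anything the university ran: a sketch over constructed mail-log lines that flags an account whose outbound burst goes entirely to external recipients, entirely carries file-sharing links, and follows a long quiet period. The institution's domain, the log format, the lure keywords and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

INTERNAL_DOMAIN = "uni.example"            # assumed name for the compromised institution
LURE_WORDS = ("onedrive", "docusign")      # services named in the article; matched on hostname
WINDOW, BURST, DORMANT = timedelta(minutes=10), 5, timedelta(days=30)  # demo thresholds

# Constructed sample log: "timestamp sender recipient url-or-dash". Not real traffic.
SAMPLE_LOG = """\
2018-05-02T09:00:00 alice@uni.example bob@uni.example -
2018-05-02T09:15:00 alice@uni.example carol@uni.example -
2018-06-28T11:00:00 alice@uni.example dan@uni.example https://intranet.uni.example/notes
2018-06-28T11:01:00 relay@uni.example p1@corp.example https://onedrive.live.com/share?id=1
2018-06-28T11:01:10 relay@uni.example p2@corp.example https://onedrive.live.com/share?id=1
2018-06-28T11:01:20 relay@uni.example p3@bank.example https://onedrive.live.com/share?id=1
2018-06-28T11:01:30 relay@uni.example p4@bank.example https://onedrive.live.com/share?id=1
2018-06-28T11:01:40 relay@uni.example p5@law.example https://onedrive.live.com/share?id=1
"""

def parse_log(text):
    """Turn log lines into (timestamp, sender, recipient, url) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, sender, rcpt, url = line.split()
        events.append((datetime.fromisoformat(ts), sender, rcpt, None if url == "-" else url))
    return sorted(events, key=lambda e: e[0])

def find_relays(events):
    """Return {sender: [reasons]} for accounts whose outbound mail looks like a phishing relay."""
    by_sender = defaultdict(list)
    for ev in events:
        by_sender[ev[1]].append(ev)
    alerts = {}
    for sender, evs in by_sender.items():
        reasons = set()
        for i, (t0, _, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - t0 <= WINDOW]   # messages in the sliding window
            if len(win) < BURST:                                  # quiet senders are never flagged
                continue
            ext = sum(1 for e in win if e[2].split("@")[1] != INTERNAL_DOMAIN)
            lure = sum(1 for e in win if e[3] and any(w in urlparse(e[3]).netloc for w in LURE_WORDS))
            if ext == len(win):
                reasons.add("burst to external recipients")
            if lure == len(win):
                reasons.add("every message carries a file-sharing lure link")
            if i == 0 or t0 - evs[i - 1][0] > DORMANT:            # no prior sends, or a long gap
                reasons.add("dormant account")
        if reasons:
            alerts[sender] = sorted(reasons)
    return alerts
```

On the sample, alice's gap of nearly two months is ignored because she never bursts, while relay@ trips all three signals within 40 seconds of waking up.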
For now, the only alternative is layers of unpopular and expensive authentication to protect accounts, or signing up for Office 365 or G Suite's cloud AI email security, which has started making big if untested claims for its ability to block and claw back phishing emails. ®