Baddies just need one email account with clout to unleash phishing hell

Outsiders realised uni was hacked before uni did

A single account compromise at an unnamed "major university" in the UK led to a large-scale phishing attack against third parties, according to data protection outfit Barracuda Networks.

With one account in their pocket, the attackers used it to compromise modest numbers at the same institution, after which they were turned into slave relays for the phishing flood, usually pushing an invitation to links from web services such as OneDrive or Docusign.

The incident contains a curious irony: third parties seem to have recognised the malicious campaign before the infected organisation, or at least before it reacted to block it.

What's hard to argue with is the simple mathematics of email compromise – one account can generate thousands of new phishing emails that are suddenly more likely to beat the recipient's filters because they come from a high-reputation domain.

The campaign wasn't even that flattering, according to Asaf Cidon, Barracuda's vice president of email security. "This university was simply being used as a platform for a phishing campaign against other companies. Universities are good targets for email compromise because they have a lot of email accounts and a lot are dormant," Cidon told The Reg.

A new Barracuda study has suggested the university's experience is not unusual, with a third of a random sample of 50 organisations questioned admitting they'd suffered one or more email compromises in the three months to the end of June.


Cidon said companies only know accounts have been compromised when someone in IT notices the resulting email blast, or an employee reports it to them. The average number of accounts compromised was a surprisingly low three – almost certainly an underestimate, Cidon believed.

It would be a mistake to assume attacks are highly targeted with only 6 per cent of the compromised employees falling into this category. Far from targeting executives – a tactic for the spooks and nation-staters – anyone will do. What matters most is the domain reputation of the compromised organisation.

And it's almost as if the compromised organisations have resigned themselves to living with it due to a lack of easy solutions. "There's a spectrum of reactions. Some of the customers we've spoken to are in panic mode with the IT team pulling their hair out. At the other end, there are some companies who are not worried about it."

There's an obvious need to start monitoring internal email traffic. For anyone that's built their messaging security around the idea of perimeter filtering, that'll sound like a bit of a radical upgrade. Since the beginning of email time, the bad stuff has been on the outside, kept out by a gateway model that no longer works. Now vendors turn up with the new wheeze of watching the traffic sent within their domain.

For now, the only alternative is layers of unpopular and expensive authentication to protect accounts or signing up for Office 365 or G-Suite's cloud AI email security, which has started making big if untested claims for the ability to block and claw back phishing emails. ®

Similar topics

Broader topics

Other stories you might like

  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Slack-for-engineers Mattermost on open source and data sovereignty
    Control and access are becoming a hot button for orgs

    Interview "It's our data, it's our intellectual property. Being able to migrate it out those systems is near impossible... It was a real frustration for us."

    These were the words of communication and collaboration platform Mattermost's founder and CTO, Corey Hulen, speaking to The Register about open source, sovereignty and audio bridges.

    "Some of the history of Mattermost is exactly that problem," says Hulen of the issue of closed source software. "We were using proprietary tools – we were not a collaboration platform before, we were a games company before – [and] we were extremely frustrated because we couldn't get our intellectual property out of those systems..."

    Continue reading
  • UK government having hard time complying with its own IR35 tax rules
    This shouldn't come as much of a surprise if you've been reading the headlines at all

    Government departments are guilty of high levels of non-compliance with the UK's off-payroll tax regime, according to a report by MPs.

    Difficulties meeting the IR35 rules, which apply to many IT contractors, in central government reflect poor implementation by Her Majesty's Revenue & Customs (HMRC) and other government bodies, the Public Accounts Committee (PAC) said.

    "Central government is spending hundreds of millions of pounds to cover tax owed for individuals wrongly assessed as self-employed. Government departments and agencies owed, or expected to owe, HMRC £263 million in 2020–21 due to incorrect administration of the rules," the report said.

    Continue reading

Biting the hand that feeds IT © 1998–2022