The first step is to confirm the nature of the incident and the email accounts that have been compromised, then assess the severity of the incident, its scope and impact on your organization, and its criticality. Here’s some practical advice from InterCERT France’s response guidelines.
Assessing the compromise of an email account
An organization must call on internal and possibly external resources to assess the security incident. The people involved then need access to the administration and monitoring of the information system and security equipment, and they must also be aware of the organization’s business priorities and the list of emergency contacts.
The organization must further open a logbook and store it outside the compromised information system (for example, on an external medium, a shared file in the cloud, or even in paper format). The actions taken in response to the incident must be recorded in this log.
This log will be used to compile a timeline of how the incident was handled, track the remediation process, and measure its effectiveness. It must include:
- The date and time of the action or event
- The name of the person or department that detected or reported the event
- A detailed description of the action or event
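One way to keep such a logbook outside the compromised information system is an append-only file on an external medium. The following Python example is added here to illustrate the three required fields; it is not part of InterCERT France's guidelines. It goes one step further than the text by chaining each entry to the hash of the previous one, so that a later edit or deletion of an entry is detectable when the timeline is compiled. The entries written by `run_demo()` are constructed sample data.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def _entry_hash(entry):
    """Hash the canonical JSON form of an entry (sorted keys, fixed separators),
    so the hash does not depend on how the line happened to be serialized."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class IncidentLogbook:
    """Append-only JSON-lines logbook. Each entry carries the date/time, the
    reporter and a description, plus the hash of the previous entry."""

    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self, path):
        self.path = Path(path)

    def entries(self):
        if not self.path.exists():
            return []
        lines = self.path.read_text(encoding="utf-8").splitlines()
        return [json.loads(line) for line in lines if line]

    def _last_hash(self):
        existing = self.entries()
        return _entry_hash(existing[-1]) if existing else self.GENESIS

    def record(self, reporter, description, when=None):
        """Append one action or event. `when` defaults to the current UTC time."""
        entry = {
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "reporter": reporter,
            "description": description,
            "prev_hash": self._last_hash(),
        }
        with self.path.open("a", encoding="utf-8") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def verify(self):
        """Walk the chain. Returns (True, None) if intact, otherwise
        (False, index) of the first entry whose prev_hash does not match."""
        expected = self.GENESIS
        for i, entry in enumerate(self.entries()):
            if entry.get("prev_hash") != expected:
                return False, i
            expected = _entry_hash(entry)
        return True, None


def run_demo():
    """Write two constructed entries, verify, then simulate an after-the-fact
    edit of the first entry and verify again. Returns both verdicts."""
    with tempfile.TemporaryDirectory() as d:
        book = IncidentLogbook(Path(d) / "incident-logbook.jsonl")
        book.record("SOC analyst (constructed)", "Alert: repeated failed logins then success on j.doe")
        book.record("IT admin (constructed)", "Account j.doe disabled, active sessions revoked")
        before = book.verify()
        # Tamper: rewrite the description of the first entry in place.
        lines = book.path.read_text(encoding="utf-8").splitlines()
        first = json.loads(lines[0])
        first["description"] = "Nothing happened"
        lines[0] = json.dumps(first, sort_keys=True)
        book.path.write_text("\n".join(lines) + "\n", encoding="utf-8")
        after = book.verify()
    return before, after


if __name__ == "__main__":
    print(run_demo())  # ((True, None), (False, 1))
```

The second verdict points at entry 1 rather than entry 0: the edited entry still chains correctly to the genesis value, but the entry after it was written against the original hash, which no longer matches.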
And now, how can you confirm that an email account has been compromised? How can you assess the scope of the incident, its impact, and its criticality?
Compromised email account: incident assessment method
Identify the suspected email account
An account suspected of having been compromised can be detected by security tools or reported by a member of the organization.
Here are some examples that may indicate that an email account has been compromised:
- Reports of suspicious emails being received or sent (e.g. a reply to an email that was never sent, messages disappearing from the inbox), notification of leaked credentials, the presence of email rules that were not created by the user or administrators, unauthorized password changes, etc.
- Detection of a brute force attack followed by successful authentication on an email account, unusual activity on the email account, notification of unauthorized login attempts, etc.
To identify the scope of the incident, it is then necessary to check for any delegated rights from other accounts on this inbox, and from the account itself on other inboxes.
Confirm the compromised email report
Note that other kinds of actions may also be signs of compromise, such as the automatic forwarding or deletion of messages, actions at unusual times, suspicious permissions, the fraudulent installation of third-party applications, and the reset of trusted devices.
If one or more of these events are detected, the email account may be compromised and containment actions can be taken.
If the compromise is not confirmed, it is still advisable to force a password and MFA reset as a precautionary measure. Better safe than sorry!
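Two of the indicators listed above lend themselves to simple detection logic: a burst of failed authentications followed by a success on the same account, and inbox rules that forward mail to an external domain, delete messages, or were created by someone other than the mailbox owner or an administrator. The Python below is an added example, not a tool from InterCERT France's guidelines; the sign-in events, the inbox rules, the `ADMIN_ACCOUNTS` set and the `INTERNAL_DOMAINS` set are all constructed sample data, and the field names are an assumed export format, not any vendor's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: authentication events for the mail service (not real logs).
SIGNIN_EVENTS = [
    {"ts": "2024-03-01T07:00:00", "user": "j.doe", "ip": "203.0.113.7", "result": "failure"},  # too old to count
    {"ts": "2024-03-01T08:00:05", "user": "j.doe", "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-01T08:00:20", "user": "j.doe", "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-01T08:00:35", "user": "j.doe", "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-01T08:00:50", "user": "j.doe", "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-01T08:01:05", "user": "j.doe", "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-01T08:01:20", "user": "j.doe", "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-01T08:02:10", "user": "j.doe", "ip": "203.0.113.7", "result": "success"},
    {"ts": "2024-03-01T09:15:00", "user": "a.smith", "ip": "198.51.100.4", "result": "failure"},  # a single typo
    {"ts": "2024-03-01T09:15:30", "user": "a.smith", "ip": "198.51.100.4", "result": "success"},
]

# Constructed sample data: inbox rules exported from the mail platform.
MAILBOX_RULES = [
    {"owner": "j.doe", "created_by": "j.doe", "name": "Newsletters", "action": "move", "target": "Archive"},
    {"owner": "j.doe", "created_by": "j.doe", "name": ".", "action": "forward", "target": "jdoe.backup@mail-example.net"},
    {"owner": "j.doe", "created_by": "j.doe", "name": "clean", "action": "delete", "target": None},
    {"owner": "a.smith", "created_by": "helpdesk", "name": "OOO", "action": "move", "target": "Out of office"},
    {"owner": "a.smith", "created_by": "svc-migration", "name": "Sync", "action": "move", "target": "Archive"},
]
ADMIN_ACCOUNTS = {"helpdesk"}          # assumed list of accounts allowed to manage rules
INTERNAL_DOMAINS = {"example.com"}     # assumed list of the organization's own mail domains


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Return (user, ip, failures) for every successful login preceded by at
    least `threshold` failures on the same account inside `window`."""
    failures = defaultdict(list)  # user -> timestamps of recent failures
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        recent = [f for f in failures[ev["user"]] if t - f <= window]
        failures[ev["user"]] = recent
        if ev["result"] == "failure":
            recent.append(t)
        elif len(recent) >= threshold:
            hits.append((ev["user"], ev["ip"], len(recent)))
            failures[ev["user"]] = []  # one alert per burst
    return hits


def suspicious_rules(rules, admins, internal_domains):
    """Return (owner, rule name, reasons) for rules matching the indicators:
    created by a third party, forwarding outside the organization, or deleting mail."""
    findings = []
    for r in rules:
        reasons = []
        if r["created_by"] not in admins | {r["owner"]}:
            reasons.append("created by third party")
        if r["action"] == "forward":
            domain = r["target"].rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                reasons.append("forwards to external domain")
        if r["action"] == "delete":
            reasons.append("deletes messages")
        if reasons:
            findings.append((r["owner"], r["name"], reasons))
    return findings


if __name__ == "__main__":
    for hit in brute_force_then_success(SIGNIN_EVENTS):
        print("brute force then success:", hit)
    for finding in suspicious_rules(MAILBOX_RULES, ADMIN_ACCOUNTS, INTERNAL_DOMAINS):
        print("suspicious rule:", finding)
```

The failure at 07:00 is dropped by the sliding window, so j.doe is reported with six failures rather than seven, and a.smith's single typo before a successful login stays below the threshold. Both thresholds are deliberately parameters: the right values depend on the organization's own baseline.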
Assess the scope of the incident in the event of compromised email
Defining the scope of the incident involves checking whether the incident is limited to email, whether one or more email accounts are affected and which ones, and tracing back to the initial access (phishing, brute force attack, malicious code, infostealer, etc.).
Standard user, sensitive user, or administrative account: the type of email account affected is also important in assessing the criticality of the incident.
Furthermore, does this account have access to shared files, a VPN, cloud services, applications, or an extranet? Are other accounts compromised in the same way?
To answer these questions, detection tools such as EDR or EPP can be used to determine whether other workstations are affected and, if so, which ones (e.g. through the presence of malicious files or messages containing suspicious elements).
Regarding initial access, it is important to note that phishing or data theft may have enabled attackers to retrieve a single username and password combination that can be used for different applications. In addition, an infostealer may have enabled them to extract not only a single username and password combination, but also active session tokens. The consequences may therefore extend beyond the email account itself.
Compromised email account: assessing the impact of the incident
To further assess the impact of an email account compromise, other questions must be addressed: could data have been exfiltrated, and is this sensitive data? Could the compromise have given access to another account, system, or application? What are the business impacts? And what is the regulatory impact if the account stores sensitive data?
Compromised email account: how urgent is it?
After confirming the report or detection and assessing the scope and impact of the email account compromise, how urgent is it to take action? Is the malicious activity recent, could it evolve, and what would be the consequences? Or is it, on the contrary, old and stable? If the risk of propagation to the rest of the information system is significant and could have critical consequences for the organization, urgent action is required. The impact on the organization’s activity and financial losses should also be a decisive factor.
The compromise can then be classified as a common anomaly, a minor incident, a major incident, or possibly a cyber crisis. Containment and remediation may require external resources, such as the help of a CERT or a CSIRT.
More specifically, what containment actions should be taken in the event of an email account compromise?
Containment of a security incident following a compromised email account
After classifying the incident, the containment phase must begin by ensuring that those in charge have access rights to the email administration system, the affected accounts, and the logs of related solutions.
Protect email
This first step in containment aims to regain control of the compromised account and clean up the attacker’s illegitimate access. For example:
- Block the email account until the issue is resolved
- Reset the compromised account by revoking active sessions, resetting the password, and re-registering MFA
- Clean up persistence and illegitimate access to the compromised account
- Delete any illegitimate accounts created by the attacker, if applicable
It may also be necessary to review email management rules, access to third-party applications, or any other administrative actions to verify their legitimacy.
Protect the environment of the user whose email has been compromised
After protecting the compromised email account, it is also necessary to protect the other access points that the user has within the organization, as well as their workstation.
An antivirus scan is useful, or even a complete reinstallation of the workstation, together with a reset of the user’s access to other applications within the organization (online applications, VPN, cloud services, etc.).
Prepare the investigation into the compromised email account
Traces are essential for investigations. Increasing the verbosity and retention of logs, and preserving the logs already collected, is therefore crucial.
Furthermore, this evidence is necessary for law enforcement agencies during legal proceedings.
Limit the spread of the compromise to other email accounts
Hindering the attacker is one of the essential containment measures to limit the spread from the compromised email account.
To this end, you must:
- Check the content of messages in the compromised account (fraudulent emails sent, deleted, containing identifiers, or indicating password or trusted device resets, etc.)
- Check sensitive files accessible through the compromised account and whether the attacker was able to access them
- Put suspicious IP addresses under detection rather than blocking them: keeping them under watch continues to collect information, whereas blocking is ineffective if the attacker regularly changes IP addresses
- Investigate the initial access (phishing, infostealer, etc.) and quarantine or block the malicious sender or domain, the types of files identified, web requests from the malicious URL, etc.
In some cases, blocking actions are essential. However, it is important to keep in mind that detection allows for better supervision, for example, to see which other accounts the attacker has obtained and with which they are attempting to log in.
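The supervision described here can be expressed as a pivot: take the addresses that authenticated to the compromised account (minus the organization's own egress), then list every other account seen from those addresses and whether the attempt succeeded. The Python below is an added example and not part of InterCERT France's guidelines; the tenant-wide sign-in events and the `KNOWN_GOOD_IPS` set are constructed sample data, and the field names are an assumed export format.

```python
from collections import defaultdict

# Constructed sample data: sign-in events across the whole organization (not real logs).
TENANT_SIGNINS = [
    {"ts": "2024-03-01T08:02:10", "user": "j.doe", "ip": "203.0.113.7", "result": "success"},
    {"ts": "2024-03-01T08:30:00", "user": "j.doe", "ip": "203.0.113.9", "result": "success"},
    {"ts": "2024-03-01T10:05:00", "user": "a.smith", "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-01T10:05:20", "user": "a.smith", "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-01T10:40:00", "user": "m.lee", "ip": "203.0.113.9", "result": "success"},
    {"ts": "2024-03-01T11:00:00", "user": "j.doe", "ip": "192.0.2.10", "result": "success"},   # office egress
    {"ts": "2024-03-01T11:20:00", "user": "r.kim", "ip": "192.0.2.10", "result": "success"},   # office egress
]
KNOWN_GOOD_IPS = {"192.0.2.10"}  # assumed: the organization's own egress addresses


def attacker_ips(events, compromised_user, known_good):
    """Addresses that successfully authenticated to the compromised account,
    excluding the organization's known egress so legitimate use is not watched."""
    return {
        e["ip"] for e in events
        if e["user"] == compromised_user and e["result"] == "success"
    } - known_good


def pivot_other_accounts(events, watch_ips, compromised_user):
    """For each watched IP, map every other account seen from it to its
    attempt and success counts. Nothing is blocked; this is detection only."""
    report = defaultdict(dict)
    for e in events:
        if e["ip"] in watch_ips and e["user"] != compromised_user:
            stats = report[e["ip"]].setdefault(e["user"], {"attempts": 0, "successes": 0})
            stats["attempts"] += 1
            if e["result"] == "success":
                stats["successes"] += 1
    return {ip: dict(users) for ip, users in report.items()}


def triage(report):
    """Split accounts into those the attacker already authenticated as (to be
    handled as compromised) and those only being tried (to be watched)."""
    compromised, targeted = set(), set()
    for users in report.values():
        for user, stats in users.items():
            (compromised if stats["successes"] else targeted).add(user)
    return sorted(compromised), sorted(targeted - compromised)


if __name__ == "__main__":
    ips = attacker_ips(TENANT_SIGNINS, "j.doe", KNOWN_GOOD_IPS)
    report = pivot_other_accounts(TENANT_SIGNINS, ips, "j.doe")
    print("watched IPs:", sorted(ips))
    print("report:", report)
    print("compromised, targeted:", triage(report))
```

In the sample, m.lee has already been logged into from one of the watched addresses and should be treated as a second compromised account, while a.smith has only been attempted and can remain under watch. Had the addresses simply been blocked, the m.lee login from the second address would still have happened if the attacker rotated to it first, and the pivot would never have surfaced it.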
Compromised email account: towards investigation and remediation
Beyond containment, InterCERT France’s reflex sheets propose measures to launch investigations. These initial steps are aimed in particular at detecting anomalies on workstations, as well as:
- Securing the organization as a whole (strengthening the password policy, renewing passwords, generalizing the use of MFA, and more)
- Securing the email solution (updating, patching vulnerabilities)
- Raising user awareness, etc.
A security incident must be managed in coordination with all stakeholders, with the support of external experts if necessary, regarding forensic investigation, remediation, communication, filing complaints, reporting, and so on.
Finally, if an organization is likely to transmit fraudulent messages to external parties, these external contacts must also be notified in the event of a compromise, and it may be necessary to consider broader communication if the domain as a whole is compromised.