
FireEye M-Trends 2019: Hidden Phishing Risks During Mergers and Acquisitions
Our partner FireEye has released its most recent M-Trends report, which looks at some of the significant trends and shifts of 2019, including the hidden phishing risks during mergers and acquisitions. FireEye previously discussed the risks of integrating a compromised organization into a parent organization in its M-Trends 2012 report, and the issue remains a large threat to organizations today. During a merger or acquisition, tight deadlines are in place to meet business objectives, which sometimes leads organizations to integrate their computer networks without resolving security objectives, reducing the security of the combined company. In some cases, a single email account that has been attacked could be used to increase the attacker’s access to the entire network.
“We observed an increase in phishing attacks where a compromised email account was used to send phishing emails to additional users in the organization. This is particularly effective in M&A situations, since employees expect communication, sometimes unsolicited, between the organizations. Phishing emails sent within an organization are more likely to bypass checks by email gateways, which are often configured to inspect email entering or leaving an organization’s network. The natural development of relationships between individuals or organizations means the target is more likely to trust such content and enable macros, open attachments, and navigate to a URL using links.”
Attackers also accessed compromised email accounts to bypass multi-factor authentication, used services such as PowerShell, Exchange Control Panel and Exchange Web Services to forward or redirect emails to maintain their access without being discovered, and changed the victim’s Outlook configuration to redirect the system to the attacker’s web page compromised with malware, allowing the attacker to stay inside the network.
“We expect unauthorized access to email, particularly during M&A, to remain a common source of attack for threat actors of varying intent and sophistication. We also expect that the TTPs will evolve with security tools and monitoring. Threat actors will continue to increase the effectiveness of subsequent stages of the targeted attack lifecycle (such as maintaining persistence or data exfiltration).”
So what can you do to protect yourself and your organization?
Organizations will need to protect themselves by adapting their email defenses and monitoring attacker techniques. This requires implementing appropriate email security solutions that detect malicious links and attachments.
In addition to email security, FireEye made a few mitigation and detection strategy recommendations for organizations that are looking at the M&A process in the future:
- Conduct a compromise assessment of the acquisition to attempt to identify any current or previous compromises.
- Conduct a proactive review searching for evidence of potential attacker activity within the acquiring and acquired networks before integrating them.
- Audit rights to identify accounts with access to other users’ email.
- Disallow the automatic forwarding of email outside the organization, or regularly audit the forwarding rules on the organization’s mail servers to detect evidence of this technique.
- Enable audit logging on O365.
- Enable multi-factor authentication on O365.
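
The forwarding-rule audit recommended in the list above can be scripted. The following is an added example, not code from FireEye's report or from Secure Sense: it assumes mailbox and inbox-rule settings have already been exported to records whose field names mirror the `Get-Mailbox` and `Get-InboxRule` properties (the `Mailbox` column, the export layout, and all domains and addresses are constructed for illustration).

```python
import re

# Constructed sample data; every domain and address here is made up.
INTERNAL_DOMAINS = {"parent.example", "acquired.example"}
MAILBOXES = [  # assumed export of Get-Mailbox properties
    {"UserPrincipalName": "cfo@acquired.example",
     "ForwardingSmtpAddress": "smtp:archive@mailbox-sync.example",
     "DeliverToMailboxAndForward": True},
    {"UserPrincipalName": "hr@parent.example",
     "ForwardingSmtpAddress": None, "DeliverToMailboxAndForward": False},
]
INBOX_RULES = [  # assumed export of Get-InboxRule properties per mailbox
    {"Mailbox": "legal@parent.example", "Name": "sync", "Enabled": True,
     "ForwardTo": ['"Deal Team" [SMTP:dealteam@acquired.example]'],
     "RedirectTo": [], "ForwardAsAttachmentTo": []},
    {"Mailbox": "ap@acquired.example", "Name": ".", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": [],
     "RedirectTo": ['"x" [SMTP:inv0ice@freemail.example]']},
    {"Mailbox": "it@parent.example", "Name": "old", "Enabled": False,
     "ForwardTo": ['"me" [SMTP:me@personal.example]'],
     "RedirectTo": [], "ForwardAsAttachmentTo": []},
]

# Pulls the address out of 'smtp:user@dom' or '"Name" [SMTP:user@dom]'.
ADDR = re.compile(r'(?:smtp:)?([^\s\[\]:"<>]+@[^\s\[\]"<>]+)', re.I)

def external_addresses(values, internal=INTERNAL_DOMAINS):
    """Return the addresses in values whose domain is not internal."""
    found = []
    for value in values:
        for addr in ADDR.findall(value or ""):
            if addr.rsplit("@", 1)[1].lower() not in internal:
                found.append(addr.lower())
    return found

def audit_forwarding(mailboxes, rules):
    """Return (mailbox, source, external address, enabled) findings."""
    findings = []
    for mbx in mailboxes:
        for addr in external_addresses([mbx.get("ForwardingSmtpAddress")]):
            findings.append((mbx["UserPrincipalName"], "mailbox-forwarding", addr, True))
    for rule in rules:
        for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            for addr in external_addresses(rule.get(field, [])):
                findings.append((rule["Mailbox"], f"inbox-rule:{field}", addr, rule["Enabled"]))
    return findings

if __name__ == "__main__":
    for finding in audit_forwarding(MAILBOXES, INBOX_RULES):
        print(finding)
```

Disabled rules are reported as well, since a rule that once forwarded mail externally is evidence worth reviewing during a compromise assessment; forwarding between the two merging organizations is treated as internal only because both domains are in the allowlist.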
Read FireEye’s full report here: M-Trends 2019
As FireEye mentioned in their trend report, phishing tactics have remained a serious cybersecurity issue for years. Attackers are creating more innovative and convincing ways to take advantage of employees in your organization. To learn more about how you can protect yourself and your business from a phishing attack, check out our blog here:
- Do Employees Really Fall Victim to Phishing Attacks?
- Hackers Shooting for World Cup Success with New Phishing Attack
- 6 Things to Watch Out for in Phishing Attacks
- Phishing Testing: Building Your Human Firewall
FireEye offers a single platform that blends innovative security technologies, nation-state grade threat intelligence, and world-renowned Mandiant consulting. If you’re interested in learning more about the FireEye solution, please contact Secure Sense here.
FireEye is a valued sponsor of Camp Secure Sense 2019. Over the past five years, Camp Secure Sense has been the central hub for our community to get together and talk security. We take real-world security problems and provide the answers you’re looking for in a fun, education-focused environment.
Interested in attending? We’re raffling a CIO Suite to those that register before March 15th here.
