• by Ray Schultz , April 16, 2018

Account-based email attacks have hit almost half of all businesses barely a year after making their first appearance -- and they are spreading rapidly because they are hard to detect, according to a study by Osterman Research sponsored by Agari and other vendors. 

Of 140 organizations surveyed, 44% say they were victimized by an account-based (ATO) email attack in the past 12 months.

In addition, based on internal research, Agari has seen a 126% increase in ATO attacks month-over-month in early 2018.

The study notes that such attacks were virtually nonexistent prior to 2017 -- but they are now the most successful email attack category.

Agari defines an ATO attack as “the process of gaining unauthorized access to a trusted email account, and using this compromise to launch subsequent email attacks for financial gain or to execute a data breach.”

The company reports that 91% of such attacks come from outside organizations, 8% from trusted parties and 1% from employee webmail. However, no insider attacks were observed.

ATO overcomes security solutions likesecure email gateways because they are sent from established email accounts, requiring no spoofing or display name deception.    

In addition, victims are more likely to open them and reveal sensitive data because they have trust relationships with the purported user.

“Account takeover attacks should be considered a very serious risk because they target the highest levels of leadership, but are extremely difficult to detect,” states Michael Osterman, president of Osterman Research.

According to the study, successful attackers take five steps:

1. Gain account access—This is done with a spear phishing or malware-based email attack. Or, the bad actors may purchase email account credentials on the dark web.
2. Establish account control—This can be achieved without alerting the victim or security personnel.
3. Conduct internal reconnaissance—Criminals do this to determine how the account can be exploited.
4. ATO-based attack—The targeted email attack is launched.
5. Complete mission—The attacker “exfiltrates” sensitive information or funds.

Agari recommends these defenses:

• Identity mapping
• Behavioral analytics
• Trust modeling
• Identity intelligence scoring.  

Osterman polled companies with an average of 16,821 email users. In addition, Agari analyzed over 1400 untrusted messages over a two-month period.