Microsoft 365 business email compromise incidents and observed threat actor tactics

 

While investigating recent business email compromise (BEC) incidents, we have seen a sharp rise in third-party mail clients being granted permission to access compromised user accounts.

Read on to learn more about the potential implications if your organisation is affected, how to stop that happening, and what to do if you discover it already has.
 
What is a third-party mail client?
 
A third-party mail client is an email application developed by a company or individual other than your main email service provider. Many organisations use these clients to access and manage email from multiple providers, such as Gmail, Outlook and Yahoo, in a single interface.
 
What are examples of third-party mail clients?
 
You have probably heard of third-party mail applications like Thunderbird, Apple Mail and Spark. But there are many others.
  
What are the benefits of using a third-party mail client?
 
As well as allowing users to manage multiple email accounts all in one place, they often provide additional features like enhanced security or integrations with other applications. They also tend to be more customisable, allowing users to tailor how they work to suit their particular requirements.
 
How do threat actors maliciously exploit these applications?
 
Threat actors are increasingly granting consent, from within a compromised user’s Microsoft 365 (M365) account, for an external mail client to access that user’s mailbox. Once they have done this, they can install the application on their own device and use it to log in to the victim’s M365 account whenever they like.
 
Typically, this will synchronise a copy of the user’s entire mailbox to the threat actor’s device, making its contents visible through the mail application.
 
There are many reasons why threat actors would want to do this:

  • They can use the application to view and manage multiple compromised accounts from a variety of organisations in one place
  • They can hide their malicious activity from the rightful user of a compromised account
  • If a compromise is discovered and remediated, the threat actor will still have access to the contents of that mailbox from the time before it was last synchronised. They can continue to use this information, for example, to propagate targeted phishing campaigns or to set up spoof domains in an attempt to hijack email conversations
  • Depending on the nature of the data contained within the affected mailbox, the threat actor could sell it on a criminal forum or use it to demand payment from the affected organisation.
     
How can this be detected?
 
  • Microsoft Entra ID (formerly Azure AD) sign-in logs show the name of the email client in the Application field for each sign-in it has been used to make to a particular user’s account
  • Entra ID audit logs record the consent grant itself as a “Consent to application” activity, with the name of the email client appearing in the Target(s) field
  • The tenant’s Enterprise applications list details the third-party mail applications that have been granted access. Review it to identify any suspicious or unexpected applications
  • Use a security solution backed by a managed detection and response (MDR) service, such as Solis MDR for M365, so that detections for this and other suspicious behaviours are investigated and remediated promptly, before they become a more significant cyber security incident
 
Two applications we commonly see used by threat actors are eM Client and PERFECTDATA SOFTWARE. We would nevertheless recommend auditing all activity and addressing any application that does not appear to have a legitimate business purpose.
     
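As an added example (not code from the original post or from Solis), the following Python script runs the three log checks above over constructed sample records. It assumes sign-in and audit records in the shape of the Microsoft Graph signIn and directoryAudit resources, as produced by a JSON export from the Entra admin centre; the sample records, the WATCHLIST (the two clients named above) and the FIRST_PARTY allowlist are assumptions for illustration and should be replaced with your own export and the applications your tenant actually uses.

```python
"""Flag third-party mail clients in exported Entra ID sign-in and audit logs.
Added example with constructed data; record shapes follow the Microsoft Graph
signIn and directoryAudit resources (assumption: adjust to your export)."""
import json
from collections import defaultdict

# Clients the post names as commonly abused. Anything else outside the
# allowlist is reported as "unrecognised app" so that it gets reviewed.
WATCHLIST = {"em client", "perfectdata software"}

# Assumed first-party allowlist for illustration: tune it to your tenant.
FIRST_PARTY = {"microsoft office", "office 365 exchange online",
               "microsoft teams", "onedrive", "microsoft 365 portal"}

# Constructed sign-in records. appDisplayName is what the portal shows in
# the Application column; a non-zero status.errorCode means the sign-in failed.
SIGNINS = json.loads("""[
 {"createdDateTime": "2024-03-04T08:02:11Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Microsoft Office", "clientAppUsed": "Mobile Apps and Desktop clients",
  "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
 {"createdDateTime": "2024-03-04T23:41:57Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "eM Client", "clientAppUsed": "Mobile Apps and Desktop clients",
  "ipAddress": "198.51.100.77", "status": {"errorCode": 0}},
 {"createdDateTime": "2024-03-05T01:03:20Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "PERFECTDATA SOFTWARE", "clientAppUsed": "Browser",
  "ipAddress": "198.51.100.77", "status": {"errorCode": 50126}},
 {"createdDateTime": "2024-03-05T09:15:00Z", "userPrincipalName": "bob@example.com",
  "appDisplayName": "Thunderbird", "clientAppUsed": "Mobile Apps and Desktop clients",
  "ipAddress": "203.0.113.22", "status": {"errorCode": 0}}
]""")

# Constructed audit records. A consent grant is the "Consent to application"
# activity; the app name is targetResources[].displayName (portal: Target(s)).
AUDITS = json.loads("""[
 {"activityDateTime": "2024-03-04T23:40:02Z", "activityDisplayName": "Consent to application",
  "result": "success", "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "eM Client"}]},
 {"activityDateTime": "2024-03-05T09:10:44Z", "activityDisplayName": "Update user",
  "result": "success", "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
  "targetResources": [{"type": "User", "displayName": "bob@example.com"}]}
]""")


def suspicious_signins(signins, watchlist=WATCHLIST, allow=FIRST_PARTY):
    """Successful sign-ins made through a watchlisted or unrecognised app."""
    hits = []
    for s in signins:
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt: nothing synchronised (still worth a look in bulk)
        app = s.get("appDisplayName", "").lower()
        if app in allow:
            continue
        hits.append({
            "when": s["createdDateTime"],
            "user": s["userPrincipalName"],
            "app": s["appDisplayName"],
            "ip": s.get("ipAddress"),
            "reason": "watchlisted client" if app in watchlist else "unrecognised app",
        })
    return hits


def consent_grants(audits, watchlist=WATCHLIST):
    """(user, app, time) for every successful consent to a watchlisted app."""
    grants = []
    for a in audits:
        if a.get("activityDisplayName") != "Consent to application" or a.get("result") != "success":
            continue
        user = a.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
        for t in a.get("targetResources", []):
            if t.get("displayName", "").lower() in watchlist:
                grants.append((user, t["displayName"], a["activityDateTime"]))
    return grants


def correlate(signins, audits):
    """Users who consented to a watchlisted app and then signed in with it:
    the grant-then-sync sequence described above."""
    consented = defaultdict(set)
    for user, app, _ in consent_grants(audits):
        consented[user].add(app.lower())
    chain = defaultdict(list)
    for h in suspicious_signins(signins):
        if h["app"].lower() in consented[h["user"]]:
            chain[h["user"]].append(h["app"])
    return dict(chain)


if __name__ == "__main__":
    for h in suspicious_signins(SIGNINS):
        print("SIGN-IN", h)
    for g in consent_grants(AUDITS):
        print("CONSENT", g)
    print("CHAIN  ", correlate(SIGNINS, AUDITS))
```

On the sample data the script reports alice’s eM Client sign-in (watchlisted) and bob’s Thunderbird sign-in (not allowlisted, so flagged for review), ignores the failed PERFECTDATA SOFTWARE attempt, and correlates alice’s “Consent to application” event with the eM Client sign-in that followed it a minute later, which is the grant-then-sync sequence the post describes. Anything that falls outside the allowlist should be confirmed with the user before it is treated as hostile.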

How do you stop this happening?
 
It is a good idea to require additional approval for requests to grant consent to third-party applications. Restricting this activity to administrators ensures that threat actors cannot grant consent simply by compromising a regular user account.
 
This article explains more about admin consent requests

Conditional access policies can also be configured to control access to third-party applications. This article can help you create an appropriate conditional access policy.
  
What should you do if you identify third-party mail clients being used?
 
First confirm, with the user(s) concerned, whether the activity is indeed suspicious. Where permissions are not restricted, users will often use third-party applications as a matter of personal preference, or to support a particular aspect of their professional duties.
 
If the activity is not legitimate, remove the application’s permission grant from the affected account in addition to resetting the password and revoking the user’s active sessions: a password reset on its own removes neither the consent the application already holds nor the copy of the mailbox the threat actor has already synchronised. Blocking consent to the suspicious application then ensures that users will not be able to request consent to the same application in future.
 
If you’ve identified this type of activity and you have concerns about a potential compromised account or unauthorised access to sensitive or personal data, please get in touch and we’ll be happy to help.