CardinalOps Updates Techniques in MITRE ATT&CK v13 Describing New Adversary Methods for Hijacking Corporate Email Systems

May 2023 by CardinalOps

CardinalOps announced their contribution to the latest version of MITRE ATT&CK. The security research team’s updates provide recommended detections in the native query languages for Splunk, Microsoft Sentinel, IBM QRadar and Sumo Logic, in an effort to combat cyber adversaries abusing email rules during attacks. According to Kaspersky, in 2022 phishing attacks doubled in comparison to the previous year, reaching over 500 million phishing attempts.

New methods highlight growing sophistication of compromises targeting corporate email systems such as Office 365, Microsoft Exchange, and Google Workspace

CardinalOps, the detection posture management company, today announced it contributed updates to the latest version of MITRE ATT&CK describing new ways in which adversary groups like LAPSUS$ hijack corporate email systems such as Office 365, Microsoft Exchange, and Google Workspace.

As the industry-standard framework for understanding adversary playbooks and behavior, MITRE ATT&CK now contains over 600 techniques and sub-techniques employed by both cybercriminal and nation-state threat groups. The latest version, MITRE ATT&CK v13, was released on April 25th.

The updates contributed by CardinalOps describe how adversaries abuse email transport rules, the administrative rules that control how messages flow through corporate email systems. Adversaries employ these rules to:
• Perform reconnaissance by automatically forwarding sensitive emails to mailboxes controlled by attackers.
• Launch internal spear phishing attacks in order to steal privileged credentials for ransomware campaigns.
• Send spam emails from compromised Exchange domains while removing headers that would flag them as suspicious.
• Evade detection by hiding critical emails such as internal security alerts and command-and-control communication (C2) from mailboxes.

Defending Against Email Transport Abuse Attacks
Organizations can protect themselves by ensuring the SOC has the right detections in place to quickly identify and respond to these types of email system compromises.
To support the defender community, CardinalOps has published a technical blog post providing native detection rules covering these ATT&CK techniques for popular SIEM platforms including Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic. Detecting attacks in the SIEM is critical because the SIEM is the last line of defense for detecting attacks missed by other security tools.
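To make the detection side concrete, here is an added example (not the page's own code and not CardinalOps' published SIEM rules) that applies the checks such rules encode to a handful of constructed Exchange admin-audit records. The record layout (an `Operation`, a `UserId` and a `Parameters` list of name/value pairs) is a simplified version of the Office 365 unified audit log format and is an assumption of this example; the cmdlet and parameter names are real Exchange Online ones, the addresses, header name and internal-domain list are constructed. It flags the three patterns the text describes: copies of mail routed to external mailboxes, rules that delete or move messages out of sight, and rules that strip headers in transit, and groups each finding under the ATT&CK entry listed further down the page (that grouping is the example's own reading).

```python
"""Flag mail flow rule changes that match the transport/inbox rule abuse patterns
described in the text. Added example; not CardinalOps' published detection rules."""
import json
from typing import Dict, Iterable, List

# Exchange admin-audit operations that create or modify mail flow rules.
RULE_OPERATIONS = {"New-TransportRule", "Set-TransportRule",
                   "New-InboxRule", "Set-InboxRule"}
# Parameters that route copies of mail elsewhere (transport rule and inbox rule forms).
FORWARDING_PARAMS = {"BlindCopyTo", "RedirectMessageTo", "CopyTo",
                     "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Parameters that make mail disappear from the recipient's view.
HIDING_PARAMS = {"DeleteMessage", "MoveToFolder"}
# Parameter that strips a header from messages in transit.
HEADER_PARAMS = {"RemoveHeader"}

# Grouping of findings under the ATT&CK entries listed on the page
# (the example's own mapping, not a MITRE or CardinalOps statement).
CATEGORY_TECHNIQUE = {
    "forwarding": "T1114.003 Email Forwarding Rule",
    "hiding": "T1564.008 Email Hiding Rules",
    "header-removal": "T1070.008 Clear Mailbox Data",
}

# Assumption: the organisation's own mail domains (constructed).
INTERNAL_DOMAINS = {"example.invalid"}

# Constructed sample records; the layout is a simplified audit-log shape (assumption).
SAMPLE_EVENTS = [
    {"Operation": "New-TransportRule", "UserId": "admin@example.invalid",
     "Parameters": [{"Name": "Name", "Value": "Archive all mail"},
                    {"Name": "BlindCopyTo", "Value": "collector@attacker-mail.invalid"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@example.invalid",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "security alert"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-TransportRule", "UserId": "admin@example.invalid",
     "Parameters": [{"Name": "Identity", "Value": "Outbound"},
                    {"Name": "RemoveHeader", "Value": "X-Constructed-Spam-Flag"}]},
    {"Operation": "New-TransportRule", "UserId": "admin@example.invalid",
     "Parameters": [{"Name": "Name", "Value": "Legal disclaimer"},
                    {"Name": "ApplyHtmlDisclaimerText", "Value": "Confidential"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.invalid",
     "Parameters": [{"Name": "Name", "Value": "Cover during leave"},
                    {"Name": "ForwardTo", "Value": "carol@example.invalid"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@example.invalid",
     "Parameters": [{"Name": "Identity", "Value": "bob@example.invalid"}]},
]


def _param_map(event: Dict) -> Dict[str, str]:
    """Flatten the Name/Value parameter list into a dict (last value wins)."""
    return {p["Name"]: str(p.get("Value", "")) for p in event.get("Parameters", [])}


def _external_recipients(value: str, internal_domains: Iterable[str]) -> List[str]:
    """Return the addresses in a comma/semicolon separated recipient list whose
    domain is not one of ours. Forwarding to a colleague is ordinary; forwarding
    to an outside mailbox is the reconnaissance pattern the text describes."""
    internal = {d.lower() for d in internal_domains}
    external = []
    for addr in (a.strip() for a in value.replace(";", ",").split(",") if a.strip()):
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        if domain not in internal:
            external.append(addr)
    return external


def find_suspicious_rules(events: Iterable[Dict], internal_domains: Iterable[str]) -> List[Dict]:
    """Walk audit records in order and emit one finding per suspicious parameter."""
    findings = []
    for ev in events:
        op = ev.get("Operation", "")
        if op not in RULE_OPERATIONS:
            continue  # not a rule change; ignore
        params = _param_map(ev)
        base = {"operation": op, "user": ev.get("UserId", "?"),
                "rule": params.get("Name") or params.get("Identity", "?")}
        for name, value in params.items():
            if name in FORWARDING_PARAMS:
                ext = _external_recipients(value, internal_domains)
                if not ext:
                    continue
                category, shown = "forwarding", ", ".join(ext)
            elif name in HIDING_PARAMS:
                if name == "DeleteMessage" and value.lower() != "true":
                    continue  # DeleteMessage explicitly set to False is not hiding
                category, shown = "hiding", value
            elif name in HEADER_PARAMS:
                category, shown = "header-removal", value
            else:
                continue
            findings.append({**base, "category": category, "parameter": name,
                             "value": shown, "technique": CATEGORY_TECHNIQUE[category]})
    return findings


if __name__ == "__main__":
    print(json.dumps(find_suspicious_rules(SAMPLE_EVENTS, INTERNAL_DOMAINS), indent=2))
```

Run against the sample records, the function reports three findings (the external BCC, the delete rule on security alerts, and the header strip) and stays quiet on the disclaimer rule and on the forward to an internal colleague. In a SIEM the same logic is a filter on `Operation` plus a match on the parameter names above, with the internal-domain exclusion being the part that keeps the forwarding alert from firing on everyday out-of-office rules.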

CardinalOps’ security research team is constantly working on new ways to detect attacks based on threat actor activity, vulnerabilities, and malware found in the wild. Here are the techniques and sub-techniques that were updated in MITRE ATT&CK v13 based on research performed by Liran Ravich, cybersecurity architect at CardinalOps:
• Hide Artifacts: Email Hiding Rules (T1564.008)
• Indicator Removal: Clear Mailbox Data (T1070.008)
• Email Collection: Email Forwarding Rule (T1114.003)
• Phishing for Information (T1598)
• Phishing (T1566)

Examples of Email Transport Abuse Campaigns
In March 2022, Microsoft published a report describing attacks by DEV-0537, also known as LAPSUS$. In these attacks, the adversary gained access to global admin accounts and later configured a tenant-level transport rule to send all mail in and out of the organization to a newly created account controlled by the attackers. And in September 2022, Microsoft published a blog post describing how malicious OAuth applications abuse cloud email services to spread spam.

Phishing Attacks Double Year-Over-Year
Phishing attacks have seen rapid growth in popularity and have increased year over year. According to recent Kaspersky research, in 2022 phishing attacks doubled in comparison to the previous year, reaching over 500 million attempts. Phishing is an important tool in the adversary’s arsenal because it’s often used to steal corporate credentials or perform reconnaissance that can be used in later stages of an attack.

"Preventing breaches starts with having the right detections," said Yair Manor, CTO and co-founder of CardinalOps. "We’re honored to be collaborating with MITRE to strengthen ATT&CK in new ways that help the defender community. Our security research team benefits from the nation-state expertise that its members have developed during their careers. We’ll continue to leverage their insights to help organizations continuously assess and improve their detection posture using MITRE ATT&CK as the underlying framework."
