Adversary (Attacker)

Arctic Wolf's Platform

Arctic Wolf Triage Team

Arctic Wolf Customer

Arctic Wolf Concierge Security Team

Business Email Compromise

Incident Response Timeline

TIME TO DETECT: 19 MINUTES

Join us for our latest real-world incident timeline launch as we walk you through an email account takeover at a customer in the manufacturing industry. The Arctic Wolf team detected the attacker in only 19 minutes, with the dedicated team of security experts investigating and alerting the customer in less than 10 minutes.
SOURCE:

Adversary 12:57pm

Attack begins on [CUSTOMER], with the attacker leveraging previously stolen [USER1] credentials acquired via a phishing email. The attacker pushes a Duo multifactor authentication request to [User1].
Not aware of the consequences, [User1] accepts the Duo multifactor push from the attacker.
The attacker uses the successful login to establish ActiveSync with [User1]’s mailbox.
ActiveSync synchronizes emails, calendar, contacts and tasks between a server, desktop, or mobile device.
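
The sequence described above (an MFA push approved, then a new ActiveSync partnership on the same mailbox) can be correlated in logs. The following is an added example, not Arctic Wolf's detection logic or code from the original page; the event types, field names, per-user baselines and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events. Event types and field names are hypothetical,
# not the schema of Duo, Exchange or the Arctic Wolf Platform.
EVENTS = [
    {"ts": "2024-01-15T12:41:00", "user": "user2", "type": "mfa_push_approved", "ip": "192.0.2.10"},
    {"ts": "2024-01-15T12:43:00", "user": "user2", "type": "activesync_device_added", "device": "PHONE-A"},
    {"ts": "2024-01-15T12:57:05", "user": "user1", "type": "mfa_push_approved", "ip": "203.0.113.50"},
    {"ts": "2024-01-15T12:58:40", "user": "user1", "type": "activesync_device_added", "device": "UNKNOWN-1"},
    {"ts": "2024-01-15T13:05:00", "user": "user4", "type": "mfa_push_approved", "ip": "198.51.100.9"},
    {"ts": "2024-01-15T15:30:00", "user": "user4", "type": "activesync_device_added", "device": "TABLET-9"},
]
# Constructed per-user baselines (assumed to come from historical logs).
KNOWN_IPS = {"user1": {"192.0.2.20"}, "user2": {"192.0.2.10"}, "user4": {"192.0.2.40"}}
KNOWN_DEVICES = {"user1": {"PHONE-B"}, "user2": {"PHONE-A"}, "user4": set()}


def find_suspicious_syncs(events, known_ips, known_devices, window=timedelta(minutes=15)):
    """Flag a never-seen ActiveSync device added within `window` of an MFA
    push that was approved from an IP outside the user's baseline."""
    last_odd_mfa = {}  # user -> (time, ip) of latest approval from an unfamiliar IP
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "mfa_push_approved":
            if ev["ip"] not in known_ips.get(user, set()):
                last_odd_mfa[user] = (ts, ev["ip"])
        elif ev["type"] == "activesync_device_added":
            if ev["device"] in known_devices.get(user, set()):
                continue  # re-sync of an already enrolled device
            prior = last_odd_mfa.get(user)
            if prior and ts - prior[0] <= window:
                alerts.append({
                    "user": user,
                    "device": ev["device"],
                    "mfa_ip": prior[1],
                    "gap_seconds": int((ts - prior[0]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_syncs(EVENTS, KNOWN_IPS, KNOWN_DEVICES):
        print(alert)
```

Only the user1 pair is flagged: user2 approves from a baseline IP and re-syncs a known device, and user4's new device appears well outside the 15-minute window.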

The impact of Email Account Takeover

Organizations rely on email to conduct business, communicate, share information and set meetings on a daily basis. Email account compromise is an unsettlingly common method of attack and can have a huge impact on your business.
Business e-mail compromise attacks have already cost U.S. businesses at least $1.6 billion in losses from 2013 to the present. According to the *Federal Bureau of Investigation, that number could easily be as high as $5.3 billion around the world. 
*FBI.gov

SOURCE:

DUO 12:57pm

The Arctic Wolf Platform logs MFA successful for [USER1] with Duo as the source.
Cisco's Duo provides multi-factor authentication but relies on the end user to only accept legitimate authentication events.

Account takeover incidents as a share of fraudulent activity in the financial services industry alone rose by 19 percentage points in 2020 compared with 2019, according to new figures from *Kaspersky.
*usa.kaspersky.com