Business Email Compromise
Incident Response Timeline. Time to detect: 19 minutes
Join us for our latest real-world incident timeline as we walk through an email account takeover at a customer in the manufacturing industry: how the Arctic Wolf team detected the attacker in only 19 minutes, and how our dedicated team of security experts investigated and alerted the customer in less than 10 minutes.
Source: Adversary, 12:57
The attack begins on [CUSTOMER], with the attacker leveraging previously stolen [User1] credentials acquired via a phishing email. The attacker pushes a Duo multifactor authentication request to [User1].
Not aware of the consequences, [User1] accepts the Duo multifactor push from the attacker.
The attacker uses the successful login to establish ActiveSync with [User1]'s mailbox.
ActiveSync synchronizes email, calendar, contacts and tasks between a server and a desktop or mobile device.
The impact of Email Account Takeover
Organizations rely on email to conduct business, communicate, share information and set meetings on a daily basis. Email account compromise is an unsettlingly common attack method and can have a huge impact on your business.
Business email compromise attacks have already cost U.S. businesses at least $1.6 billion in losses from 2013 to the present. According to the Federal Bureau of Investigation, that number could easily be as high as $5.3 billion around the world.
Source: FBI.gov
Source: Duo, 12:57
The Arctic Wolf Platform logs a successful MFA event for [User1] with Duo as the source.
Cisco's Duo provides multi-factor authentication but relies on the end user to accept only legitimate authentication requests.
Account takeover incidents as a share of fraudulent activity in the financial services industry alone rose by 19 percentage points in 2020 compared with 2019, according to new figures from Kaspersky.
Source: usa.kaspersky.com
19 minutes since initial activity:
Attacker Active, 13:16
The attacker opens the existing calendar event "Best Practises Training" and updates it with their own information.
The attacker begins adding forward and delete rules to the [User1] inbox.
The FBI defines five major types of BEC scams:
- CEO Fraud: Attackers pose as the CEO or an executive of the company and typically email an individual within the finance department, requesting that funds be transferred to an account controlled by the attacker.
- Account Compromise: An employee's email account is hacked and used to request payments to vendors.
- False Invoice Scheme: Attackers act as if they are the supplier and request fund transfers to fraudulent accounts.
- Attorney Impersonation: The attacker impersonates a lawyer or legal representative. Lower-level employees are commonly targeted by these attacks.
- Data Theft: Attacks target HR employees in an attempt to obtain personal or sensitive information about individuals within the company, such as the CEO and executives. This data can then be leveraged for future attacks such as CEO fraud.
Source: FBI.gov
Source: Office 365 Logs, 13:16
The Platform escalates the incident after seeing rules being added and deleted on the [User1] account.
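The escalation trigger above, as an added example that is not Arctic Wolf's code: a small Python detector that walks Office 365 audit records for New-InboxRule and Set-InboxRule operations and flags rules that forward mail to an external address or delete it. The sample records are constructed, and the record layout (Operation, UserId, CreationTime, Parameters as Name/Value pairs) is an assumption about the Unified Audit Log format.

```python
"""Flag inbox rules that forward mail out or hide it, from Office 365 audit records.
Added example, not Arctic Wolf's code. SAMPLE is constructed to mirror the shape of
Unified Audit Log New-InboxRule entries; the field names are assumptions."""
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Parameters that send mail elsewhere, or folders that keep the owner from seeing it.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDDEN_FOLDERS = {"Deleted Items", "RSS Subscriptions", "Archive", "Junk Email"}

def params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def rule_findings(record, internal_domain):
    """Return the reasons one audit record looks like BEC persistence (empty if none)."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p = params(record)
    reasons = []
    for name in sorted(FORWARD_PARAMS.intersection(p)):
        if not p[name].lower().endswith("@" + internal_domain):
            reasons.append(f"{name} sends mail to external address {p[name]}")
    if p.get("DeleteMessage") == "True":
        reasons.append("DeleteMessage hides matching mail from the owner")
    if p.get("MoveToFolder") in HIDDEN_FOLDERS:
        reasons.append(f"MoveToFolder buries mail in {p['MoveToFolder']}")
    return reasons

def detect(records, internal_domain):
    """Return (time, user, rule name, reasons) for each suspicious rule, oldest first."""
    hits = []
    for r in sorted(records, key=lambda rec: rec["CreationTime"]):
        reasons = rule_findings(r, internal_domain)
        if reasons:
            hits.append((r["CreationTime"], r["UserId"],
                         params(r).get("Name", "?"), reasons))
    return hits

# Constructed sample: a benign filing rule, then a forward-and-delete rule of the
# kind the timeline describes being added to [User1]'s inbox at 13:16.
SAMPLE = [
    {"CreationTime": "2021-01-01T13:10:02", "UserId": "user1@example.com",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2021-01-01T13:16:41", "UserId": "user1@example.com",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "invoices@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
]
```

Calling `detect(SAMPLE, "example.com")` returns only the second rule, with both the external forward and the delete action as reasons; a single-character rule name like "." is itself a common sign of a rule meant to go unnoticed.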
Triage Team Takes Action:
Investigation Begins, 13:18
The Arctic Wolf Triage Team begins an investigation into [User1] activity.
The Arctic Wolf Triage Team provides 24x7 alert triage and investigation. When an alert is generated by the Arctic Wolf Platform, the Triage Team responds in priority order.
Active Attack:
Ongoing Investigation, 13:22
The attacker uploads phishing PDFs to OneDrive, intending to email them to the calendar invite attendees.
Attacker's Motive
Once attackers gain legitimate access to their target's email account, the amount of information they can reach is dangerous: email, calendar, key meetings with suppliers or customers, corporate directories, and shared files.
Attacker's Access
Attackers maintain access by creating email forwarding rules or changing account permissions, so they can closely monitor the target and craft convincing attacks that mimic normal business correspondence.
Security journey with our Concierge Security Team
The Concierge Security Team works with the customer to check log data for any customer users accessing the phishing PDF. CST confirms that remediation took place before any users accessed the PDF. CST assists the customer in remediating the actions taken by the adversary.
With a complete understanding of your unique IT environment, the Arctic Wolf® Concierge Security® Team (CST) provides your team with coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.