Fighting CEO Fraud

One of the perks of my job as a cloud architect and consultant at ProAct is that I get to see a lot of different environments at different clients. Most of them have one thing in common, though: they have seen an attempted, or even successful, case of CEO fraud in the last one or two years.
The impact of such a security breach can be big, with fraudulent transactions of up to hundreds of thousands of euros as a result. Since I’ve seen an increasing number of these cases in the past few months, I’ve decided to write up some pointers on how to stop these attacks, or at least minimize the impact.

Anatomy of CEO Fraud

The anatomy of CEO Fraud is fairly simple: an attacker starts with getting control over the mailbox of a high-placed (C-level) executive in the company. That’s where the name CEO fraud comes from, but it doesn’t mean only the CEO can be the target of these attacks. Any person in your organization with the rights to clear (big) payments is a potential target.
Once the attacker takes over the mailbox of his target, he uses this control to send an email to one of the finance employees in the organization, asking him/her to pay a (large) amount of money to some company or account, stating that this is an important payment that needs to be done immediately. Of course, the bank account to which this payment must be done belongs to the attacker (or a money mule recruited by the attacker).
The finance person making the payment might reply to the email to ask for clarification on the details or to confirm the payment. However, because the attacker has control over the mailbox, the answer to this email will be fraudulent as well, and the finance employee might be persuaded to make the payment.

Now that we know how the attack is performed, we can identify the steps at which we can improve security to prevent these attacks and minimize the impact.

Building intelligence

The first step for the attacker will be to build intelligence on the company he (or she, of course) will be targeting. He will be interested in the names and/or email addresses of people in interesting positions in the company. An important source of this information might be LinkedIn. Is your position in the company visible on LinkedIn or other social media to people not directly connected to you? It might be wise to change this. The same goes for your email address: if this is listed on social media (or perhaps even your corporate website?) it’s easy for an attacker to build intelligence on your account.
Listing email addresses on your corporate website might be a bad idea, except for general, non-personal email addresses. If you do list personal email addresses, for example for non-C-level accounts, an attacker can use this information (like the formatting of the address) to extrapolate the email address of highly placed persons in your company. If every person mentioned on your website has an email address based on ‘’, it’s likely your CEO will have one as well. To work around this, you could consider using a different policy for formatting the addresses of sensitive accounts within your organisation.

Harvesting credentials

Once intelligence on the company and the users has been built, the attacker will start actively targeting the account. One of the first steps will probably be to search for known passwords from previous breaches. You can use a service like Have I Been Pwned to check if accounts in your organisation are known from previous breaches. Of course, the best way to make sure a breach at some other website or service doesn’t impact the security of your work account is to never reuse your password across services. Create a strong, generated password that’s unique for each site or service you use, and store them in a password manager. I prefer 1Password, but you can choose any password manager that fits your needs.
Another way of harvesting credentials is a phishing mail that persuades the user to enter their credentials on a malicious site. Techniques like anti-phishing and safe links can secure your Office 365 organisation against these kinds of attacks.
Sometimes the account of a different user in your organisation will be used. If this account has a password that has been leaked, this breached account might be used to send a phishing mail directly to the account the attacker wants to take over. Because this mail will then originate from inside the company, the victim might be tricked sooner into clicking a link and filling out his or her credentials, because an email from inside the company will be trusted. Of course, you can adjust your anti-phishing and safe links policies accordingly.

Account take-over

If the account has been breached, the attacker will log on to the account with the credentials that were leaked. There is one simple way to prevent the attacker from logging in with these credentials: Use MFA.
I cannot state this enough: the use of multi-factor authentication is not optional anymore. MFA will prevent attacks like these in 99.9% of the cases, because the attacker will move on to attacking some other company that doesn’t have MFA enabled.
You can enable MFA in multiple ways. I prefer to use Conditional Access to make sure MFA is required for all logons to Office 365 related services, such as Exchange Online, SharePoint or Teams. When doing this using Conditional Access, as opposed to enabling MFA on a per-user basis, you make sure MFA is always applied to all services and accounts you require it for. Haven’t enabled MFA yet for your organisation? Do so now. Even if your credentials get stolen, the attacker will not be able to log on to your account because he doesn’t have the second factor, and the attack will stop right there, before any actual damage can be done.

Managing the mailbox

Once the attacker has access to the account (have I mentioned that you should enable MFA?), the next action will be to hide his actions from the actual account owner. The main reason is to make sure that any replies to the payment requests the attacker sends out will not be noticed by the account owner.
In my experience, there are two possible techniques being used here.

The first will be to set an automatic forward on the mailbox to some external (Gmail) address. While this will not hide the emails from the recipient (unless the forward is set to just forward and not leave the original mail in place), this will give the attacker insight into all incoming emails to this account, even if they lose access to the mailbox because the breach was detected.
You can block these kinds of forwards. It’s a good idea to do so, even if it might impact existing forwards that users have legitimately placed on their mailbox. What would be a good reason for a user to forward his or her email to, for example, a Gmail address? Hint: there isn’t any. Some users might argue that they use it to do some work at home, because they have access to their emails that way. That might be a good moment to educate them on the use of Outlook on the web, for example. To stop sensitive information from leaving your company’s control, you should just block automatic external forwarding. Microsoft has some good information on how to set this up. And they see this as a potential risk too, so soon this will be enabled by default.
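Before blocking, it helps to know which mailboxes already forward outside the organisation. The following is an added example, not code from the original post: it checks mailbox objects for an external forwarding address and reports whether the original message is kept. The function name, the `contoso.example` domain and the sample mailboxes are assumptions made for illustration.

```powershell
# Added example: flag mailbox-level forwarding that leaves the organisation.
# Input objects use the Get-Mailbox properties UserPrincipalName,
# ForwardingSmtpAddress and DeliverToMailboxAndForward.
function Find-ExternalForward {
    param(
        [Parameter(Mandatory)] [object[]] $Mailbox,
        [Parameter(Mandatory)] [string[]] $InternalDomain
    )
    foreach ($mbx in $Mailbox) {
        $target = [string]$mbx.ForwardingSmtpAddress
        if ([string]::IsNullOrWhiteSpace($target)) { continue }
        # The value is stored as "smtp:user@domain"; strip the prefix.
        $address = $target -replace '^smtp:', ''
        $domain  = ($address -split '@')[-1]
        if ($InternalDomain -contains $domain) { continue }
        [pscustomobject]@{
            Mailbox       = $mbx.UserPrincipalName
            ForwardsTo    = $address
            # False: mail is forwarded only, the owner never sees the original.
            KeepsOriginal = [bool]$mbx.DeliverToMailboxAndForward
        }
    }
}

# Constructed sample data (hypothetical tenant, not real mailboxes).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'ceo@contoso.example'
        ForwardingSmtpAddress = 'smtp:copy.box@mail.example'; DeliverToMailboxAndForward = $true }
    [pscustomobject]@{ UserPrincipalName = 'cfo@contoso.example'
        ForwardingSmtpAddress = 'smtp:other.box@mail.example'; DeliverToMailboxAndForward = $false }
    [pscustomobject]@{ UserPrincipalName = 'intern@contoso.example'
        ForwardingSmtpAddress = 'smtp:manager@contoso.example'; DeliverToMailboxAndForward = $true }
    [pscustomobject]@{ UserPrincipalName = 'clerk@contoso.example'
        ForwardingSmtpAddress = $null; DeliverToMailboxAndForward = $false }
)

# Reports ceo@ and cfo@; the internal forward and the empty one are skipped.
Find-ExternalForward -Mailbox $sample -InternalDomain 'contoso.example' |
    Format-Table -AutoSize
```

In a connected Exchange Online PowerShell session, the output of `Get-Mailbox -ResultSize Unlimited` can be passed as `-Mailbox` in place of the sample data.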

Another option is the use of Inbox Rules: the attacker creates a rule on the compromised mailbox, setting it to target emails from the other person in the conversation about the fraudulent payment and/or emails containing (part of) the subject of this mail thread. These emails will then be marked as ‘read’ upon arrival and moved to a subfolder of the inbox; mostly the RSS-Feeds folder, which would probably never be checked by the user.
In most cases you don’t want to block these inbox rules. There are some pretty good legitimate use cases for them. You can, however, monitor the creation of these rules and set things up so you are alerted every time a rule gets created. This way, you can quickly investigate whether this is a legitimate rule or one created by an attacker, and quickly identify that an account has been breached so you can take appropriate action. To do this, you can use the alert policies from the compliance center in Office 365.
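When an alert fires, the rule still has to be judged. The following is an added example, not code from the original post: it triages inbox rule objects for the pattern described above (a rule aimed at one sender or subject that marks mail as read and moves it to a rarely opened folder), and it goes slightly beyond the text by also flagging rules that forward to an external domain. The function name, folder list and sample rules are assumptions.

```powershell
# Added example: triage inbox rules. Objects use Get-InboxRule property names.
function Find-SuspiciousInboxRule {
    param(
        [Parameter(Mandatory)] [object[]] $Rule,
        [Parameter(Mandatory)] [string[]] $InternalDomain
    )
    # Folders a user rarely opens (assumed list; the article names RSS feeds).
    $quietFolder = 'RSS Feeds', 'RSS-Feeds', 'Conversation History', 'Junk Email', 'Deleted Items'
    foreach ($r in $Rule) {
        $reasons = @()
        # A sender or subject condition means the rule targets one conversation.
        $targeted = [bool]($r.From -or $r.SubjectContainsWords -or $r.SubjectOrBodyContainsWords)
        if ($r.MarkAsRead -and $r.MoveToFolder) { $reasons += 'marks as read and moves' }
        if ($r.MoveToFolder -and ($quietFolder -contains $r.MoveToFolder)) {
            $reasons += "moves to rarely opened folder '$($r.MoveToFolder)'"
        }
        if ($r.DeleteMessage -and $targeted) { $reasons += 'deletes mail from one sender or thread' }
        # Forward targets can be written as '"Name" [SMTP:user@domain]'.
        $targets = @($r.ForwardTo) + @($r.RedirectTo) + @($r.ForwardAsAttachmentTo)
        foreach ($t in $targets) {
            if ("$t" -match '@([A-Za-z0-9.-]+)' -and $InternalDomain -notcontains $Matches[1]) {
                $reasons += "sends copies to external domain $($Matches[1])"
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Rule = $r.Name; Targeted = $targeted; Reasons = $reasons -join '; ' }
        }
    }
}

# Constructed sample rules (hypothetical, not taken from a real incident).
$sampleRules = @(
    [pscustomobject]@{ Name = '.'; From = 'clerk@contoso.example'
        SubjectContainsWords = 'payment'; MarkAsRead = $true; MoveToFolder = 'RSS Feeds' }
    [pscustomobject]@{ Name = 'Newsletters'; From = 'news@vendor.example'
        MarkAsRead = $false; MoveToFolder = 'Newsletters' }
    [pscustomobject]@{ Name = 'copy'; ForwardTo = '"box" [SMTP:box@mail.example]' }
)

# Flags '.' (two reasons, targeted) and 'copy' (external forward);
# the newsletter rule is left alone.
Find-SuspiciousInboxRule -Rule $sampleRules -InternalDomain 'contoso.example' |
    Format-List
```

For a live mailbox, the output of `Get-InboxRule -Mailbox <address>` can be passed as `-Rule` in place of the sample rules.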

Social interaction

This is the one that stopped the most attacks I’ve been asked to investigate: the finance employee being triggered to check with his or her superior (or the CEO themselves) if the request to make the payment is actually correct. And not by just sending an email, but by walking up to them or, if that’s not possible, picking up the phone and giving them a call.
This is something that should come with your company culture and the awareness of your users. It’s a good idea to train them on this and communicate this regularly.

Summing up

Preventing or mitigating these attacks comes down to a few steps: prevent attackers from building too much intelligence on your company. Use MFA. Keep your credentials safe by not reusing them and choosing strong passwords. Use MFA. Prevent phishing attacks by using anti-phishing and safe links policies within Office 365. Use MFA. Block or monitor the creation of forwarding rules or inbox rules on your mailboxes. Oh, and have I mentioned you should enable MFA?

Get started with these steps today. Most of them you can activate for free with your Office 365 subscription, and they don’t cost much time to implement, but they give you a better security posture against CEO-fraud-like attacks!