As the prevalence of Software-as-a-Service (SaaS) and multi-factor authentication (MFA) as a primary vector of attack continues across a variety of organizations and of every size in multiple industries, it is more important now than ever for organizations to utilize every tool at their disposal to mitigate account compromise at the earliest possible stage. 

Having incident response is helpful, but when depending on human analysts to react to and appropriately respond to a huge variety of threats there will no doubt be gaps and those gaps can lead to disaster. Having not only an automated response capability, but an intelligent autonomous decision maker which can respond and actively escalate actions as events unfold is paramount to preventing compromise.

In November 2022, Darktrace responded in real time to a threat actor that had gained access to a customer email account and created a new email rule in an attempt to conceal their activity, all while sending their own outbound malicious emails. 

This blog explores how Darktrace uses autonomous response (RESPOND) technology to instantaneously stop the hijacking of a customer SaaS account, without causing any major disruption to their business operations.

Details of Attack Chain

The initial compromise took place when a threat actor logged in from Florida, United States, an unusual location compared to the account holder’s expected login location in the United Arab Emirates. Just over an hour later, a new email rule was created from the same unusual IP address. This rule moved all emails originating from alansari[.]ae, a domain associated with a money transfer service that the account holder had occasionally used, into the “Conversation History” folder and marked them as read. Thereafter, the user began to receive malicious spoof emails purporting to be from alansari[.]ae. This example of social engineering highlights a low effort, high yield method many threat actors employ which relies on the trust of users in known correspondents and services, making it harder to identify and mitigate spoofing in phishing.

This anomalous activity triggered an Enhanced Monitoring model, whereupon the Darktrace SOC team sent a Proactive Threat Notification (PTN) to the customer, alerting the security team to this attempted account compromise. Darktrace RESPOND automatically forced the user to log out and subsequently disabled the account, while the Darktrace SOC team assessed the incident and liaised with the customer. These two actions performed in tandem added immense value for the security team who were given time to further investigate this incident while preventing further abuse of the compromised account. RESPOND was able to analyze the pattern of behavior and escalate its action in accordance with the specifics of the observed attack instantaneously, which could have taken human teams’ hours of analysis.

The Darktrace SOC team determined that the purpose of this email rule creation was to conceal legitimate incoming emails from the money transfer service, while sending spoofed emails to induce the account holder to send money to the threat actor. 

Three days after the initial compromise, Darktrace observed one such spoofed email claiming to be from alansari[.]ae. However, it was immediately placed in the junk folder by Darktrace RESPOND, again demonstrating the effectiveness and immediacy of autonomous RESPOND actions. Given the account holder had a history of receiving emails from the money transfer service, it is likely that without the instant and autonomous actions of Darktrace RESPOND they may have fallen victim to the attacker’s attempt. 

Conclusion

Ultimately, Darktrace RESPOND demonstrated its automated response capabilities and its autonomous decision allowed it to detect and respond to an account compromise at the initial compromise stage, preventing the attacker from stealing funds from the account holder. 

By enabling autonomous response, the human security team was freed up to provide deeper investigation into the incident and mitigation, while ensuring the threat actor was not able to further exploit the privileges of the account.

Although this compromise focused on funds being embezzled from an individual, this intrusion could have easily escalated to a more widespread breach of client data. Safeguarding customer networks requires rapid response and an intelligent decision maker able to respond to ongoing incidents and escalate actions at the earliest stage. 

The Darktrace suite of products, including RESPOND and its dedicated SOC team and services, provides autonomous and instantaneous protection from attackers before they can leverage compromised accounts to further penetrate a network, or exfiltrate sensitive company data. 

Credit to: Brianna Leddy, Director of Analysis and Lydiane-Ashley Belle, Cyber Security Analyst.