E-mail compromise

Understanding the implications and options for remediation

Cyber-attacks targeting business email accounts continue to rise, particularly for organizations using cloud email systems. These compromises can lead to wire fraud, phishing of other internal employees or vendors and, most importantly, exposure of sensitive data held within the email environment.

With the recent adoption of new privacy regulations such as GDPR, time is of the essence when responding to these types of incidents. Beyond GDPR, managing the cost of an investigation can be a burden to an organization given the number of unknowns at the outset.

In response to the many challenges that organizations are facing, KPMG has developed a platform that streamlines the collection, analysis and reporting for these investigations. This approach enables organizations to gain important insight quickly and at more predictable costs.

Let’s take a look at a common scenario...

Andrea received a company email that appeared to contain a link to download a file from SharePoint. After clicking the link and entering her credentials, Andrea quickly realized she had been phished and her credentials had been stolen. Andrea contacted the help desk, and they promptly reset her password, helping to remediate the situation.

What sounds like a minor issue poses significant risks:

  • Did other users in the company also receive a similar phishing email? If so, how do you determine which individuals actually clicked on the link?
  • What files and emails did the attacker access, or was the entire mailbox downloaded?
  • Did the attacker send any emails or create any malicious rules?

How can KPMG help you?

  • Upon being given access to a company’s email environment, KPMG will collect all available logs.
  • These logs are then automatically indexed and enriched using Elasticsearch®.
  • This gives the examiner the ability to search for, or create visualizations of, specific indicators of compromise within the Elasticsearch® database.
  • After processing has been completed, a report is automatically generated that summarizes common data points such as:
    • Successful, failed and suspicious logins
    • How users are logging in (e.g. from the web or using Outlook)
    • New rules created
    • Files accessed/viewed/downloaded in SharePoint
    • Files accessed/viewed/downloaded in Yammer
    • Search and compliance activity (eDiscovery searches)
    • Admin activity (user accounts created, permissions/role changes)
    • Messages/folders opened

This information can help answer questions like how the compromise occurred, what users were impacted, and what data was potentially at risk.
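As an added example (not KPMG's platform or code from this page), the reporting step above carried out in Python over a handful of constructed audit records: activity is bucketed per user into the report's categories, and successful logins are flagged as suspicious when they come from an unknown address or from an address that also created an inbox rule. The record layout, operation names and the corporate IP set are assumptions, loosely modelled on a cloud email platform's unified audit log.

```python
import json
from collections import Counter, defaultdict

# Constructed sample audit records; field and operation names are assumptions.
SAMPLE_LOG = """\
{"CreationTime":"2023-05-01T08:02:11","UserId":"andrea@example.com","Operation":"UserLoginFailed","ResultStatus":"Failed","ClientIP":"198.51.100.7","Workload":"Exchange"}
{"CreationTime":"2023-05-01T08:02:30","UserId":"andrea@example.com","Operation":"UserLoggedIn","ResultStatus":"Succeeded","ClientIP":"198.51.100.7","Workload":"Exchange"}
{"CreationTime":"2023-05-01T08:05:40","UserId":"andrea@example.com","Operation":"New-InboxRule","ResultStatus":"Succeeded","ClientIP":"198.51.100.7","Workload":"Exchange"}
{"CreationTime":"2023-05-01T08:07:02","UserId":"andrea@example.com","Operation":"FileDownloaded","ResultStatus":"Succeeded","ClientIP":"198.51.100.7","Workload":"SharePoint"}
{"CreationTime":"2023-05-01T09:15:00","UserId":"bob@example.com","Operation":"UserLoggedIn","ResultStatus":"Succeeded","ClientIP":"203.0.113.20","Workload":"Exchange"}
{"CreationTime":"2023-05-01T09:16:10","UserId":"bob@example.com","Operation":"MailItemsAccessed","ResultStatus":"Succeeded","ClientIP":"203.0.113.20","Workload":"Exchange"}
"""

# Constructed: the organization's known egress addresses (an assumption).
KNOWN_CORPORATE_IPS = {"203.0.113.20"}

# Map raw operations onto the summary buckets the report is built around.
BUCKETS = {
    "UserLoggedIn": "successful_logins",
    "UserLoginFailed": "failed_logins",
    "New-InboxRule": "new_rules",
    "FileDownloaded": "sharepoint_files",
    "MailItemsAccessed": "messages_opened",
}


def summarize(log_text, known_ips=KNOWN_CORPORATE_IPS):
    """Count per-user activity by bucket and flag suspicious logins.

    A successful login is flagged when its source address is outside the
    known corporate set, or when that same address created an inbox rule
    for the user (a common post-compromise persistence step).
    """
    records = [json.loads(ln) for ln in log_text.splitlines() if ln.strip()]
    counts = defaultdict(Counter)
    rule_ips = defaultdict(set)  # user -> addresses that created rules
    for r in records:
        bucket = BUCKETS.get(r["Operation"])
        if bucket:
            counts[r["UserId"]][bucket] += 1
        if r["Operation"] == "New-InboxRule":
            rule_ips[r["UserId"]].add(r["ClientIP"])
    suspicious = defaultdict(list)
    for r in records:
        if r["Operation"] != "UserLoggedIn":
            continue
        user, ip = r["UserId"], r["ClientIP"]
        if ip not in known_ips or ip in rule_ips[user]:
            suspicious[user].append((r["CreationTime"], ip))
    return {u: {"counts": dict(counts[u]), "suspicious_logins": suspicious[u]}
            for u in counts}
```

In practice the same bucketing is what a search index like Elasticsearch® would aggregate over the full log set; the function here keeps it in memory so the logic can be read in one place.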
