Dangers of the Supply Chain - Zero Trust Mindset


Description of zero-trust phishing attacks

In recent weeks, the Information Security Team have noted a significant increase in email supply chain attacks targeting the University.

These attacks are a dangerous form of phishing whereby an attacker will either impersonate or compromise the email account of a known supplier or associate.

For example, you receive an email from a known service provider with the usual invoice attached. However, the account has been compromised and the invoice has been edited with fraudulent payment details.

In addition to financial fraud, the goal of these attacks can include account theft, unauthorised access to data, or deployment of ransomware.

The consequences to organisations and individuals can be devastating.

Below we explore some of the techniques used by attackers and what you can do to help stop them.

How the attack works:

Email supply chain attacks are generally carried out in one of two ways:

  • Impersonation – The attacker conducts research on the target organisation to identify relationships between businesses or individuals.

These can be relationships with suppliers or internal relationships such as employee/line manager or members of the same team.

Once a relationship is identified, the attacker will create a free email account, set the display name to match the person they are impersonating, and email the target. The content of the initial email will usually be vague, such as asking if the recipient is free.

If a response is received, the attacker knows the recipient has not noticed the spoof and can now conduct their attack.

This type of attack is known as “Spoofing”. You can read more on this in our previous article here. 

  • Account Compromise – Exploiting compromised accounts belonging to smaller businesses or individuals (who may not have the budget or ability to use advanced cyber defence tools) can allow attackers to circumvent the defences of larger organisations.

The attacker may not immediately have a plan for the compromised account; however, once inside they can access all historical email conversations and related attachments. This allows them to research any significant email chains.

In particular, they will be looking for anything related to payments or billing, potentially with attached invoices. Once an appropriate email chain is found, they can amend payment details on genuine invoices and reply directly to existing email chains, as a known and trusted previous contact of the recipient.

This trust can also be exploited in other ways, such as convincing the recipient to provide information/data or to download malware.

Attackers will hide their presence in the compromised mailbox by creating inbox rules to hide any replies from the genuine mailbox owner. 
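The two patterns described above (a known contact's display name on an address that is not theirs, and inbox rules that quietly hide replies or payment-related mail) are both detectable with simple checks. The following is an added example, not code from the original bulletin or from the University's security team: it runs two defender-side checks over constructed sample data. The contact directory, the free-webmail domain list, and the rule export format (a list of dicts with `conditions` and `actions`) are all assumptions for illustration.

```python
"""
Added example (not part of the original bulletin).

Two defender-side checks for the techniques described above:
  1. Display-name impersonation: the From display name matches a known
     contact, but the address is not one that contact is known to use.
  2. Hidden-reply inbox rules: mailbox rules that delete or file out of sight
     messages matching payment keywords, replies from particular senders, or
     every incoming message.

All contacts, addresses, domains and the rule export schema are constructed.
"""
from email.utils import parseaddr

# Constructed directory of known contacts: display name -> known addresses.
KNOWN_CONTACTS = {
    "Jane Smith": {"jane.smith@example-supplier.test"},
    "Finance Team": {"finance@example-university.test"},
}

# Constructed list of free webmail providers (throwaway accounts are typically
# registered with one of these).
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Subject terms that suggest a rule is aimed at billing conversations.
PAYMENT_KEYWORDS = ("invoice", "payment", "bank", "remittance", "account details")

# Rule actions that keep a message out of the mailbox owner's sight.
# These action names are a hypothetical export schema, not a real API.
HIDING_ACTIONS = {"delete", "move_to_deleted_items", "move_to_rss_feeds",
                  "move_to_archive", "mark_read"}


def check_display_name(from_header, known=KNOWN_CONTACTS):
    """Return findings for a raw From header value ('' -> no findings)."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.strip().lower()
    # Case-insensitive lookup of the display name against the directory.
    known_lower = {n.lower(): {a.lower() for a in addrs} for n, addrs in known.items()}
    findings = []
    if name in known_lower and addr not in known_lower[name]:
        findings.append(f"display name '{name}' matches a known contact but "
                        f"address {addr} is not on file for them")
        domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
        if domain in FREEMAIL_DOMAINS:
            findings.append(f"sender uses free webmail domain {domain}")
    return findings


def check_inbox_rules(rules):
    """Return one finding per rule that hides mail in a suspicious way.

    Each rule is a dict: {"name": str, "conditions": {...}, "actions": [str]}.
    """
    findings = []
    for rule in rules:
        actions = {a.lower() for a in rule.get("actions", [])}
        if not actions & HIDING_ACTIONS:
            continue  # files mail somewhere visible; not a hiding pattern
        conds = rule.get("conditions") or {}
        terms = [t.lower() for t in conds.get("subject_contains", [])]
        reasons = []
        if not conds:
            reasons.append("applies to every incoming message")
        if any(k in t for t in terms for k in PAYMENT_KEYWORDS):
            reasons.append("targets payment/invoice subjects")
        if conds.get("from"):
            reasons.append("targets replies from specific senders")
        if not rule.get("name", "").strip(" ."):
            reasons.append("rule name is blank or only punctuation")
        if reasons:
            findings.append(f"rule {rule.get('name')!r} hides mail: " + "; ".join(reasons))
    return findings


# Constructed sample rule export (hypothetical schema).
SAMPLE_RULES = [
    {"name": "Newsletters", "conditions": {"subject_contains": ["newsletter"]},
     "actions": ["move_to_folder:Newsletters"]},
    {"name": ".", "conditions": {"subject_contains": ["invoice", "payment"]},
     "actions": ["mark_read", "move_to_rss_feeds"]},
    {"name": "Cleanup", "conditions": {}, "actions": ["delete"]},
]

if __name__ == "__main__":
    for hdr in ('"Jane Smith" <jane.smith@example-supplier.test>',
                '"Jane Smith" <janesmith.accounts@gmail.com>'):
        print(hdr, "->", check_display_name(hdr) or "ok")
    for finding in check_inbox_rules(SAMPLE_RULES):
        print(finding)
```

The display-name check only fires when a name in the directory arrives from an address that is not on file, so a legitimate contact who happens to use webmail is not flagged; the rule check ignores rules that file mail into a visible folder and only reports hiding rules that are broad, payment-related, sender-specific, or deliberately unnamed.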

How you can help prevent an attack: 

  • Trust no one!
    • Be extremely cautious of any emails requesting payments of any kind, even if they are from colleagues or other previous contacts.
    • Be particularly wary if the sender tries to create a sense of urgency, even if the email is from an authority figure.
    • Look out for any old email conversations being resurrected; this may be an attempt to abuse trust. 
  • Use the official Microsoft Authenticator App for MFA:
    • Several second-factor authentication methods are available, including phone call and SMS message codes. However, using the official Microsoft Authenticator app affords greater protection by providing detailed information on the person attempting to access your account, including location. This allows account owners to verify or deny login attempts with greater confidence.
    • It also provides number matching, which requires you to enter a number displayed on the login screen into the application. This helps to prevent attackers from exploiting MFA fatigue.
    • Never accept an unexpected MFA prompt. 
  • Report any suspected compromise immediately:
    • This will help us prevent the situation escalating further. 

See our previous article on the Anatomy of a Phish, detailing a successful phishing attack against the University.

For further guidance, see our previous news bulletins on Phishing, Social Engineering, Malware, and Passwords.