Let me unravel an example email mystery for you. How did Bob from "Company A" get an email from Pat at "Company B" with bogus payment details?
Let me introduce you to Bob (from "Company A") and Pat ("Company B"). On Wednesday Bob received an email from Pat with a list of invoice reminders and an attached PDF containing new payment details. Bob paid the outstanding invoices.
In the following days Pat sends an email to Bob asking about the outstanding invoices. Bob replies that the payments have been made to "Company B". Pat disagrees, checks the bank, and finds that no payments were made by "Company A".
Bob insists that he followed the new payment instructions in Pat’s email on Wednesday. Pat is a little confused, as he sent the email on Tuesday and didn’t attach payment instructions.
Bob reports that he only received the email on Wednesday and forwards it to Pat. Pat notices the email “From” shows his email address and the content looks similar, but it has an unfamiliar PDF attachment with payment instructions which are not "Company B"’s.
Bob is indignant: this is Pat’s fault, Pat’s email systems must have been compromised, and Pat needs to do something to rectify the situation.
Pat can see the email Bob received does look like it came from him. He is concerned that his mail systems have been compromised and asks his IT Support team to take a look.
IT Support performed the following:
Reset the password associated with Pat’s email account.
Arranged additional security / virus scans: nothing found.
Checked the outbound email logs and noted the email sent from Pat to Bob on Tuesday, but nothing on Wednesday.
Checked the access / audit logs for Pat’s account and noticed no suspicious access attempts based on IP.
IT Support examined the header of the email Bob received and noticed the following:
The “From” value is Pat’s email address.
The “Reply To” address was not Pat’s email address.
The server used to send the email was not the one used by "Company B".
The header shows a Sender Policy Framework (SPF) lookup performed against Pat’s "Company B" SPF record for the server that sent the email. The result records that server as not being an authorised source for "Company B" email.
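The checks IT Support made on the header can be automated. The following is an added example (not part of the original article) that parses a constructed message resembling the one Bob received and flags a Reply-To domain that differs from the From domain and a non-pass SPF verdict recorded in the receiving server’s Authentication-Results header; all addresses, host names and IPs are placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message: "From" shows Pat's address, "Reply-To" does not,
# and the receiving server recorded an SPF failure for the sending host.
# Every address, host and IP below is a placeholder, not a real value.
RAW_MESSAGE = """\
Received: from mail.relay.invalid (mail.relay.invalid [203.0.113.25])
\tby mx.company-a.example with ESMTP; Wed, 1 Jan 2020 09:15:00 +0000
Authentication-Results: mx.company-a.example;
\tspf=fail (sender IP is 203.0.113.25) smtp.mailfrom=company-b.example
From: Pat <pat@company-b.example>
Reply-To: pat.companyb@freemail.invalid
To: Bob <bob@company-a.example>
Subject: RE: Outstanding invoices - updated payment details

Please find updated payment details attached.
"""

def header_domain(msg, name):
    """Return the lowercase domain of the address in header `name`, or None if absent."""
    _, addr = parseaddr(str(msg.get(name, "")))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def spf_result(msg):
    """Return the spf= verdict the receiving server wrote into Authentication-Results, or None."""
    for auth in msg.get_all("Authentication-Results", []):
        for clause in str(auth).replace("\n", " ").split(";"):
            clause = clause.strip()
            if clause.startswith("spf="):
                return clause.split()[0].split("=", 1)[1].lower()
    return None

def analyse(raw):
    """Return the warning signs found in a raw RFC 5322 message, as short tags."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = header_domain(msg, "From")
    reply_dom = header_domain(msg, "Reply-To")
    # A Reply-To pointing somewhere other than the From domain diverts Bob's replies.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{from_dom}->{reply_dom}")
    # Anything other than spf=pass means the sending server is not an authorised source.
    spf = spf_result(msg)
    if spf and spf != "pass":
        findings.append(f"spf-{spf}")
    return findings
```

A message that trips either check warrants the same scrutiny IT Support applied here before any payment details in it are acted on.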
We know there is no suspicious activity on Pat’s account and that the email Bob received did not come from Pat, so where did it come from, and who or what has been compromised?
Bob’s "Company A" email account has been compromised and, in addition, "Company A" is not enforcing email filtering. A nefarious individual (we’ll call him Frank) compromised Bob’s email account through a phishing email several days before Pat’s email arrived.
Once Frank compromised Bob’s mailbox he was free to browse all existing email and to set up new inbox rules that move email containing words such as “Invoice”, “Payment” etc. to another folder in Bob’s mailbox and send a copy to Frank externally, so Bob never gets to see these emails.
When Frank sees the email from Pat on Tuesday he logs into Bob’s account, deletes the inbox rule and amends Pat’s email, adding the PDF with the bogus payment details.
Frank sends this altered email to Bob on Wednesday via a poorly secured email server in Uzbekistan which accepts the spoofed email addresses in the header.
Bob views his email on Wednesday, believes it is from Pat, and pays the value of the outstanding invoices to the banking / payment details provided by Frank.
The above is one variation of fraud using email as a medium that we see quite frequently. When considering the security of email, sending, receiving and general access to mailboxes should all be considered. We have seen examples where emails were captured, altered and placed back into a mailbox marked as unread, without being sent again at all. Where possible, Multi Factor Authentication helps a great deal in securing mailboxes.