CIO

Lateral Phishing: When Your “Colleague” is Actually an Attacker

By Yoram Salinger, CEO of Perception Point

As ever, phishing remains one of the most lucrative income paths for hackers, enabling them to install profit-making ransomware and similar malware to rip off victims. But thanks to growing awareness, there are many safety plans in place to help employees avoid phishing attacks. For example, many companies run educational programs on how to identify suspicious messages.

Hackers know that we know what they're up to, so to regain their advantage, they've turned to lateral phishing, a new kind of scam that entails taking over an account from within the organization. Unlike a “regular” phishing message that may appear to be from a colleague or an individual that an employee may be working with on a project in another organization – where social engineering techniques succeed in prompting action – a lateral phishing attack entails actually taking over an account in the organization and using it as a springboard for attacks.

The account may be compromised for just a short time, but hackers can use it to send out hundreds or thousands of malware-laced messages to members of the organization, potential customers or partners, etc. A report by Barracuda, along with UC Berkeley and San Diego, lays out some of the tactics lateral phishers use to lure in their victims. “Among the incidents studied, 63 percent of the attacks used commonplace variants of the 'shared document' and 'account problem' messages (e.g., 'You have a new shared document'),” the report said.

But the tactics could be even more sophisticated. According to the report, “30 percent of the incidents used more refined messages, modifying the language to target enterprise organizations (e.g., 'Updated work schedule. Please distribute to your teams'). In the most sophisticated approach, 7 percent of the attacks involved highly targeted content that was specific to the hijacked account’s organization.” The report said that researchers identified 154 hijacked accounts that collectively sent hundreds of lateral phishing emails to more than 100,000 unique recipients, with one in seven organizations experiencing lateral phishing attacks in recent months.

How can organizations defend themselves against such attacks? The usual methods – educating users not to click on links, better filters on the email server, rules regarding how attachments can be sent in a message, constant updating of antivirus software – are of course relevant, and organizations should be bolstering all those efforts throughout the organization. However, more is needed. There are two main problems:

Unmonitored activity: Internal emails are not typically scanned for advanced threats. By compromising accounts within the organization, hackers can try any tactic they like to carry out their attacks without being blocked. If links to sites that will remotely install malware won't work, hackers can send attachments that, when opened, install trojans on recipients' computers – and if that doesn't work, they can send those trojans via macros in the attachments, which no anti-virus system can detect.

Employee awareness: Employees will be less likely to scrutinize an email from a colleague, and especially a superior in the organization. By taking over accounts within the organization, hackers are able to overcome a major defense that organizations rely on to keep malware out – the ongoing adjuration of employees against opening attachments or clicking on links from suspicious email addresses.

Clearly, these are formidable challenges, but organizations are not helpless. Here are some ideas on how they can protect themselves:

1. Scanning internal email traffic for advanced threats: Most organizations will already have email filters that keep out suspicious or junk messages that may contain malware, or come from email addresses in suspect domains. That works fine for messages from the outside, but what about internal threats of the lateral phishing type?

For that, organizations need advanced systems that can more deeply examine communications and activities from within. Systems that can analyze attachments that are sent within the organization, or workstation-based sandboxes that check attachments, documents, and other external material before it can be opened could go a long way to stripping hackers of their lateral phishing “powers.”

2. Security solutions equipped with business email compromise (BEC) or impersonation prevention: When hackers take over an account within an organization, they don't use it in the standard manner that regular employees would. The links they send victims lead to sites that can download malware or ransomware, and the documents they send are not company-issue, but malicious documents whose origins, and links, lie outside the organization.

In either case, there's an element of identity fraud or misdirection – activities that are not standard in the organization, more typical of a BEC attack than a regular message exchange. Savvy BEC security systems will be able to pick up on this, supplying an additional layer of organizational protection.
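As an added illustration of points 1 and 2 (this is example code written for this page, not a Perception Point or Barracuda product), the script below scores mail from internal senders on the signals the article describes: lure-style subjects quoted from the report, links whose hostnames sit outside the company's domain, and a burst of recipients from one account. The company domain, thresholds and sample messages are constructed assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"         # assumption: the organization's own mail domain
# Lure templates quoted in the report the article cites
LURE_PHRASES = ("shared document", "account problem", "updated work schedule")
BURST_WINDOW = timedelta(minutes=10)   # assumption: window for counting recipients
BURST_THRESHOLD = 50                   # assumption: recipients per sender per window

def external_domains(urls):
    """Link hostnames that are not the company's own (the 'roots outside' signal)."""
    hosts = {urlparse(u).hostname or "" for u in urls}
    return sorted(h for h in hosts
                  if h and h != COMPANY_DOMAIN and not h.endswith("." + COMPANY_DOMAIN))

def analyze(messages):
    """Score mail from internal senders; returns {id: (score, reasons)} for flagged mail."""
    sent, flagged = {}, {}             # sent: sender -> [(timestamp, recipient count)]
    for m in sorted(messages, key=lambda m: m["ts"]):
        if not m["sender"].lower().endswith("@" + COMPANY_DOMAIN):
            continue                   # external senders are the perimeter filter's job
        ts, subj = datetime.fromisoformat(m["ts"]), m["subject"].lower()
        score, reasons = 0, []
        if any(p in subj for p in LURE_PHRASES):
            score += 1; reasons.append("lure-style subject")
        ext = external_domains(m["urls"])
        if ext:
            score += 1; reasons.append("external link: " + ", ".join(ext))
        # Rolling per-sender recipient count: a hijacked account sprays hundreds of mails
        history = [(t, n) for t, n in sent.get(m["sender"], []) if ts - t <= BURST_WINDOW]
        history.append((ts, len(m["recipients"])))
        sent[m["sender"]] = history
        total = sum(n for _, n in history)
        if total > BURST_THRESHOLD:
            score += 2; reasons.append(f"burst: {total} recipients in {BURST_WINDOW}")
        if score >= 2:
            flagged[m["id"]] = (score, reasons)
    return flagged

SAMPLE = [  # constructed messages, not real traffic
    {"id": "m1", "sender": "bob@example.com", "ts": "2024-05-01T09:00:00",
     "recipients": ["a@example.com"], "subject": "Q3 budget draft",
     "urls": ["https://intranet.example.com/budget"]},
    {"id": "m2", "sender": "alice@example.com", "ts": "2024-05-01T09:05:00",
     "recipients": [f"u{i}@example.com" for i in range(60)],
     "subject": "You have a new shared document", "urls": ["https://docs-share.example.net/open"]},
    {"id": "m3", "sender": "alice@example.com", "ts": "2024-05-01T09:08:00",
     "recipients": [f"p{i}@partner.example.org" for i in range(10)],
     "subject": "Account problem - please review", "urls": []},
]
```

Running `analyze(SAMPLE)` flags only the two messages from the hijacked account; the budget note with an intranet link scores zero.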

3. Zero trust policy: Zero trust is exactly what it sounds like: You can't trust anyone's digital identity today, including colleagues or customers you may have worked with for years. Just the opposite - it's those people that hackers will target if they want to get at your sensitive information.

Everything and anything that is sent to an email inbox, whether from outside or inside the organization, must be treated as a potential threat – and only when it is found clean by the security systems listed here, as well as the other standard systems organizations have, should an employee be able to engage with that communication. Carving out a protected surface of data, assets, applications and services, and creating a microperimeter or segmentation gateway around it – and around those who use that protected DAAS – will ensure that lateral phishers remain unsuccessful and leave your organization alone, trying their luck elsewhere.

It's essential that organizations take action to stem this latest threat. Unfortunately, the tactics they've been using to prevent email attacks are not going to be fully effective with lateral phishing attacks. Unlike with “normal” threats, the danger here comes from the inside. To protect themselves, organizations will need to significantly upgrade their protection.