The Dark Ages
According to the FBI’s 2019 IC3 report, the IC3 unit received 23,775 business email compromise (BEC) complaints with losses of over $1.7 billion (FBI IC3 Report[1]). We have found that, first and foremost, threat actors are trying to leverage compromised email accounts to perpetrate financial fraud. Though perhaps unintentionally, a fraudster will likely access other content in the compromised account while searching for the information needed to perpetrate the fraudulent transaction, which could lead to the potential exposure of sensitive or protected information, such as personal health information (PHI), personally identifiable information (PII) or payment card information (PCI). Beyond financial transactions, threat actors target specific types of information, such as employee Form W-2 Wage and Tax Statements held by HR personnel. An employee’s Form W-2 information can be used to e-file fraudulent tax returns for the purpose of stealing refunds.
If threat actors access protected or sensitive information during an attack, a data review may have to be undertaken. Data review is typically a two-step process conducted under the direction of cyber counsel, who develop the appropriate review parameters and protocols. First, the compromised account is data mined using advanced automated processing with keyword and pattern searches to identify responsive items that potentially contain protected or sensitive information. Second, that subset of items is manually reviewed by a document review team, and a final report is generated that identifies impacted individuals and the associated data elements that may have been accessed during the attack (e.g., a Social Security number or medical information). The data review process can often result in a substantial five- or six-figure expense, depending on the volume of data to be mined, the number of messages and attachments requiring manual review, and the density of protected information contained therein. If personal information is accessed, consumer notification and regulatory reporting may be required. The cost of consumer notification and remediation will depend upon the number of individuals to be notified, but it is often a necessary expense that victims of the compromise must be prepared to incur.
It’s Magic Time
Above and beyond the direct financial loss, the total impact to the victim can include investigation costs, engaging cyber counsel to help fulfill notification and reporting obligations, and potential regulatory fines and penalties. Fortunately, one method exists that can help us understand what a threat actor did while they had access to a compromised email account, thereby helping to reduce the additional financial burden a victim may encounter. So how does one do that? It’s time to cue up the magic logs!
Prior to the discovery of magic logs, Microsoft Office 365 investigations were in the metaphorical dark ages, as there was limited visibility into what an intruder did (or perhaps, more importantly, did not do) while accessing a compromised account. Between 2017 and 2018, several forensic firms identified an undocumented Microsoft application programming interface built on Exchange Web Services, which allowed them to obtain extremely detailed Office 365 logs, fondly referred to as “magic logs.”
Bad actors were unwittingly dropping forensic bread crumbs: these detailed logs allowed investigators to obtain very specific information, such as which email messages were accessed and what searches were performed. In many cases, investigators were even able to recover those accessed messages from the mailbox.
While there are many factors that go into an analysis, the ability to specifically identify data accessed by an intruder can minimize the volume of data to be reviewed, allowing for a more tailored investigation that identifies the individuals who actually may be at risk. This can mitigate other risks associated with consumer and regulatory notification, such as fines and penalties assessed, and eliminate the need to inform individuals about a data security incident that did not affect them.
In 2018, Microsoft revoked all access to the logs, and the ability to perform this extremely in-depth analysis disappeared, again requiring the review of massive volumes of email account data to locate protected or sensitive data that may have been exposed to a threat actor. An illustration noting the difference between the two workflows is shown below:
Here Comes The Sun
However, there is renewed hope. On March 2, 2020, Microsoft issued a notice regarding the rollout of mail items accessed logs (https://docs.microsoft.com/en-us/microsoft-365/compliance/mailitemsaccessed-forensics-investigations?view=o365-worldwide#use-mailitemsaccessed-audit-records-for-forensic-investigations). Reviewing mailbox audit and unified audit activity soon after the initial release confirmed that mail items accessed events were being recorded. The first instance of these new mail items accessed logs is shown below:
While the underlying log functionality is now officially supported by Microsoft, there is a catch: only businesses with an E5 premium license have access to these “magic log” entries. This means clients with an E5 license will likely incur reduced overall investigative and analysis costs from start to finish by being able to identify specific messages accessed by a threat actor.
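The two passages above describe what these records make possible: narrowing a review to the specific messages an intruder touched, and spotting the cases where that narrowing is not safe. The following is an added example, not code from the article or from Microsoft. It parses the AuditData JSON that the Search-UnifiedAuditLog cmdlet returns for MailItemsAccessed events (field names follow Microsoft's documented record schema: OperationProperties carrying MailAccessType and IsThrottled, and Folders/FolderItems carrying InternetMessageId) and builds a review scope from it. The sample records, IP addresses, session ids and message ids are constructed. It also handles the two documented caveats: a Sync access means a whole folder may have been downloaded, so the folder rather than individual items goes into scope, and IsThrottled=True means Exchange stopped logging that session after its 24-hour quota, so the record set is incomplete and cannot be treated as an exhaustive list.

```python
import json

# Constructed sample AuditData lines, shaped like the JSON in the AuditData
# column of Search-UnifiedAuditLog output for MailItemsAccessed events.
# Every address, id and timestamp below is made up for this example.
SAMPLE_AUDIT_DATA = [
    json.dumps({  # attacker binds (opens) two specific messages
        "Operation": "MailItemsAccessed", "CreationTime": "2020-03-10T14:02:11",
        "UserId": "victim@example.com", "ClientIPAddress": "203.0.113.7",
        "ClientInfoString": "Client=OWA;Action=ViaProxy", "SessionId": "session-A",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                {"Name": "IsThrottled", "Value": "False"}],
        "Folders": [{"Path": "\\Inbox", "FolderItems": [
            {"InternetMessageId": "<wire-transfer-001@example.com>"},
            {"InternetMessageId": "<w2-request-002@example.com>"}]}],
    }),
    json.dumps({  # attacker syncs a folder: individual items are not listed
        "Operation": "MailItemsAccessed", "CreationTime": "2020-03-10T14:05:40",
        "UserId": "victim@example.com", "ClientIPAddress": "203.0.113.7",
        "ClientInfoString": "Client=Outlook", "SessionId": "session-B",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                                {"Name": "IsThrottled", "Value": "False"}],
        "Folders": [{"Path": "\\Sent Items", "FolderItems": []}],
    }),
    json.dumps({  # attacker session that hit the logging throttle
        "Operation": "MailItemsAccessed", "CreationTime": "2020-03-10T16:30:02",
        "UserId": "victim@example.com", "ClientIPAddress": "203.0.113.7",
        "ClientInfoString": "Client=OWA;Action=ViaProxy", "SessionId": "session-C",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                {"Name": "IsThrottled", "Value": "True"}],
        "Folders": [{"Path": "\\Inbox", "FolderItems": [
            {"InternetMessageId": "<invoice-003@example.com>"}]}],
    }),
    json.dumps({  # the legitimate user's own activity from a different IP
        "Operation": "MailItemsAccessed", "CreationTime": "2020-03-10T17:10:55",
        "UserId": "victim@example.com", "ClientIPAddress": "198.51.100.20",
        "ClientInfoString": "Client=OWA;Action=ViaProxy", "SessionId": "session-D",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                {"Name": "IsThrottled", "Value": "False"}],
        "Folders": [{"Path": "\\Inbox", "FolderItems": [
            {"InternetMessageId": "<lunch-004@example.com>"}]}],
    }),
]


def op_prop(record, name, default=None):
    """Return the Value of the named entry in OperationProperties."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return default


def summarize_mail_items_accessed(audit_data_lines, attacker_ips=None):
    """Collect what the attacker sessions touched.

    attacker_ips: optional set of source IPs the investigator has attributed
    to the intruder; when given, records from other IPs are ignored.
    """
    summary = {"bound_messages": set(), "synced_folders": set(),
               "throttled_sessions": set()}
    for line in audit_data_lines:
        rec = json.loads(line)
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        if attacker_ips and rec.get("ClientIPAddress") not in attacker_ips:
            continue
        if str(op_prop(rec, "IsThrottled", "False")).lower() == "true":
            summary["throttled_sessions"].add(rec.get("SessionId", ""))
        access_type = op_prop(rec, "MailAccessType")
        for folder in rec.get("Folders", []):
            if access_type == "Sync":
                # A sync can pull the whole folder; items are not enumerated.
                summary["synced_folders"].add(folder.get("Path", ""))
            else:
                for item in folder.get("FolderItems", []):
                    if item.get("InternetMessageId"):
                        summary["bound_messages"].add(item["InternetMessageId"])
    return summary


def review_scope(summary):
    """Turn the summary into the set of mail to hand to the review team."""
    return {
        "messages": sorted(summary["bound_messages"]),
        "whole_folders": sorted(summary["synced_folders"]),
        # Any throttled session means the log is not exhaustive for that day,
        # so the scope cannot be presented as a complete list of accessed mail.
        "complete": not summary["throttled_sessions"],
    }


if __name__ == "__main__":
    scope = review_scope(
        summarize_mail_items_accessed(SAMPLE_AUDIT_DATA, {"203.0.113.7"}))
    print(json.dumps(scope, indent=2))
```

In practice the input would be the AuditData column exported with Search-UnifiedAuditLog -Operations MailItemsAccessed for the compromised mailbox and the relevant date range, and the attacker IP set would come from the sign-in and MailboxLogin analysis done earlier in the investigation; the resulting scope is what lets counsel limit the manual review to specific messages (plus any synced folders) instead of the entire mailbox, and the complete flag tells them when throttling has made that limitation unsafe.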
Conclusion
While Microsoft didn’t give everyone the keys to the kingdom, the additional logging available through an E5 license is certainly a step in the right direction for the incident response community and for all businesses affected by BEC within Office 365. With E5, investigators once again have a better view of a threat actor’s unauthorized activity and can help identify the specific email messages accessed for review, without requiring the data mining of an entire mailbox to identify all PHI, PII and/or PCI data. What seems like an inconspicuous difference to most proves to be a substantial benefit to victims of an Office 365 attack.