You would think that with all the money pouring into technology these days, we would figure out a way to stem the flood of hacking attempts, but it seems the tech bros are more focused on figuring out how replace humans with AI than keeping humans safe. And sadly, email compromises, and even more importantly, business email compromises are big business for cybercrime, so they are pouring just as much money, humans and AI into stealing their way into your email.
What this means for you
First off, you may be wondering how it is, with all the existing tools and money aimed at security, we can’t do a better job filtering out all the myriad of ways hackers keep inventing to steal our passwords, and why multi-factor doesn’t seem to make any difference in stopping them. Lately a popular method of getting access to your 2FA-protected accounts is by cloning the cookie that is created when you authenticate with your multifactor, and this is accomplished by sending you links from actual legitimate websites, like Docusign for example, where the authentication process is expected. Most people, even hardened internet warriors, aren’t trained to spot when an authentication request is “out of context” – in this case, using your Microsoft credentials to log into the Docusign website, and may also be thinking, “Even if this isn’t legit, I have 2FA so the password being stolen doesn’t matter.” Normally they would be right, but the hacker is actually counting on that 2FA prompt to print them out a fake ID that gets them past the bouncer who is only trained to check ID’s and not whether the holder presenting them is legitimate. That’s an oversimplification of what happens, but the point is that the process they use to fake you out is actually a legitimate service (and hence ignored or passed through by usual malware checks) and even the documents you might actually be granted access to are harmless, because it was all a distraction to mask the real crime of bypassing your multifactor and gaining access to your email account undetected. And from there, the mayhem begins.
How do you combat this? Aside from being ultravigilent and deeply cautious to the point of paranoia, this particular type of attack is difficult to defend against, especially for personal email accounts. As a company, there are services that can be implemented that can detect certain types of unauthorized access once they have already occurred, but as many of you probably realize, the horse is already out of the barn, and this is damage control, not prevention. This type of unauthorized access detection is only one layer of a multilayered approach to security that all companies should have to keep their employees and themselves safe.