Globally, a trend has been identified involving employees using their corporate email accounts to register for personal online accounts or services, which often include the re-use of passwords. But why is this a risky move?

Using initial access brokers, breach forums and data dumps, threat actors are leveraging this type of behaviour and are using it to gain initial access into a network.

Valid account credential abuse has been an established technique for a long time and with the growth of online services and platforms, this type of activity has only increased.

Normally, to access certain sites or resources online, individuals are required to sign up using an email address. The risk faced with this is the potential for threat actors to gain access to these credentials.

Threat actors use a wide range of techniques to collect exposed corporate credentials, with one common way involving scraping for breached credentials from third parties.

This data would normally get displayed on dark web forums, breach data bases or held on to by initial access brokers which would offer the data for monetary sum. These credentials can then be used in later attacks. Access to this information can often be quite easy, requiring little skill, making it an even bigger threat to organisations globally.

There are several benefits to threat actors for using stolen credentials for initial access, one being defence evasion. With valid user credentials, they can bypass security controls and are able to conduct malicious activities. This can then lead to lateral movement and privilege escalation, to achieve the attackers’ goals.

Defending against this type of activity can be challenging, as often there is a lack of visibility on which credentials could have been breached. Without the correct security controls such as MFA, threat actors can easily enter a network undetected.

The best preventative measure for this type of activity is to educate end users of the dangers of using corporate email accounts for third party platforms, as well as the dangers of re-using passwords.

Ensuring MFA is mandatory on accounts will also provide an extra layer of security and detection capability.

• Need to train your staff on some basic cyber awareness? Check out our security awareness training and get in touch to book your session and have your employees trained to become the first barrier against cyber crime.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).