‹  Back

January 24, 2024 · 5m read

How to Use Email Behavior as Account Compromise Signals

Ivan Dwyer 


In a previous blog post, I made the case that the typical approach to email threat detection and response is missing a critical element – containment. Simply relying on surface-level detections that monitor incoming and outgoing traffic isn't enough to safeguard the resources and data accessible via an email account. In this post, we'll focus on a few practical examples of email behaviors that Material has a unique ability to pinpoint that may indicate an account compromise.

In light of two recent incidents at Microsoft, where nation state attackers compromised email accounts, there’s a heightened interest in examining protections across your entire cloud email infrastructure. The first event, from a Chinese group dubbed Storm-0558, was a sophisticated attack that took advantage of a unique sequence of events to forge a valid access token for an Outlook email account. The more recent attack this week, from a Russian group named Midnight Blizzard, was a persistent attack that took advantage of weak authentication controls on a number of test email accounts then used as a pivot point to gain access to a number of high-profile executive email accounts. Both scenarios highlight that the sophistication of modern attacks lies in the ability to remain obscured from common detections for as long as possible.

Monitoring for account takeovers is a fickle beast given that a compromised account effectively operates as an insider. It’s difficult for systems to distinguish between normal business tasks, irregular use, and malicious activities. The inherent risk and potential consequences of elevated access and unwanted data exposure make it tempting to implement restrictive controls across all systems, however, one may find pushback from the business and an overwhelming number of low-risk alerts from normal workforce use. 

Striking the right balance between security and productivity is an ongoing effort where the right set of tradeoffs isn't always obvious. The following examples are intended to highlight potential account takeover scenarios that are worthy of attention, and how Material helps address them.

Email Auto-Forwarding

Auto-forwarding is a common tactic used by attackers to discreetly monitor communications and steal sensitive information after gaining access to an email account. This is done by setting up a rule that automatically forwards emails to an external account. The insidious nature of this method lies in its ability to go unnoticed for extended periods. The forwarding rule operates silently, allowing the attacker to maintain a persistent presence in the compromised account.

Material offers advanced monitoring capabilities specifically designed to detect changes in email settings, including the creation of new auto-forwarding rules. By setting up an event subscription with Material, administrators can be instantly alerted about any modifications to forwarding rules. These alerts can be configured to be delivered via Slack, email, or webhook.

When an unauthorized forwarding rule is detected, incident response teams can quickly investigate and take appropriate action, such as revoking the rule and locking the account. This proactive approach not only stops data exfiltration in its tracks but also minimizes further lateral movement.

Subscribe to events in the Material dashboard

Failed Message Retrieval Events

Multi-Factor Authentication (MFA) is a crucial security measure, but it also serves as a valuable indicator of potential account breaches. When there are multiple failed attempts to bypass MFA, it often signals that an unauthorized user is trying to gain access. 

Material’s novel approach to data protection applies MFA directly to email messages containing sensitive data, such as Personally Identifiable Information (PII), Protected Health Information (PHI), and Payment Card Information (PCI). This targeted approach ensures that emails with critical data require additional verification – valid users can still access the messages they need with a simple auth flow, but attackers are significantly slowed down.

Material logs all attempts to access these protected messages, and can be configured to fire off an alert for any failed retrieval attempts. Such failed attempts are significant red flags, indicating that someone may be trying to access sensitive information without proper authorization.

Access Requests in the Material Dashboard

Password Reset Attempts

Email accounts are a form of identification, and attackers frequently target them to gain elevated access to downstream systems and applications. Once an attacker compromises an email account, a typical strategy is to change passwords for as many services as possible linked to that account. This tactic not only grants them broader unauthorized access but also effectively locks out the legitimate owner of the account. 

In this context, password reset attempts are a signal for an account compromise. Material addresses this scenario proactively, detecting emails from service providers that indicate email confirmation. As we do with emails that contain sensitive data, we apply a layer of authentication to follow through with the request. This extra layer of security means that any attempt to reset a password via a compromised email account will require additional verification, which an attacker is less likely to bypass.

This strategy effectively adds a significant speedbump for attackers. If an unauthorized user tries to reset passwords, the MFA requirement on the confirmation email can serve as an immediate red flag. It not only prevents the attacker from easily continuing their malicious activities but also alerts the user and the security team of the suspicious activity.

Password Reset attempt caught in the Material dashboard


These examples further stress the importance of an effective containment strategy around email accounts. Detecting suspicious behaviors is as important as detecting suspicious contents in the constant effort to stay ahead of attackers. In each of these cases, Material signals that there may be a compromise to investigate and applies an added layer of authentication, both accelerating incident response and slowing down attackers – the best of both worlds.

Want to see Material for yourself? Schedule a demo.

Slowing down the attacker gives me more time to respond. Those speed bumps are the things that allow us to breathe at night.