Like many others, I spend most of my work time at home. But I recently had a very different experience of work and home merging.
Last week, I shut down my laptop and made the commute from my basement to the kitchen where my kids were eating dinner. I sifted through a pile of letters and opened one from our healthcare provider that was addressed “to the personal representative of” my six-year-old. The letter was informing us of an incident that may have exposed her personal and health information.
I consider myself relatively unflappable, but the irony and ridiculousness of the situation were surreal. The letter outlined an incident that is both frustratingly common as well as precisely the reason Material Security exists. As a marketer, I don’t think I could have written up a better use case for Material than the piece of mail sitting in front of me. Of course, my excitement was slightly buffeted by the fact that my six-year-old daughter’s personal and health information may already be leaked online.
Not to worry though, her credit and bank account numbers “were not involved” but “diagnostic and treatment information” may have been…
So what happened?
According to the letter:
“On July 30, 2024, a [redacted] employee email account was compromised due to a cyberattack. The employee accepted an unsolicited multifactor authentication prompt, which enabled the cyber-attacker to access the employee’s email account. As soon as [redacted] learned that the email account was compromised on August 7, 2024, the attacker’s IP address was blocked, and immediate password changes were made so no further access could take place.”
The tactics and timeline of an attack generally grab the headlines, and in a case like this they are the easy part of the forensics to establish. Much harder to answer is how well the extent of the potential damage is understood: what exactly was exfiltrated or otherwise exposed, and what happened over the course of those nine days?
“No evidence was uncovered during our investigation to suggest that the aim of the attack was to obtain patient health information from the compromised email account, but data theft could not be ruled out. As a result, the email account and its contents were presumed compromised. Thus, all the emails and any attachments to them required a detailed, thorough review to determine if sensitive data about one or more patients was potentially impacted.”
Not particularly comforting. As is often the case when an email account is breached, the specifics of what was done during that time and the extent to which confidential, proprietary or otherwise sensitive information may have been compromised are largely unknown. This puts the organization, our healthcare provider in this case, in a position where it must assume anything in the mailbox may have been accessed. And it puts the victims, in this case a six-year-old who doesn’t even know what email is, in a position where they too must assume that some of their most personal information is available now and in perpetuity somewhere on the web.
Tell me if you’ve heard this before
- Despite standard security measures, such as strong MFA, an email account is compromised.
- It takes days, weeks, and sometimes even months for the compromise to be discovered.
- During that time, it is unclear what precisely was accessed, read or otherwise exfiltrated.
It has become obvious that traditional email security controls are insufficient, specifically inbound detections meant to thwart phishing attempts and outbound DLP that only triggers when email is sent out of the mailbox. In this case there was even strong authentication in place, courtesy of my former employer Duo Security. Unfortunately, these types of incidents are often followed by more of the same approaches that proved inadequate: more training, tighter access controls, and stricter email retention policies.
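The pattern above (an MFA prompt approved after unsolicited pushes, followed by days of unnoticed mailbox access) leaves two signals in ordinary authentication and mailbox audit logs. The following is an added example, not code from the original post or from Material Security, of how a defender might correlate those signals. The log records, the field names (`ts`, `user`, `event`, `result`, `ip`), the event names (`mfa_push`, `mail_read`), the per-user IP baseline and the thresholds are all constructed assumptions for illustration; real identity providers and mail platforms use their own schemas.

```python
"""Flag two signals of an email account takeover from audit logs:
1. MFA push fatigue: an approval preceded by a burst of denied or
   unanswered pushes for the same user within a short window.
2. Mailbox reads from a source IP the user has never signed in from.
All records, field names and thresholds below are constructed for this
example and are not from any real product's log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). The attacker-style burst is
# against "alice"; "bob" is an ordinary sign-in from a known address.
SAMPLE_EVENTS = [
    {"ts": "2024-07-30T08:01:00", "user": "alice", "event": "mfa_push", "result": "denied", "ip": "203.0.113.7"},
    {"ts": "2024-07-30T08:01:40", "user": "alice", "event": "mfa_push", "result": "timeout", "ip": "203.0.113.7"},
    {"ts": "2024-07-30T08:02:30", "user": "alice", "event": "mfa_push", "result": "denied", "ip": "203.0.113.7"},
    {"ts": "2024-07-30T08:03:10", "user": "alice", "event": "mfa_push", "result": "approved", "ip": "203.0.113.7"},
    {"ts": "2024-07-30T08:05:00", "user": "alice", "event": "mail_read", "result": "ok", "ip": "203.0.113.7"},
    {"ts": "2024-07-30T08:05:05", "user": "alice", "event": "mail_read", "result": "ok", "ip": "203.0.113.7"},
    {"ts": "2024-07-30T09:00:00", "user": "bob", "event": "mfa_push", "result": "approved", "ip": "198.51.100.20"},
    {"ts": "2024-07-30T09:00:30", "user": "bob", "event": "mail_read", "result": "ok", "ip": "198.51.100.20"},
]

# Constructed baseline: addresses each user normally signs in from.
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"198.51.100.20"}}

PUSH_FATIGUE_WINDOW = timedelta(minutes=10)  # assumed lookback window
PUSH_FATIGUE_THRESHOLD = 2  # assumed: unsolicited prompts before an approval


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect_push_fatigue(events, window=PUSH_FATIGUE_WINDOW, threshold=PUSH_FATIGUE_THRESHOLD):
    """Return one finding per approved push that follows >= threshold
    denied/timed-out pushes for the same user inside the window."""
    findings = []
    pushes_by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "mfa_push":
            pushes_by_user[ev["user"]].append(ev)
    for user, pushes in pushes_by_user.items():
        for i, push in enumerate(pushes):
            if push["result"] != "approved":
                continue
            approved_at = parse_ts(push["ts"])
            prior = [p for p in pushes[:i]
                     if p["result"] in ("denied", "timeout")
                     and approved_at - parse_ts(p["ts"]) <= window]
            if len(prior) >= threshold:
                findings.append({"rule": "mfa_push_fatigue", "user": user,
                                 "ts": push["ts"], "ip": push["ip"],
                                 "prior_prompts": len(prior)})
    return findings


def detect_new_ip_mail_access(events, known_ips):
    """Return one finding per (user, ip) pair where mailbox reads came
    from an address outside that user's baseline, with a read count."""
    reads = defaultdict(int)
    first_seen = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "mail_read":
            continue
        if ev["ip"] in known_ips.get(ev["user"], set()):
            continue
        key = (ev["user"], ev["ip"])
        reads[key] += 1
        first_seen.setdefault(key, ev["ts"])
    return [{"rule": "mail_access_new_ip", "user": u, "ip": ip,
             "first_seen": first_seen[(u, ip)], "reads": n}
            for (u, ip), n in reads.items()]


def run(events=SAMPLE_EVENTS, known_ips=KNOWN_IPS):
    """Run both detections and return the combined findings."""
    return detect_push_fatigue(events) + detect_new_ip_mail_access(events, known_ips)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Either rule alone is noisy; a user who fumbles a prompt or travels will trip them. Their value comes from the correlation: an approval after a burst of prompts, followed within minutes by mailbox reads from the same unfamiliar address, is exactly the sequence the letter describes, and catching it on day one rather than day nine is what shrinks the set of mail that has to be "presumed compromised".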
What if, rather than more of the same, we took an inside-out, defense-in-depth approach to email security, and to email account takeovers specifically? At Material, we believe that a complete email security solution has to consider email not just as a communication protocol, but to recognize that the email account is inextricably linked to the broader productivity suite and therefore represents:
- A communication (email) and collaboration (files) platform that is used by every employee in an organization.
- The de facto identity for most SaaS applications.
- A storage system for communications and files.
All of these are reasons why the email account is such a common and valuable target. These accounts can also become vectors for further attacks via lateral movement, BEC, and more.
The pitch
I wouldn’t be doing my job if I didn’t point out that Material Security was conceived for all of the reasons outlined above. In the most basic sense, Material protects against email-based attacks, monitors and reduces risk in Google Workspace and Microsoft 365, and limits the blast radius of a compromised account.