
Damien Miller McAndrews

BSides Calgary, 49:32, published 2024-03

Okay, hi everybody, thank you for coming to my talk. It's called The Million Dollar CEO Fraud: Anatomy of a Business Email Compromise. We're just gonna have to get right into it, starting with a little bit of self-promo. So, as I said on the top, my name is Damien, but you can find me online generally under some form of the username sign. I work at a local, so Edmonton and Calgary based, managed service provider called Acura Network Services. I put my water bottle down, but that's fine, we have my nice logo water bottle. I need this, that's okay. I'm a two-time NAIT grad with a diploma in IT Systems Administration as well as a post-diploma certificate in cyber security. Very impressive. That was the next slide. I'm a member of ISC2 with my Certified in Cybersecurity, which is definitely the most impressive ISC2 certification. I have my SC-300 and I just got my Security+, so I have the fundamentals down, at least within cyber security. Specifically, my areas of interest are incident response, forensics, cloud security, ENT, basically anything that would make me a good... The one, my best skill, is, just based on that, investigating business email compromise. That's just what you need, I think. I have a blog, very professional and serious, cybercorner.tech. I publish articles about random

things like finding malware via Shodan and malicious Azure apps, so there's also the article version of this talk on my blog, and then other random social medias. I don't have time for the demo today, but the demo, if it's not on my YouTube, it will be on my YouTube. I have three YouTube subscribers. It would be really cool to get to five. Can we get me to five YouTube subscribers, guys? That would make this whole thing worth it, I think. Oh, can we do 10? I think 10 is reasonable actually. I think everybody here, if we smash that like button and press subscribe, ring that bell for notifications, I believe they all

say. All right, thing again. So, table of contents, because I do PowerPoints the way I was taught in school. First I'll go over the incident that this talk got its name from, then I'll cover MITRE ATT&CK a little bit. I'll cover indicators of compromise and malicious activity that generally happens during a business email compromise. I'll go over some controls for managing the risk around business email compromise. I have a little preachy section where I shout out the Privacy Commissioner's office and try to scare all of the executives in the room, and then we have time for questions. Keep that in mind: questions at the end, please. I'm already so off topic naturally on

my own; I don't need your guys's help with that. And finally, I should preface this by saying that this is not a hypothetical incident that I made up for this talk. This was a real incident that I discovered completely by accident, as I do, and handled on my own. And I should also mention that when you actually look up what CEO fraud is, this is not CEO fraud, but it sounded really cool, and sounding cool is more important in cyber security than actually being correct, I think. We're unhinged right now. That's what we get for putting me at the end of the conference. So first I will cover discovery. I had a really, I,

the guy who did the first keynote was Michael Spalding, he talked about PowerPoint writer's block. This slide killed me, I could not think of what to put here, and then I just, so I put this Noir graphic, and it's actually very lightly playing sound even, because sometimes when I talk about this incident I kind of imagine myself, almost, you know, in my head you think you're cooler than you are. I'm like a cool detective, I'm in my chair talking about this incident. But the incident was basically, how do I start this? This was January 10th, 2023. It was a day like any other. I mean, I was doing an audit, specifically I was

doing a security audit for a customer which we have anonymized as Company X. Part of my job at Accurate is to do security audits for our customers, generally based roughly on the CIS baselines. It's in an Excel spreadsheet, and I honestly find it, just because it could be automated, but it's low on the, I think, automation priority.

One

for pretty much the entire week at this point, I believe it was a Wednesday, and with that in mind, and knowing that I maybe like to go looking for trouble, could you really blame me? I mean, an audit is a really good time to do a threat hunt, and checking for a couple of indicators of compromise wouldn't actually take me that long, right? So I check the most common indicator of compromise, spoiler alert, in Microsoft 365 for business email compromise, which is suspicious sign-in. I just do this by exporting the all-user sign-in log in Azure, opening it in Excel, and filtering out the known-good IP addresses and locations. It's, Accurate is really an MSP for SMBs, so if you're

like, oh, this sounds really rudimentary: yes, trust me, I know. Excel, I know, trust me. But I do that, I clean it up in Excel, and I'm left with one specific account that had some sign-in irregularities, I would say. One minute it's signing in from Edmonton, the next it's signing in from Los Angeles. I resolve the IPs and I look them up, and it's sketchy proxy servers and VPNs generally. My email compromise senses are tingling at this point, but Company X does have an internal IT type person, and it's always best in this situation to get them involved as soon as possible. So I send the internal IT person the sign-in logs for this

specific user and I ask him, hey, is this expected behaviour? He gets back to me, considering this is an internal IT person, really surprisingly quickly, and tells me that this is not expected behaviour and asks that I provide a record of file and email access. I say, oh, absolutely, and then, because I think he didn't quite understand maybe what was going on, I was like, we should also secure this account, right? And so we obviously reset the password, revoke sessions, all the normal account securing steps. So great, now I am no longer bored, I have an email compromise to investigate, and I've got exactly what I wished for, you know, nothing's going wrong at this point,

right? So all that's left for me now is basically to investigate, complete my RCA, put it together in a document, send it to the client, sell them improvements; essentially, that is my process. So what actually happened during this incident, and then how did I reach my conclusion? So it wasn't until I had actually begun my investigation that I realized that the affected user was the CEO of Company X. I had been reviewing the file access records from the audit of SharePoint access and I saw a lot of access to what was the executive SharePoint site. So I was no longer really, at this point, glad

to be dealing with an email compromise. I think you can imagine the slow sense of dread I had sinking in over the next two days, I suppose probably the next week actually. So how did I actually do my investigation? Well, first I requested 90 days of the inbound and outbound message trace. This gave me just over 3,000 records. I then exported 90 days of user activity from the UAL, giving me 17 and a half thousand records. Now, to me, this is basically nothing, I regularly see 50 or 100,000 records, but an important thing to mention: at the time I was investigating this, I had barely investigated a dozen email compromises, so this was a lot of records

and I was a little overwhelmed, to say the least. I knew I needed something to make that investigation a little easier, so I did some research and I started using a tool called the Hawk tool for investigating a Microsoft 365 business email compromise. It's basically just a PowerShell module, free and open source, and the guy doesn't update it enough and everything constantly breaks. The MSOnline deprecation, everything broke. But rather than complain I should learn how to write it, but I don't want to do that. So Hawk, even though I complain about it a lot, provides me with some really great things, such as a fully cleaned up,

without having to do it myself, record of the Exchange audit, so that's like email and specific email access, which was about 11 and a half thousand. It also gave me what I think is the best feature of Hawk, which is the converted authentication log. It uses an IP address lookup API to match IP addresses from various logs to cities and countries. Before I had Hawk doing it, I would take an IP address from any of the logs, I would paste it into whatismyipaddress.com, and I would transfer that to a spreadsheet, 875 times. I don't want to do that 875 times, so thank you Hawk for making it so I don't have to do that. Oh, it also tells

me if it's Microsoft or not, which is nice. So I also just grabbed some other random logs, user audit in Azure, eventually I discovered some emails, just basically any sort of information that I could grab. The user at the time did not have E5, they had Azure AD P1, not even P2, so I was really limited with the tools within Microsoft that I could use to investigate, unfortunately. So if you've ever investigated an email compromise, you know that pretty much the next step is to just squish everything together in multiple Excel spreadsheets: three monitors, three Excel spreadsheets, I'm just transferring things between them trying to build out a bit of a

timeline. I consider it something like just putting together a puzzle, so let's build that puzzle and look at it in a timeline. So after some investigation, I was able to determine that November 7th, 2022 was the date of initial access. I was able to determine this because, well, I had sign-in records back to, I believe, about October 12th, but this was the first suspicious sign-in. Generally a month of unsuspicious sign-ins means there was no unauthorized access during that month. I also found a Defender alert, which is kind of Microsoft cloud security protection, email filtering, endpoint protection garbage, whatever does everything, saying that the CEO's account had clicked on a malicious link that was not

known by Microsoft to be malicious at this time, but later Microsoft is like, oh, that was a bad link, and sent an alert. The alert was missed. I know, trust me, I know. So: Defender alert triggered, missed. Alert fatigue: about that day, about 40 other alerts in the global admin mailbox. Configure your alerting rules correctly please, internal IT. Then, if you remember, January 10th, 2023 was when I discovered the compromise and started my investigation. That's about two months, and trust me, a lot can happen in two months. So the next account access was actually November 11th, and this was when a lot of emails and files specifically pertaining to Company X's

dealings with a specific kind of financial or investment firm were accessed. There was very obviously a plan developed pretty soon after this, because an inbox rule was created to redirect email from the financial company's domain to the RSS Subscriptions folder. Absolute classic: RSS Subscriptions, Archive, Conversation History, three classic folders. So after this inbox rule was created there was actually a period of several weeks when there weren't any specific noteworthy actions on the account. It was mostly just email and file access, a lot of stuff about, again, Company X's dealings with this financial company, but also just internal documents, contracts, templates, just information about how the company actually runs. Keep in mind, access to the executive SharePoint:

he had access to everything. So November 30th is actually when things start to pick up. The threat actor emails the financial company with a request to add a new authorized signer to their financial account, asking what information is required. The financial company responds, providing some documents that need to be filled out and signed, as well as some personal information about the new signer that is needed. On December 2nd the threat actor responds with the signed documents and the personal information, and the financial company, actually they at the time CC this supposed new treasurer, which is what they were claiming the new signer was. They were using a custom domain name that was the type of domain

that an independent CPA would use, which is what they were claiming this treasurer's background was. Fun fact: this was a stolen identity of a retired CPA from Quebec. Spoiler: later the RCMP did find the gentleman, and he had no idea about any of this, so I'm sure that was a surprise to him. But again, identity, cyber crime ecosystem, love it. So what was, okay, after that, can you please, there we go. December 5th, the financial company responds and they provide some more documents that need to be signed. December 7th, the threat actor provides signed copies of more documents. Trust me, there were at least 10 documents. But the financial company sees a problem

with one of the documents and it needs to be re-signed. December 12th, the threat actor provides the proper signed copies of the documents. They also at this time register kind of a copycat or typosquat of Company X's main domain. They also similarly create inbox rules to redirect email from the copycat domain and, actually at the same time, surprisingly, the custom CPA domain for some reason, to the RSS Subscriptions folder. And it's from then on that they use the typosquat domain for communication between the treasurer and the financial company. After this there is another period of several weeks where nothing really specific happens, it's mainly a lot of back and forth between Company X and the financial

company. The financial company asks a bunch of clarifying questions: oh, is so-and-so still a signer on the account? It actually says that you already have a treasurer, are they no longer the treasurer? And also every couple of days the threat actor is emailing the financial company asking when the new signer is going to be added. They were very pushy and impatient. So, sorry, December 21st, the threat actor once again emails asking when the new signer is going to be added. It's at this point that the financial company advises that NBIN, or the National Bank Independent Network, has gotten involved. To my understanding they're like an overseer for small portfolio and investment

management firms. Their compliance department requests some more information, which is provided. This actually made its way through both companies' compliance departments, both NBIN's and the financial company's; that's what took so long. So this is all still generally the CEO's account CCing the typosquat domain, but when the typosquat domain does email the financial company, the CEO is CC'd, thankfully, or else I'd be missing a lot of information. But yeah, nobody noticed the typosquat domain or anything like that. Then finally, December 30th, oh sorry, December 23rd, this new treasurer was added as a signer on the financial accounts. So if you've noticed, I haven't said something, which is I haven't said that anybody has called

anybody on the phone, which nobody has. Nobody at the financial company has even emailed any other signer on the account, there were about four other signers on the account, or CC'd them or anything like that. So make of that what you will, but now, unfortunately, it gets serious. So the threat actor took a break for Christmas and New Year's, it seems, because the next activity was actually on January 4th. The threat actor initiated a wire transfer with the CEO's account, advising to coordinate with the fake treasurer, and they also asked what information was required. After a little bit of back and forth, the threat actor sent a wire transfer request from Company X's bank account to a bank

account in Hong Kong for, what do I have here, $710,000 USD, which at the time, with the exchange rate, was $950,000 Canadian. Not quite a million, but a million dollar CEO fraud sounded better than $950,000 CEO fraud, I think, so I can be forgiven for that. On January 6th the wire transfer was finalized. On January 9th the threat actor emails to say, hey, we didn't actually receive the wire transfer. They then resend the transfer and this time the transfer does actually go through. So if you remember, January 10th was the date of discovery and the start of my investigation, but I wasn't actually able to complete my investigation on this day. I was in class

at NAIT that day actually, I had to leave work and go do class, so you can imagine I didn't pay attention very well in class that day, and also told all my co-workers what was going on, but I didn't say the name of the company, I promise. I continued my investigation the next day on January 11th. So, literally, it says "scam". They are, they really are. I get the Chinese one where it tells me I'm going to prison, I think is the rough translation. I get those all the time. Tiananmen Square hasn't made them go away. That's kind of mean actually, I've

heard you're not supposed to do that. So I continued my investigation, like I was saying before I was interrupted by a Chinese one. Literally, I looked on my time sheet, I found the ticket: 11:50 a.m. on January 11th. Also on January 11th, at 10:36 a.m., the threat actor sent another wire transfer request to a different bank account in Hong Kong. They sent this one from the typosquat domain, CCing the CEO, and this second transfer request was for $1.3 million Canadian. So I had actually discovered the January 4th wire transfer first, and I knew at this point it had already gone through. It wasn't worth calling the CEO and having a 20 minute conversation,

continuing my investigation. So I said, all right, the money's gone, I'm gonna finish my investigation, I am so close. About 20 minutes later, when I discovered that the second wire transfer had been sent, at this point about two hours before I discovered it, I really hoped that there was still time to stop this. So I called the CEO and asked him if he was aware that a wire transfer, actually that two wire transfers, had been made from Company X's bank account to a bank in Hong Kong, one of those transfers roughly two hours ago for $1.3 million, and that a new authorized signer by the name of [name] had been added to the

account as a new signer. He obviously was not, and he also didn't seem to believe me at first. He asked me a lot of questions: how are you, how do you know about this? I was like, oh my God. So with as much, literally, I call this professional urgency in my voice as I could muster, because I'm not used to being commanding, I told him, I said, I strongly advise you to call the financial company and ask them if I am correct. And he did. I actually called internal IT, who was in the CEO's office, put me on speakerphone, the CEO called the financial company,

confirmed that what I was saying was true, and cancelled the second transfer. So after this I just kind of had to continue on. I completed my investigation and put together my incident RCA document. I sent that incident RCA document and all of the logs and exported records to Company X and eventually, at their request, law enforcement, I believe it was the RCMP and EPS as well. A couple of weeks after the incident I got more information from Company X's account manager at Accurate, who told me that the financial company did not follow their internal process for adding new signers to the accounts nor making large fund transfers.

Because of this, the financial company refunded Company X for the money that was stolen. Let's be honest, it was refund or lawsuit, and I think they realized one would be a lot less damaging to their publicity than the other. I think they made the right choice. So who hacked Company X? I currently don't have an idea. The RCMP has actually not begun their investigation; fun fact, it's in queue, so make of that what you will. EPS I've heard nothing from, but that's okay. I don't think we'll really ever know who did it. I'm not certain if it was an advanced persistent threat, but this was not a simple heist

like changing an employee's direct deposit details. This was, admittedly, like I said, there were at least 10 documents back and forth. This was definitely multiple people. You needed to be probably a little smarter than I am, because I could not figure out a lot of that financial lingo that they were doing. This was not somebody working alone, like I mentioned, but, you know, we'll never know. But all we can really do is learn from this incident and improve our own security posture and that of our customers and clients, so that we and they don't become this threat actor's next victim. So now from that we're going to

pivot 100, like 180, and talk about MITRE. So if you're not aware, MITRE ATT&CK is a framework for classifying malicious activity around an incident. It was originally developed for use in IT-caused incidents, but I mean you can use it for, you can use it for a child, you know, hacking your Wi-Fi network with a Wi-Fi Pineapple, I suppose that is something you can probably use MITRE for. Using the matrix we can view specific techniques and tactics in categories, as well as, and this is very helpful, suggested mitigations. We can also use the MITRE ATT&CK Navigator to visualize an incident. So MITRE actually has a

couple of matrices, and there's specifically a cloud matrix which contains techniques from general SaaS and IaaS instances as well as Office 365, Google Workspace and Azure AD. I found that the cloud matrix is a little lacking, but I still appreciate what it tries to do, and I hope maybe that MITRE will add more stuff to it, because, you'll see, it doesn't catch everything, unfortunately. So we will begin with initial access. This was via a phishing link, because, as I mentioned, I did find that Defender alert in the global administrator mailbox. Initial access can also be categorized as specifically what account was used, so because the account

used for initial access was an account that existed and was legitimate, it's a Valid Accounts sub-technique, Cloud Account. So next we have persistence. This is a common question I get: MFA was enabled on the account, unfortunately, or sorry, fortunately, but it was bypassed, unfortunately. The incident was too historical, I couldn't tell how it was bypassed. Once they were in the account they added an additional MFA method for persistence. So next we have defense evasion. We have the technique of Hide Artifacts and the sub-technique Email Hiding Rules, also known as filters. Those were those inbox rules I mentioned that redirect email. So for defense evasion we also have Indicator Removal and Clear

Mailbox Data: emails were frequently deleted, but surprisingly I didn't do this, I have no idea who did this, the CEO's account was on a legal hold, but it saved me from having to find the emails in our email FAS backup, which can be a pain to go through. I don't actually think I ever removed the CEO's account from legal hold actually, so very helpful for the incident, I should probably look at that again. And then finally we have collection. It's the technique of Data from Information Repositories, specifically SharePoint. As I mentioned, a lot of sensitive company data was accessed from SharePoint and used during the fraud. Fraud's a legal term, but I'm going to call it

fraud. I actually call it wire fraud generally, because it was over wires, that's definitely the definition of wire fraud. We also have the technique of Email Collection, specifically Remote Email Collection. My records showed email access over various protocols, and based on my now probably semi-extensive, as many emails as they can, if not the entire inbox. So MITRE isn't perfect, I think that this matrix is still missing a lot, but I just have fun with it sometimes, because I have very little life outside of what I do. What was that, the other keynote, I think it was Michael Spalding, who was like, have a life outside of cyber? Really, I was trying really hard to

think of what my interest outside of cyber security was, and I could maybe find half an interest. So last section we went over some of the activity that a threat actor will do on a compromised account, but I want to discuss indicators of compromise, IOCs, and activity further. To assist with this I have a bunch of graphs that I made via pivot tables from just under 70 incidents that I threw into the table. I love graphs, just, I love graphs and I love looking at graphs, I think it's neat, and we're going to look at the graphs. So overwhelmingly the most common indicator of compromise for business email

compromise is anomalous authentication when looking at logins, or I suppose other activity. So when a user who only accesses the system from Edmonton suddenly starts using a sketchy proxy server from China, or a user who only accesses from a specific Windows device suddenly starts using Kali Linux, you know that something strange is probably going on. So once they're actually in the account, what do threat actors do? Well, according to my experience and my pivot tables and charts, email rules and filters are one of the most common forms of malicious activity on an account. It generally will say, hey, if an email is received from this domain or sender or contains these keywords, mark it as read

and redirect it, or it'll say, hey, mark all incoming email as read and delete it, and that second one is used exclusively in the case where an email account is sending out spam. Emails unexpectedly being read or moved around or deleted is another common indicator of compromise. Another one is specifically sensitive access. During email compromise you will find records of sensitive access. Generally the tools used by threat actors during an email compromise have the ability to automatically search email and cloud file storage for specific file types and keywords: invoice, contract, credit, debit, Visa, password. Sometimes this is to find invoices so they can make their own copies and send them out in a phishing

email. Other times they find lists of every single company password in SharePoint, and you say, I talked to you about the SharePoint password list a week ago, now we're going to have to change all these passwords and we're gonna have another discussion about this. That's happened about five times now, by the way. Yeah, it's 2023 and people keep passwords in SharePoint and Excel, but only I have access to it, so it's really secure. Yeah, is it? And then finally, this is one I've seen in increasing frequency, at least its second usage, I've never seen the first, which is OAuth application usage in a malicious context. This is either OAuth phishing, by the user

themselves unknowingly consenting to a malicious OAuth application that allows for malicious activity or account takeover, or, and this is the one I see most often, the threat actor themselves consenting to the application, which is used for something like auto-send or persistence or exfiltration purposes. I hate this one. Assuming older folks in my family get it, at that point I probably shouldn't be in control of my identity. It's an unfortunate fact. Assuming that every actor, and I'm going to argue that there are many actors, if you've got a mental condition, if you're ill, if you're in a coma, everybody's data gone. So how common are some of these activities? I'll show you really quick.

I'm sorry, this colouring is really bad. This is just the theme I wanted to go with for some reason. But blue, sorry, shows incidents where I classified it as high severity spam, because my incident classification doesn't follow any known standards, I made it up completely on my own, which, if things don't make sense, then that's why; it makes sense to me. So you can see at first the spam mass mailing was the most common incident type. The last time I saw it for a long time was in March. I got it again in October, when the compromised account sent several of Accurate's employees phishing email, which is always the funniest way to learn about an

incident, in my opinion. Starting from January onward I saw a large increase, not only in incidents but incidents where specifically sensitive, my records, at least when it comes to the chart, I remove records from clients who are no longer with us. January should be at 11 actually. We called it hack apocalypse one, we called July hack apocalypse two, and I think it's a lot of compromises, but that's okay. So blue on its own shows incidents where there was very little actual access or activity on the account after it was compromised. This was generally because some form of alerting tool caught the compromise and I was able to remediate it before it escalated any

further. All right, this chart's also really bad: application usage, OAuth applications. I mentioned at first it was mainly an auto-sending application. This bar represents one; I cut off the table of how many things represent, I'm very sorry about that. So at first it was the auto-sender, and then I saw my favourite application, which got me, I think, about 2,000 views on my blog for the article about PerfectData Software mailbox exfiltration. Admin account consents to PerfectData Software, every single inbox in your tenant exported to PST and gone. So turn that off as well, please turn off application consents. But then in July I had both PerfectData

Software twice, and then an application specifically registered in Azure which allowed for, I believe, persistence or exfiltration. That was really great; I only learned about it because Microsoft disabled it because they figured out it was. Was created in about two thirds of incidents, and then spammy emails were sent in about a quarter. This pie chart tends to fluctuate month by month, I find, based on trends. I don't have enough data to fully map trends, but someday I think I will. I hate this chart. This is incident and compromised accounts' MFA status. So ignore February, because, like I mentioned, offboarded client, no more records. August was the first month where I've had more

accounts with MFA compromised than without, and, when, it isn't a dig on Accurate sales, this is a dig on everybody's sales and technicians, everybody was constantly told MFA protects your accounts from compromise, MFA will secure your account. Yeah, sorry, turns out that's not really, but. No, people don't like this graph, I don't like this graph, my leadership doesn't like this graph. I'm working on it though, I have solutions to this internally at least; the rest of you are kind of on your own. I mean, I blog, I have like five articles drafted and one of them is about preventing MFA bypass, but

it's a long ways coming. I have 20 hours of video to edit as well about various things such as that. And just because I thought it was neat, this is incident status and its source. At first it was a report, so either user account, user notices something strange and tells us, or user account sends a spam; that was the most common one. And then eventually it became a specific alerting tool called Blumira. I really love Blumira, I'm constantly shilling for Blumira. It is a free cloud alerting SIEM solution tailored for SMBs and MSPs, 360 monitoring, completely free. They let us abuse their free tier a lot, and so if

anybody ever looks at Blumira and happens to give them any sort of, any money, please say Accurate sent you, so they will allow us to continue abusing their free tier, because they almost took it away. But we'll pay for it if they need, because it's been very, very valuable. So I did have a demo. I don't have time for the demo. Demo details: MFA token theft, and how in five minutes I can go from initial access to an account to persistence, to indicator removal and mailbox exfiltration via malicious app consent in, like I mentioned, five minutes, which is faster than most Microsoft logs will even take to register any of those

events so um yeah that's sorry about that bad news that is definitely if it's not available on my YouTube already it will

be I love it so when it comes to technical controls one of the best ones I find is fishing resistant MFA this is MFA that is resistant to token theft or social engineering uh PH2 Hardware tokens are a great example of this like I mentioned preventing MFA PH2 and windows flow for business if you're on Azure I don't know about Google I don't do Google somebody who does Google uh pass pass keys I believe yes probably so another control I like is stricter authentication controls and requirements conditional access within 365 context who are access in Google things such as Geo fening to the company Network or requiring devices to be company company owned or compliant or secure to access

sensitive resources so both Azure and Google allow you to place restrictions on third party app access to data like I mentioned even even ner allowed you to control I can't really stress to any 365 admin fair enough like write that down and do it please because um trust me you don't you don't want a mass privacy breach because an admin account stole 50 psts um hasn't happened yet but you know please um another control that I like and I think is actually really simple but important is a good email filtering solution pardon the one that comes with your email program do a thirdparty one as long as you are preventing fishing emails from reaching the inbox you're

already going to be mitigating your risk and finally for technical the one I think is the most important right below fishing resistant MFA is alerting there are native alerting Solutions available for most cloud email providers may or may not be lost behind a minor or massive pay wall Microsoft but uh there's also third party Solutions work for SMB Enterprise MSP internal it and you can even build something out yourself if you really want to but alerting very very important as we saw on couple slides ago animations so this was originally administrative controls then when I was reviewing for security plus I was like oh operational controls totally exist and the first one is actually technically an operational control

security awareness training I think it's one of the most important operational controls as long as you do it correctly as long as your employees don't think that it's this boring thing that they're forced to do and they just play the video on one Monitor and do their work and then just do all the questions until they get 100% And and they're like I'm done for this year especially difficult with technical employees to keep them engaged trust me I I manage our internal security awareness training I I have experienced this um you have to make it really interesting for them and you also need to regularly run fishing simulations to actually test that whatever offering or product you have is

effective and you need to try to tailor those simulations to the threats actually facing your organization such as when I'm sure we were all getting a flood of QR code fishing emails a while ago having some education and then some fishing simulations involving QR code codes is really useful for telling which of your employees actually read emails and don't just blindly go about their day-to-day life then there's everybody's favorite which is policies and procedures ideally you would have policies for things such as storage of sensitive data email security changes to financial information this will help avoid cases where a vendor compromised vendor account changes the account where you send payments to um or an employee

emails you from uh personal Gmail and changes direct direct deposit information and then finally you need to ensure that the companies you partner with will actually take your financial security seriously will your bank call you to confirm large changes such as adding a new authorized signer do they have to follow any compliance standards and do they actually follow them so all of these and more unfortunately quite a a decent amount more are just things to consider when thinking about how to protect your organization or your client from a potentially company ruining incident okay so I know some of you might be thinking that's probably probably not many or more likely you know somebody who thinks this way or

this is just a strawman argument I made up for this but why should I somebody's email gets packed and they view a couple invoices or they send some spam you know uh maybe we lose some money well large company or small company nonprofit or Law Firm The Fallout from a business email compromise could still be highly damaging to your organization I want to highlight this if the second wire transfer had gone through company X would not have been able to make payroll which was in two days so if your company one of your accounts is hacked and a customer pays to a wrong Bank the wrong bank account um do you think they're going to be very

happy about that especially if it was your fault in the first place do you think I feel safe doing business with a company that had a hacked email send me a fishing email no I'm sending that to the Privacy commissioner right so speaking of the Privacy commissioner do you think an email compromise with the Privacy breeds well we don't store any personal information in our emails so it's not a so we should be fine well I swear I'm definitely not a lawyer if you can't tell but according to the Alberta privacy commissioner you might not be offside if there is anybody from the oipc here um please talk to me afterwards I have something really

interesting and cool and if all of you are like oh I want to know I have to make sure I haven't done anything illegal I swear so maybe next year's bsides I'll talk about I'll talk about that but I need I need somebody I can't get past reception honestly with the oipc they're not they're not being helpful um so a decision from the oipc in January 2023 details an incident where a employee from the Calgary Urban project Society cupf was fished and their accounts sent out just 150 spam emails so the oipc determined and I quote there is a real risk of significant harm to the individuals affected by this incident so cups had to

do breach notifications and in this case they weren't required to do credit monitoring but sometimes they are Equifax others I'm not sure the last one who had to do credit monitoring in Canada surprisingly not the Dental Association hack I would have I would have thought that would have required a um it wasn't a dental association some of you probably also got the same letter I did and know what I'm talking about so here is a picture of their summary decision but I want to quote what they said on harm in their more in-depth analysis so to quote in my view a reasonable person would consider that the contact and identity information at is issue could be used to cause the

harms of identity theft and fraud email addresses could be used for the purposes of fishing increasing vulnerability to identity theft and fraud these are all significant harms and trust me you keep that link that this is far from the only decision saying essentially the same thing in the last even six months I think there's two this month even so current legislation around privacy breaches and specifically breach reporting are um in in my uneducated opinion maybe a little toothless but a new bill which is currently making its way through uh whatever bills do in Canada I didn't pass social studies sorry um it it failed the first time it's making its way through the second time it's the Canadian privacy

protection act it proposes stronger penalties for both the negligence causing the breach as well as failing to report the breach so yes your customer sends out 100 spam emails and doesn't report it as a privacy breach um I believe right now in the bill they could go to prison but uh they'll probably take that out so hopefully this specific section is enough for some of you to perhaps convince your bosses or clients to move to fishing resistant MFA okay summary time what did we learn well having an email compromise can turn out really badly shocking I know um they are generally predictable their goal is to just keep compromising accounts hopping from account to account until

one with the correct access or level of administrative ability is found that for whatever their plan is um that really helps with and there's actually only generally looking back at milit activity a handful of actions that are actually done on an account in a traditionally email compromise this hasn't covered administrative accounts compromises that's maybe another two bides from now um but the fact that there's only a handful of actions that actually take place on account are is really helpful for the next point which is that they are preventable is or at least you can mitigate a lot of the risk around them alerting unknown malicious actions or suspicious activity is still one of the best controls I recommend and finally

um I I think this I'm not sure if this thinking is more prevalent just an SMB or also Enterprise or all over the world but they are more serious than a lot of people seem to think I'm going to guess there is still a decent chunk of people in this room who had no idea that the oipc considers an account just sending out 150 spam emails to be a privacy Bri so um beautiful I'm a I'm a big supporter of um slide transitions I love them and I think that PowerPoints need to be cool and fun so before we get questions website blogs safe to scan I promise I'm right here and I'm I'm afraid of Confrontation if

they're not so I promise um that is everything thank

you that's that's that's one more all right um I don't know if we have time for questions but we're gonna say technically I think we do so any questions that's

tonight oh and I if just in case um because I spent $35 on Vista Print I have very very serious and professional business cards I'm going to dump them on this desk I totally didn't get these how do I make the desk though

please just just so I could put them in draws for prizes at at vendor boost and and because people kept asking me what my web blog URL was um

questions by me okay thank you

[Music]
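The talk's point that only a handful of actions are taken on a compromised account, and that alerting on them is one of the best controls, pairs with its demo of mailbox exfiltration via malicious app consent. The script below is an added example that turns that one action into a detection; it is not the speaker's code, nor Blumira's, nor a Microsoft tool. The audit operation name "Consent to application." and the Microsoft Graph permission names are real, but the flat record layout, the sample records, the `classify_consent` and `flag_risky_consents` functions, and the choice of which scopes count as mail-exposing are this example's own assumptions.

```python
"""Flag risky third-party app consents in constructed Microsoft 365 audit records.

Added example, not from the talk. The record layout is a simplified, constructed
stand-in for an audit-log export; a real export carries many more fields.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Audit operation written when a user or admin grants an app access to data.
CONSENT_OP = "Consent to application."

# Microsoft Graph permission names that let an app read, move or send mail.
# Treating exactly these as risky is this example's assumption.
MAIL_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Read.Shared", "Mail.ReadWrite.Shared",
    "Mail.Send", "MailboxSettings.ReadWrite",
}

# offline_access is the OpenID Connect scope that yields a refresh token, so the
# app keeps access after the interactive session (and any stolen token) expires.
PERSISTENT_SCOPE = "offline_access"


@dataclass(frozen=True)
class Finding:
    severity: str        # "high", "medium" or "review"
    user: str
    app: str
    mail_scopes: tuple   # granted scopes that touch the mailbox, sorted
    reason: str


def classify_consent(rec: dict) -> Optional[Finding]:
    """Classify one audit record; None means nothing here is worth an alert."""
    if rec.get("operation") != CONSENT_OP:
        return None
    granted = set(rec.get("scopes", "").split())
    mail = tuple(sorted(granted & MAIL_SCOPES))
    if not mail:
        return None  # a consent, but one that does not expose the mailbox
    persistent = PERSISTENT_SCOPE in granted
    user, app = rec.get("user", "?"), rec.get("app", "?")
    if rec.get("admin_consent", False):
        # An admin granted it tenant-wide: not an attacker pattern by itself,
        # but a mail-reading app still deserves a human look.
        return Finding("review", user, app, mail,
                       f"admin-granted consent includes mail scopes {list(mail)}")
    severity = "high" if persistent else "medium"
    reason = f"user-granted consent includes mail scopes {list(mail)}"
    if persistent:
        reason += " plus offline_access (refresh token outlives the session)"
    return Finding(severity, user, app, mail, reason)


def flag_risky_consents(records: Iterable[dict]) -> list:
    """Run classify_consent over an export and return findings in log order."""
    return [f for f in (classify_consent(r) for r in records) if f is not None]


# Constructed sample export: four records, of which two should alert.
SAMPLE_LOG = [
    {"time": "2024-02-12T14:03:11Z", "operation": "UserLoggedIn",
     "user": "alice@example.com"},
    {"time": "2024-02-12T14:05:42Z", "operation": CONSENT_OP,
     "user": "alice@example.com", "app": "Mail Sync Helper",
     "admin_consent": False,
     "scopes": "openid profile offline_access Mail.ReadWrite Mail.Send"},
    {"time": "2024-02-12T15:10:00Z", "operation": CONSENT_OP,
     "user": "bob@example.com", "app": "Calendar Widget",
     "admin_consent": False, "scopes": "User.Read Calendars.Read"},
    {"time": "2024-02-13T09:00:00Z", "operation": CONSENT_OP,
     "user": "admin@example.com", "app": "Backup Service",
     "admin_consent": True, "scopes": "Mail.Read offline_access"},
]

if __name__ == "__main__":
    for f in flag_risky_consents(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.user} -> {f.app}: {f.reason}")
```

Run against the sample, the user-granted consent with mail scopes plus offline_access comes out as high, the admin-granted backup app as review, and the calendar widget is ignored. The preventive counterpart the talk refers to is restricting which apps users may consent to in the tenant; a detection like this is for whatever still gets through, and it is only useful if someone is actually alerted on it rather than finding it in the logs weeks later.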