Lateral phishing tactic makes hackers even more successful in exploiting compromised email accounts.


Account takeover (ATO) attacks, in which cyber criminals steal email credentials, continue to grow, and attackers are developing new techniques to skirt traditional spam and malware filters. One such approach is lateral phishing, and recent research from Barracuda Networks indicates that the threat is increasing.

In a lateral phishing scheme, attackers use compromised email accounts to send phishing emails to the victim’s close contacts or other potential targets in the organization or business.

Like other ATO attacks, lateral phishing uses a real email address; because the email comes from a trusted domain and sender, the attack spreads. Recently, Barracuda teamed up with UC Berkeley and UC San Diego to investigate this new and growing type of account takeover attack.

As part of this study, the researchers looked at a recent attack on a higher education institution. During the attack, a student clicked on a fake security incident email, which gave the attackers the student’s email address and password and, with them, access to the student’s Office 365 Outlook account. The attackers then sent hundreds of internal phishing emails to other students, faculty and staff, stealing the passwords of dozens of other accounts. They used those accounts to send phishing campaigns to thousands of recipients in external organizations, including banks, healthcare companies and government institutions.

Because the email came from the school’s domain, third-party email providers treated it as trusted. According to the researchers, this is also why the email was not flagged as spam or phishing, which presumably led to even more compromised accounts.

An Expanding Phishing Threat

As part of its study with UC Berkeley and UC San Diego, Barracuda also found that one in seven organizations has experienced a lateral phishing attack during the past seven months. Of those, more than 60% had multiple compromised accounts. Others had dozens of compromised accounts that sent additional lateral phishing attacks to other employees and other businesses. According to the Barracuda report, “Researchers identified 154 hijacked accounts that sent hundreds of lateral phishing emails to more than 100,000 unique recipients.”

A particularly alarming aspect of lateral phishing is the scale of potential victims. While roughly 40% of the 100,000 recipients noted above were employees at the same company as the compromised account, the other 60% were business associates or employees at different organizations.

Because the account is known to the next set of potential victims, the likelihood of a successful phish increases significantly. Attackers may send hundreds of additional phishing emails to other organizations to spread the attack. The pool of potential victims thus increases, enabling these attacks to do an ever-expanding degree of damage to the reputation of the initial victim’s organization.

Lateral Phishing Defense

As is the case with other types of ATO attacks, there are several key strategies to follow to prevent these types of phishing attacks from spreading.

First, make sure your customer’s security awareness training content is up to date so that employees have all of the information they need about these new types of attacks. These attacks are more difficult to spot because they use a real email address rather than a fake or forged address. That means checking sender properties or email headers to detect fake or spoofed addresses won’t be of much help.

Individuals also need to think more critically about the emails they are getting. Would the person sending that email really ask for this information? If they believe the email is uncharacteristic of the sender, they should follow up with a phone call or in-person verification, if possible.

Second, employ advanced threat detection techniques and services that leverage artificial intelligence (AI) and machine learning (ML) to identify lateral phishing emails without relying on users’ detection skills alone.

Humans are fallible, sometimes gullible, and often too busy to give each and every communication the scrutiny it deserves. AI solutions can identify these attacks even when they come from a legitimate account by analyzing the sender’s email usage patterns and other indicators that would be too challenging for a user to spot.
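The behavioural check described above can be illustrated with a small heuristic. The following is an added example, not Barracuda’s product logic or code from the article: it learns each sender’s usual recipient fan-out and contact set from past mail and flags new messages that break that pattern and carry a link. The mail log, addresses and thresholds are constructed.

```python
# Added example: behavioural baseline check for lateral phishing.
# All senders, recipients and thresholds below are constructed for illustration.
from collections import defaultdict

# Constructed history of legitimate mail: (sender, recipients, message_has_link)
HISTORY = [
    ("alice@uni.example", ["bob@uni.example", "carol@uni.example"], False),
    ("alice@uni.example", ["bob@uni.example"], True),
    ("alice@uni.example", ["dave@uni.example", "carol@uni.example"], False),
    ("bob@uni.example", ["alice@uni.example"], False),
]

def build_baseline(history):
    """Per sender: the set of recipients ever mailed and the largest fan-out seen."""
    contacts = defaultdict(set)
    max_fanout = defaultdict(int)
    for sender, rcpts, _ in history:
        contacts[sender].update(rcpts)
        max_fanout[sender] = max(max_fanout[sender], len(rcpts))
    return contacts, max_fanout

def score_message(msg, contacts, max_fanout, fanout_factor=5, unknown_ratio=0.5):
    """Return the reasons a message looks like lateral phishing (empty if clean).

    The sender address is real, so the signal is the sender breaking their own
    pattern: far more recipients than ever before, or mostly recipients they
    never wrote to, combined with a link (the credential-harvesting lure)."""
    sender, rcpts, has_link = msg
    known = contacts.get(sender, set())
    baseline = max_fanout.get(sender, 1)
    unknown = [r for r in rcpts if r not in known]
    sender_domain = sender.split("@")[-1]
    new_external = [r for r in unknown if r.split("@")[-1] != sender_domain]
    reasons = []
    if len(rcpts) > fanout_factor * baseline:
        reasons.append("fan-out %d vs baseline %d" % (len(rcpts), baseline))
    if rcpts and len(unknown) / len(rcpts) >= unknown_ratio:
        reasons.append("%d of %d recipients never contacted before" % (len(unknown), len(rcpts)))
    if new_external:
        reasons.append("%d external recipients never contacted before" % len(new_external))
    # A pattern break alone is noisy; only raise an alert when the lure is present.
    return reasons if (has_link and reasons) else []

# Constructed messages to score: a normal one and a compromised-account burst.
NORMAL = ("alice@uni.example", ["bob@uni.example"], True)
BURST = ("alice@uni.example",
         ["s%d@uni.example" % i for i in range(12)] + ["cfo@bank.example"], True)

if __name__ == "__main__":
    contacts, fanout = build_baseline(HISTORY)
    for m in (NORMAL, BURST):
        print(m[0], "->", score_message(m, contacts, fanout) or "ok")
```

In practice the baseline would come from the mail gateway’s logs, and the thresholds would be tuned per organization to keep false positives low.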

Finally, organizations must use strong two-factor authentication (2FA) to help reduce the risks of lateral phishing. This approach may use a two-factor authentication application or a hardware-based token. Although non-hardware-based solutions remain vulnerable to some phishing schemes, they still act as a bulwark against an attacker logging in with stolen credentials.

Nathan Bradbury is Manager of Systems Engineering for Barracuda MSP, a provider of security and data protection solutions for managed services providers.

This guest blog is part of a Channel Futures sponsorship.
