Recently, we have seen up close how a business can experience extreme damage when not using MFA and other security measures that we strongly encourage all of our clients to use. Here is a description of what occurred:

What happened when these two companies were hacked?

In both cases, the financial person, who sends out invoices to customers, had their email hacked. By setting up a rule in the cloud version of Outlook, the hacker was able to redirect correspondence about invoices to a folder that no one uses (RSS Feeds), so the user never noticed that emails from a specific customer were not coming in. The hacker analyzed how the user worked with the customer, collected details on all the open invoices, and then started sending emails from the user’s mailbox to the customers. The hacker requested that the bank information be changed and provided all of the information for doing this. The customer, their largest, made payments as normal but to this new bank account.
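A mail-hiding rule like the one described above can be caught by reviewing inbox-rule changes in the mailbox audit trail. The following Python is an added example, not part of the original write-up: it flags rule changes that move mail to rarely opened folders, delete it, mark it as read, or forward it. The record layout, the sample addresses, and every folder name other than RSS Feeds are assumptions.

```python
# "RSS Feeds" is the folder from the incidents above; the other rarely opened
# folders are an added generalization.
QUIET_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                 "junk email", "deleted items"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

# Constructed sample records, not real log data. The Operation/UserId/ClientIP/
# Parameters layout is an assumption modelled on Microsoft 365 audit exports.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "ar@example.com",
     "ClientIP": "203.0.113.50",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "From", "Value": "payables@customer.example"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "sales@example.com",
     "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "MailItemsAccessed", "UserId": "ar@example.com"},
]

def review_rule(record):
    """Return the reasons an inbox-rule change deserves review (empty if none)."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p = {x["Name"]: str(x["Value"]) for x in record.get("Parameters", [])}
    reasons = []
    # Accept both a bare folder name and a path such as "Mailbox:\RSS Feeds".
    folder = p.get("MoveToFolder", "").split("\\")[-1].strip().lower()
    if folder in QUIET_FOLDERS:
        reasons.append(f"moves mail to rarely opened folder: {folder}")
    for flag, text in (("DeleteMessage", "deletes matching mail"),
                       ("MarkAsRead", "marks matching mail as read")):
        if p.get(flag, "").lower() == "true":
            reasons.append(text)
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        if p.get(key):
            reasons.append(f"{key} {p[key]}")
    return reasons

def flag_inbox_rules(records):
    """Summarise every rule change that has at least one review reason."""
    return [{"user": r.get("UserId"), "ip": r.get("ClientIP"), "reasons": why}
            for r in records if (why := review_rule(r))]

if __name__ == "__main__":
    print(flag_inbox_rules(SAMPLE_RECORDS))
```

Each finding carries the user and client IP, which can be compared against the sign-in history for that account.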

The hacker collected over $300,000 from both businesses.

How did this happen?

This was a very basic mistake. In both cases, the business had decided to delay implementing MFA against our advice and warnings. The hacker was able to get access to the email by tricking the user into providing their password, and with no MFA in place, they were then able to use the user’s email in a browser (OWA, Outlook Web Access).

Once the hacker was able to access the email, they didn’t need to be in the user’s Outlook on their desktop, but rather could just use the cloud version. (MFA specifically looks for cloud logins as a risky behavior and requires the user to authenticate.)

How was the problem solved?

Waytek not only quickly implemented MFA, but we also upgraded their Microsoft licensing to what is called P2. This upgrade provides additional protections and alerts, and higher-level controls for things like:

  • Risk-based access (other countries, multiple attempts, etc.)
  • A higher level of authentication beyond basic MFA (moving from text-based codes to full use of an authenticator app)
  • Deeper filters for conditional access
  • Token protection
  • Risk investigation alerts (notice when risky activity occurs, plus deep reporting and tracking to pinpoint the intruder or give details about the intruder)

What steps are needed to prevent similar disasters?

There is little cost to implementing MFA and the other steps listed above, and Microsoft also encourages these implementations. It entails minimal time and training, about ten minutes per user. Most users are familiar with MFA codes from their personal banks, etc., so it’s just a matter of helping them set up the Microsoft account. The cost is our labor to help with the setup. It typically requires ten minutes per user times the number of users (i.e., a 40-person company might spend $600 to $800 for our assistance). It more than pays for itself.

Contact us with any questions. We hope this study of recent hacks provides you with a better understanding of the necessity for these security tools.