It has been said that 80% of account compromises start with stolen credentials. I read the other day that Microsoft gets 4,000 attacks per second against its cloud accounts!
Threat actors really want to be in your account. AI is helping them increase their odds of getting there.
AI tools can manipulate large amounts of data extremely quickly.
Threat actors are now routinely harvesting all stolen credentials from the dark web and adding them to their account-hacking databases. On top of that, they are now leveraging AI tools to identify password sequences and patterns and to extrapolate passwords that are not already in the database.
For instance, if the tool sees ABCpassword1, ABCpassword2, and ABCpassword3 on the dark web, it will continue the sequence with ABCpassword4, ABCpassword5, etc.
If you just change the number to update your password, you have functionally done nothing to make your account secure. Also, if you build your passwords from a pattern based on the site name, that pattern can be derived as well.
This is why MFA is so important. This is why passphrases are so important.
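A check that a password-change form could run to reject the kind of "update" described above, shown as an added example that is not part of the original post or of any tool it names. The function names and sample passwords are constructed for illustration, and the check assumes the old password is available at change time because the user has just typed it.

```python
import re


def skeleton(password, site_names=()):
    """Return the part of a password that stays fixed across a sequence.

    Case is folded, any given site name is replaced by a marker, and all
    digits are dropped, so counters and per-site variants collapse to the
    same string.
    """
    s = password.lower()
    # Longest names first so "shopping" is replaced before "shop".
    for name in sorted(site_names, key=len, reverse=True):
        if name:
            s = s.replace(name.lower(), "\x01")  # marker: "site name here"
    return re.sub(r"\d+", "", s)


def predictable_change(old, new, old_site="", new_site=""):
    """Return a reason string if `new` is derivable from `old`, else None."""
    if old == new:
        return "unchanged"
    if skeleton(old) == skeleton(new):
        return "only digits or letter case changed"
    if old_site and new_site and (
        skeleton(old, [old_site]) == skeleton(new, [new_site])
    ):
        return "only the site name and digits changed"
    return None


if __name__ == "__main__":
    # Constructed sample pairs: (old, new, old_site, new_site)
    samples = [
        ("ABCpassword3", "ABCpassword4", "", ""),
        ("ABCpassword3", "abcPassword2025", "", ""),
        ("Shop!Maple7", "Bank!Maple8", "shop", "bank"),
        ("ABCpassword3", "correct horse battery staple", "", ""),
    ]
    for old, new, old_site, new_site in samples:
        reason = predictable_change(old, new, old_site, new_site)
        print(f"{old!r} -> {new!r}: {reason or 'accepted'}")
```

A rejection here only means the new password follows from the old one; an accepted password still needs the usual length and breach-list checks.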
Specialty defensive tools like SpecOps Password Auditor are powerful ways to help you visualize these threats. SpecOps has a free version that is pretty eye-opening to run.
If you have a business email compromise (BEC), remember, you need to take a number of steps:
- Log out all sessions
- Change password
- Check for any subscriptions, like the RSS feed (M365)
- Check for any group changes
- Check for any mail filtering rules and delete/disable suspect rules.
- Check for MFA status
- Check for any alternative MFA devices added to the account (a common threat actor technique).
It is a scary world. You need to make sure your account compromise checklist includes these items. You need to ensure threat actors don't have a backdoor MFA device so they can maintain persistence on the account.
It is a lot to process and deal with. If you need help figuring this out, please give us a call. We are happy to help.

