Date: 2021-04-29

Is an ongoing increase in MFA rollout impacting attack tactics? Several factors have the potential to lead to changes in attack TTPs over time. In addition to MFA, some researchers have pointed to better email security software solutions, underreporting due to COVID-19 and arrests of BEC attackers as additional explanations for attack technique fluctuations X-Force has observed. While all of these explanations have merit, none of them is anchored in supporting data.

Email software security solutions can be a powerful tool against malicious phishing messages seeking to steal credentials and take over business email accounts. X-Force frequently recommends that clients explore this solution to decrease risk exposure to phishing attacks. While software solutions are likely contributing to the decrease in BEC attacks, this explanation has less power when explaining the accompanying drop in the use of stolen credentials and brute-force attacks X-Force has observed in real-world attacks.

There are a variety of methods for obtaining stolen credentials, from purchases on the dark web to watering hole attacks, and brute force or guessing passwords requires few to no additional resources. Yet even these attack types — separate from email compromise — are decreasing, suggesting MFA is the common cause explaining all three.

Other security researchers have suggested that fewer organizations reached out for help with BEC incidents due to resource constraints associated with the COVID-19 pandemic in 2020, thus leading to underreporting last year. However, X-Force, in the first quarter of 2020, saw 60% fewer BEC attacks than in the first quarter of 2019, suggesting that these attacks were decreasing even before the pandemic fully affected organizations worldwide.

Some have speculated that arrests of BEC attackers have contributed to the decrease in this attack type. Publicized arrests in August and November 2020 are encouraging, but the FBI estimates that hundreds of thousands of BEC attackers remain at large.

X-Force incident response data provides the strongest backing for MFA as an explanation for the shift in attacker TTPs. In nearly all of the BEC attacks observed by X-Force in 2019 and 2020 where attackers were successful, MFA was not enabled. In addition, in most of the cases where X-Force has observed attackers attempting to circumvent MFA, the attack is an attempted BEC attack — suggesting that BEC attackers are fighting to find a way around BEC controls.

More than once, BEC attackers have been able to trick users of mobile-based MFA applications into accidentally tapping ‘yes’ and granting them access. In other cases where MFA was enabled, an investigation revealed that the attackers used typo-squatted email addresses to masquerade as trusted users rather than compromising accounts directly.