CardinalOps Updates Techniques in MITRE ATT&CK v13 Describing New Adversary Methods for Hijacking Corporate Email Systems
Friday, May 19, 2023
New methods highlight growing sophistication of compromises targeting corporate email systems such as Office 365, Microsoft Exchange, and Google Workspace
TEL-AVIV, Israel and BOSTON, May 11, 2023 /PRNewswire/ -- CardinalOps, the detection posture management company, today announced it contributed updates to the latest version of MITRE ATT&CK describing new ways in which adversary groups like LAPSUS$ hijack corporate email systems such as Office 365, Microsoft Exchange, and Google Workspace.
As the industry-standard framework for understanding adversary playbooks and behavior, MITRE ATT&CK now contains over 600 techniques and sub-techniques employed by both cybercriminal and nation-state threat groups. The latest version, MITRE ATT&CK v13, was released on April 25th.
The updated methods contributed by CardinalOps are used by adversaries to abuse email transport rules. These are the administrative rules that control how messages flow through corporate email systems. Adversaries employ these methods to:
-- Perform reconnaissance by automatically forwarding sensitive emails to mailboxes controlled by attackers.
-- Launch internal spear phishing attacks in order to steal privileged credentials for ransomware campaigns.
-- Send spam emails from compromised Exchange domains while removing headers that would flag them as suspicious.
-- Evade detection by hiding critical emails such as internal security alerts and command-and-control (C2) communication from mailboxes.
Defending Against Email Transport Abuse Attacks
Organizations can protect themselves by ensuring they have the right detections in the SOC to quickly detect and respond to these types of email system compromises.
To support the defender community, CardinalOps has published a technical blog post providing native detection rules covering these ATT&CK techniques for popular SIEM platforms including Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic. Detecting attacks in the SIEM is critical because the SIEM is the last line of defense for detecting attacks missed by other security tools.
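The three transport-rule abuses listed above (external forwarding, header removal, hiding or dropping mail) can each be spotted from the admin audit trail that records who created or modified a rule and with which parameters. The detector below is an added example, not part of this release or of CardinalOps' published SIEM rules; it assumes a simplified record shape (Operation, UserId, and Parameters as name/value pairs) and uses the action parameter names of the Exchange Online New-/Set-TransportRule cmdlets, with all sample records and domains constructed.

```python
"""Added example: flag transport-rule changes matching the abuse methods above."""
from typing import NamedTuple

# Assumption: the organisation's own mail domains (constructed value).
INTERNAL_DOMAINS = {"example.com"}

# Transport-rule action parameters grouped by the abuse method they enable.
FORWARD_PARAMS = {"RedirectMessageTo", "BlindCopyTo", "AddToRecipients"}
HIDE_PARAMS = {"DeleteMessage", "Quarantine"}
HEADER_PARAMS = {"RemoveHeader"}


class Finding(NamedTuple):
    rule_name: str
    actor: str
    reason: str


def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].strip().lower() not in INTERNAL_DOMAINS


def analyze_event(event: dict) -> list:
    """Return findings for one audit record, or [] when it looks benign."""
    if event.get("Operation") not in {"New-TransportRule", "Set-TransportRule"}:
        return []
    params = {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}
    rule, actor = params.get("Name", "<unnamed>"), event.get("UserId", "<unknown>")
    findings = []
    for name in FORWARD_PARAMS & set(params):
        external = [a.strip() for a in params[name].split(";") if a.strip() and is_external(a)]
        if external:  # copies to internal mailboxes are routine; external ones are not
            findings.append(Finding(rule, actor, f"{name} to external {external}"))
    for name in HIDE_PARAMS & set(params):
        findings.append(Finding(rule, actor, f"{name}={params[name]}: mail hidden or dropped"))
    for name in HEADER_PARAMS & set(params):
        findings.append(Finding(rule, actor, f"{name}={params[name]}: header stripped"))
    return findings


def analyze_events(events: list) -> list:
    return [f for e in events for f in analyze_event(e)]


# Constructed sample records in the shape of Exchange admin-audit entries.
SAMPLE_EVENTS = [
    {"Operation": "New-TransportRule", "UserId": "admin@example.com", "Parameters": [
        {"Name": "Name", "Value": "Exfil"}, {"Name": "BlindCopyTo", "Value": "drop@attacker.example"}]},
    {"Operation": "Set-TransportRule", "UserId": "admin@example.com", "Parameters": [
        {"Name": "Name", "Value": "Archive"}, {"Name": "RedirectMessageTo", "Value": "vault@example.com"}]},
    {"Operation": "New-TransportRule", "UserId": "svc@example.com", "Parameters": [
        {"Name": "Name", "Value": "Strip"}, {"Name": "RemoveHeader", "Value": "X-Spam-Status"}]},
]
```

Running `analyze_events(SAMPLE_EVENTS)` yields two findings (the external blind copy and the header removal) and ignores the redirect to an internal mailbox; a production rule would additionally alert on any tenant-wide rule created by a newly added admin.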
CardinalOps' security research team is constantly working on new ways to detect attacks based on threat actor activity, vulnerabilities, and malware found in the wild. Here are the techniques and sub-techniques that were updated in MITRE ATT&CK v13 based on research performed by Liran Ravich, cybersecurity architect at CardinalOps:
-- Hide Artifacts: Email Hiding Rules (T1564.008)
-- Indicator Removal: Clear Mailbox Data (T1070.008)
-- Email Collection: Email Forwarding Rule (T1114.003)
-- Phishing for Information (T1598)
-- Phishing (T1566)
Examples of Email Transport Abuse Campaigns
In March 2022, Microsoft published a report describing attacks by DEV-0537, also known as LAPSUS$. In these attacks, the adversary gained access to global admin accounts and later configured a tenant-level transport rule to send all mail in and out of the organization to a newly created account controlled by the attackers. And in September 2022, Microsoft published a blog post describing how malicious OAuth applications abuse cloud email services to spread spam.
Phishing Attacks Double Year-Over-Year
Phishing attacks have seen rapid growth in popularity and have increased year over year. According to recent Kaspersky research, in 2022 phishing attacks doubled in comparison to the previous year, reaching over 500 million attempts. Phishing is an important tool in the adversary's arsenal because it's often used to steal corporate credentials or perform reconnaissance that can be used in later stages of an attack.
"Preventing breaches starts with having the right detections," said Yair Manor, CTO and co-founder of CardinalOps. "We're honored to be collaborating with MITRE to strengthen ATT&CK in new ways that help the defender community. Our security research team benefits from the nation-state expertise that its members have developed during their careers. We'll continue to leverage their insights to help organizations continuously assess and improve their detection posture using MITRE ATT&CK as the underlying framework."
About CardinalOps
Founded by security experts with nation-state expertise and led by executives from industry leaders such as Palo Alto Networks, Microsoft Security, and IBM Security, CardinalOps is focused on maximizing the effectiveness and efficiency of your existing security stack.
Using automation and MITRE ATT&CK, the CardinalOps platform continuously assesses your detection posture and eliminates coverage gaps in your existing SIEM/XDR so you can easily implement a threat-informed defense.
What's more, it improves detection engineering productivity by 10x and drives cost savings by recommending new ways to tune noisy and inefficient queries, reduce logging volume, and eliminate underused tools in your stack. Learn more at cardinalops.com.
Contact
Nathaniel Hawthorne for CardinalOps
Lumina Communications
(661) 965-0407
CardinalOps@luminapr.com
View original content to download multimedia:https://www.prnewswire.com/news-releases/cardinalops-updates-techniques-in-mitre-attck-v13-describing-new-adversary-methods-for-hijacking-corporate-email-systems-301821778.html
SOURCE CardinalOps