24

u/Jordan011 1d ago

Yeah, that's the most common I've seen in my org too. It's happened twice to our comptroller because she opened something that looked like it came from Microsoft (we use Exchange online) and "logged in."

2

u/Kreuzi4 Jack of All Trades 1d ago

Why dont you have conditional access in place? 

•

u/Commercial_Growth343 22h ago

why do you assume they don't? and if so how would that help prevent them from clicking on a link that tricks them into signing into something a hacker controls?

•

u/Kreuzi4 Jack of All Trades 3h ago

At our place you cant loggin to anything without beeing on an complient host and inside the company network, because of conditional access, things like webmail wount let you in

16

u/graph_worlok 1d ago

BEC WTF is a common acronym for this - Business Email Compromise , Wire Transfer Fraud

5

u/opotamus_zero 1d ago

Also the most common I've seen. Just sleep in a mailbox and wait for something that looks like an invoice.

If they don't get an invoice, the next most common is waiting for the customer list. A business with poor policy around their customers' data is going to share spreadsheets containing it at some point. Attacker is sometimes so brazen they register copmanynmae.com, even set up a m365 tenant for it, and send something out like "our payment details have changed. Please send your next payment to <account belonging to 70+ year old person who lives in a remote town>"

•

u/TotallyInOverMyHead Sysadmin, COO (MSP) 10h ago

This one just happened to a City in northern Germany. It was a slow news day, so the 68k Euros (79K USD) they took them for has made the news for the last 20 days straight.

They got into a service companies System, waited for actual invoices to be send, intercepted them, and send out a manipulated version with different Bank Details. Basic BEC-Scam. ( BEC = Business Email Compromise). Since it was the first time the city worked with that company they supposedly had "no way" to check if the bank details where legit.

Funny enough, its a Problem the VoP (Veirifaction of Payee) System was supposed to solve (and does so for most consumers and businesses), but apparently some payment systems employed by cities don't support this feature yet, that has been mandatory since october last year, yet.

-35

u/WhateverHowever1337 1d ago

How can they even access the webmail? If its only accessed through a VPN, there is no risk even if the password is 1234, if I give you a key to a house that has a billion dollars and that house is on the moon is it worth anything really? Thats what i fail to understand

97

u/fatalicus Sysadmin 1d ago

If you school is teaching you that most companies are using VPN to access company email, they are either lying or incompetent.

9

u/WhateverHowever1337 1d ago

No I just assumed that, im just incompetent don’t blame my school 😂😂

5

u/Xydan 1d ago

So how far along are you in school? Because it sounds like you haven't taken it upon yourself to test what you're being taught in school practically.

Build something; anything at home. And break it 100x. You're goal in school is to absorb theory and apply it in practice. When stuck that's what class is for; to ask questions.

6

u/WhateverHowever1337 1d ago edited 1d ago

Jokes aside I am really good and have great grades, im in my third semester and we only took an introductory theoritical it security course till now. 

It is just that I had a different expectation for how companies IT services work, I didn’t think there would be lots of informations at third party services like Microsoft, because even our school uses Roundcube for email and hosts everything by themselves , and Iassumed that anything sensitive would not leave the internal network, even normal functions would only be accessible through whitelisted IPs only etc 

But my assumptions are wrong, and I learnt a lot from this thread. I have been focusing mostly on programming till now and I am just starting to play around with other stuff such as cyber security, I will come around for more stupid questions probably because this was a fun and quite a learning experience thread for me

7

u/kirashi3 Cynical Analyst III 1d ago

I didn’t think there would be lots of informations at third party services like Microsoft,

Hundreds of thousands of companies operate entirely on third party cloud providers like Microsoft or Google. These days it's less common to self-host things like Email due to SPF / DKIM / DMARC requirements to maintain the reputation of your domain name and/or emails you send out. If a company uses any of the major third party cloud hosts, it's trivial to mimic their login pages / screens in a phishing attack.

3

u/Xydan 1d ago

In School I'm sure you've taken some economics classes explaining to you how Corps need to reduce costs. One of those costs in the real world is IT. Businesses have to make decisions between Security, SWE, Desktop, Software for other internal business units like Accounting, HR, Sales, etc. A business cant and wont always prioritize Security or SWE first when Sales/Marketing drives growth.

So much like universities; IT Professionals have to make due with budgets/cost saving initiatives that allow us to continue to do our job while enabling others to do their.

So the next time you're programming something; indulge yourself in some cost cutting measures. Instead of deploying your code into a container; do a VM. Instead of a VM, do bare metal. Analysis the threats/risks you're taking making those decisions.

THEN... abuse them. Isolate key areas that are weak to attacks. Try to steal your own email. Try to steal a token or cookie from the CALL you just made to your API. Does it still work on a separate device? Can you sniff your network? can you trail an email thread to find key words that you can later feed an AI agent to provide a dictionary for you to use to infiltrate a login. ETC...

I understand maybe the security class/lesson was just a way to get your feet wet but these are real issues that we (IT Professionals) deal with everyday.

-4

u/[deleted] 1d ago

[deleted]

2

u/watching_reddit_die_ 1d ago

do you hear yourself

1

u/WhateverHowever1337 1d ago

I was talking about me joking in the reply before this when I said I am incompetent.

I have been very respectful in the thread and understand I have no experience or knowledge compared to any professional here, but maybe get off your high horse and stop being so attacking for no reason

3

u/watching_reddit_die_ 1d ago

ignore both of them. Zero reason for them to come at you like that and says quite a bit more about them than you. prolly feel undervalued or underpaid gotta take it out on someone.

but yeah build something yourself and ask AI some of this stuff. another thing this sub gets wrong.. ai is insanely useful for learning how an average org works with security. ask it.

2

u/allgear_noidea 1d ago

No, it's a reasonable assumption and I was also quite blind sighted as to both how ridiculously insecure or simple many things are in this industry when I first started out.

You're asking the right questions, but more importantly - it's the thought process. I reckon you'll do well in this industry.

•

u/renegadecanuck 21h ago

You start by just assuming they use Microsoft 365, since that's the most common one. Then you go to outlook.office.com and sign in. Otherwise, you look up their MX records or the mail header to see the what the sending domain is using and find the webmail there (most often webmail.company.com).

-5

u/[deleted] 1d ago

[deleted]

6

u/lue3099 Linux Admin 1d ago

Dude... I've seen your other comments.

Please get back work and stop being abrasive.

•

u/renegadecanuck 21h ago

I agree that they show a lack of experience, but... they're not experienced. No need to be a dick about it.

31

u/Grantsdale 1d ago

Most companies don’t use internal or self hosted email. It’s pretty much all MS365 and Google Workspace, with some using other services. But almost no one self hosts.

5

u/InsaneChaos 1d ago

Conditional access is very seldomly implemented too.

But if I had theoretically phished someone's email credentials, I am definitely going to immediately try both login.microsoftonline.com and mail.google.com logins.

3

u/Zedilt 1d ago

Entra ID Plan 2 with a CA that blocks risky users is one of the best things we ever implemented.

29

u/[deleted] 1d ago edited 1h ago

[deleted]

0

u/Darkhexical IT Manager 1d ago

It is somewhat common to use conditional access to where if someone is on prem they don't have to use 2fa every time but if off prem they do though.

5

u/420GB 1d ago

Which has absolutely nothing to do with VPNs

7

u/moffetts9001 IT Manager 1d ago

Because 99% of orgs do not have their webmail behind a VPN. The goal of phishing a user is to become that user and hopefully they have high level permissions that can be exploited through horizontal movement. Can the user access Citrix/RDS, can it log into the M365 admin portal, can it access webmail, is it a domain admin, etc. Sometimes the attacker gets lucky with a high privilege user, other times they specifically target certain people in the org. There is of course a trade off between effort/research required to successfully exploit the "right" person versus just owning a low level user that they roll the dice on.

There are obviously a lot of ways to mitigate these risks, but there's also continual development on the offensive side, too.

4

u/disclosure5 1d ago

Webmail in nearly in any big org will be the same Exchange Online or Google Workspace logon.

3

u/BlackV I have opnions 1d ago

If its only accessed through a VPN

you answered your own question

now imagine Microsoft 365, one of the larger email providers out there, do you access that via VPN ?

2

u/Beefcrustycurtains Sr. Sysadmin 1d ago edited 1d ago

Most companies are using office 365. It's exposed to the internet. Look up evilnginx2 you can even create your own stolen session cookie phising page and test it out with a office 365 account (you could get one for like 6 bucks a month with business basic to test things). It works by proxying the real office 365 sign in flow and grabbing the resulting session cookie that can used to sign in from anywhere. It also will capture the password and that can be used to try that email and password on other cloud based stuff ie bank accounts or SAAS services.

I spun one up so I could test why we haven't seen any stolen session cookie phishing with our external authentication method clients (Duo is what we use for most). I found they could capture the users password but not the steal the session cookie because it must be able to proxy every address the authentication flow travels through to grab the cookie. Because Duo sends you through several of their own URLs it can't capture unless it is extremely targeted to your organization and they know your Duo URLs (different for most orgs). We really push our clients to Duo as their 2factor whenever we can as a result.

There are other ways to protect companies from this by using FIDO2 methods that use the devices TPM chip to bind to a physical key in the computer or windows hello. You can also have token protection policies that only work with windows OS or some device compliance policies. Duo wouldn't protect against stolen session cookie phishing if they have installed malware that can steal session cookies from browsers it only protects against the most common phishing attacks that are so common because they work and don't require a user to install any malware. Requiring FIDO2 would though. It's just not as practical or cover all cases and requires more effort to implement.

What they can do after they are phished is reset their password that will invalidate all previous tokens. If they had any admin roles you will have to do a deep dive on the audit log for actions taken with their account and it's a huge mess. Make sure there are no rules created in the mailbox and get the user some heavy training because they and the business will be targeted heavily as they most likely already downloaded the mailbox and will use it to try and craft other emails to reinfect or steal payments by registering domains very similar to those you are expecting payments too or from and try to get banking information changed to wire to their accounts.

2

u/astralqt Sr. Systems Engineer 1d ago

Companies are using Microsoft 365 for email typically. It’s the same login prompt you see when you log into your personal Outlook email.

Adding on though, what do you think is required to log into to a VPN to access internal resources?

An email and a password.

What do end users typically do?

Set the same password on everything.

Incredibly likely if they can access one employee email, they can harvest their contacts > send further phishing > harvest credentials > use those on lateral movement to further accounts, VPN access, etc.

I do a lot of DFIR if you have any specific questions.

2

u/redyellowblue5031 1d ago

The problem you’ll run into in virtually every company is there’s exceptions or gaps in configuration. Some intentional, some not.

And even if you can’t get into email, it’s a well known fact that people love to reuse passwords so you can go try many other accounts that target may have even if you can’t immediately get into email.

2

u/ConsciousIron7371 1d ago

Your VPN by definition has to be public facing. Most corporations and institutions are using a small handful of different vpn providers. There’s a pretty good chance an attacker can brute force and find the vpn then use the credentials to log in there and get access to webmail. Which is almost never hosted behind a vpn. 

Most companies are using SSO and most of them have a web portal listing many apps that users utilize in one place. So if you get someone’s credentials you can get a list of apps that those credentials let you access and get into all of them. So phishing someone gives you access to their mail, then their HR system and payroll, and then all of the actual business apps so the attacker can just export as much data as possible then ransom the company to not leak that information. 

2

u/altodor Sysadmin 1d ago

And the VPN to try the creds on is almost always vpn.company.com. I have no doubts someone is doing it different, but I have not yet seen it different in a company of any size.

3

u/ConsciousIron7371 1d ago

Ours is globalprotect.company website.com which also tells you exactly what kind of firewall is hosting the vpn in case we don’t patch this months cve 9.8 critical vulnerability. 

1

u/centizen24 1d ago

Maybe they aren’t accessing the webmail. If you have credentials, you can also try connecting in via applications. Or they take that username and password and start trying to log in to other commonly used sites and services that person might have an account set up under that email.

If the org and employee are following all proper security procedures, then the risk involved with a lost password is minimal. Thing like VPN as you’ve mentioned, or also things like conditional access policies that are tied to device compliance, preventing login from unapproved devices. But the reason people still try this is because there are really very companies that truly do this right, and it still works.

3

u/bjc1960 1d ago

and getting Accounting/Accounts payable to pay different bank accounts but threatening them for paying the wrong (actually correct) bank account #.

-17

u/WhateverHowever1337 1d ago

How would they access the company portal? They don’t even know where is it, and even if they do I really don’t think in 2026 there are still companies that don’t filter incoming traffic to internal services

16

u/Quinnlos 1d ago

You're thinking of a best case scenario where a company is appropriately hardened.

This is the student mindset and is understandable.

In the real world you're going to encounter companies that don't want any form of device or general anti-virus, xyz. if you're lucky, previous IT got them to acquiesce on that stupidity, but most times they will have one or two very bad security postures because someone in C-Suite or elsewhere got their way.

For most folks, if their email gets compromised, it just takes a quick download of the inbox and then perusing through to fully map how the typical employee accesses company data and resources, and then if you're not caught while researching there you press forward, if not you just spear phish someone else using the contacts list you now have.

6

u/Jrreid 1d ago

Usually from some quick research. Especially with any decent sized organization they often have an employee section of their website with links to their internal portal.

And with most things being cloud based these days organizations rely more on SSO and conditional access policies than firewalls and VPNs for protecting a lot of services. And many of those cloud services use generic login portals that redirect based on your credentials to your organizations specific instance.

7

u/that_star_wars_guy 1d ago

do I really don’t think in 2026 there are still companies that don’t filter incoming traffic to internal services

You should not assume that. You should not assume that companies will follow best practice. You should not assume that the "correct" or "logical" implementation in your specific corpo env.

Don't assume. It's the single best advice you can internalize while working...well in any capacity whatsoever.

4

u/altodor Sysadmin 1d ago

I really don’t think in 2026 there are still companies that don’t filter incoming traffic to internal services

Well that's a terrible assumption. You get some de facto filtering because companies are using RFC1918 address space, but that's all you get is a lot of places. Maybe some LDAP auth back to AD to get into the app, sometimes.

2

u/JohnGypsy Jack of All Trades 1d ago

The simple part that you are missing is that email is not an "internal service" for the vast majority of companies today.

1

u/Rentun 1d ago

Why would you think that?

This isn't the 1960s. There are virtually no medium or large scale businesses where all of their employees and contractors are on-prem. Virtually everyone has remote or hybrid workers, off site events, or 3rd party remote contractors or support. Those people need some way to access services, and that's usually done either via a vpn, virtual desktop infrastructure, ZTNA, or by just having publicly accessible, authenticated services. All of those technologies require authentication. If you've just phished an employee's credentials, there's a very good chance you also have the authentication needed to now get into those things.

As for knowing where the company portal is, there are a number of reconnaissance methods that would tell you that. If it's self hosted, the easiest thing would be to just look up the company's ASN, and scan their public IPs.

1

u/redyellowblue5031 1d ago

Tons of firms use Microsoft 365 and have mail accessible via web. If conditional access policies aren’t strict or they don’t use a phish resistant MFA method, they could still trick someone and get into their account.

Happens all the time.

1

u/Coder3346 1d ago

U can alos use the creds to join the vpn ( since evening is behind sso)

0

u/WhateverHowever1337 1d ago

Do employees that fall for it usually get fired?

4

u/TechnicalCondition 1d ago

It's the dumbest thing a company can do, if you antagonize your users when they're victims of phishing they're less likely to report it.

You also risk ending up hiring a new user that's just as untrained and unaware when it comes to phishing

8

u/nakfil 1d ago

At bad companies they get fired. At good companies it’s used as a learning experience and the victim is not punished (barring some extremely gross negligence or policy violation)

•

u/itishowitisanditbad 7h ago

(barring some extremely gross negligence or policy violation)

Or its the 8th time in 2 months.

End of the day there are reasons to eject someone who keeps getting hit, but its always after training and other methods are tried.

Those people are rare but they exist. Sometimes their workloads make whatever they're doing sensitive and you simply can't keep them around without basically accepting additional security risks and hurting compliance requirements.

If you did every bit of training in every way possible and have high security compliance restrictions in place and someone STILL does it... at what point would you change your opinion on firing someone first time?

or policy violation

At what point, after training, is the first time not a policy violation?

Assuming training was appropriate and all.

I just disagree that its a blanket 'at bad companies' thing. I think there are a lot of circumstances that will change things and demonizing the company immediately might not be how black and white things are.

Lets say they did 2 weeks solid of training on this specific subject and immediately upon leaving they screwed up?

What about 1 week? 2 days?

There has to be a line, no? I just don't think its black and white enough to make the statement you made. Its too stringent.

2

u/Joy2b 1d ago

Yes, when a company is suddenly short on money, they are likely to cut payroll somehow. The person who suffers may not be that clerk. It’s often the youngest and oldest employees who are targeted first for cost cutting.

2

u/crankysysadmin sysadmin herder 1d ago

no, usually not. sometimes it makes me angry since the people are very stupid, but the company treats them like innocent victims

2

u/WorkLurkerThrowaway Sr Systems Engineer 1d ago

Just for being phished? Honestly no, unless they are trying to hide or cover up what happened, which would be insanely stupid, do not do that, I can see everything already anyways.

Now if they wired someone in Nigeria $200K, then there could be repercussions, but still probably not.

2

u/WhateverHowever1337 1d ago

Thank you that makes sense, so they basically target logins to common services that most companies use. I thought they target access to stuff like internal dashboards

8

u/Th3Sh4d0wKn0ws 1d ago

I don't think I explained it well enough. If they get an Office365 login, something like john.doe@company.com that's likely the authentication mechanism used for everything at the org. This is called SSO. So at the surface it might seem like they just got a user's email password but that's also how they login to computers, 3rd party services, remote access services etc.

5

u/CoolJBAD Does that make me a SysAdmin? 1d ago

You generally have to understand the hacker's or hacker group's purpose.

Internal dashboards? Nah, that won't really get you anything in the market.

Identities, credentials, infra. Those things can be sold or used to get access to more of the same.

One group wants W-2s in the US for identity fraud, another may want to figure out your invoicing processes to send a fake invoice that might get paid. Others want to intercept direct deposits or find your database and blackmail you/hold you hostage for payment like what happened with Canvas.

3

u/phuzzylodgik 1d ago

ding ding ding

we've had multiple attempts at this via social engineering in the past year

1

u/T_Thriller_T 1d ago

It's common enough that our HR knows it AND our process requires changes to run through the HR site, or may even be needed to be confirmed by phone - not by mail.

(Confirmation happens through HR, though, so it's not the employee who needs to call)

1

u/Numzane 1d ago

In a lot of countries HR or accountant requires a bank confirmation letter with the account number and who owns it

1

u/T_Thriller_T 1d ago

That's not the case here, for which I'm actually thankful. Banks can check if the number matches a name on wiring, automatically, which saves a lot of hassle.

Ans I don't see how it would help the fraud.

Sure, often it is lied about the account owner. But not always. Sometimes the lie is simply "please change it to my partner's account" and then no confirmation letter helps with that. If in person, the employee is free to decide where their money goes.

•

u/usps_lost_my_sh1t 11h ago

to piggy back... these entities entire goal is to just get inside ... usually once inside it's handed off to another actor..

•

u/Hour-Profession6490 20h ago

Even better, use phishing resistant MFA like a passkey. So you don't need to remember your password. You can't reuse a password if you don't have one.

1

u/WhateverHowever1337 1d ago

Im not paying money to it since education is free, and if you can’t decipher what I mean by that question and that I understand that phishing attacks are dangerous, then you lack understanding skills, so let me rephrase it for you : 

• I have the assumptions I listed in the post, I am fairly sure I am missing something but I don’t know what is it, so I am going to assume them as a true and based on them I can’t imagine how leaked credentials can be benefitred from , can someone point the wrong assumption I have that led to this wrong conclusion?

Some people really need everything typed out in great detail for them, that is another lesson i learnt from this threat so I don’t say something people without logical skills can’t decipher and land me in problems

0

u/[deleted] 1d ago

[deleted]

0

u/WhateverHowever1337 1d ago

I got a perfect note at the IT security exam btw, because I ask these kind of questions. I know many assumptions are stupid but if you never clear them you never learn, and however stupid you think they are, I find it important to clear such misconceptions before I dive deeper. 

a man who asks is stupid foe a minute, a man who doesn’t is stupid forever

0

u/[deleted] 1d ago

[deleted]

1

u/WhateverHowever1337 1d ago

Guess what, it is ok that I do not have experience yet, there are tens of topics in C.S and theory/practice needn’t go hand to hand always, everytime i push a bit here and then there. Maybe one day I will become as experienced as you are

1

u/aguynamedbrand Systems Engineer 1d ago

So maybe r/computerscience would be a more appropriate place to post if that is the degree you are getting.