November 12, 2024

Simulate a Real-World Email Thread Hijacking Attack in Your Next Tabletop Exercise

On March 28, 2024, Krebs on Security published an article titled "Thread Hijacking: Phishes That Prey on Your Curiosity". The article detailed an attack in which a journalist's email account was compromised and used to send malicious emails, inserted into existing conversations, to their contacts. This article will show you how to plan and execute an effective tabletop simulation based on this real-world incident.

This is a perfect use case for:

  • IT security teams across all industries
  • Incident response teams
  • Executives responsible for cybersecurity strategy
  • Organizations using Microsoft Outlook and Office 365

Simulation Start Points

Choosing an interesting start point is key to an engaging tabletop exercise. Some ideas for this scenario:

  • A user reports receiving a suspicious email from a known contact that contains an attachment
  • IT notices an account sending an unusually high volume of external emails
  • A security alert detects multiple failed login attempts on executive email accounts
  • The PR team receives media inquiries about a potential email breach

Tabletop Simulation Phases

Walk through each phase of the NIST incident response process:

  1. Detection and Analysis
    • Analyze header information and email metadata
    • Identify other potentially compromised accounts
    • Determine attack vector (e.g. phishing, credential stuffing)
  2. Containment
    • Block malicious IPs and domains
    • Force password resets on impacted accounts
    • Notify employees of the incident
  3. Eradication
    • Remove malware and backdoors from compromised systems
    • Patch vulnerabilities that enabled the attack
  4. Recovery
    • Restore systems to pre-incident state
    • Validate security controls are effective
  5. Post-Incident Activity
    • Conduct root cause analysis
    • Identify opportunities to improve security posture
    • Update incident response plan based on lessons learned
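To make the Detection and Analysis phase concrete for facilitators, the following Python script is an added example written for this article's scenario; it is not code from the original post or from ChaosTrack. It triages a constructed thread-hijacking message (look-alike sender domain, failing DMARC, an archive attachment dropped into an existing reply chain) and also runs the "unusually high volume of external emails" start point over a constructed outbound send log. The domains, the sample message, the log entries and the 20-external-recipients-per-hour threshold are all assumptions for the exercise and would be replaced with your own allow-lists and baselines.

```python
"""Header triage and outbound-volume check for a thread-hijacking tabletop.

Added example, not part of the original article and not ChaosTrack code.
The message, the send log and the thresholds below are constructed for the
exercise and are assumptions, not data from the Krebs on Security incident.
"""
import re
from collections import defaultdict
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: a reply injected into a real thread (In-Reply-To and
# References are present), sent from a look-alike domain, with a zip attached.
SAMPLE_MESSAGE = b"""From: "Jane Doe" <jane.doe@example-news.co>
To: analyst@example.org
Subject: RE: Q3 interview notes
In-Reply-To: <20241101.abc@example.org>
References: <20241101.abc@example.org>
Return-Path: <bounce@mailer.example-news.co>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example-news.co; dkim=none; dmarc=fail header.from=example-news.co
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Following up on our thread, see the attached document.
--b1
Content-Type: application/zip; name="notes.zip"
Content-Disposition: attachment; filename="notes.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Assumed allow-list of domains the organization actually corresponds with.
KNOWN_CONTACT_DOMAINS = {"example-news.com"}
# Container types that are a common wrapper for lure documents.
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".iso", ".img")


def triage_headers(raw, known_domains=KNOWN_CONTACT_DOMAINS):
    """Return analyst-facing findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Is the visible sender domain one we actually know?
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain and from_domain not in known_domains:
        findings.append(f"sender domain {from_domain!r} is not a known contact domain (possible look-alike)")

    # 2. What did the receiving MX conclude about SPF / DKIM / DMARC?
    auth = str(msg.get("Authentication-Results", ""))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    if results.get("dmarc", "none") != "pass":
        findings.append(f"DMARC did not pass (dmarc={results.get('dmarc', 'none')})")
    if results.get("dkim", "none") != "pass":
        findings.append(f"message is not DKIM-signed by the sender (dkim={results.get('dkim', 'none')})")

    # 3. Thread hijacking's signature: a reply into a real thread that now carries a file.
    in_thread = bool(msg.get("In-Reply-To") or msg.get("References"))
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    if in_thread and attachments:
        findings.append("reply into an existing thread carries attachment(s): " + ", ".join(attachments))
    for name in attachments:
        if name.lower().endswith(ARCHIVE_EXTENSIONS):
            findings.append(f"archive attachment {name!r} (common lure container)")
    return findings


# Constructed outbound log as (hour bucket, sender, recipient) tuples: one user
# suddenly mails 30 distinct external addresses in a single hour.
SAMPLE_SEND_LOG = [
    ("2024-11-12T09", "jane.doe@example.org", "editor@example-news.com"),
    ("2024-11-12T09", "bob@example.org", "vendor@partner.example"),
    ("2024-11-12T10", "bob@example.org", "alice@example.org"),
]
SAMPLE_SEND_LOG += [("2024-11-12T10", "jane.doe@example.org", f"contact{i}@other{i}.example")
                    for i in range(30)]


def flag_outbound_bursts(log, internal_domain="example.org", max_external_per_hour=20):
    """Return {(sender, hour): distinct external recipients} for senders over the threshold."""
    external = defaultdict(set)
    for hour, sender, rcpt in log:
        if not rcpt.lower().endswith("@" + internal_domain):
            external[(sender, hour)].add(rcpt.lower())
    return {key: len(rcpts) for key, rcpts in external.items() if len(rcpts) > max_external_per_hour}


if __name__ == "__main__":
    for line in triage_headers(SAMPLE_MESSAGE):
        print("finding:", line)
    print("bursts:", flag_outbound_bursts(SAMPLE_SEND_LOG))
```

During the exercise, the findings list is what the "user reports a suspicious email from a known contact" start point hands to the analysts, and the burst dictionary is what the "IT notices an unusually high volume of external emails" start point hands to the mail team; both lead naturally into the containment questions (which accounts to reset, which domains to block).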

Inject Ideas

Add these injects to make your simulation more challenging:

  • Emails are sent from the CEO's account authorizing fraudulent wire transfers
  • Customer data is leaked and posted on a hacker forum
  • The attacker conducts a DDoS attack during remediation efforts
  • Incident responders identify an insider threat during the investigation

MITRE ATT&CK Techniques

Techniques potentially used in this attack:

  • T1566.001 Spear Phishing Attachment - The initial compromise vector
  • T1110.003 Password Spraying - To gain access to additional accounts
  • T1114.001 Email Collection - Attacker accesses sensitive data in inbox
  • T1036 Masquerading - Spoofing the "From" field to appear as a known contact

About ChaosTrack

Running a tabletop exercise like this is crucial to improving your cyber resilience, but planning one can be time-consuming and expensive. ChaosTrack can reduce the time spent by 85% and cost by 90%, enabling you to run simulations more frequently. Prepare your team for real-world attacks with ChaosTrack.

©2024, ChaosTrack, Inc. All Rights Reserved.