Lateral Phishing

What is Lateral Phishing?

Attackers use recently hijacked or compromised accounts to send phishing emails to unsuspecting recipients, such as close contacts in the company and partners at external organizations. Because these lateral phishing attacks come from a legitimate email account and appear to be from a trusted colleague or partner, they tend to have a high success rate.

How Lateral Phishing Works

Lateral phishing begins with an account takeover attack. Account takeover is one of the fastest-growing email security threats, and attackers are coming up with many new ways to exploit compromised accounts—lateral phishing is one of them.

Hackers use compromised accounts to learn about the organization, its employees, and its partners. They use this information to carefully craft targeted email messages and send them directly from compromised accounts.

Why Lateral Phishing is Important

The impact of lateral phishing is significant. In fact, one in seven organizations surveyed reported that they experienced account takeover and lateral phishing over a seven-month period.

Due to the implicit trust in the legitimate accounts they’ve compromised, attackers often use compromised accounts to send lateral phishing emails to dozens, if not hundreds, of other organizations so they can spread the attack more broadly. And because they target such a wide range of victims and external organizations, these attacks ultimately lead to increasing reputational harm for the initial victim organization.

These attacks prove particularly insidious because they come from a compromised but legitimate account. As a result, many users and existing email protection systems assume these lateral phishing emails are legitimate, because phishing emails have historically come from spoofed or external accounts.

How to Protect Against Lateral Phishing

There are a number of steps you can take to protect your users against lateral phishing:

Security awareness training

Improving security awareness training and making sure users are educated about this new class of attacks will help make lateral phishing less successful. Unlike traditional phishing attacks, which often use a fake or forged email address, lateral phishing attacks are sent from a legitimate—but compromised—account. As a result, checking the sender properties or email headers for a fake or spoofed sender doesn’t work.

In many cases, carefully checking the actual destination URL (and not just the URL text that is displayed) of any link within the email can help users identify a lateral phishing attack. It’s also very helpful to contact the apparent sender to confirm that any unusual request is in fact legitimate.
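The destination-versus-displayed-text check above can also be automated on the inbound side. The following is an added example, not code from the original page or from Barracuda: it parses an HTML email body with the Python standard library and flags any link whose visible text names one site while the href actually points to a different host. The sample body and the placeholder host names are constructed for the example.

```python
# Added example (not the page's own code): flag links whose visible text
# names one site while the real destination (href) points at a different host.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a bare or http(s)-prefixed domain inside arbitrary visible text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def _norm(host):
    # Lower-case and drop a leading "www." so equivalent hosts compare equal.
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html):
    """Return (visible_text, href) pairs where the text looks like a URL or
    domain but the href actually leads to a different host."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        m = DOMAIN_RE.search(text)
        shown = _norm(m.group(1)) if m else None
        actual = _norm(urlparse(href).hostname)
        if shown and actual and shown != actual:
            flagged.append((text, href))
    return flagged

# Constructed sample body: an honest link, a mismatched link, and a plain-text link.
SAMPLE = """<p>Please review the shared file:</p>
<a href="https://sharepoint.example.com/doc">https://sharepoint.example.com/doc</a><br>
<a href="http://unrelated-site-placeholder.test/x">https://sharepoint.example.com/doc</a><br>
<a href="http://unrelated-site-placeholder.test/y">Open document</a>"""
```

Only the second link is reported: its visible text claims sharepoint.example.com while the href resolves elsewhere; a plain-text link such as "Open document" cannot be judged this way and still needs the manual hover-and-confirm check described above.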

Advanced detection techniques

Lateral phishing represents a sophisticated evolution in the space of email-based attacks. Because these phishing emails come from a legitimate email account, they are more difficult for even well-trained users to detect.

For this reason, it’s important to invest in advanced detection techniques and services that use artificial intelligence and machine learning to automatically identify phishing emails without relying on users to identify them on their own.

Account takeover protection

Lateral phishing attacks originate from compromised accounts, so be sure scammers aren’t using your organization as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognize when accounts have been compromised and that remediates in real time by alerting users and removing malicious emails sent from compromised accounts.

Two-factor authentication

Finally, one of the most important things that you can do to mitigate the risk of lateral phishing is to use strong two-factor authentication (2FA). Today’s two-factor authentication apps and hardware-based tokens can be very effective. While non-hardware-based 2FA solutions remain susceptible to phishing, they can still limit an attacker’s access to compromised accounts.

How Barracuda can help

Barracuda Sentinel is an API-based inbox defense solution that protects against business email compromise, account takeover, spear phishing, and other cyber fraud. It combines artificial intelligence, deep integration with Microsoft Office 365, and brand protection into a comprehensive cloud-based solution.

Sentinel’s unique API-based architecture lets the AI engine study historical email and learn users’ unique communication patterns. It blocks phishing attacks that harvest credentials and lead to account takeover, and provides remediation in real time.

Barracuda PhishLine is an email security awareness and phishing simulation solution designed to protect your organization against targeted phishing attacks. PhishLine trains employees to understand the latest social engineering phishing techniques, recognize subtle phishing clues, and prevent email fraud, data loss, and brand damage. PhishLine transforms employees from a potential email security risk to a powerful line of defense against damaging phishing attacks.