Hacker groups use a tactic known as a “low and slow” attack to try to exploit email vulnerabilities. With this tactic, the attackers deliberately slow down the rate of their password guessing in order to avoid detection. These attacks are stealthy and are often missed by security admins.
For example, an attacker may try to guess a user’s email password at the rate of 1 per hour. This would NOT trigger Fail2Ban (automated systems) which are designed to block such attacks. This can allow the attacker to continue attempting to guess the password without being detected or blocked.
But at a rate of 1 guess per hour, it will take years for hackers to succeed. This is why we see the distributed nature of the attack over thousands of devices. In our case, I saw more than 25,000++ IP addresses in a span of 5 days.
Why Hackers are targeting your emails
Email compromise occurs when an attacker gains access to an individual’s or organization’s email account. The hacker is able to read, send, and/or delete emails as if they were the legitimate owner of the account. This can have serious consequences for an organization or an individual. Check out FBI warning re: BEC (Business email compromise)
For an organization, email compromise can result in the theft of sensitive or confidential information, such as financial data, trade secrets, or customer information. It can also lead to financial losses, as the attacker may send fake invoices or requests for money to be transferred to their own accounts. In addition, an attacker with access to an organization’s email account may be able to send malicious emails to employees or customers, potentially causing damage to the organization’s reputation. Think phishing emails with ransomware payload!
For an individual, email compromise can also have serious consequences. The attacker may use the individual’s email account to send spam or phishing emails to their contacts, potentially leading to further attacks on those individuals. The attacker may also use the individual’s email account to gain access to other accounts, such as social media or financial accounts, by resetting the passwords and using the email account to receive the reset instructions.
Overall, email compromise can have significant and far-reaching consequences for both organizations and individuals. It is important to take steps to protect your email accounts and to be cautious about opening emails or clicking on links from unknown sources.
How to thwart eMail brute force attacks
To protect against low and slow attacks, it is important for email administrators to carefully monitor and analyze login activity on their systems and to set appropriate thresholds for blocking suspicious activity. Tip: Grep/Filter for “SASL Login Failure” or “Failed SASL login” in your maillogs.
Reconfigure more restrictive settings for fail2ban. Monitor intrusion detection and prevention systems for failed login activity. Block or alert these failed or unusual activities.
Additionally, individuals and organizations can take steps to protect their email accounts from low and slow attacks by using strong and unique passwords, enabling two-factor authentication, and regularly changing their passwords. This can make it more difficult for attackers to gain access to their accounts, even if they are using a low and slow attack tactic.
As a security admin, I have compiled a list of the top IP addresses of the hackers that can be used to configure your firewalls. Drop them before they reach your email servers. This is available for free.