Researchers from Agari entered credentials that didn’t belong to anyone into phishing sites and then waited to see what the phishers did next with the compromised credentials.
The report found that 23% of the accounts were accessed immediately. So, that means it will more than likely be an automated system that logs in to check the credentials. 50% of the accounts, however, were accessed manually within just 12 hours of the compromise. Within the first 7 days, 91% of the compromised accounts were accessed manually.
How Are Compromised Accounts Used?
The phishing pages that the credentials were put into were impersonating legit services such as Office 365, Microsoft OneDrive, SharePoint, Adobe Document Cloud, etc.
Six months, activity was detected in nearly 40% of their psuedo-compromised accounts.
Although a majority of the compromised accounts (64%) were only accessed one time, a number of the accounts were accessed repeatedly over an extended period of time. In fact, one account was accessed 94 times over a four-and-a-half month period, a great example of the persistent and continuous access cybercriminals maintain on compromised email accounts.Agari
Attackers use exploited enterprise mailboxes to map out employees within an organization. They will find out who has access to the company’s financial information, etc. Then, they usually set up redirect rules or email forwarding to get the latest information coming in.