Full Report
Your inbox is an identity system all of its own: whoever owns it may own a lot more
Analysis Summary
# Tool/Technique: Email Account Takeover (ATO) and Phishing
## Overview
Email Account Takeover is a foundational attack strategy where cybercriminals gain unauthorized access to a user's primary email inbox. Because email serves as a central identity hub, attackers leverage this access to reset passwords for other services, intercept multi-factor authentication (MFA) codes, and conduct further social engineering or business email compromise (BEC).
## Technical Details
- **Type**: Technique / Attack Vector
- **Platform**: Multi-platform (Cloud email providers like Gmail/Outlook, Corporate IMAP/Exchange servers)
- **Capabilities**: Password resets, identity impersonation, message interception, persistent access via forwarding rules/API tokens.
- **First Seen**: Not a new technique; the underlying article reports a 36% increase in malicious-email detections in its H2 2025 telemetry.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566 - Phishing]
- [T1566.001 - Phishing: Spearphishing Attachment]
- **[TA0003 - Persistence]**
- [T1137.005 - Office Application Startup: Outlook Rules]
- [T1098.002 - Account Manipulation: Additional Email Delegate Permissions]
- **[TA0006 - Credential Access]**
- [T1528 - Steal Application Access Token]
- [T1539 - Steal Web Session Cookie] (AiTM phishing kits)
- [T1621 - Multi-Factor Authentication Request Generation] (MFA fatigue)
- [T1110 - Brute Force]
- **[TA0009 - Collection]**
- [T1114.002 - Email Collection: Remote Email Services]
- [T1114.003 - Email Collection: Email Forwarding Rule]
## Functionality
### Core Capabilities
- **Password Reset Interception**: Utilizing the "Forgot Password" feature on banking, social media, or cloud sites to receive reset links directly in the compromised inbox.
- **Identity Impersonation**: Sending fraudulent messages to contacts (CEO fraud/BEC) using the victim’s legitimate email address to ensure trust.
- **Data Exfiltration**: Searching the inbox for sensitive files, invoices, photos for blackmail, or corporate CRM/HR data.
### Advanced Features
- **Persistence via Forwarding**: Creating inbox rules, often given a blank or innocuous name so they are overlooked, that forward or redirect incoming mail to a mailbox at an attacker-controlled domain, usually paired with a delete or move action so the victim never sees the copies. Such rules survive a password reset and keep feeding the attacker until someone finds and removes them.
- **Token Stealing (EvilTokens)**: Phishing for the post-authentication session token or cookie instead of the password. The legitimate MFA challenge was already satisfied when the token was issued, so replaying it bypasses MFA (session hijacking).
- **Mobile Phishing (Smishing)**: Targeting users on mobile devices, where the article reports a click rate about 40% higher than for desktop email; small screens hide sender details and full URLs.
## Indicators of Compromise
- **File Names**: Fujifilm-themed attachments (observed in Win/PSW.Delf distribution).
- **Registry Keys**: N/A (Web-based focus).
- **Network Indicators**:
- Sign-ins from unexpected geolocations or ASNs in the account audit logs.
- Sign-ins from anonymizing proxy or VPN exit nodes, which attackers use to blend into the victim's region.
- **Behavioral Indicators**:
- Creation or modification of inbox rules, especially ones that forward to an external address, delete or move messages, or carry blank/placeholder names.
- Bursts of unsolicited MFA push prompts ("MFA fatigue"), a sign that the attacker already holds a valid password.
- Changes to account recovery options (secondary email/phone) or to registered MFA methods.
## Associated Threat Actors
- **General Cybercriminals**: Seeking financial gain through fraud.
- **Win/PSW.Delf Operators**: Specifically noted for using Fujifilm-themed phishing.
- **APT Groups**: Targeted corporate inbox access for espionage.
## Detection Methods
- **Signature-based detection**: Scanning attachments for known malware families such as `Win/PSW.Delf`.
- **Behavioral detection**: Flagging "impossible travel" sign-ins (two sessions for one user whose implied ground speed exceeds any flight) and inbox-rule creation that forwards mail externally or deletes it.
- **Audit Logs**: Reviewing Microsoft 365 or Google Workspace audit logs for new OAuth app consents, API permission grants, and mailbox delegation changes the user did not initiate.
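The two behavioral checks above (inbox rules that forward externally or hide mail, and impossible travel between sign-ins) as an added example; this code is not from the original report or any vendor product. It runs offline over constructed audit records whose shape is modelled on Microsoft 365 unified audit log `New-InboxRule` and `UserLoggedIn` entries. The tenant domain `corp.example`, the sample events, the 900 km/h threshold, and the `Lat`/`Lon` fields (assumed to come from an IP geolocation enrichment step) are all assumptions made for the example.

```python
import math
from datetime import datetime

# Assumption: the tenant's own mail domains; any other domain counts as external.
INTERNAL_DOMAINS = {"corp.example"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDING_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
MAX_SPEED_KMH = 900.0  # faster than a commercial flight: treat as impossible travel

# Constructed sample records; shape modelled on unified audit log New-InboxRule entries.
SAMPLE_RULE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@corp.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@mail-drop.test"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@corp.example",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "Digest"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@corp.example",
     "Parameters": [{"Name": "Name", "Value": "to assistant"},
                    {"Name": "ForwardTo", "Value": "dave@corp.example"}]},
]


def _login(user, when, ip, lat, lon):
    """Constructed UserLoggedIn record; Lat/Lon assumed added by IP geolocation enrichment."""
    return {"Operation": "UserLoggedIn", "ResultStatus": "Success", "UserId": user,
            "CreationTime": when, "ClientIP": ip, "Lat": lat, "Lon": lon}


SAMPLE_LOGINS = [  # Amsterdam then Singapore 98 minutes later; Amsterdam then Berlin 5 h later
    _login("alice@corp.example", "2025-11-03T08:02:11", "203.0.113.7", 52.37, 4.90),
    _login("alice@corp.example", "2025-11-03T09:40:30", "198.51.100.20", 1.35, 103.82),
    _login("bob@corp.example", "2025-11-03T07:00:00", "203.0.113.9", 52.37, 4.90),
    _login("bob@corp.example", "2025-11-03T12:00:00", "192.0.2.44", 52.52, 13.40),
]


def _params(event):
    """Flatten the Name/Value parameter list of an Exchange cmdlet audit record."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def _domain(address):
    """Mail domain of an address; a value without '@' yields '' and is treated as external."""
    return address.rsplit("@", 1)[1].lower().strip("]> ") if "@" in address else ""


def suspicious_rule(event):
    """Reasons an inbox-rule event looks like ATO persistence; empty list if it looks benign."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = _params(event)
    reasons = []
    for name in sorted(FORWARDING_PARAMS & params.keys()):
        for dest in params[name].split(";"):
            dest = dest.strip()
            if dest and _domain(dest) not in INTERNAL_DOMAINS:
                reasons.append(f"{name} sends mail to external address {dest}")
    if reasons and HIDING_PARAMS & params.keys():
        reasons.append("forwarded mail is also deleted/moved, hiding it from the owner")
    if not params.get("Name", "").strip(". _-"):
        reasons.append("rule name is blank or a placeholder")
    return reasons


def scan_rules(events):
    """Map each user to the reasons their inbox-rule events were flagged."""
    flagged = {}
    for e in events:
        reasons = suspicious_rule(e)
        if reasons:
            flagged.setdefault(e["UserId"], []).extend(reasons)
    return flagged


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_SPEED_KMH):
    """Flag consecutive successful sign-ins per user whose implied speed exceeds max_kmh."""
    by_user = {}
    for e in events:
        if e.get("Operation") == "UserLoggedIn" and e.get("ResultStatus") == "Success":
            by_user.setdefault(e["UserId"], []).append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["CreationTime"])
        for a, b in zip(evs, evs[1:]):
            hours = (datetime.fromisoformat(b["CreationTime"])
                     - datetime.fromisoformat(a["CreationTime"])).total_seconds() / 3600
            km = haversine_km(a["Lat"], a["Lon"], b["Lat"], b["Lon"])
            kmh = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if kmh > max_kmh:
                hits.append({"user": user, "from_ip": a["ClientIP"], "to_ip": b["ClientIP"],
                             "km": round(km), "hours": round(hours, 2), "kmh": round(kmh)})
    return hits


if __name__ == "__main__":
    for user, reasons in scan_rules(SAMPLE_RULE_EVENTS).items():
        print(f"[rule] {user}: " + "; ".join(reasons))
    for hit in impossible_travel(SAMPLE_LOGINS):
        print(f"[travel] {hit}")
```

Two practical caveats: a real audit export wraps each record in an `AuditData` JSON string and may encode forwarding targets with display names, so `_domain` needs to be adapted to the exact encoding, and rules created from Outlook desktop are logged under `UpdateInboxRules` rather than `New-InboxRule`, so hunt on both operations. Carol's rule forwards inside the tenant and is left alone; delegation to an assistant is normal, whereas Alice's rule combines an external target, a delete action and a placeholder name, which is the classic post-ATO pattern.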
## Mitigation Strategies
- **Enforce MFA**: Prefer phishing-resistant methods (FIDO2 security keys or passkeys) over SMS. App-based one-time codes are better than SMS but can still be relayed by an AiTM kit, so they raise the bar without closing it.
- **Identity Hygiene**: Regularly review recovery settings, active sessions, connected apps and OAuth grants, and inbox rules. After a suspected compromise, revoke sessions and tokens rather than only resetting the password, since a stolen token stays valid until it is revoked.
- **Employee Training**: Security awareness focused on recognising manufactured urgency and mismatched or lookalike sender domains.
- **DMARC/SPF/DKIM**: Implement email authentication to stop outsiders spoofing your domain. Note the limit: mail sent from a genuinely compromised mailbox authenticates correctly, so DMARC complements the controls above rather than replacing them.
## Related Tools/Techniques
- **Adversary-in-the-Middle (AiTM)**: Phishing kits that proxy the real login page and capture the session cookie issued after MFA completes.
- **Business Email Compromise (BEC)**: Financial fraud resulting from inbox access.
- **Win/PSW.Delf**: Trojan often delivered via email used to steal credentials.