How Email Logs Tell the Story Behind an Inbox Compromise
Because email is one of our routine, daily tasks — “circling back,” subscribing and unsubscribing from mailing lists, paying invoices — it’s easy to overlook the sensitivity of information housed in the inbox. Conversations, customer contacts, and troves of personal or company data are all available in one place for attackers to grab and use to their advantage.
Simply put, threat actors target email accounts for a reason. In the first half of 2024, one-third of claims observed by Coalition stemmed from business email compromise. The average loss from funds transfer fraud was $218,000.
In the event that your organization is a victim, how do you know what data threat actors accessed, if any? Do you need to reset passwords for all user accounts? How far does the compromise go?
The answers to all of the above can often be found in your email logs — as long as they’re turned on.
What is logging?
Logging identifies activity within a certain application or computer system. Everything from your operating system to your endpoint devices documents events (like logins) as text records. These digital records, or logs, tell a comprehensive story.
If your organization experiences a cyber event, logging helps digital forensic and incident response (DFIR) teams understand how threat actors accessed your server, when they did it, and the extent of the compromise.
In an email environment, like Microsoft 365®, email logs track account sign-ins, mail transmission, mailbox interactions, file downloads, and general configuration changes.
Why email logs matter
Consider an airplane’s flight recorder or “black box.” It stores data on information pertinent to potential causes of a crash or incident, like cockpit commands, flight controls, and fuel systems. If a plane crashes, a black box explains what went wrong and helps airlines prevent similar scenarios in the future.
Email logs serve as the black box for incident response teams looking to help stop the spread following a breach.
When it comes to your inbox, what does the data tell them?
Without email logging enabled, it’s extremely difficult to determine the extent of the compromise. If an organization with hundreds of employees experiences a breach, and there’s not enough data to pinpoint where it starts or ends, you would need to force sign-out of all sessions and reset the passwords for everyone to secure your email environment. That’s weeks of work, which is a daunting task for most businesses.
To try to avoid that entire process, many businesses opt to focus solely on resetting passwords and performing a forced logout for the accounts they know are compromised, which leaves them vulnerable if threat actors are hiding out elsewhere.
It’s also helpful to know what data, if any, has been compromised. Regulatory requirements dictate when and how organizations should notify impacted customers of a data breach, and in many instances, businesses are required to notify each affected individual whose sensitive information “is reasonably likely to have been compromised.”
Notification costs and time can be drastically reduced when you have the right information to narrow down the impacted individuals. Otherwise, attorneys will likely recommend notifying all individuals with data contained in the compromised mailbox.
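As an added illustration (not code from the original post), the snippet below runs the kind of scoping an incident responder does over audit records: starting from the IP addresses a confirmed-compromised account was accessed from, it finds every other account touched from the same addresses, the first and last time each was touched, and whether mail or files were actually read. The records are constructed samples loosely modeled on the field names in Microsoft 365 unified audit log entries, not real log data.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real logs); field names are modeled on the
# AuditData JSON that Microsoft 365 unified audit log exports carry.
SAMPLE_LOG = [
    '{"CreationTime":"2024-05-01T08:02:11","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"203.0.113.7","ResultStatus":"Success"}',
    '{"CreationTime":"2024-05-01T08:05:40","Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"203.0.113.7"}',
    '{"CreationTime":"2024-05-01T08:09:02","Operation":"MailItemsAccessed","UserId":"alice@example.com","ClientIP":"203.0.113.7"}',
    '{"CreationTime":"2024-05-01T09:15:00","Operation":"UserLoggedIn","UserId":"bob@example.com","ClientIP":"198.51.100.22","ResultStatus":"Success"}',
    '{"CreationTime":"2024-05-01T10:30:12","Operation":"UserLoggedIn","UserId":"carol@example.com","ClientIP":"203.0.113.7","ResultStatus":"Success"}',
    '{"CreationTime":"2024-05-01T10:31:00","Operation":"FileDownloaded","UserId":"carol@example.com","ClientIP":"203.0.113.7"}',
]

# Operations that mean mailbox content or files were actually read, which is
# what drives breach-notification scoping rather than just a password reset.
DATA_ACCESS_OPS = {"MailItemsAccessed", "FileDownloaded"}


def scope_compromise(lines, actor_ips):
    """Group audit events from the actor's IPs by account.

    Returns {user: {"first": datetime, "last": datetime,
                    "operations": [...], "data_accessed": bool}}.
    Accounts absent from the result saw no activity from those IPs.
    """
    hits = defaultdict(lambda: {"first": None, "last": None,
                                "operations": [], "data_accessed": False})
    for line in lines:
        rec = json.loads(line)
        if rec.get("ClientIP") not in actor_ips:
            continue  # not attributable to the actor's infrastructure
        when = datetime.fromisoformat(rec["CreationTime"])
        acct = hits[rec["UserId"]]
        acct["first"] = when if acct["first"] is None else min(acct["first"], when)
        acct["last"] = when if acct["last"] is None else max(acct["last"], when)
        acct["operations"].append(rec["Operation"])
        if rec["Operation"] in DATA_ACCESS_OPS:
            acct["data_accessed"] = True
    return dict(hits)


if __name__ == "__main__":
    # Assumed scenario: alice's compromise is confirmed and 203.0.113.7 is
    # the address the actor used; carol surfaces as a second victim.
    for user, info in scope_compromise(SAMPLE_LOG, {"203.0.113.7"}).items():
        print(user, info["first"], info["last"], info["operations"],
              "data accessed" if info["data_accessed"] else "no data access")
```

With the actor's addresses known, the output is the list of accounts that need a forced sign-out and reset, the activity window for each, and which mailboxes need a notification review, instead of resetting every account in the tenant.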
Are your email logs turned on?
If your organization uses Google Workspace®, email logs are automatically turned on! You’re all set.
If your organization uses Microsoft 365, you may need to manually turn on the unified audit log (UAL).
Microsoft 365 recently changed its default approach to logging, moving mailbox audit logging (MAL) and admin audit logging (AAL) under the umbrella of the UAL, which may need to be manually enabled. To turn on email logs, it’s just one click and no additional cost.
Log management beyond the inbox
It’s straightforward for you to flip the switch on an email server and start the logging process. The data is all stored in the cloud, making it manageable for small businesses without any additional investments.
But email is just one facet of critical infrastructure at your organization. Endpoints, cloud services, productivity applications, and additional security tools all generate logs (and risk) at an overwhelming rate.
You run into a two-pronged problem: All of that infrastructure creates too much data for any one person to parse through, and most of these applications and servers don’t come with enough storage to hold onto information dating back more than a few hours.
While large organizations may opt for in-house security information and event management (SIEM) to collect and analyze logs from various sources, like firewalls, servers, and network devices, it can be challenging for small businesses to adopt on-premise SIEM solutions. Typically, they require staffing in-house analysts and can cost up to $607,000 per year to maintain.
Small or medium-sized businesses that are looking to get serious about log management — but lack the time or resources to go all the way down the SIEM rabbit hole — may find success with managed detection and response (MDR) and extended detection and response (XDR) solutions.
MDR provides small teams with extra human expertise to detect and respond to threats, particularly by analyzing their network data. XDR (often paired with MDR offerings) provides a more panoramic view of security threats across your infrastructure. If an incident occurs, your MDR/XDR offering can hold onto six months of past logs versus only the few hours of data that your firewall can.
Learn more about Coalition’s round-the-clock MDR solution, which includes XDR and EDR technologies.