A Wolf in Sheep’s Clothing: Are Cybercriminals Hiding Out in Your Privileged Accounts?


ProofpointProtect people. Defend data.

Monday, November 20, 2023

Discover the growing threat of identity theft in today's digital world and how cybercriminals are leveraging email-based attacks to compromise organizations.


In today’s digital world, identity theft has become one of the biggest threats to your cybersecurity.

Skilled cybercriminals have worked out that it’s easier, cheaper, and far more effective for them to steal credentials and gain access to your systems, rather than waste time hacking through strong technical controls.

By gaining the access details for just one employee’s account, criminals can begin to move laterally through your company’s networks and systems, stealing more data, escalating privileges and compromising servers to download sensitive information along the way.

This means that a criminal can easily turn just one compromised identity into a company-wide breach.

What’s more concerning is the fact that these attacks can be harder to detect, which is why so many organizations are unaware of the risks they pose.

With that in mind, security professionals need to think carefully about the tools and systems they have in place and whether these are enough to spot and stop compromised users. The earlier they can recognize stolen credentials and lateral movements, the easier it is to mitigate the damage.

Email remains the most common point of entry

Cybercriminals know all too well that people hold the key to an organization’s most important data. They also know that it is relatively easy to trick or mislead individuals, whether regular users or more privileged ones, into completing an action that could jeopardize the business and its sensitive data.

And this can be done with just one simple email.

In fact, email-based attacks remain the most common form of cybercrime. In 2022 alone, over 300,000 people in the US fell victim to phishing scams, while in the UK, phishing contributed to 83% of the cyberattacks suffered by businesses.

Among the UK organizations that experienced attempted email-based phishing attacks last year, 91% experienced at least one successful attack.

Of these successful attacks, 43% resulted in credential theft and/or account compromise, where employees inadvertently expose their credentials, giving threat actors access to sensitive data and their business accounts.

In fact, phishing is the main delivery method for ransomware, with one study finding that 26% of organizations experienced a significant increase in the number of email-based threats in 2022, and of those, 88% were targeted by ransomware.

What’s most concerning is that nearly 30% of phishing emails are opened. From this data, it’s easy to see that strong email security is absolutely critical to an organization and its employees.

The good news is that there are several ways that organizations can work to block these targeted attacks before they ever reach an employee’s inbox. These include:

  • Email gateway filtering
  • Advanced threat analysis
  • Email authentication

It’s important to understand the entire attack chain in order to build an effective, defense-in-depth cybersecurity strategy. This must cover the varying threats that your employees and their identities are facing.

How to break the attack chain

Cybercriminals will continue to use email-based techniques like this for one simple reason: it works.

All it takes is one initial compromised email, and a criminal could access a large volume of email accounts and your domain, giving them the opportunity to steal data and commit other types of fraud.

They will continue to target employees with malicious emails in the hopes of gaining access to company accounts and systems, so organizations must do all they can to break the links in the attack chain and stop this from happening.

The first step to breaking the chain is to stop the identities from becoming compromised in the first place. This is why a robust email security strategy is crucial.

Compromised accounts can also go undetected for prolonged periods of time, which makes them an even bigger risk.

Sure, the deployment of privileged account management (PAM) and multi-factor authentication (MFA) tools can help. But even with these defenses in place, these types of attacks are still on the rise.

And if they are left undetected, organizations can find themselves facing an even bigger issue: escalation and lateral movement within their networks.

To combat this, organizations must be able to identify and respond to compromised users in a timely manner. In doing so, they can remove what the criminal needs to complete their attack: access to a privileged account or high-value system.
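Two simple detections for the behaviour described above, spotting an account fanning out to many systems in a short window (a lateral-movement indicator) and a privileged account used from a host outside its normal baseline. This is an added example, not Proofpoint’s code or part of the original article; the authentication events, host names and the privileged-account baseline are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not from the article):
# (timestamp, account, source host, target host, outcome)
SAMPLE_EVENTS = [
    ("2023-11-20T09:00:00", "jdoe", "WS-101", "FILESRV-1", "success"),
    ("2023-11-20T09:03:00", "jdoe", "WS-101", "FILESRV-1", "success"),
    ("2023-11-20T13:10:00", "jdoe", "WS-101", "HR-DB", "success"),
    ("2023-11-20T13:11:30", "jdoe", "WS-101", "FIN-APP", "success"),
    ("2023-11-20T13:12:45", "jdoe", "WS-101", "DC-01", "success"),
    ("2023-11-20T13:14:00", "jdoe", "WS-101", "BACKUP-1", "success"),
    ("2023-11-20T13:20:00", "svc_backup", "WS-101", "DC-01", "success"),
    ("2023-11-20T14:00:00", "asmith", "WS-202", "FILESRV-1", "success"),
]

# Assumed baseline: the source hosts each privileged account is normally used from.
PRIVILEGED_BASELINE = {"svc_backup": {"BACKUP-1"}, "admin_it": {"JUMP-01"}}

def parse(ev):
    ts, account, src, dst, outcome = ev
    return datetime.fromisoformat(ts), account, src, dst, outcome

def detect_lateral_movement(events, window=timedelta(minutes=10), max_targets=3):
    """Flag an account that successfully reaches more than max_targets
    distinct hosts within one sliding window; return one alert per account."""
    by_account = defaultdict(list)
    for ts, account, _src, dst, outcome in map(parse, events):
        if outcome == "success":
            by_account[account].append((ts, dst))
    alerts = []
    for account, hits in by_account.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(targets) > max_targets:
                alerts.append((account, start.isoformat(), sorted(targets)))
                break
    return alerts

def detect_privileged_misuse(events, baseline=PRIVILEGED_BASELINE):
    """Flag a privileged account used from a source host outside its baseline."""
    alerts = []
    for ts, account, src, dst, outcome in map(parse, events):
        if account in baseline and src not in baseline[account]:
            alerts.append((account, src, dst, ts.isoformat()))
    return alerts
```

In the constructed sample, jdoe reaching four systems in under five minutes and svc_backup being used from a workstation are exactly the signals a responder would want raised early.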

This will require a unique and robust approach that helps these organizations to better understand the risks associated with identity attacks and how to remedy these. By getting the right technical controls in place, they can reduce the threat of identity theft and compromise.

Empowering employees and sharing responsibility

Of course, breaking the attack chain doesn’t just stop with technical controls. For the best possible outcome organizations need a combination of technology, processes, and people. This is because security needs to be a joint effort and a shared responsibility across your organization.

As 74% of data breaches rely on the human element to be successful, your employees play a critical role in defending your business from these attacks.

With that in mind, organizations need to empower employees at every level, ensuring they understand security best practices and how their own behavior can lead to a breach.

A big part of this should be training programs.

Despite this, Proofpoint’s 2023 State of the Phish report found that only 56% of global organizations with a security awareness program actually make the effort to educate the entire workforce.

So clearly there is a lot more work to be done in this area.

And as cybercriminals make it their business to try and hack your network and systems to steal or ransom your data, the very least you can do is make them work for it.

But if you need a little support, Proofpoint can offer the perfect solution. The Proofpoint Identity Threat Defense and Proofpoint Aegis solutions can help you prevent identity risks and detect real-time threats in your networks and systems.
