Advanced phishing

Why social graphs won’t save you from account takeover attacks

by Egress
Published on 12th Aug 2021

Account takeover (ATO) is a dangerous form of business email compromise (BEC). Attackers gain access to a legitimate email account within an organisation, often by stealing credentials through spear phishing. They’ll then send emails from the compromised account with the goal of getting a fraudulent payment authorised or accessing sensitive data to exfiltrate.

Social graphs are touted by some as the answer to sophisticated attacks like account takeover – and they are indeed useful as part of a wider defence against phishing and preventing outbound email data breaches. However, they have some major limitations when it comes to dealing with advanced inbound attacks, such as supply chain compromise and ATO.

On its own, social graph technology is simply not enough to protect you. Here’s what you need to know.

What are social graphs?

Social graphs, sometimes known as relationship graphs, map the communication patterns between people. They show which colleagues within a business communicate with each other, as well as who they contact outside of the organisation. This lets the software determine a level of trust between people. For example, if two people email each other regularly, they would be deemed as having a high level of trust.

However, it doesn’t only take direct contact into account. Just because someone hasn’t emailed you before, they can still be a trusted member of your wider network. For example, you may receive an email from a client for the first time. However, if the client regularly corresponds with colleagues from your own close social circle, there will be a higher degree of trust. This works in a similar (but more advanced!) way to how LinkedIn classes people as first, second and third degree contacts.

Social graphs are particularly powerful when it comes to ensuring outbound emails and attachments go to the right recipients and alerting users to misdirected sends. The technology also offers an effective way of catching out spoofed spear phishing emails that closely mirror real addresses:

Real: mike.brown@TechCompany.com

Spoof: mike.brown@TechC0mpany.com

A social graph would detect that there had been no prior contact or mutual correspondence from the spoofed email account with the intended recipient or with any of their contacts.

Why don’t social graphs work against ATO?

Social graphs detect inbound threats by looking for tell-tale signs that flag up risk:

  • First-time communication
  • Display name anomalies
  • Spoofed email addresses
  • Unusual IP addresses

However, account takeover presents a unique challenge to social graphs, as well as to any anti-phishing technology that relies on blocklists and malware detection. The cybercriminal is using a legitimate email account, so there isn’t a spoofed address, display name anomaly, or malware to detect. There is often a history of real email communication between the compromised account and the scammed recipients, showing evidence of a legitimate relationship before the account was compromised.

IP addresses are largely irrelevant when it comes to account takeover too. Because the attacker is sending email through a cloud provider such as Microsoft 365, or from the compromised account itself, the source IP address will belong either to that cloud provider or to the company that has been hacked. It therefore gives no signal for determining a threat.
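To make the blind spot concrete, here is a toy relationship-graph trust scorer (an added illustration, not Egress code or any vendor's algorithm). It builds first- and second-degree contacts from a constructed history of legitimate email, catches the lookalike-domain spoof from the earlier example because there is no prior relationship, and shows that mail from the genuine, now-compromised account scores as fully trusted. All addresses are constructed sample data.

```python
# Toy social/relationship graph for inbound trust scoring (added example).
# Trust is derived purely from communication history, which is exactly why
# a compromised legitimate account is indistinguishable from its real owner.

# Constructed history of past legitimate email: (sender, recipient) pairs.
HISTORY = [
    ("mike.brown@techcompany.com", "alice@example.org"),
    ("alice@example.org", "mike.brown@techcompany.com"),
    ("mike.brown@techcompany.com", "alice@example.org"),
    ("bob@example.org", "alice@example.org"),
    ("alice@example.org", "bob@example.org"),
    ("carol@partner.net", "bob@example.org"),   # client known to Alice's colleague
]


def build_graph(history):
    """Undirected contact graph: address -> {contact address: message count}."""
    graph = {}
    for sender, recipient in history:
        s, r = sender.lower(), recipient.lower()
        graph.setdefault(s, {})[r] = graph.get(s, {}).get(r, 0) + 1
        graph.setdefault(r, {})[s] = graph.get(r, {}).get(s, 0) + 1
    return graph


def trust_score(graph, sender, recipient):
    """1.0 = direct prior contact, 0.5 = contact of a contact, 0.0 = never seen."""
    sender, recipient = sender.lower(), recipient.lower()
    contacts = graph.get(recipient, {})
    if sender in contacts:                      # first-degree relationship
        return 1.0
    for contact in contacts:                    # second-degree relationship
        if sender in graph.get(contact, {}):
            return 0.5
    return 0.0


def classify(graph, sender, recipient, threshold=0.5):
    """Verdict a graph-only filter would give for an inbound message."""
    if trust_score(graph, sender, recipient) >= threshold:
        return "trusted"
    return "flag: no prior relationship"


if __name__ == "__main__":
    g = build_graph(HISTORY)
    # Lookalike domain (TechC0mpany) has no history at all: caught.
    print(classify(g, "mike.brown@TechC0mpany.com", "alice@example.org"))
    # Same genuine address after an account takeover: sails through.
    print(classify(g, "mike.brown@TechCompany.com", "alice@example.org"))
```

The same scorer also shows the second-degree case from the article: a client who has only ever emailed a close colleague still lands above the trust threshold.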

Limitations against zero-day attacks

Social graphs rely on connecting huge numbers of data points that link all emails in and out of a business in order to try and catch impersonation. However, this still isn’t enough data for full accuracy. If an attack is new or highly sophisticated, there won’t be much data on it in the model. Social graphs suffer from survivorship bias: they can only learn from the things they already detect.

So how can a model feed a phishing tactic into its algorithms, if it didn’t detect it in the first place? If something slips through the defences of a solution that relies on social graphs, then it slips through. This makes it ineffective against zero-day attacks that are being seen for the first time, and in practice little more effective at preventing advanced phishing than a Secure Email Gateway (SEG) blocklist.

When relying on social graph solutions or SEGs, the only real solution to zero-day attacks is for users to flag and report new attacks. Of course, that means non-cyber experts need to detect attacks in the first place, and also not report any false positives that could skew the algorithm. This also places a burden on administrators when it comes to checking reports and updating their solutions.

How can you eliminate ATO and zero-day attacks?

You need to be able to detect the subtle signs of advanced inbound attacks that social graphs cannot pick up. For example, natural language processing (NLP) capabilities can detect anomalies in the content of emails. A CEO may usually sign off their emails with a simple ‘Thanks’ and their initials. If they suddenly started using ‘Kindest regards’ with full name and job title, NLP can pick up on this, as well as other linguistic flags such as urgent or pressurising phrases.
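The sign-off and urgency checks described above, as an added example that is not Egress Defend's NLP and not code from the original post. It keeps a per-sender baseline of how a constructed CEO normally closes emails and flags a message whose closing or wording departs from it. The history, phrase list and message bodies are all constructed sample data.

```python
# Per-sender language baseline for ATO-style content anomalies (added example).
# A graph-based filter sees nothing wrong with these messages; the content does.

# Constructed history of how this sender normally closes emails.
CEO_HISTORY = [
    "Please review the Q2 numbers.\n\nThanks\nJS",
    "Can we move the board call to 3pm?\n\nThanks\nJS",
    "Good work on the launch.\n\nThanks\nJS",
]

# Constructed list of pressurising phrases; a real model would learn these.
URGENCY_PHRASES = ("urgent", "immediately", "right away", "before end of day")


def sign_off(body):
    """Return the final paragraph (the closing and signature), lower-cased."""
    parts = [p.strip() for p in body.strip().split("\n\n") if p.strip()]
    return parts[-1].lower() if len(parts) > 1 else ""


def baseline(history):
    """Count each distinct sign-off the sender has used before."""
    counts = {}
    for body in history:
        s = sign_off(body)
        counts[s] = counts.get(s, 0) + 1
    return counts


def language_flags(body, history):
    """List the content anomalies in `body` relative to the sender's history."""
    flags = []
    if sign_off(body) not in baseline(history):
        flags.append("sign-off differs from sender's usual closing")
    text = body.lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        flags.append("pressurising language: " + ", ".join(hits))
    return flags


if __name__ == "__main__":
    print(language_flags("Deck attached.\n\nThanks\nJS", CEO_HISTORY))
    print(language_flags(
        "Please process the attached invoice immediately, before end of day."
        "\n\nKindest regards\nJohn Smith\nChief Executive Officer", CEO_HISTORY))
```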

Some technologies that primarily rely on social graphs have had elements of linguistic analysis added as an afterthought. Egress Defend, on the other hand, was built and shaped from the ground up by GCHQ (the UK government’s intelligence agency), with machine learning and NLP capabilities as key components from the start.

By using a zero-trust approach to cybersecurity, Defend treats every email as untrustworthy by default, allowing it to detect the most advanced types of threat, particularly those leveraging pre-existing relationships like ATO. It scans emails for any sign of malicious content when they come in, and then scans them again once a link is clicked to analyse where the link is going. This provides layered protection in several steps.

In addition, user actions do not feed into our model, meaning we remove the risk of non-experts poisoning the algorithms and weakening our detection capabilities. Egress doesn’t make admins waste time manually reviewing emails; instead, it focuses on displaying better information for the user through clear, unobtrusive, heat-based banners. This empowers users to become cybersecurity assets, rather than security risks.

Want to learn more?

Learn more about how Egress Defend protects your business from sophisticated attacks such as account takeover here. Want to see it for yourself? We’re more than happy to set you up with a no-strings-attached demo.