Digital Shadows (now ReliaQuest)’ latest research report, Pst! Cybercriminals on the Outlook for Your Emails, highlights the different ways cybercriminals can access corporate email accounts to perform business email compromise (BEC) attacks. Our previous two blogs looked at how attackers can outsource this work to other online actors, or even try their luck with previously compromised credentials for finance and accounting departments. Both these approaches create opportunities for actors, often with lesser-capabilities, to conduct BEC operations without the need to conduct their own phishing campaigns or use information stealing malware.

If that wasn’t enough, there is a third method available to cybercriminals, with companies and individuals inadvertently exposing entire email inbox archives across misconfigured file sharing services. Building on our research paper, Too Much Information, we searched for emails and email archives across FTP, rsync, SMB, S3 buckets, and network attached storage (NAS) drives. All in all, we discovered 12,556,810 email archives exposed across these services. Why go to a dark web market and pay for access when you can get sensitive information for free on the open web?


Pst! Email Archive Exposure

To determine the level of email archive exposure, we searched across misconfigured SMB, rsync, FTP, S3 buckets, and NAS drives for the following email file types:

  • EML: EML is a file extension for an e-mail message saved to a file in the MIME RFC 822 standard format by Microsoft Outlook Express as well as some other email programs.
  • MSG: MSG is a file extension for a mail message file format used by Microsoft Outlook and Exchange. MSG files may be exported for the purposes of archiving and storage or scanning for malware.
  • PST. Personal Storage Table – Outlook (.pst) Data Files are used for POP3, IMAP, and web-based mail accounts
  • OST. Outlook (.ost) Data Files are used when you have an Exchange account and want to work offline or use the default Cached Exchange Mode.
  • mBox. MBOX stands for MailBOX. The MBOX file is the most common format for storing email messages on a hard drive

 In total, we detected over 12 million exposed files, with EML and MSG the most popular. The full breakdown is provided in Figure 1.


Figure 1: Number of exposed files for different email file formats


A BEC Goldmine

Gaining access to a corporate email account can be highly lucrative for an attacker. Contracts, invoices and purchase orders will all be stored in these inboxes – perfect for conducting BEC campaigns. We detected over 50,000 email files that contained “invoice” (27,000), “payment” (21,000) or “purchase order” (7,000) in the subject line across unauthenticated or misconfigured file stores.

In some instances, these were worryingly sensitive. In Figure 2, a whole accounting firm’s email correspondence with clients was publicly-available online, including thousands of invoices and tax returns – a gold mine for a BEC campaign or fraudster looking to sell documents on forums and marketplaces.


Figure 2: Accounting firm exposing client information, including emails with tax return information. Redacted by Digital Shadows (now ReliaQuest)


We all archive and store emails somewhere, but this level of exposure prompts us to ask ourselves many questions: are you securing email archives appropriately? Have your employees been given training on the risks of using home NAS drives? And what about your 3rd parties and contractors?


To learn how to reduce the risk of BEC for you and your organization, download a copy of our latest research report, Pst! Cybercriminals on the Outlook for Your Emails.


We’ve also created an infographic around our BEC research. Here are 5 ways that cybercriminals gain access to emails without conducting a phishing campaign or network intrusion.

To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.


Photon logo small