
Handling an Account Takeover

If you become aware that a malicious actor has seized control of an internal email account, you can take steps within Barracuda Sentinel to begin to mitigate the problem and prevent more takeovers.

Barracuda Sentinel can detect Account Takeovers based on many factors, including:

  • Suspicious sign-ins
  • Suspicious Inbox rules

Note: You can only resolve issues with accounts that are currently being tracked by Barracuda Sentinel.

To handle a compromised email account, complete the following steps:

  1. Click the menu icon and select Account Takeover. Scroll down to Incidents, and click NEW INCIDENT.
    Read the first screen and click Next to continue.
  2. Enter the first few characters of the compromised account's email address to search for it, then select the account within Sentinel.
    Enter all or part of the subject of the malicious email and select the approximate time frame when the malicious email was received.
    Note: If you are creating an incident based on an alert, for example a suspicious sign-in, you might not have a sample email. In this case, select the I don't have a sample... checkbox. Refer to Account Takeover Alerts for more information on alerts.
    Click NEXT. Sentinel will search for the specific emails you have designated as being malicious.
  3. Take a close look at the emails found by Sentinel. Make sure that they are all, indeed, malicious.
    If any are not malicious, click the BACK button and attempt to narrow down the search by using a more specific Subject or time frame.
    If all the emails displayed are malicious, click YES, ALL ARE MALICIOUS.
  4. Sentinel locates malicious messages that were sent to internal recipients. At this stage you have the following options:
    • Click CLEAN UP to have Sentinel access each internal recipient's mailbox and take an action. Specify the action:
      • Permanently delete the attack email from recipients' inboxes.
      • Move the malicious email out of the recipient's Inbox to a Junk mailbox.
    • Click SKIP to handle the malicious messages using your organization's own protocols and procedures and move to the next step.
    • Click DISMISS to handle the malicious messages using your organization's own protocols and procedures and exit this process.
  5. Select the email address to use as the sender of the notification, and click View message preview to edit the message sent to these external recipients.
    Optionally, click Export to CSV to save a record of the external names and emails of those affected by this incident.
    Click Send Notifications to warn external recipients about the incident. Emails will be sent within ten minutes.

    The process of locating external issues is not completely accurate. Some external recipients might have received the malicious message but cannot be tracked by Sentinel.



  6. Review the Inbox rules for the account affected by this incident and delete any rules, if needed. Then click Next to continue.
    Inbox rules are often used by attackers to cover their tracks or take advantage of the accounts they take over. Review rules that might move, delete, or forward emails automatically.

  7. You must now manually disable the account. Barracuda suggests you at least complete the following steps:
    • Disable the account sign-in.
    • Reset the account password.
    • Kill any of the account's existing sessions with any of your organization's systems.

  8. Barracuda recommends enabling multi-factor authentication to prevent future incidents.
