Organizations Should Establish ‘Blame-Free Employee Reporting’ of Suspicious Activity, CISA Says

The Cybersecurity and#38; Infrastructure Security Agency (CISA) has warned businesses that rely on cloud services to look out for phishing campaigns and other threats that exploit poor cybersecurity practices and misconfigurations in cloud services.

The agency said it is aware of several recent successful cyberattacks against unnamed victims, and provides granular examples of the tactics, techniques and procedures (TTPs), as well as the indicators of compromise (IOCs) that CISA observed as part of these engagements.

CISA stresses that its report is not tied to any one threat actor or specifically associated with any known incidents, like the recent SolarWinds hack, or other recent events.

Targeting remote workers

The lengthy analysis was put together with remote workers in mind, with CISA noting that the attacks described in the document “frequently occurred when victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services.”

“Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks,” CISA notes.

The actors involved in the attacks laid out by CISA are said to have used phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in victim organizations’ cloud security practices.

CISA’s description of the latest phishing attempts fit the bill for spear phishing, or whaling, where the attackers typically go after a high-profile victim who handles the company’s finances, or an executive. With the victim in the phishers’ net, the attackers took advantage of email forwarding rules to steal sensitive information.

Clever use of email forwarding

In several engagements, CISA observed threat actors collecting sensitive information by taking advantage of email forwarding rules, which users had set up to forward work emails to their personal email accounts, the agency explains.

In one case, investigators determined that “the threat actors modified an existing email rule on a user’s account—originally set by the user to forward emails sent from a certain sender to a personal account—to redirect the emails to an account controlled by the actors.”

The attackers modified the rule to forward not just some emails, but all of them, to the account they controlled.

Cyber actors are also increasingly thwarting multi-factor authentication (MFA) by using what CISA refers to as a “pass-the-cookie” attack.


The agency offers a lengthy list of recommendations and best practices to all organizations with remote staff that rely on cloud applications and services. Some of those include:

  • Routinely review user-created email forwarding rules and alerts, or restrict forwarding
  • Have a mitigation plan or procedures; understand when, how and why to reset passwords and to revoke session tokens
  • Consider a policy that does not let employees use personal devices for work
  • Consider restricting users from forwarding emails to accounts outside of your domain
  • Allow users to consent only to app integrations pre-approved by an administrator
  • Implement MFA for all users, without exception
  • Forward logs to a security information and event management (SIEM) appliance for aggregation and monitoring so as to not lose visibility on logs outside of logging periods
  • Place any system with an open remote desktop protocol (RDP) port behind a firewall and require users to use a VPN to access it through the firewall

Organizations are advised to train staff on information security principles and techniques, as well as overall emerging cybersecurity risks and vulnerabilities. Employees should be encouraged to report any errors, including their own.

‘Blame-free’ reporting

“Establish blame-free employee reporting and ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack,” the agency says. “This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.”

Stanford University Communications Professor Jeff Hancock noted in a recent study that employees may be reluctant to admit to their errors if employers judge them too harshly.

“They may be more reluctant to admit they’ve made a mistake because they don’t want to ‘lose face.’ Businesses, therefore, need to de-shame the reporting of mistakes,” the professor said.

CISA’s full analysis report can be found here: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services.