Valid Account Credential Abuse: Exploiting the Weakest Link
January 2024 by Dylan Deane, Reliaquest
Employees frequently use their corporate email addresses to register for personal accounts and services, often reusing the same passwords. As adversaries become ever more adept at acquiring exposed credentials online or through information stealers (infostealers), ReliaQuest regularly investigates exposures that increase the risk of an organization’s corporate credentials reaching threat actors, with significant consequences for its data and operations.
The risks are manifold: The attacker can mask malicious activity as legitimate, move around your organization’s system, retrieve files containing sensitive information, and disrupt operations. As a result, user negligence can expose your organization to data breaches and extortion. At ReliaQuest, we have been researching the prevalence of valid account credential abuse and protecting our customers from its associated risks. Here, we provide you with an outline of the impact of valid account credential abuse, how ReliaQuest protects its customers from this type of attack, and how to improve your organization’s security posture.
Acquiring Exposed Credentials
Threat actors employ a range of methods to acquire exposed credentials, including searching through breach directories for email accounts, scouring cybercriminal forums for shared databases, utilizing lookup services to scan cloud-stored logs, and acquiring stolen credentials from initial access brokers. Therefore, the more users using corporate accounts for personal services, the higher the chance your organization’s credentials are available online.
In the absence of Multi-Factor Authentication (MFA) and other defenses, a threat actor can simply log in with the stolen credentials and gain whatever level of access the account holds. Once inside an organization’s network, these actors wreak havoc: moving laterally, compromising additional hosts and servers, accessing sensitive information, and potentially causing serious financial and operational damage. With the increasing prevalence of ransomware attacks, financially motivated threat actors have numerous ways to profit from access gained through exposed credentials.
Impact of Valid Account Compromise
When threat actors gain access to valid accounts, they can effortlessly infiltrate an environment without being detected by intrusion detection systems. By using legitimate credentials, the attackers can blend in with normal user activity, granting them more time to carry out malicious activity undetected.
Broader System Access
Once inside the network, threat actors can use the compromised account to move laterally and gain access to other hosts and servers. They can also retrieve sensitive information, which puts the organization at risk of data theft or encryption.
When threat actors hold user accounts and the permissions that come with them, they can disrupt operations on multiple levels: establishing persistence, moving laterally, deploying ransomware, and exfiltrating sensitive data, especially if the compromised accounts are administrator accounts.
All of the above can lead to significant financial and reputational damage to your organization.
According to ReliaQuest research, the threat of valid account compromise is likely to persist. Even as phishing and social engineering tactics continue to become more sophisticated, the need for human interaction remains the same, meaning the risk attached will also persist. Additionally, organizations continue to add more technologies and capabilities to their operations. These changes, alongside a tendency toward remote work, offer more potential entry points for attackers.
What ReliaQuest Is Doing
To address this issue and help organizations mitigate the risk of valid account compromise, ReliaQuest actively monitors for signs of account compromise by scanning the dark web and criminal forums. This proactive approach allows us to acquire exposed credentials and alert our customers to them, ensuring their information is protected to the highest standard. In addition to using GreyMatter™, we recommend customers take the following actions to improve their security posture with regard to this threat.
Recommendations and Best Practices
To counter the impact of valid account compromise attacks, consider the following recommendations and best practices.
Identify and block exposed credentials: Organizations can identify exposed credentials associated with employees by using online breach directories and online tools, in much the same way a threat actor might search for exposed credentials. Block associated accounts immediately to prevent compromise.
Correct poor password behavior: Analyze common trends among your users’ exposed passwords and create strict password policies based on these habits. To ensure password policies are followed, set up systems to enforce them automatically, and encourage the use of password managers.
Enable Multifactor Authentication (MFA): MFA can prevent threat actors from gaining initial access through an account that has been successfully phished. MFA also helps you identify when a user’s credentials have been exposed, as the user will receive notifications during adversaries’ log-in attempts.
Enforce conditional access policies: These are essential for account security as they enable real-time access decisions based on conditions such as user identity, device state, location, application type, and risk detection. Ensure your access policies are activated and frequently updated.
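The "correct poor password behavior" recommendation above, as an added example that is not part of the original post: a small script that tallies weak habits across a constructed set of exposed passwords and then turns those habits into a policy check. The corporate name tokens, the sample passwords and the pattern names are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample of exposed passwords for a hypothetical organisation
# (company name "ExampleCorp"); none of these values come from the post.
CORP_TOKENS = ("examplecorp", "example")
EXPOSED = [
    "Summer2023!", "Winter2022", "examplecorp1", "P@ssw0rd", "Spring2023!",
    "qwerty123", "Examplecorp2023", "password1", "Autumn2022!", "qwertyuiop",
]

# Habits an analyst typically sees in breach dumps: season+year, the company
# name, keyboard walks, and leetspeak variants of "password".
PATTERNS = {
    "season_year": re.compile(r"^(spring|summer|autumn|fall|winter)\d{2,4}\W*$", re.I),
    "company_name": re.compile("|".join(CORP_TOKENS), re.I),
    "keyboard_walk": re.compile(r"(qwerty|asdf|zxcv|1234)", re.I),
    "password_word": re.compile(r"p[a@][s$]{2}w[o0]rd", re.I),
}

def classify(password):
    """Return the names of every weak-habit pattern the password matches."""
    return [name for name, rx in PATTERNS.items() if rx.search(password)]

def habit_report(passwords):
    """Count how often each habit appears across an exposed-password set."""
    counts = Counter()
    for pw in passwords:
        counts.update(classify(pw))
    return counts

def violates_policy(password, min_length=14):
    """Policy derived from the habit report: reject short passwords and any
    password matching a pattern already seen in the organisation's exposures.
    Returns the list of reasons; an empty list means the password passes."""
    reasons = classify(password)
    if len(password) < min_length:
        reasons.append("too_short")
    return reasons

if __name__ == "__main__":
    for habit, n in habit_report(EXPOSED).most_common():
        print(f"{habit}: {n}")
    print(violates_policy("Summer2024!"))
```

In practice the pattern list would be fed by the actual exposures your monitoring surfaces, and the check would run inside the identity provider's password filter rather than as a stand-alone script.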
By following these recommendations and best practices, organizations can significantly reduce the impact of valid account compromise and enhance their overall security posture.