SOC · 3 MIN READ · BEN NAHORNEY AND ZACH DAVIS · SEP 29, 2025 · TAGS: Phishing
TL;DR
- Malicious emails sent from within an organization present their own unique challenges.
- In a recent incident, bad actors compromised an employee and sent malicious emails using their account.
- Read on to see how Expel’s MDR email coverage flagged this activity as critical, where standard alerts did not.
When it comes to dealing with attacks initiated through email, most modern-day defensive solutions are well equipped to identify and block malicious emails coming from outside the organization.
But what happens when the malicious email comes from within the organization? If an attacker manages to compromise a user within your company and then uses their email account to distribute phishing emails, detecting and blocking the activity in time becomes significantly more challenging.
This is where Expel MDR’s email coverage offers a distinct advantage. Our email threat detection ingests and correlates telemetry from across your environment, so email threats distributed from inside the organization can be flagged and addressed before any lasting damage occurs.
It all started with Joe from Accounting
Not long ago we saw this play out in real time. In a recent customer incident, bad actors had managed to compromise Joe from Accounting’s* employee credentials. (*Names and job titles have been changed to protect the innocent.) With access to Joe’s email account, they proceeded to send emails with a malicious link to several other people within the corporate environment.
The email contained the following details:
- From: Joe’s actual email address
- Subject: “Fwd: Document from Joe from Accounting .pdf”
- Body: Requests the user sign a document located at a provided link
To the recipient of the email, it simply looked like Joe needed them to sign a document that was located at the email’s link. If the user clicked it, a file was downloaded that was named to look like a scanned document.
However, this file was not a scanned document, but rather an executable. If launched, it would install an attacker-controlled remote monitoring and management (RMM) tool. The RMM used in this incident was a legitimate application, regularly used by system administrators to oversee and control systems on their networks.
Unfortunately, RMM tools are abused by attackers because, once a user is tricked into installing an attacker-controlled copy, the attacker gets the same control over the system that an administrator would have. Used this way, a legitimate RMM tool does the same job a remote access trojan (RAT) would. But because it is well-known software that administrators deploy on purpose, its presence and activity are less likely to be flagged than a traditional RAT.
It all stopped with Expel MDR
All told, five recipients of the internal email clicked the link, downloading the attacker-controlled copy of the RMM tool. It appears the attackers’ goal was to move laterally and gain control of other users’ systems, likely as part of pre-ransomware activity.
However, we’ll never know definitively because the attackers didn’t get any further. Detections that are part of Expel MDR’s email coverage automatically identified unusual activity from Joe’s compromised account.
For starters, the IP address Joe had signed in from did not match the locations he normally works from. The recipients of the email were also not people Joe regularly corresponds with, which was unusual for his day-to-day activity. Finally, Joe’s account had created inbox filter rules for certain emails and had deleted several messages associated with the activity, a common way for an attacker to keep replies and bounce notifications out of sight of the account’s real owner.
All of this was enough for Expel MDR’s email detection technologies to alert our SOC to the unusual activity. A SOC analyst reviewed the case, and upon realizing what was happening, raised a critical incident.
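The correlation described above can be sketched in code. The following is an added example, not Expel’s detection logic: it takes constructed sign-in, mail-trace and mailbox-audit events (the field names and the per-user baseline are assumptions) and scores a mailbox on the same four signals, so that a single unusual sign-in is weak evidence but the full combination escalates to critical. It also returns the recipient set of the suspicious message, which is the population to check for clicks and downloads when scoping the incident.

```python
"""Correlate account telemetry to flag an internal sender whose account is compromised.

Added example, not Expel's code. Event field names and baseline values are
assumptions, constructed to resemble generic sign-in, mail-trace and
mailbox-audit records.
"""
from collections import defaultdict

# Constructed baseline: countries each user normally signs in from and the
# people they regularly email. In practice this comes from weeks of history.
BASELINE = {
    "joe@corp.example": {
        "countries": {"US"},
        "contacts": {"ap@corp.example", "cfo@corp.example", "vendor@supplier.example"},
    },
    "ann@corp.example": {"countries": {"US"}, "contacts": {"joe@corp.example"}},
}

# Constructed telemetry for the incident window (not real logs).
EVENTS = [
    {"type": "signin", "user": "joe@corp.example", "ip": "203.0.113.7", "country": "NL"},
    {"type": "inbox_rule", "user": "joe@corp.example", "action": "create",
     "conditions": {"subject_contains": "Fwd: Document"}, "actions": {"delete": True}},
    {"type": "mail_sent", "user": "joe@corp.example",
     "subject": "Fwd: Document from Joe from Accounting .pdf",
     "recipients": ["alice@corp.example", "bob@corp.example", "carol@corp.example",
                    "dan@corp.example", "erin@corp.example"]},
    {"type": "mail_deleted", "user": "joe@corp.example",
     "subject": "RE: Fwd: Document from Joe from Accounting .pdf"},
    {"type": "mail_deleted", "user": "joe@corp.example",
     "subject": "Undeliverable: Fwd: Document from Joe from Accounting .pdf"},
    # Benign activity from another user, to show it does not trigger.
    {"type": "signin", "user": "ann@corp.example", "ip": "198.51.100.4", "country": "US"},
]

HIDING_FOLDERS = {"Deleted Items", "RSS Feeds", "Junk"}


def severity(signal_count):
    """Map the number of independent signals to a case severity (assumed scale)."""
    if signal_count >= 4:
        return "critical"
    return {0: None, 1: "low", 2: "medium", 3: "high"}[signal_count]


def _hides_reply(deleted_subject, sent_subjects):
    """True if a deleted item looks like a reply or NDR to a suspicious send."""
    return any(s.lower() in deleted_subject.lower() for s in sent_subjects)


def analyze(events, baseline, min_new_recipients=3):
    """Return {user: {"signals": [...], "severity": ...}} for every user in the events."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    results = {}
    for user, evs in by_user.items():
        base = baseline.get(user, {"countries": set(), "contacts": set()})
        signals, sent_subjects = [], []

        for ev in evs:
            if ev["type"] == "signin" and ev["country"] not in base["countries"]:
                signals.append(f"sign-in from unusual country {ev['country']} ({ev['ip']})")
            elif ev["type"] == "mail_sent":
                sent_subjects.append(ev["subject"])
                new = [r for r in ev["recipients"] if r not in base["contacts"]]
                if len(new) >= min_new_recipients:
                    signals.append(f"mail to {len(new)} recipients outside normal contacts")
            elif ev["type"] == "inbox_rule" and ev["action"] == "create":
                acts = ev["actions"]
                if acts.get("delete") or acts.get("move_to") in HIDING_FOLDERS:
                    signals.append(f"new inbox rule that hides messages: {ev['conditions']}")

        # Deletions only count when they hide replies/NDRs to a message this account sent.
        hidden = [ev for ev in evs
                  if ev["type"] == "mail_deleted" and _hides_reply(ev["subject"], sent_subjects)]
        if hidden:
            signals.append(f"{len(hidden)} replies/NDRs to the sent mail deleted")

        results[user] = {"signals": signals, "severity": severity(len(signals))}
    return results


def scope_recipients(events, user):
    """Everyone the user mailed in the window: the set to check for clicks and downloads."""
    recipients = set()
    for ev in events:
        if ev["type"] == "mail_sent" and ev["user"] == user:
            recipients.update(ev["recipients"])
    return sorted(recipients)


if __name__ == "__main__":
    for user, verdict in analyze(EVENTS, BASELINE).items():
        print(user, verdict["severity"], *verdict["signals"], sep="\n  ")
    print("scope:", scope_recipients(EVENTS, "joe@corp.example"))
```

The thresholds and severity scale are illustrative. The design point is that each signal is evaluated per account against that account’s own baseline, and escalation depends on how many independent signals line up, which is what lets an internal sender be flagged when the message itself looks legitimate.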
The analyst swung into action, and after completing their assessment recommended the customer:
- Immediately disable access to Joe’s account and force a password reset.
- Contain the five systems where users had clicked the link and then reimage them.
- Block the domains and IP addresses used in the attack.
- Delete any remaining malicious emails.
In terms of shoring up the organization’s defensive posture, the analyst suggested the organization implement conditional access policies and application control policies to reduce the risk of unauthorized access in the future.
Interestingly, the customer had already spotted the malicious email and quarantined it. The fact that we had raised a critical incident on something that appeared to be contained surprised them. However, the default alert raised by their detection technologies had not caught the five users who had clicked the link that led to the attacker-controlled RMM application. The detections available in Expel MDR’s email coverage had.
Stopping malicious emails from entering your organization is important, but defending against malicious emails that originate from within your organization is a challenge unto itself. Fortunately, Expel MDR, with its unique email detection strategy that correlates data across your environment, can help. We can detect threats earlier in the attack life cycle, scope who and what may have fallen victim, and automatically contain and remediate the threat.
Want to learn more about Expel MDR’s email coverage? Check it out here.