
Business email compromise defense

Reducing BEC risk for Olympus-authenticated workflows

Business email compromise (BEC): attackers gain access to an employee's email account, then social-engineer downstream actions (wire transfers, password resets, OAuth grants).

Olympus is a target because:

  • It's the gateway to IAM (employee identity).
  • Recovery flows depend on email.
  • OAuth2 client management (Athena → OAuth2 Clients) is high-value.

Olympus controls

Without MFA on IAM admin accounts, a compromised email gives the attacker:

  • Password reset for the admin account.
  • Access to Athena.
  • Ability to mint new OAuth2 clients with high privileges.

The Cookbook recipe Force MFA by role makes MFA mandatory for IAM admins.

Phishing-resistant MFA

TOTP can be phished (the user types the code into a phishing page and the attacker forwards it in real time). WebAuthn cannot: the browser binds the response to the origin, so a code captured on a look-alike domain is useless on the real one.

Encourage admin accounts to use WebAuthn / hardware keys. See Identity, TOTP and WebAuthn.

Step-up for sensitive admin actions

In Athena, sensitive operations (creating M2M clients, viewing the audit log, deleting identities) should require AAL2; see the Cookbook recipe Enforce step-up auth.

Even if an attacker holds a recently compromised AAL1 session, they cannot immediately escalate to those operations.

Notify on new device sign-in

If the user's email account is BEC'd and the attacker logs into Olympus from a new device, the new-device notification goes to the user's real email address. If that is the only registered address, it is the compromised mailbox, and the attacker can simply intercept and delete the alert.

Better: notify a secondary channel (SMS, Slack DM, push notification to a registered device).

Anti-phishing for the auth flow

Strict redirect_uri allowlists

Phishing sites can attempt OAuth2 flows with an attacker-controlled redirect URI:

GET /oauth2/auth?client_id=<legit>&redirect_uri=https://attacker.com/callback&...

Hydra rejects redirect URIs not on the client's allowlist. As long as your client allowlist is tight, this attack fails.
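The allowlist rule above, as an added example that is not Hydra's own code: a constructed helper that mirrors strict component-by-component matching and, for contrast, the prefix comparison some hand-rolled servers use. The client ID and registered URIs are placeholders.

```python
"""Strict OAuth2 redirect_uri allowlist check (added illustration, not Hydra code).

Models the rule described above: a requested redirect_uri is accepted only if it
equals a registered one exactly. Looser comparisons are shown to fail closed.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample client registration; client_id and URIs are placeholders.
CLIENT_ALLOWLIST = {
    "client-example": [
        "https://app.example.com/callback",
        "https://app.example.com/admin/callback",
    ],
}


def _normalize(uri: str) -> Optional[tuple]:
    """Return a comparable (scheme, host, port, path, query) tuple, or None if the
    URI is malformed, has no host, or carries a fragment (never valid here)."""
    parts = urlsplit(uri)
    if parts.fragment or not parts.scheme or not parts.hostname:
        return None
    try:
        port = parts.port  # ValueError on a non-numeric port
    except ValueError:
        return None
    # scheme and hostname are already lower-cased by urlsplit; path/query are
    # compared verbatim so "?next=https://attacker.com" is a different URI.
    return (parts.scheme, parts.hostname, port, parts.path, parts.query)


def redirect_uri_allowed(client_id: str, requested: str) -> bool:
    """True only if `requested` matches one registered URI component for
    component. Unknown clients and any parse failure are rejected."""
    wanted = _normalize(requested)
    if wanted is None:
        return False
    registered = CLIENT_ALLOWLIST.get(client_id, [])
    return any(_normalize(reg) == wanted for reg in registered)


def prefix_match_allowed(client_id: str, requested: str) -> bool:
    """The unsafe comparison, for contrast: startswith() lets an attacker append
    a query string or path that forwards the authorization code elsewhere."""
    registered = CLIENT_ALLOWLIST.get(client_id, [])
    return any(requested.startswith(reg) for reg in registered)
```

The contrast matters when auditing a client allowlist: a registered URI that itself contains an open redirect (a `next=` parameter, say) defeats even exact matching, so keep callback endpoints free of user-controlled forwarding.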

Verify URLs in auth emails

Recovery / verification emails should:

  • Link to your canonical domain only.
  • Not include redirect-tracking links (which BEC attackers can exploit).
  • Display the user's email so they can verify "yes, that's me."

Operational hygiene

Quarterly admin account review

Every quarter:

  • List all IAM identities with role: admin.
  • Confirm each is still active.
  • Disable any whose owner left.

Outgoing email DMARC enforcement

Set DMARC p=reject for your sending domain. This stops attackers from spoofing your domain in BEC lures sent to your own staff or to your customers.

Separate "high-risk" email account

For your platform admin email (the one with access to GitHub Secrets, the VPS provider, DNS), use a separate email account protected by phishing-resistant authentication. Don't reuse the personal address you read newsletters on.

Incident response

If you suspect BEC on an Olympus admin account:

  1. Disable the IAM identity immediately (Athena → identity → Set state: inactive).
  2. Revoke all sessions for that identity (see Operate, Incident response).
  3. Audit all admin actions by that identity in the recent past.
  4. Force re-enrollment of MFA for the recovered account.
  5. Audit Athena's settings vault for any malicious changes.
