Ironscales has spotted a domain-spoofing phishing campaign that convincingly impersonates Microsoft and gets past legacy secure email gateways. Investigating it also led the researchers to discover that Microsoft's own mail servers were not, at the time, enforcing DMARC. “This is especially perplexing when considering Microsoft frequently ranks as a top 5 most spoofed brand year after year,” said Lomy Ovadia, the company’s VP of research and development.
The phishing campaign
The phishing emails …
The post Phishers bypass Microsoft 365 security controls by spoofing Microsoft.com appeared first on Help Net Security.
26% of remote workers have personally experienced a cyber attack, while 45% of employers have asked their employees to use personal devices for work since the start of the pandemic, according to Microsoft research.
The study surveyed 500 employees and 200 business decision makers in September 2020 about remote working, digital security behaviours, and the worries they now face.
The accelerated transition to homeworking is placing pressure on organizations to support the unavoidable blending of personal and professional lives more than ever before.
However, this naturally creates new risks, including the increased risk of cyber attacks. This was reflected in the research which showed that only 17% of remote workers currently believe that the software and technology provided has done enough to protect their data.
This may be partly due to the pace at which employers had to transition to remote working, with 36% of employers admitting they have spent the past few months putting in place the security, privacy, and workplace procedures required for today’s remote working world.
Remote workers’ information protection concerns
76% of workers were surprised by how well they had adapted to remote working. However, one in five employees feel their data is more vulnerable when working from home because regular IT support is absent.
The research points to some potentially dangerous cybersecurity issues amongst remote workers:
- Personal emails: 30% of workers still use personal email accounts to share confidential work materials.
- Poor password hygiene: One third of workers use the same password to log into work and personal devices.
- Unregulated access: 43% face no security restrictions when accessing work-related documents and materials remotely.
Employers’ security management concerns
One of the most concerning findings is that organizations are potentially side-stepping their own security procedures in the name of expediency:
- Reactive approach: One third of employers acknowledge they are exposed since they had to make remote-working decisions and transitions so quickly.
- Lack of devices: 45% of employers have had to ask their employees to use their personal devices for work purposes since the start of the pandemic.
- No remote BYOD policies: 42% of employers have yet to secure those remote employees’ personal devices.
Furthermore, 41% of employers acknowledge it has become increasingly difficult to remain GDPR compliant because of the pandemic.
The report identified an escalation in both the level and sophistication of attacks. For example:
- Over 13bn malicious and suspicious emails were blocked in 2019, of which more than 1bn carried URLs set up for the explicit purpose of credential phishing.
- Ransomware is the most common reason behind Microsoft’s incident response engagements from October 2019 through July 2020.
- The most common attack techniques used by nation-state actors in the past year are reconnaissance, credential harvesting, malware, and VPN exploits.
- IoT threats are constantly expanding and evolving. The first half of 2020 saw an approximate 35% increase in total attack volume compared to the second half of 2019.
Des Ryan, Solutions Director for Microsoft Ireland, said: “Cyber hackers are opportunistic, skilled, and relentless. They have become adept at evolving their techniques to increase success rates, whether by experimenting with different phishing lures, adjusting the types of attacks they execute or finding new ways to hide their work.
“While our physical work locations may have changed, our responsibilities in protecting organizational data and complying with data regulations have not. Now is the time to address this with an increased investment in cybersecurity, secure devices, tighter policies, increased support, and education for employees so they can play an important role in not only protecting themselves but also their organizations.”
Cloud-based services and hybrid working
When asked about the future, 58% believe they will have a hybrid workforce, with more staff working from home more of the time while others are in the office.
57% felt more positive about using cloud-based services, including productivity tools.
Remote priorities: Training, support and investment
The research also shows that Irish organizations recognize the gap: 41% admit they are behind the curve when it comes to having the right digital services and technologies in place to deal with the new working realities.
As a result of the move to remote working, employers are focused on investment in digital security. The research found:
- 38% of organizations have already increased the level and detail of cybersecurity training for staff who are working from home.
- A further 52% will prioritise investing in training in 2021.
- 44% of workers would also welcome alternatives to passwords, with biometric verification (fingerprint or facial recognition) the most popular option.
Phishers are using a bogus GDPR compliance reminder to trick recipients – employees of businesses across several industry verticals – into handing over their email login credentials.
“The attacker lures targets under the pretense that their email security is not GDPR compliant and requires immediate action. For many who are not versed in GDPR regulations, this phish could be merely taken as more red tape to contend with rather than being identified as a malicious message,” Area 1 Security researchers noted.
In this evolving campaign, the attackers targeted mostly email addresses they could glean from company websites and, to a lesser extent, emails of people who are high in the organization’s hierarchy (execs and upper management).
Any pretense will do for a phishing email, but when the target is a business the lure is far more effective if it can pass as a message sent from inside the organization. The attackers therefore tried to make the email look as if it came from the company’s “security services”, though early mistakes on their part would have revealed to careful recipients that it was sent from an outside account (a Gmail address).
“On the second day of the campaign the attacker began inserting SMTP HELO commands to tell receiving email servers that the phishing message originated from the target company’s domain, when in fact it came from an entirely different origin. This is a common tactic used by malicious actors to spoof legitimate domains and easily bypass legacy email security solutions,” the researchers explained.
The phishing site
Following the link in the email takes victims to the phishing site, initially hosted on a compromised, outdated WordPress site.
The link is “personalized” with the target’s email address: the HTML form on the malicious page reads the address from the URL’s “email” parameter and pre-fills the username field with it. Despite the generic look of the phishing page, this touch can persuade some users to log in.
Once the password is submitted, a script sends the credentials to the phishers and the victim is shown an error page.
As always, users/employees are advised not to click on links in unsolicited emails and to avoid entering their credentials into unfamiliar login pages.
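The personalized link described above is a detectable pattern: a URL whose query string (or fragment) carries the recipient's own address so the fake login form can pre-fill the username. The following is an added detection example, not Area 1 Security's code; the email message, the `wp-blog.invalid` hostname and the parameter names are constructed for illustration.

```python
"""
Flag links in an email whose parameters carry an email address, and note
whether that address is one of the message's own recipients.  Added example
(not Area 1 Security's code); the sample message below is constructed.
"""
import html
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import parse_qs, unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def recipient_addresses(msg):
    """Lower-cased addresses from To/Cc/Delivered-To, used for matching."""
    raw = []
    for hdr in ("to", "cc", "delivered-to"):
        raw.extend(msg.get_all(hdr, []))
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def body_text(msg):
    """Concatenate text/plain and text/html parts; HTML entities such as
    &amp; inside href attributes are unescaped so URLs parse correctly."""
    chunks = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        text = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        chunks.append(html.unescape(text) if ctype == "text/html" else text)
    return "\n".join(chunks)


def find_personalized_links(raw_message):
    """One finding per URL parameter (or bare fragment) holding an address."""
    msg = message_from_string(raw_message)
    recipients = recipient_addresses(msg)
    findings = []
    for url in URL_RE.findall(body_text(msg)):
        url = url.rstrip(".,;)")             # trailing punctuation from prose
        parts = urlsplit(url)
        candidates = []                      # (where, value)
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            candidates.extend((name, v) for v in values)
        # Some kits put the address after '#' so it never reaches server logs.
        if parts.fragment:
            candidates.append(("#", parts.fragment))
        for where, value in candidates:
            value = unquote(value).lower()
            if EMAIL_RE.match(value):
                findings.append({
                    "url": url,
                    "host": parts.hostname,
                    "param": where,
                    "address": value,
                    "matches_recipient": value in recipients,
                })
    return findings


# Constructed sample: a "GDPR compliance" lure with two links to a supposed
# verification page (address in the query string, then in the fragment) and
# one benign link for contrast.
SAMPLE_EMAIL = """\
From: Security Services <security.services.example@gmail.com>
To: Alice Smith <alice.smith@example.com>
Subject: Action required: email security is not GDPR compliant
Content-Type: text/plain; charset="utf-8"

Your mailbox failed a GDPR compliance check. Verify your account within 24 hours:
https://wp-blog.invalid/wp-content/uploads/secure/index.php?email=alice.smith%40example.com&s=7
Alternative link: https://wp-blog.invalid/verify/#alice.smith@example.com
Guidance on GDPR: https://www.example.com/help?topic=gdpr.
"""

if __name__ == "__main__":
    for finding in find_personalized_links(SAMPLE_EMAIL):
        print(finding)
```

A link whose embedded address matches the recipient is a strong signal on its own; a link carrying a different address is still worth flagging, since it usually means the same kit was mailed to many targets.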
Criminals are turning to Business Email Compromise (BEC) attacks as a more lucrative line of business than retail-account phishing, and companies are losing money accordingly, APWG reveals.
High-ticket BEC attacks
Agari reported that the average wire transfer loss from BEC attacks broke all previous records, spiking from $54,000 in the first quarter to $80,183 in Q2 2020 as spearphishing gangs reached for bigger returns. Scammers also requested funds in 66 percent of BEC attacks in the form of …
The post Phishing gangs mounting high-ticket BEC attacks, average loss now $80,000 appeared first on Help Net Security.
Brand impersonation is a go-to tactic for attackers, especially for credential phishing and BEC attacks
Trends in BEC and email security during Q2 2020 included a peaking and plateauing of COVID-19-themed email attacks, an increase in BEC attack volume and acceleration of payment and invoice fraud, according to an Abnormal Security report.
The report also reveals that Zoom supplanted American Express as the most impersonated brand in email attacks.
The surge in COVID-19-themed email attacks continued in Q2, with weekly campaign volume increasing 389% between Q1 and Q2. BEC attacks targeting finance department employees rather than C-level executives also continued to increase, growing 50% quarter-over-quarter.
A spike in payment and invoice fraud attacks
Payment and invoice fraud attacks, largely driven by vendor fraud, grew by 112% over the last quarter, spiking at the end of June. For the first time, a surge in payment and invoice fraud related to the pandemic has been detected.
BEC-specific attacks also saw an acceleration in campaign volume, growing by 11% over Q2 as attackers took advantage of new work-from-home scenarios. Because BEC attacks are highly targeted and sophisticated, designed to dupe key individuals for potentially large payouts, this increase is significant.
The shift to remote work makes employees more susceptible to BEC attacks and gives threat actors the opportunity to apply tactics likely to be successful given these working conditions.
“The pandemic has ignited digital transformation efforts at a breakneck pace and cybercriminals are moving just as fast, taking advantage of a new work-from-home landscape amid great business uncertainty,” said Evan Reiser, CEO, Abnormal Security.
“Keeping pace with change is critical, as attackers have continued to exploit enterprises’ weak links – such as vendor and partner relationships – and are pushing more sophisticated and targeted BEC attacks than we’ve seen previously.”
Changing trends in brand impersonation attacks
The report also uncovered changing trends in brand impersonation attacks, a form of fraud where a bad actor assumes the identity of a trusted or known entity. These attacks tend to follow the zeitgeist, which may help explain why Zoom became the most impersonated brand in Q2 due to its instant popularity and ubiquity.
Rounding out the top three were two other brands very much associated with COVID-19 shifts toward e-commerce and delivery: Amazon and DHL. For comparison, the three most impersonated brands in Q1 2020 were American Express, Amazon and iCloud.
“Our analysis of BEC and email security trends in Q3 will certainly prove to be interesting as we expect a downward trend in COVID-19-related attacks, an uptick in attacks related to the 2020 election and a continued rise in BEC, as attackers find success with socially-engineered techniques that evade traditional email security defenses,” said Reiser.
“Business leaders need to continue to focus on reviewing email security measures, most importantly examining BEC defenses, to ensure protection against attackers who are gaining steam.”
With fewer than 100 days left until Election Day, a new report from Area 1 Security reveals that states are still in widely varying stages of cybersecurity readiness.
Key findings include:
- The majority (53.24 percent) of state and local election administrators have only rudimentary or non-standard technologies to protect themselves from phishing
- Fewer than 3 out of 10 (28.14 percent) election administrators have basic controls to prevent phishing
- Fewer than 2 out of 10 (18.61 percent) election administrators have implemented advanced anti-phishing cybersecurity controls
- A surprising 5.42 percent of election administrators rely on personal email accounts or technologies designed for personal email (such as Yahoo!, Hotmail, AOL or others), to conduct their duties
- A number of election administrators independently manage their own custom email infrastructure, including using versions of Exim known to be targeted by cyber actors linked to the Russian military that interfered in prior U.S. elections.
According to the report, ninety-five percent of cybersecurity damages worldwide begin with phishing, and phishing campaigns come in all shapes and sizes. Most begin with an innocuous-looking, authentic-seeming email that recipients are unable to recognize as malicious. Consequently, the quality of the email protection an organization or individual uses has an outsized bearing on their overall cybersecurity posture.
“Our elections are vital. They need to be resilient against whatever crisis the moment throws at us — and that requires resources and planning,” said Oren J. Falkowitz, co-founder of Area 1 Security. “However, most state and local election administrators are not very close to ensuring a safe election. This challenge is going to be exacerbated the longer it takes for them to get the resources and expertise needed to make changes.”
Security recommendations for state and local election administrators
Ending use of Exim email servers: Given the government’s guidance to update Exim to mitigate CVE-2019-10149 and other vulnerabilities, including but not limited to CVE-2019-15846 and CVE-2019-16928, election administrators are urged to stop running Exim altogether. Upgrading alone is not regarded as sufficient mitigation, and prior Russian cyber activity directed at U.S. elections makes continued use of Exim ill-advised. Those who must keep running Exim should update to the latest version; any version prior to 4.93 is vulnerable to the disclosed issues. The Exim Mail Transfer Agent can be updated through the Linux distribution’s package manager or by downloading the latest release.
Transitioning to cloud email infrastructure: Running custom email infrastructure requires network administrators to be perfect every single day. Instead, Area 1 Security recommends the use of cloud email infrastructure such as Google’s G Suite or Microsoft’s Office 365 in combination with a cloud email security solution.
Ending use of personal email technologies for election duties: Under no circumstances should election administrators use personal email for the conduct or administration of elections.
Domain-based Message Authentication, Reporting & Conformance (DMARC), is an email authentication, policy, and reporting protocol. It builds on the SPF and DKIM protocols to improve and monitor protection of the domain from fraudulent email.
To select a suitable DMARC solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.
Scott Croskey, Global CISO, Cipher
DMARC solutions add security to business email systems by ensuring DKIM and SPF standards are in place to mitigate risks from fraudulent use. They evaluate every inbound and outbound email for these security standards and can integrate with Secure Email Gateway solutions to block malicious activity.
When evaluating DMARC solutions, you should focus on vendors that employ the following features:
- Cloud-based (SaaS) deployment. This eases the burden on company IT teams, allowing for the solution to be easily deployed and configured with out-of-the-box security policies.
- Domain diagnosis. This will ensure your business is aware of any domain vulnerabilities, many of which can be common for SMBs to overlook and consequently increase their risk.
- User friendly dashboard. This will ensure your team does not need a lot of time to understand how the solution works.
For larger companies, you should also consider vendors that employ:
- Forensic reporting. This allows for detailed information on why emails may have failed DMARC checks and allow for additional system tuning.
- DNS record change tracking. This allows for additional insight into malicious activity.
- API integration. Large companies typically have internal dashboards and workflows. API Integration with the DMARC solution will allow you to tailor the solution into your enterprise reporting & analysis tools.
Len Shneyder, VP of Industry Relations, Twilio
A company that wants to achieve DMARC enforcement should consider a walk, crawl, run approach as DMARC doesn’t work unless you have published SPF and DKIM. DMARC essentially communicates a policy and set of prescriptive actions to a receiving domain on what to do if an email fails an SPF or DKIM check.
If a company has the technical aptitude to publish SPF and DKIM then it stands to reason they can publish one more policy. However, when a sophisticated enterprise begins working with third parties that want to send emails on behalf of that company, in the form of an email service provider for marketing communications, a ticketing system, an internal HR tool, or all of the above and more, then the DMARC policy becomes much more complicated and a company might consider turning to one of a small field of companies that have automated the process of reaching enforcement.
The question of which provider to choose really rests around the complexity and breadth of your company. Different providers will be suited to different sized companies—however, if you haven’t reached that scale yet, then there’s no reason why you couldn’t do it yourself.
Chuck Swenberg, SVP Strategy, Red Sift
It used to be that interpreting DMARC reports, which provide a view of mail authentication results of every IP that’s being used to send mail on behalf of your domain, was sufficient. However, these traditional stand-alone DMARC tools linked with professional services are increasingly no longer cost effective or time sensitive to organization needs. The continuing rise of email threat volumes and increased diversification and enablement of app/cloud services for email require strong diligence in selecting a solution. DMARC should also no longer be viewed just as a one-time configuration project.
- Accuracy: What is the level of completeness for classification of IPs from the reports of mail senders and subsequent categorization that represent the mail that belongs to my organization?
- Insight: Is there a clear, defined workflow process in the solution? The best solutions will have easy to use, staged flows that display recommended actions and contextual guides from the data presented to explain misconfigurations in email authentication. Data needs to be actionable with insight.
- Automation: How long will it take my organization to implement DMARC? How can I effectively maintain a DMARC enforcement policy on an ongoing basis? More recent platform solutions for DMARC use hosted management for SPF authentication which allows for expansion past the 10 SPF lookup limit and provides a far more reliable and resilient email delivery. Ongoing automated monitoring with alerting which recognizes changes in authentication, identifies new sources and takes immediate action should be requirements.
- Value: How much should I budget and how can total cost and time resources be efficiently managed? Look for automation of defined actions and applying expertise to specifically implement those actions in the best manner for the organization. This will help limit the dependency on external professional services and result in significantly lower costs over time.
Automation is fundamental to selecting a solution that significantly lowers cost and reduces time to implementation of DMARC and ensures the more reliable approach to email handling and delivery of your organization’s email.
Anna Ward, Head of Deliverability, Postmark
A good DMARC solution should clearly identify high-risk sources, forwarders, and common email providers. It should provide actionable next steps in mitigating risk and minimize details until you actually need them. Avoid solutions that don’t show all authentication domains, differentiating between just passing SPF/DKIM and alignment.
Remember that adding a DMARC solution is essentially just adding a reporting address to your policy, so try on a few (or several at a time) if you’re curious about any provider.
How hands-on do you want to be? Will you regularly access the data via API, the app/website, email digests, etc? For sharing the data with multiple people/teams, look for secure multi-user management. Want a human guiding your progress, or do you prefer the ability to self-serve? Finally consider whether you’d point your DNS records to your DMARC provider, as some will include/exclude sending sources for you.
- If you have many low-sending domains, look for tiered pricing by volume. Some are even free below a certain volume.
- If you have a higher-volume domain, look for pricing per monitored domain. This also limits price fluctuations, especially if there’s a surge in unauthorized mail.
- With both pricing options, check whether they include monitoring for subdomains inheriting the DMARC policy from the main domain.
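Several of the points above (the difference between a raw SPF/DKIM pass and an aligned one, the `p`/`sp` policy that applies to subdomains, and the 10-lookup SPF limit that hosted SPF management works around) come down to a small amount of logic a receiver runs. The block below is an added example, not any vendor's code: it parses a DMARC record, evaluates SPF and DKIM alignment in relaxed and strict mode, derives the disposition, and counts the DNS lookups an SPF include tree consumes. Every domain and record in it is constructed, the authentication results are supplied as inputs rather than computed, and the organizational-domain helper is a two-label approximation (real receivers use the Public Suffix List). Case 1 in `__main__` is the tactic from the GDPR-lure campaign earlier on this page: claiming the target's domain in the SMTP dialogue while the message actually originates elsewhere.

```python
"""
DMARC evaluation worked through: record parsing, SPF/DKIM alignment, the
resulting disposition, and SPF DNS-lookup counting.  Added example; all
domains, records and authentication results are constructed.
"""


def parse_dmarc(record):
    """Parse a DMARC TXT record into tags, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}
    for part in record.split(";"):
        if "=" in part:
            key, value = (s.strip() for s in part.split("=", 1))
            tags[key] = value
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("invalid DMARC record: %r" % record)
    tags["sp"] = tags["sp"] or tags["p"]       # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Two-label approximation of the organizational domain (no PSL here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s'): identical domains.  Relaxed ('r'): same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass,
             is_subdomain=False):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the identity SPF was checked against (MAIL FROM, or HELO
    when MAIL FROM is empty); dkim_domain is the d= of a verified signature.
    A bare SPF or DKIM pass is not enough: the domain must also align with
    the RFC5322.From domain.  pct= sampling is parsed but not applied here.
    """
    tags = parse_dmarc(record)
    spf_aligned = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_aligned = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", tags["sp"] if is_subdomain else tags["p"]


def spf_lookups(domain, txt, seen=None):
    """Count DNS-querying SPF terms (include, redirect, a, mx, ptr, exists)
    across the include/redirect tree; RFC 7208 permits at most 10."""
    seen = set() if seen is None else seen
    if domain in seen:                       # guard against include loops
        return 0
    seen.add(domain)
    count = 0
    for term in txt.get(domain, "").split():
        body = term.lstrip("+-~?")
        if body.startswith("include:") or body.startswith("redirect="):
            target = body[8:] if body.startswith("include:") else body[9:]
            count += 1 + spf_lookups(target, txt, seen)
        elif body.split(":", 1)[0].split("/", 1)[0] in ("a", "mx", "ptr", "exists"):
            count += 1
    return count


# Constructed policy and SPF "zone" for example.com and its third-party senders.
POLICY = "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; pct=100; rua=mailto:dmarc-rua@example.com"
SPF_TXT = {
    "example.com": "v=spf1 a mx include:_spf.esp.invalid include:_spf.tickets.invalid -all",
    "_spf.esp.invalid": "v=spf1 ip4:203.0.113.0/24 include:_spf1.esp.invalid include:_spf2.esp.invalid ~all",
    "_spf1.esp.invalid": "v=spf1 a mx -all",
    "_spf2.esp.invalid": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.tickets.invalid": "v=spf1 a:mail.tickets.invalid ptr exists:%{i}.spf.tickets.invalid -all",
}

if __name__ == "__main__":
    # 1. Spoofed header From; SPF passes only for the attacker's own envelope
    #    domain, which cannot align with example.com -> fail, reject.
    print(evaluate(POLICY, "example.com", "bounce.attacker.invalid", True, None, False))
    # 2. Forwarded mail: SPF breaks, but the DKIM signature still aligns -> pass.
    print(evaluate(POLICY, "example.com", "forwarder.invalid", False, "example.com", True))
    # 3. ESP signing with its own d= on a subdomain From -> sp=quarantine applies.
    print(evaluate(POLICY, "news.example.com", "bounce.esp.invalid", True, "esp.invalid", True, is_subdomain=True))
    print("SPF lookups for example.com:", spf_lookups("example.com", SPF_TXT))
```

The third case is the one that sends organizations to a DMARC vendor: a legitimate third-party sender that authenticates under its own domain fails alignment until it is configured to sign with a `d=` under yours (or to use a custom return-path subdomain for SPF). The lookup count for the constructed zone comes to 11, one over the limit, which is the failure mode the hosted-SPF flattening mentioned above is meant to avoid.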
Impersonations have become pervasive, and are by far the most prevalent type of email-based attack ending up in business’s inboxes. This is according to a survey report by GreatHorn.
Emphasizing the trend, 48.7% of respondents reported seeing impersonations of people such as colleagues, customers or vendors preying on the sense of urgency of an increasingly distracted and dispersed workforce.
To develop the report, researchers collected data from over 640 security, IT and c-suite professionals to gain a better understanding of new threat vectors, issues impacting the industry at large and emerging strategies for targeted attacks.
Impersonations wreaking havoc on email inboxes
As the professional community continues to work in a remote environment, email impersonations present the perfect way for opportunistic fraudsters to take advantage of human vulnerabilities.
Although there are infinite variations of impersonation attacks, each one relies on an end users’ misguided trust in surface appearance and quick reactions to emails. The survey found that this type of attack has continued to flourish, with 35.1% of respondents saying that people impersonation attacks ranked as their top email threat in 2020.
Meanwhile, 42.4% report seeing impersonations of well-known brands in their inbox – a sharp rise from just 22.4% in 2019. Furthermore, ten percent of participants flagged brand impersonations as their top email threat, another increase from 2019 (4.8%).
Both people and brand impersonations remain difficult to detect as they appeal to authority and urgency, utilize a known contact name and depend on the systematic lack of education among non-technical recipients.
Remediation takes center stage as email-based attacks skyrocket
With this increase in email threats, IT professionals are being stretched thin as their time spent responding to and remediating email-based attacks has increased dramatically over the past year.
35.8% of respondents report seeing phishing, impersonations, credential theft, spoofing, malware, ransomware or other email threats in their inbox on a daily basis – up from 24.3% in 2019.
Due to this increase, 33.6% of respondents said they need to remediate an email-based attack every day (including suspending compromised email accounts, running PowerShell scripts, resetting compromised application accounts, and taking legal action), a 165% increase from 2019, when only 12.7% reported a daily need to remediate. This surge in email-based attacks serves as a reminder that email security strategies require continuous improvement in order to mitigate the ever-evolving threats.
“This year’s survey data presents a clear reminder that organizations continue to be inundated with email-based attacks, most notably impersonations, that require constant remediation,” said GreatHorn CEO Kevin O’Brien.
“It’s impossible to prevent all phishing attacks, which is why it’s so important for IT professionals to reassess their email security strategy by putting a renewed emphasis on risk reduction in order to decrease time to detection (TTD) and time to respond (TTR.)”
Additional key stats
- 40% of respondents said their biggest problem with their current email security solution was missing payload attacks such as malware, malicious attachments and links. This was followed by missing phishing attacks (39.3%), which includes people impersonations, brand impersonations or even impersonations of services like fake voicemail scams and fake invoices.
- In 2020, 21.9% of study participants said they saw a wire transfer request in their inbox, a slight decrease from 2019 where it was 26.3%.
- When asked about credential theft attempts found in inboxes, 28.1% of survey respondents saw these in 2020 – a slight increase over 2019, where it was 24.1%.
- Only 32.9% study participants said they had seen spam/graymail in their inboxes – a significant drop from 2019 data, where 53.3% indicated that spam/graymail slipped past the filter.
- 48.3% of respondents report having to go into their junk or spam folder within the past week to retrieve and open an email that should have wound up in their inbox – up from 2019, when only 30.7% reported having to do this in the same time span.
There has been a 200 percent increase in BEC attacks focused on invoice or payment fraud from April to May 2020, according to Abnormal Security. This sharp rise continues the upward trend seen earlier in the year.
Also, according to the report, invoice and payment fraud attacks increased more than 75 percent in the first three months of 2020.
Larger dollar amounts are involved
During invoice and payment fraud BEC attacks, attackers pose as vendors, suppliers or customers in order to steal money using tactics such as initiating fraudulent wire transfers or hijacking vendor conversations to redirect vendor payments. These types of attacks typically involve much larger dollar amounts compared to other types of BEC attacks since they target business to business transactions.
In one example, the Abnormal Security team detected and stopped an attempted invoice fraud targeting a telecommunications provider, preventing more than $700,000 in losses. The attacker impersonated a real vendor and methodically engaged numerous employees over the course of two months, eventually convincing the target to change banking details and redirect the payment of a legitimate invoice of over $700,000 to the attacker’s account before the transaction was prevented.
Increasing number of attacks
An increasing number of these attacks were tracked, both in the number of organizations targeted and the number of attacks received per organization. The research team observed:
- A 200% increase in the average rate of invoice and payment fraud BEC attacks each week
- A 36% increase in the number of organizations experiencing these attacks
- Out of all types of BEC attacks, invoice and payment fraud BEC attacks are increasing in popularity. In April, these types of attacks comprised 14% of all BEC attacks, increasing to 17% in May.
“While all business email compromise attacks can lead to significant financial loss, those focused on invoice and payment fraud can have an even greater financial impact,” said Evan Reiser, CEO and co-founder, Abnormal Security.
“Even when an organization has established best-in-class security, third-parties represent a weak link. As these types of attacks continue to climb, it’s more important than ever for companies to implement technology that detects and stops them.”
COVID-related attacks increased 436% between the second and third weeks of March 2020, with an average 173% week-over-week increase during the quarter, according to Abnormal Security.
A trend toward payment fraud
There has also been a shift from individual to group BEC attacks, with campaigns with more than 10 recipients up 27% compared to Q4 2019. Attackers also adjusted their targets, with attacks on finance employees increasing more than 75% as attacks on C-Suite executives decreased by 37%. This illustrates a trend away from paycheck and engagement fraud and toward payment fraud, specifically invoice fraud attacks, which increased more than 75%.
“The email security trends we witnessed during Q1 are most certainly related to the COVID-19 pandemic and the shift to work from home, but they also reflect greater sophistication and attack strategy by threat actors,” said Evan Reiser, CEO, Abnormal Security.
“By increasing campaign target size, attackers increase the opportunity for social validity and by targeting finance employees who manage third-party payments, they’ve found a new vector for payouts.”
COVID-19-related attacks capitalizing on fear and uncertainty
COVID-19-related attacks during Q1 2020 capitalized on fear and uncertainty, leveraging trusted entities and using spoofed and compromised accounts to scam recipients, steal credentials or install malware.
Attack themes followed the pandemic news cycle, using lures such as testing and vaccines and financial relief and stimulus payments, as attackers impersonated trusted entities such as the CDC.
“With employees largely working from home and a daily inundation of information related to the pandemic, attackers saw multiple areas of vulnerability in Q1 2020 and they took swift advantage of them,” said Reiser.
“Without sophisticated BEC security measures in place, the likelihood of business and email compromise increases significantly. The good news is that technology exists to thwart these attacks before they reach their intended targets.”
Cyber scammers are starting to use legitimate reCAPTCHA walls to disguise malicious content from email security systems, Barracuda Networks has observed. The reCAPTCHA walls prevent email security systems from blocking phishing attacks and make the phishing site more believable in the eyes of the user.
reCAPTCHA walls are normally used to verify that a visitor is human before allowing access to web content. Scammers are now turning the Google-owned service to their own ends, placing a reCAPTCHA in front of a phishing page so that automated URL analysis systems cannot reach its actual content.
Researchers observed that one email credential phishing campaign had sent out more than 128,000 emails to various organizations and employees using reCAPTCHA walls to conceal fake Microsoft login pages. The phishing emails used in this campaign claim that the user has received a voicemail message.
Once the user solves the reCAPTCHA in this campaign, they are redirected to the actual phishing page, which spoofs the appearance of a common Microsoft login page. Unsuspecting users will be unaware that any login information they enter will be sent straight to the cyber scammers, who will likely use this information to hack into the real Microsoft account.
Steve Peake, UK Systems Engineer Manager, Barracuda Networks comments: “In this difficult time, it is no surprise to see that cyber scammers are seeking increasingly sophisticated methods of stealing log-in credentials and data from unsuspecting, remote workers.
“Fortunately, there are a number of proactive measures employers and business owners can take to prevent a security breach. Most importantly, users must be educated about the threat so they know to be cautious instead of assuming a reCAPTCHA is a sign that a page is safe.
“Furthermore, whilst reCAPTCHA based scams make it harder for automated URL analysis to be conducted, sophisticated email security solutions can still detect these phishing attacks using AI-based email protection solutions. Ultimately, however, no security solution will catch everything, and the ability of the users to spot suspicious emails and websites is key.”
Opening a single email with a malicious URL or attachment can threaten your organization. In this interview, Liron Barak, CEO at BitDam, discusses the cybersecurity issue related to remote work, the inadequate security of collaboration tools, and more.
Working remotely is now a reality for most global organizations. What cybersecurity issues do you expect companies to encounter in the months ahead due to this change?
There are many security issues in working remotely. In addition to the technical risks associated with working from a location other than the organization’s facilities (perhaps not using their corporate computer or not using a proper VPN), organizations nowadays face a new challenge – the enormous increase in the use of IM and collaboration tools such as MS Teams, Zoom, Google Hangouts and others as well as cloud drives like Box, Google Drive or OneDrive which are not as secure as one may think.
This dramatic growth in the usage of such tools in general is a fertile ground for cyberattacks. Bad actors use these platforms to send malicious files or links and use this for phishing too. Employees are not always deeply familiar with all business collaboration tools and may be fooled, especially since these tools are typically not secured by Advanced Threat Protection (ATP).
In addition to that, we see a general increase in hackers’ activity around the COVID-19 crisis. Attackers take advantage of the fact that people are less focused, and mainly scared about anything related to this new reality that all of us experience. They send malicious or phishing emails, impersonating official bodies or someone who is trying to help, get the victims’ trust and thus lure them to click something or provide their personal details.
How can the inadequate security of some collaboration tools impact an organization? What can they do about it?
This can have a devastating effect on organizations. The data breaches that we occasionally hear about, huge ransomware incidents, phishing attacks and other types of cyberattacks usually start with some kind of content-based malware. Or in other words, a malicious file or a link, sent to an innocent employee who opens it. It doesn’t really matter how this malware is sent. It could be through email, in a file shared on Google Drive, sent as a link on Zoom or delivered as an attachment using MS Teams. For the attacker, this really doesn’t make any difference.
As someone who used to be at “the other side of the fence”, I can spend hours talking about hackers’ strategies in how to deliver malware. To make it short, I will just say that they normally choose either the weakest link in the chain as the delivery method, or attack vector, if you will. Or, they will select the most common channel, and spray the attack assuming that if they send it to a large number of people, someone will be fooled. The latter is the reason that 92% of malware is sent via email.
However, attackers are agile and they are likely to take advantage of the current situation (in fact, they already started doing so). Since suddenly, a much larger number of people use VC and IM platforms, and since these tools are known for their lack of security (and for sure being less secure than email), it’s just a matter of time until we all hear about the cyberattacks that started in platforms like Zoom or Teams.
Organizations should be proactive about this and deploy security solutions that are dedicated for these collaboration platforms. It was ok not to focus the organization’s security strategy on these channels in the past, but now, things are different. As traffic on these channels grows – and we see it every day at our customers’ environments – security leaders should refer to these platforms as potential penetration points and secure them accordingly.
What advice would you give to the security team of an organization that finds hundreds of its employees suddenly working remotely?
In a normal situation, I would say “combine training and education with technological tools to protect the business as well as your employees”. But let’s be fair. In this crazy crisis and level of uncertainty, we can’t really expect employees that struggle to keep working as expected, to focus on IT security training. Therefore, I would advise security teams to act quickly, and adopt a security solution that would protect against malware across the collaboration tools used by their organization.
This doesn’t have to be a hassle and doesn’t necessarily involve a long deployment or overhead to IT teams. There are cloud-based solutions that can be deployed within a few clicks. Some of them are even offered for a discount or free these days, as vendors are trying to support the global problem.
Email is still widely used in the corporate environment. Unfortunately, we see malicious files regularly bypass leading email security products. What can explain the shortcoming of these products?
As I mentioned, email is still the preferred attack vector for hackers. Why? Because it is working for them. It is true that most organizations have some kind of Secure Email Gateway, and many of them even have advanced security layers for their emails such as Office ATP or Proofpoint TAP. Unfortunately, a recent study shows that some attacks penetrate even those advanced security solutions. In fact, on average, between 25% and 35% of the unknown threats that emerge every day bypass them. The reason is quite simple. All these solutions are data-driven, meaning that they rely on knowledge of cyberattacks that they’ve encountered in the past in order to detect new attacks, which are similar to the old ones in one way or another.
The problem is that cyber attackers are sophisticated and they found ways to bypass this mechanism easily. They do so by using automation to generate large numbers of variants of the same attacks very quickly. The variants are slightly different from each other. Different enough to go below the radar of the security solutions. By the time the email security solution identifies a new variant as a threat (which takes hours or even days), there is a newer variant in place.
As long as email security continues to be based on data, this problem will remain. A different approach is needed in order to detect attacks at first encounter.
BitDam’s Advanced Threat Protection (ATP) is threat-agnostic. Can you tell us more about its features and how it integrates with an existing security infrastructure?
BitDam is focused on protecting organizations from content-borne attacks, or in other words, ensuring that every content – file or link – that reaches the employees will be safe. BitDam’s ATP solution is not data driven and thus is threat-agnostic. We don’t collect data about threats. Therefore we are able to automatically protect against new variants of known threats when we first encounter those.
Instead of focusing on the malicious behavior and our familiarity with the threat, we focus on the legitimate behavior of business applications such as MS Word, PowerPoint, Safari and Adobe Reader, which attackers use to deliver their attack to end-users. We use a whitelisting approach on these applications, allowing us to detect malicious activities of any type.
This scanning is done before the end user gets the file or link, no matter which collaboration tool they use. BitDam ATP is cloud-based and available for O365 and G Suite users, allowing security teams to secure enterprise email as well as other collaboration channels such as cloud drives (OneDrive, Google Drive, Dropbox, Box), IM (Teams, Slack) and VC (Zoom, Teams, Skype) within a few clicks.
After recently directly notifying a number of hospitals about vulnerable gateway and VPN appliances in their infrastructure, Microsoft has decided to offer its AccountGuard threat notification service for free for healthcare and worldwide human rights and humanitarian organizations.
“AccountGuard is available to organizations using Office 365 for business email and extends additional security to the personal accounts of their front line workers who use Microsoft’s consumer email services such as Outlook.com and Hotmail,” Tom Burt, Microsoft’s Corporate VP on Customer Security & Trust, explained.
“Both AccountGuard for Healthcare and AccountGuard for Human Rights Organizations will initially be available to organizations in the 29 countries where we already offer AccountGuard, subject to review of local laws and regulations, and we will be adding new countries based on need and local law.”
Microsoft AccountGuard and the new offer for healthcare
Launched in 2018 and previously available only to political campaigns, parties, members of the U.S. Congress and democracy-focused non-profits, the AccountGuard service warns the owners of enrolled accounts about ongoing attacks by nation-state hackers.
“Healthcare organizations can sign up here, and human rights and humanitarian organizations can sign up here,” Burt noted. AccountGuard for Healthcare will be available until the COVID-19 pandemic subsides.
The threat notification service is now available for free to: hospitals and care facilities, clinics, labs, and clinicians that provide frontline care to patients; pharmaceutical, life sciences, and medical device companies that research, develop, and manufacture COVID-related treatments and drugs; non-governmental organizations (NGOs) and international non-governmental organizations (INGOs) involved in the response to the COVID-19 pandemic; and select individuals (with Outlook.com and Hotmail.com personal emails) invited to participate by an eligible organization.
Participation in AccountGuard for Human Rights Organizations is offered by invitation only.
“Leading human rights and humanitarian organizations including Amnesty International, CyberPeace Institute, Freedom House, Human Rights Watch and Physicians for Human Rights have already registered for our AccountGuard threat notification service through an initial pilot,” Burt added.
Most attacks start with phishing emails
“An attacker will often disguise malicious content as a message from a health authority or medical equipment provider. These emails sent to work or home inboxes seek to obtain the person’s credentials and often contain documents or links that will infect a computer and spread the infection through a network, enabling attackers to control it,” he explained.
Attackers targeting healthcare organizations are after COVID-19-related intelligence and/or are looking to disrupt the provision of desperately needed care or supplies. Those probing human rights or humanitarian organizations are after intelligence on these organizations and the people who these groups protect, or want to disrupt their work.
Attackers looking to exploit CVE-2020-0688, a critical Microsoft Exchange flaw patched in February 2020, don’t have to look hard to find a server they can attack: according to an internet-wide scan performed by Rapid7 researchers, there are at least 315,000 and possibly as many as 350,000 vulnerable on-premises Exchange servers (out of 433,464 total) out there.
What Rapid7 discovered
The scan also revealed more depressing statistics:
- Over 31,000 Exchange 2010 servers have not been updated since 2012
- Nearly 800 Exchange 2010 servers have never been updated
- There are 10,731 Exchange 2007 servers and over 166,000 Exchange 2010 servers. (The former version is no longer supported, and the latter will reach that status in October 2020.)
Attackers are looking to exploit CVE-2020-0688
Despite Microsoft releasing patches for CVE-2020-0688 in February 2020, and despite the fact that soon after attackers began probing for vulnerable servers and using freely available PoC exploits and a Metasploit module released in early March to breach them, far too many organizations have yet to implement the patch.
Security updates fixing the flaw have been provided for:
- MS Exchange Server 2010 Service Pack 3 Update Rollup 30
- MS Exchange Server 2013 Cumulative Update 23
- MS Exchange Server 2016 Cumulative Update 14 and 15
- MS Exchange Server 2019 Cumulative Update 3 and 4
What makes random exploitation difficult?
The one thing that makes random exploitation of the flaw difficult is that attackers need compromised, valid email credentials to access the server before attempting to exploit CVE-2020-0688. But motivated, well-resourced attackers who are looking to breach a specific organization will, no doubt, find a way to get their hands on the required credentials.
Still, the fact that there is such a huge number of outdated and unpatched MS Exchange mail servers out there doesn’t bode well.
“Email is one of, if not the most, sensitive and important systems upon which organizations of all shapes and sizes rely. They are, by virtue of their function, inherently exposed to the Internet, meaning they are within the range of every targeted or opportunistic intruder, worldwide. In this particular case, unpatched servers are also vulnerable to any actor who can download and update Metasploit, which is virtually 100% of them,” noted Richard Bejtlich, Principal Security Strategist at Corelight.
“It is the height of negligence to run such an important system in an unpatched state, when there are much better alternatives – namely, outsourcing your email to a competent provider, like Google, Microsoft, or several others. The bottom line is that unless your organization is willing to commit the resources, attention, and expertise to maintaining a properly configured and patched email system, you should outsource it. Otherwise you are being negligent with not only your organization’s information, but the information of anyone with whom you exchange emails.”
Check out Rapid7’s blog post for instructions on how to find out whether your MS Exchange servers need patching and how to check whether they’ve already been compromised through CVE-2020-0688.
Google has announced the rollout of two new non-negotiable security features for Android users who have also enrolled in the company’s Advanced Protection Program (APP).
What is the Advanced Protection Program?
In late 2017, Google decided to provide additional security for those who are at an elevated risk of targeted attacks – e.g., journalists, human rights and civil society activists, campaign staffers, people in abusive relationships, etc. – and are willing to trade off a bit of convenience for more protection.
Initially offered only for consumer/personal Google accounts, in 2019 the program was made available for G Suite accounts, so that high-risk employees such as IT admins, executives, and employees in regulated or high-risk verticals such as finance or government can better secure their email accounts.
Users who enroll must use a physical security key (or their Android, iPhone or iPad device) to gain access to their account, are not able to use untrusted third-party apps that require access to their email account, must go through a stricter account recovery process, get additional download protections from Google Safe Browsing (when signed into Google Chrome with the same identity), and have enhanced email scanning for threats on their accounts.
The new Google Advanced Protection security features
On Wednesday, Google said that the company is now automatically turning Google Play Protect on for all devices with a Google Account enrolled in Advanced Protection and will require that it remain enabled.
Google Play Protect is a security suite for Android devices that scans and verifies apps users want to download/ have downloaded from Google Play and third-party app stores, periodically scans the device for potentially malicious apps, and more.
Google will now also start blocking most apps that come from third-party app stores from being installed on any devices with a Google Account enrolled in Advanced Protection.
“You can still install non-Play apps through app stores that were pre-installed by the device manufacturer and through Android Debug Bridge. Any apps that you’ve already installed from sources outside of Google Play will not be removed and can still be updated,” explained Roman Kirillov, Engineering Manager, Android Security and Privacy.
“G Suite users enrolled in the Advanced Protection Program will not get these new Android protections for now; however, equivalent protections are available as part of endpoint management.”
A serious disconnect exists between how decision makers (i.e., CISOs, CIOs and CEOs) and security practitioners (i.e., IT managers and directors, security architects and security operations analysts) perceive phishing prevention, according to research by Ironscales.
The research is based on a detailed, cross-industry survey of 252 security professionals from the United States and the United Kingdom.
Among its key findings, the survey revealed that decision makers are four times more likely than security practitioners to consider email security the highest priority, suggesting that security personnel believe that they have a sufficient handle on phishing prevention while the C-Suite sees substantial business risk.
“The disconnect between security practitioners and decision makers is extraordinarily problematic for phishing prevention and incident response,” said Eyal Benishti, CEO at Ironscales.
“The cause for such a predicament – whether or not security professionals on the front lines don’t fully understand the long-term business impacts of a successful phishing attack or if the C-Suite is simply over-concerned – is irrelevant. What matters is that moving forward these two important constituencies get on the same page so that the proper time and attention can be allocated towards minimizing phishing risk.”
The survey revealed that there is a critical need for real-time threat intelligence to more thoroughly address the risk of phishing; that the security skills shortage is having a material impact on security teams’ ability to deal with phishing properly, and that most organizations are using several tools to combat phishing, with secure email gateways remaining the most common.
Key research findings
- 24% of a 40-hour work week is spent by security analysts investigating, detecting or remediating phishing emails.
- Only one in five organizations continuously updates and tweaks its corporate email security policies in a typical month.
- Nearly three in five organizations train their users on proper email security protocols no more than twice per year, while only a third of organizations do so much more frequently (at least monthly or continuously).
- More than 70% of organizations use only manual processes for reviewing user-reported phishing emails, making it far too labor and time-intensive to mitigate email threats at scale.
Problems with phishing prevention
The survey also found that phishing emails continue to take organizations a substantial amount of time to detect, investigate and remediate. In total:
- 70% of organizations take more than 5 minutes to remove a phishing attack from a corporate mailbox even though the average time-to-click is 82 seconds.
- 75% of organizations cannot act on phishing intelligence automatically in real-time.
- 90% of organizations cannot orchestrate phishing intelligence from multiple sources in real time in the context of their overall email security solution(s).
“The survey’s findings reinforce the significant challenges that email phishing attacks incur on organizations of all sizes,” said Michael Osterman, principal analyst at Osterman Research.
“Most immediately, decision makers and cybersecurity practitioners must work to overcome the disconnect that exists so that time, budget and resources can be properly allocated to reduce email phishing risk.”
As of January 2020, nearly 1 million (933,973) domains have published DMARC records, an increase of 70% compared to last year and more than 180% growth over the last two years, a new Valimail report reveals. In addition, 80% of all inboxes worldwide perform DMARC checks and enforce domain owners’ policies, provided the domain owners have configured DMARC.
However, just 13% of all DMARC records are configured with enforcement policies, demonstrating that interest in DMARC is increasing but DMARC expertise is not keeping pace.
“Given DMARC’s benefits, it comes at no surprise its rate of adoption has been growing consistently,” said Alexander García-Tobar, CEO and co-founder, Valimail.
“But publishing a DMARC record is just the first step — enforcement must be reached before a domain is protected, and trust can be restored to email.
“There’s an additional downside to not getting to enforcement: Our research demonstrates that domains without DMARC policies at enforcement are spoofed nearly four times more often compared to domains with DMARC at enforcement. This is because fraudsters give up trying to spoof a domain once they realize it doesn’t work, and move on to easier targets.”
Additional key data points
- At a minimum, 1% of global email volume is sent using a spoofed domain.
- The United States remains the largest source of spoofed email by volume.
- Russia, China, Vietnam and India continue to have a proportionally high number of spoofs among email originating from these countries.
- 79% of US federal domains have DMARC records and 93% of those are at enforcement, a tribute to the success of a 2017 directive from the Department of Homeland Security, BOD 18-01.
- 23% of billion-dollar companies’ domains are at DMARC enforcement.
The research from Valimail was compiled by analyzing a broad cross-section of company sizes and revenues across eight different verticals.
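The distinction the report draws between publishing a record and reaching enforcement is mechanical: a receiver applies the p= tag (or sp= for subdomains), and only quarantine or reject actually does anything to spoofed mail. The following Python is an added example written for this page, not Valimail’s tooling, that parses a DMARC TXT record and reports whether the organisational domain and its subdomains are at enforcement. The records and example.com names are constructed; treating pct below 100 as not at enforcement is this example’s own conservative assumption, since a partial rollout still lets most failing mail through.

```python
"""Added example: classify a DMARC TXT record by enforcement status.

Illustrative code written for this page, not Valimail's tooling. Assumption
(labelled): a record with pct below 100 is treated as NOT at enforcement.
"""

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs.

    Returns an empty dict if the record is not a DMARC record (v=DMARC1 must
    be the first tag), which matches what a receiver does: it ignores it.
    """
    parts = [p.strip() for p in txt.strip().split(";") if p.strip()]
    if not parts or not parts[0].lower().startswith("v="):
        return {}
    tags = {}
    for part in parts:
        if "=" not in part:
            return {}  # malformed tag: treat the whole record as absent
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def effective_policy(txt: str, for_subdomain: bool = False) -> tuple:
    """Return (policy, pct) a receiver would apply, or ('none_published', 0)."""
    tags = parse_dmarc(txt)
    if not tags or "p" not in tags:
        return ("none_published", 0)
    policy = tags["p"].lower()
    if for_subdomain and "sp" in tags:
        policy = tags["sp"].lower()  # sp= overrides p= for subdomains only
    if policy not in VALID_POLICIES:
        return ("none_published", 0)
    try:
        pct = int(tags.get("pct", "100"))  # RFC 7489 default is 100
    except ValueError:
        return ("none_published", 0)  # malformed pct: conservative choice
    return (policy, max(0, min(pct, 100)))


def at_enforcement(txt: str, for_subdomain: bool = False) -> bool:
    """True only when failing mail is quarantined or rejected in full."""
    policy, pct = effective_policy(txt, for_subdomain)
    return policy in ("quarantine", "reject") and pct == 100


def enforcement_report(records: dict) -> dict:
    """Map each label to (domain_at_enforcement, subdomains_at_enforcement)."""
    return {
        label: (at_enforcement(rec), at_enforcement(rec, for_subdomain=True))
        for label, rec in records.items()
    }


# Constructed records; example.com is a placeholder, not an observation.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "reject": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "reject-but-open-subdomains": "v=DMARC1; p=reject; sp=none",
    "partial-rollout": "v=DMARC1; p=quarantine; pct=20",
    "not-dmarc": "v=spf1 include:_spf.example.com -all",
}

if __name__ == "__main__":
    for label, result in enforcement_report(SAMPLE_RECORDS).items():
        print(f"{label:28} domain={result[0]!s:5} subdomains={result[1]}")
```

The "reject-but-open-subdomains" case is the one worth checking in your own zone: p=reject looks like enforcement in a survey, yet sp=none leaves every subdomain spoofable, and the records you pull from DNS should be checked for both.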
Despite heading a company that provides a technological solution for stopping targeted email attacks, Evan Reiser, CEO of Abnormal Security, knows that technology is not the complete answer to the malicious email problem.
At the same time, security awareness and anti-phishing training is also not a foolproof solution, he maintains.
“Some businesses are giving up on technology and defaulting to an awareness-based security program for detecting email attacks, but that sets them up for failure. Our brains are wired to look for patterns and repeat processes, so for something that we do daily like email, it’s only a matter of time before an employee accidentally clicks a link from a ‘trusted’ company,” he told Help Net Security.
Forcing employees to dedicate a good chunk of each working day to evaluating emails for signs that they might have been sent by a bad actor is not good for business and not good for the employees, he opined: companies must marry training and technology together to build a comprehensive approach to protecting against email-based attacks.
Building a robust awareness training strategy
“There have been massive strides in the industry regarding training and awareness. There are a lot of great organizations that will provide security training as a service. These offerings teach employees to look for tell-tale clues such as emails from unknown senders, spelling errors, bad links, and inconsistent email addresses,” Reiser noted.
“However, I don’t think organizations fully realize how sophisticated attackers are. They are using information from social media, company websites, and other email communications to mimic people you trust, like bosses, colleagues or vendors. We’re not falling for emails from a Nigerian prince asking for money anymore.”
Even the most security-savvy employees can fall for some of these sophisticated tricks, and some may be too embarrassed to tell anyone about it or flag their failure quickly enough to prevent a (relative) catastrophe.
For many employees and in many organizations, falling for an email attack still carries a stigma, but companies should work on minimizing it, as well on sharing the lessons learned.
“It’s not about pointing fingers, but about creating a level of honesty and information sharing. Companies and executives need to move beyond exercises and share insights with employees about what they see in the industry, inside their own company, and how employees have been targeted and fooled,” he advised.
Collaboration and learning leads to better security for all
Reiser has been interested in technology for as long as he can remember, but only recently focused on cybersecurity – more specifically, on creating a more accurate solution for spotting malicious emails, especially if they are sent from legitimate but compromised accounts.
After getting a BS in computer systems engineering and a job in web development, he quickly found himself transitioning away from the corporate setting and into the world of startups.
His first company, an online-to-offline advertising platform that used behavioral profiling to direct offline purchasing through online ads, was sold to JP Morgan in 2010.
“With that experience, I built a new business that applied machine learning to advertising technology. That company was acquired by TellApart – and later by Twitter – where we worked on large-scale behavioral modeling, distributed machine learning and data privacy, security, and strategy,” he says.
He then realized that the same behavioral modeling technology that they used at TellApart and Twitter could have exciting cybersecurity applications – and this is how Abnormal Security came to be.
In this day and age, companies can’t do business without using email, but phishing and scam emails and business email compromise (BEC) incidents are a daily occurrence. Even the biggest and the most tech-savvy corporations aren’t immune to being victimized, and this means there’s a healthy demand for more effective solutions.
“The way I view it is that we’re partners and teammates with our customers,” Reiser explains. The ultimate goal is to get customers as secure as possible, he noted, but they are not under the illusion that the defenses they build last forever. “Bad actors will always come up with new ways to attack, and that’s why we need to learn together to build the best possible security posture.”
Nearly 90 percent of global organizations were targeted with BEC and spear phishing attacks in 2019, reflecting cybercriminals’ continued focus on compromising individual end users, a Proofpoint survey reveals.
Seventy-eight percent also reported that security awareness training activities resulted in measurable reductions in phishing susceptibility.
The report examines global data from nearly 50 million simulated phishing attacks sent by Proofpoint customers over a one-year period, along with third-party survey responses from more than 600 information security professionals in the U.S., Australia, France, Germany, Japan, Spain, and the UK.
The report also analyses the fundamental cybersecurity knowledge of more than 3,500 working adults who were surveyed across those same seven countries.
A people-centric approach is recommended
“Effective security awareness training must focus on the issues and behaviors that matter most to an organization’s mission,” said Joe Ferrara, senior vice president and general manager of Security Awareness Training for Proofpoint.
“We recommend taking a people-centric approach to cybersecurity by blending organization-wide awareness training initiatives with targeted, threat-driven education. The goal is to empower users to recognize and report attacks.”
End-user email reporting, a critical metric for gauging positive employee behavior, is also examined within this year’s report. The volume of reported messages jumped significantly year over year, with end users reporting more than nine million suspicious emails in 2019, an increase of 67 percent over 2018.
The increase is a positive sign for infosec teams, as there’s a trend toward more targeted, personalized attacks over bulk campaigns.
Users need to be increasingly vigilant in order to identify sophisticated phishing lures, and reporting mechanisms allow employees to alert infosec teams to potentially dangerous messages that evade perimeter defenses.
Phishing attacks in 2019: Key takeaways
More than half (55 percent) of surveyed organizations dealt with at least one successful phishing attack in 2019, and infosecurity professionals reported a high frequency of social engineering attempts across a range of methods.
88 percent of organizations worldwide reported spear-phishing attacks in 2019, 86 percent reported BEC attacks, 86 percent reported social media attacks, 84 percent reported SMS/text phishing (smishing), 83 percent reported voice phishing (vishing), and 81 percent reported malicious USB drops.
Sixty-five percent of surveyed infosec professionals said their organization experienced a ransomware infection in 2019; 33 percent opted to pay the ransom while 32 percent did not. Of those who negotiated with attackers, nine percent were hit with follow-up ransom demands, and 22 percent never got access to their data, even after paying a ransom.
Organizations are benefitting from consequence models. Globally, 63 percent of organizations take corrective action with users who repeatedly make mistakes related to phishing attacks. Most infosec respondents said that employee awareness improved following the implementation of a consequence model.
Many working adults fail to follow cybersecurity best practices. Forty-five percent admit to password reuse, more than 50 percent do not password-protect home networks, and 90 percent said they use employer-issued devices for personal activities. In addition, 32 percent of working adults were unfamiliar with VPN services.
Recognition of common cybersecurity terms is lacking among many users. In the global survey, working adults were asked to identify the definitions of the following cybersecurity terms: phishing (61 percent correct), ransomware (31 percent correct), smishing (30 percent correct), and vishing (25 percent correct).
These findings spotlight a knowledge gap among some users and a potential language barrier for security teams attempting to educate employees about these threats. It’s critical for organizations to communicate effectively with users and empower them to be a strong last line of defense.
Millennials continue to underperform other age groups in fundamental phishing and ransomware awareness, a caution that organizations should not assume younger workers have an innate understanding of cybersecurity threats. Millennials had the best recognition of only one term: smishing.
Email security miss rates are a serious problem. Malicious files regularly bypass all of today’s leading email security products, leaving enterprises vulnerable to email-based attacks including ransomware, phishing and data breaches, according to BitDam.
BitDam conducted an empirical study to measure leading email security products’ ability to detect unknown threats at first encounter. Unknown threats are new samples that appear in the wild, sometimes hundreds in a single day.
The study employs the retrieval of fresh samples of malicious files from various feeds and sources, qualifying them as unknown threats, and sending them to mailboxes protected by leading email security products. The miss rate at first encounter was then measured, as well as the Time To Detect (TTD).
According to the study’s findings, for Office 365 ATP the miss rate over seven weeks in late 2019 was about 23% and the average TTD was about 48 hours. About 20% of the missed unknown threats took four or more days to be detected, and Office 365 ATP remained ‘blind’ to some of the unknown threats it had missed at first encounter. For G Suite, the miss rate was 35.5% over four weeks in late 2019. The average TTD was about 26 hours, with about 10% of the missed unknown threats taking three days or more to be detected.
These massive detection gaps provide proof of how enterprises are often unprotected against unknown threats, which leads to successful email-based attacks such as ransomware, phishing, and malware.
“Mind the gap! is as relevant to CISOs as it is to riders on the London Underground. The time gap between malware delivery and subsequent detection by the industry’s most widely used endpoint protection suites is shockingly long – in practice long enough to be useless. The study pinpoints this unacceptable gap in detection time, showing that organizations are exposed to cyberthreats for many hours, or even days, before their email security identifies these as malware,” said Simon Crosby, CTO, SWIM.AI.
Most threat detection technologies fail to provide protection against unknown threats. Due to their dependency on previous knowledge about threats, these technologies must be augmented by advanced solutions in order to provide better email security.
“We feel that even though the email threat landscape is constantly evolving, it is BitDam’s responsibility to do all that it can to identify the weakest security points that exist today and offer a solution for the everyday unknowns,” said Liron Barak, CEO of BitDam.
“It was this thought process that was behind our study to find the most common shortcomings of email security products on the market today, so we could respond with meaningful industry knowledge and, of course, provide a solution. The detection miss rate levels were higher and more alarming than we had anticipated. Our study is a call to action for solution providers to do more, and for enterprises to enrich their arsenal with solutions like BitDam’s to detect the malware that slips through their current email security,” Barak concluded.
One of phishers’ preferred methods for fooling both targets and email filters is to use legitimate services to host phishing pages. The latest example of this involves Office 365 users being directed to phishing and malicious pages hosted on Office Sway, a web application for content creation that’s part of Microsoft Office.
The email that tries to trick recipients into visiting the phishing page isn’t stopped by Microsoft’s filters, likely because:
- It was sent from an onmicrosoft.com email address
- It includes links that point to sway.office.com and other trusted sites (e.g., LinkedIn)
It pretends to be a fax receipt notice, shows a small image of the supposedly received fax, and asks the user to open the attachment to view it.
The phishing Office Sway page
Those who fall for the scheme are directed to a landing page hosted on Sway, which instructs them to click on another link that will either download a malicious file or lead them to a spoofed Office 365 login page:
“The Sway page will include trusted brand names. Most commonly, the spoofed brands are Microsoft-affiliated, just like the SharePoint logo shown in the example above,” Avanan explained.
And if the recipient is logged into an Office account, Sway pages appear wrapped in Office 365 styling with accompanying menus, making the page even more convincing.
“Attackers can turn Microsoft Sway into most any site they like, causing both Outlook and even the most savvy recipients to trust sway.com links,” the company pointed out, and noted that because the attackers are using multiple senders and domains, blacklisting them won’t work.
“Instead, we’ve seen many clients blacklist sway.office.com in their web filters. Unless your organization actively uses Sway, you should consider blocking Sway links,” they advised.
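The two traits Avanan describes (an onmicrosoft.com sender and body links into sway.office.com) are easy to check for at the mail gateway. The triage function below is an added example written for this page, not Avanan's or Microsoft's code; the sample messages are constructed, and the host list, sender suffix and verdict tiers are assumptions a team would tune to its own environment.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts and sender suffix are those named in the Avanan write-up; the rest is assumed.
WATCHED_LINK_HOSTS = {"sway.office.com", "sway.com"}
WATCHED_SENDER_SUFFIX = ".onmicrosoft.com"
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

def extract_links(msg):
    """Yield every http(s) URL in the text/plain and text/html parts."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            yield from URL_RE.findall(raw.decode(part.get_content_charset() or "utf-8", "replace"))

def is_sway_host(url):
    host = (urlparse(url).hostname or "").lower()
    return host in WATCHED_LINK_HOSTS or host.endswith(".sway.office.com")

def triage(raw_message):
    """Score one RFC 822 message on the two traits the campaign relies on."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    links = list(extract_links(msg))
    sway_links = [u for u in links if is_sway_host(u)]
    reasons = []
    if sender_domain.endswith(WATCHED_SENDER_SUFFIX):
        reasons.append("sender is an onmicrosoft.com tenant address")
    if sway_links:
        reasons.append("body links to Office Sway")
    # Both traits together match the campaign; either alone only merits a look.
    verdict = ("pass", "review", "quarantine")[len(reasons)]
    return {"sender_domain": sender_domain, "links": links,
            "sway_links": sway_links, "reasons": reasons, "verdict": verdict}
# Constructed sample messages (not real campaign artifacts).
SUSPECT = """From: Fax Service <notify@contoso12.onmicrosoft.com>
Subject: New fax received
Content-Type: text/html

<p>You have a new fax. <a href="https://sway.office.com/abc123">View fax</a></p>
<p><a href="https://www.linkedin.com/company/example">LinkedIn</a></p>
"""
BENIGN = """From: HR <hr@example.com>
Subject: Team update
Content-Type: text/plain

Slides are at https://intranet.example.com/slides/q3
"""
```

Organizations that do use Sway would keep the "review" tier rather than blocking the host outright, as the article suggests.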