Impersonation scams are up 148% and every CISO has seen it, on everything: email, text, messaging apps, phone calls... Whether it’s fake CEO emails/texts, vendor fraud, or BEC-enabled theft, the rise is sharp and real.

Key threats:
- BEC 2.0 — Generative AI makes executive impersonation far more convincing
- Retail risk — Fake purchase orders, refund fraud, and supplier cons are on the rise
- CEO impersonation — Used to push urgent transfers, influence M&A, or mislead staff

A few things to do as we get smarter about this evolving threat:
- Lock down email: SPF, DKIM, DMARC
- Confirm financial instructions out-of-band (make this part of procedure!)
- Teach employees to pause, question, and escalate (tough to do!)
- Use behavioral AI, if you can, to detect anomalies
- Have a BEC-ready incident plan, including your law enforcement contact info (probably should be the #1).

For US: report impersonation scams at https://www.ic3.gov
Rising threats in cloud-based email
Summary
Rising threats in cloud-based email refer to the growing number of scams, hacking attempts, and fraud schemes that target email systems hosted on cloud platforms. These attacks exploit weaknesses in cloud security, artificial intelligence, and human behavior to steal credentials, impersonate executives, and infiltrate organizations for financial or informational gain.
- Verify financial requests: Always confirm payment or fund transfer instructions using a separate method like a phone call, especially if the request seems urgent or comes from a high-level executive.
- Educate your team: Regularly train employees to spot suspicious links, phishing attempts, and unusual email activity to help prevent accidental sharing of login information or sensitive data.
- Update AI permissions: Review and limit the access that AI-powered tools have to your emails and documents, and keep these integrations up-to-date with the latest security patches.
Beware of an active integrated credential phishing and cloud Account Takeover (ATO) campaign. It was originally detected by Proofpoint researchers in late November 2023. This campaign uses individualized phishing lures within shared documents, including embedded links to 'view document' that lead to a malicious phishing webpage. The targets of this attack are often senior positions, including sales directors, account managers, and finance managers. Even individuals holding executive positions such as 'vice president, operations,' 'chief financial officer & treasurer,' and 'president & CEO' were among those targeted, according to the researchers. During the access phase of the attack, the attackers use a specific Linux user-agent for accessing the OfficeHome sign-in application and gain access to a range of native Microsoft 365 apps. Defenders can use this information as an indicator of compromise (IOC), as the user-agent reads: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36". Once the initial access succeeds, the attackers manipulate multi-factor authentication (MFA) to maintain persistence. This can include registering a fake phone number for SMS authentication or adding a separate authenticator with notification and code. Subsequent activity is likely to include data exfiltration, internal and external phishing, financial fraud, and compromise obfuscation through new mailbox rules to cover tracks and remove evidence of malicious activity from the victims’ mailboxes. Stay vigilant, and be cautious when clicking on shared documents or links, especially if they are individualized and come from an unverified source.
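The indicators in this post form a chain a defender can correlate in a log review: a successful sign-in carrying the IOC user-agent, followed on the same account by MFA-method registration and new inbox rules. The script below is an added example, not code from the original post or from Proofpoint; the event schema, operation names, timestamps and accounts are constructed for illustration and do not reproduce any vendor's audit-log format.

```python
import json
from collections import defaultdict

# User-agent string the post gives as the IOC for the OfficeHome sign-in phase.
IOC_USER_AGENT = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Follow-on actions the post describes: MFA persistence and mailbox-rule cleanup.
# Operation names are hypothetical, not a vendor's audit schema.
MFA_OPS = {"AddMfaMethod", "RegisterSmsPhone"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

# Constructed sample events (one JSON object per line, hypothetical schema).
SAMPLE_LOG = """
{"ts":"2023-11-28T08:02:11Z","user":"cfo@example.com","op":"SignIn","result":"success","ua":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}
{"ts":"2023-11-28T08:05:40Z","user":"cfo@example.com","op":"RegisterSmsPhone","detail":"+1-555-0100"}
{"ts":"2023-11-28T08:09:03Z","user":"cfo@example.com","op":"New-InboxRule","detail":"MoveToFolder=RSS Subscriptions; SubjectContains=invoice"}
{"ts":"2023-11-28T09:15:22Z","user":"alice@example.com","op":"SignIn","result":"success","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}
{"ts":"2023-11-28T09:20:00Z","user":"alice@example.com","op":"Set-InboxRule","detail":"MoveToFolder=Newsletters"}
{"ts":"2023-11-28T10:41:09Z","user":"bob@example.com","op":"SignIn","result":"failure","ua":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}
"""

def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def correlate_ato(events):
    """Per user: first successful IOC sign-in, then later MFA and inbox-rule changes."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 UTC sorts lexically
        by_user[ev["user"]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        hit = next((e for e in evs if e["op"] == "SignIn"
                    and e.get("result") == "success"
                    and e.get("ua") == IOC_USER_AGENT), None)
        if hit is None:
            continue  # failed IOC sign-ins and rule changes without the IOC are not flagged here
        later = [e for e in evs if e["ts"] > hit["ts"]]
        mfa = [e["op"] for e in later if e["op"] in MFA_OPS]
        rules = [e["detail"] for e in later if e["op"] in RULE_OPS]
        # Escalate when the full chain (access -> persistence -> cleanup) is present.
        severity = "high" if mfa and rules else "medium"
        findings[user] = {"ioc_signin_at": hit["ts"], "mfa_changes": mfa,
                          "mailbox_rules": rules, "severity": severity}
    return findings

if __name__ == "__main__":
    for user, finding in correlate_ato(parse_events(SAMPLE_LOG)).items():
        print(user, json.dumps(finding))
```

Only the account whose successful sign-in carries the IOC user-agent is reported; the legitimate user's inbox-rule change and the failed IOC sign-in are left out so the output stays actionable.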
The recent Microsoft Midnight Blizzard breach in January 2024 has raised concerns about targeted social engineering and credential theft. Midnight Blizzard, also known as APT29, is a Russian state-affiliated hacking group that has been identified as the source behind a surge in credential theft attacks. Microsoft has disclosed that the group employs a range of techniques, including password spraying, brute force, token theft, and session replay, to gain unauthorized access to cloud resources. The impact of these attacks is far-reaching, with governments, IT service providers, non-governmental organizations (NGOs), as well as defense and critical manufacturing industries being targeted [3].

In a recent development, Microsoft revealed that executive emails were hacked by this Russian intelligence group, also known as Midnight Blizzard. The group has been using sophisticated, highly targeted social engineering attacks, such as credential theft phishing lures distributed via Microsoft Teams chats. To enhance credibility, the actor employs security-themed or product name-themed keywords in crafting new subdomains. Midnight Blizzard frequently employs token theft techniques as part of their initial access strategy and has been using previously compromised Microsoft 365 tenants owned by small businesses to conduct these attacks [4][5].

The breach highlights the ongoing threat posed by sophisticated state-affiliated hacking groups and the importance of robust cybersecurity measures to protect against such attacks. Organizations and individuals are urged to remain vigilant and implement best practices to safeguard their systems and data.

Citations:
[1] https://lnkd.in/gmDcGWis
[2] https://lnkd.in/g9KhVJ44
[3] https://lnkd.in/gcWbUZYK
[4] https://lnkd.in/gGn5xbMS
[5] https://lnkd.in/gV6KrMFR
Just reviewed this excellent breakdown on email threats for SOC analysts - a solid technical reference covering the fundamentals of modern email-based attacks.

🔑 Key insights for security teams:
• Attackers evade detection using newly created domains, non-blacklisted SMTP servers, and sandbox evasion techniques (sleep functions, encrypted files, VM detection)
• Most prevalent attack vectors: spear phishing attachments (Office docs, PDFs, compressed files, ISO images), credential harvesting links, and BEC attacks via thread hijacking
• Email security bypass tactics include hosting phishing pages on legitimate cloud domains with SSL certificates (appspot.com, web.app)
• Social engineering remains critical - even sophisticated technical controls can be circumvented through spoofing, lookalike domains and thread hijacking

For SOC analysts, understanding these mechanics is essential for effective detection engineering and incident response.
Headline: Google Warns 1.8 Billion Users of New AI-Powered Cyber Threat

Introduction: Google has issued an urgent cybersecurity alert to all 1.8 billion Gmail users, warning of a rising danger fueled by generative AI—indirect prompt injections. Unlike traditional hacking methods, these attacks target the AI systems themselves, embedding hidden malicious commands in everyday content like emails and documents.

Key Points:
• Nature of the Threat:
  • Indirect prompt injections differ from direct ones by hiding harmful instructions in external data sources.
  • These can be embedded in emails, documents, calendar invites, or other shared files.
  • When an AI tool processes this content, it may be tricked into leaking sensitive data or executing unauthorized actions.
• Why It’s Emerging Now:
  • The rapid adoption of generative AI in daily workflows has created new vulnerabilities.
  • Attackers exploit AI’s trust in incoming data, bypassing traditional security filters.
• Potential Impact:
  • Risks extend beyond individuals to businesses and governments, as AI assistants become embedded in operations.
  • Could enable large-scale phishing, corporate espionage, or data exfiltration without the user realizing.
• Google’s Advice:
  • Be cautious when granting AI tools access to emails, calendars, or cloud files.
  • Keep AI integrations updated with the latest security patches.
  • Limit AI’s ability to automatically act on unverified external inputs.

Why This Matters: As AI becomes a core part of productivity tools, attackers are shifting from targeting humans to targeting the AI systems that humans trust. Indirect prompt injections represent a new frontier in cyber threats, requiring both users and organizations to rethink how they secure AI-powered workflows.

I share daily insights with 22,000+ followers and 8,000+ professional contacts across defense, tech, and policy. If this topic resonates, I invite you to connect and continue the conversation.

Keith King
https://lnkd.in/gHPvUttw
Over the past year, the number of users clicking on phishing links has nearly tripled! Research by Netskope in their recent Cloud and Threat Report showed an increase from 2.9 in 2023 to 8.4 out of every 1,000 users in the average organisation clicking on a phishing link each month. This increase comes despite most organisations requiring users to undergo security awareness training to avoid phishing attacks. The main factors leading to this increase are cognitive fatigue and the creativity and adaptability of the attackers in delivering harder-to-detect baits. The top target for phishing campaigns users clicked on in 2024 were cloud applications, representing over one-quarter of the clicks. These findings did not surprise me, as most of the breaches our MinterEllison cyber team responded to were caused by social engineering/phishing.
I’m thrilled to share the latest findings from Perception Point’s H1 2024 report, which is now available! Here’s what we’ve uncovered:
🔹 Cyber attacks per employee increased by 24% in H1 2024
🔹 Business Email Compromise (BEC) & Vendor Email Compromise (VEC) attacks rose by 42% and 66%, respectively
🔹 Phishing continues to dominate, accounting for 75% of email-based attacks and 89% of browser-based attacks

Our report reveals a major shift in the threat landscape. BEC and VEC attacks are increasingly replacing traditional malware, driven by the growing use of GenAI to create more sophisticated social engineering tactics. This trend makes it clear: traditional security systems are no longer enough.

Dive into our findings and explore how to stay ahead of these evolving threats:
Read the press announcement: https://hubs.la/Q02NzZnS0
Download the report: https://hubs.la/Q02NzYp80
Check out our latest blog post: https://hubs.la/Q02Nz_dL0

#ThreatPrevention #BEC #VEC #Phishing #GenAI
Your Cloud Logins at Risk! New Phishing Campaign Abuses Trusted Cloud Platforms

Even the most trusted tools can be turned against us. An ongoing spear phishing campaign is exploiting popular cloud storage platforms like Dropbox, DocuSign, and Google Drive to steal login credentials.

How it Works: Hackers compromise legitimate cloud storage accounts and use them to share malicious documents. These documents contain links that appear harmless, directing users to a seemingly authentic login page for services like Microsoft 365. Here's the catch: these login pages are fakes, designed to steal your credentials. Because the malicious link is embedded in a document on the cloud sharing site, it often evades most security protection tools too.

The Impact: If a user falls victim, hackers gain complete access to their M365 account, potentially compromising sensitive data, emails, and even giving them a platform to launch further phishing attacks within your organization.

Combating the Threat:
-> User Awareness: Train your team and clients to be cautious of unexpected documents, even from trusted cloud storage providers. Encourage a "see something, say something" culture to report suspicious links.
-> Security Controls: Consider implementing stricter email security measures to detect and block emails containing links to these compromised cloud storage sites.
-> Block Sites Your Company Doesn’t Use: Leverage web content filtering and DNS filtering technology to block sites not used by your organization. Proactive communication needed here to avoid issues.
-> Communication is Key: Educate your clients about this evolving phishing tactic. The more informed they are, the less susceptible they become.

Stay vigilant! By understanding these new threats and taking preventative measures, we can protect ourselves and our clients from falling victim to sophisticated phishing schemes.
What additional security measures do you use to protect your organization from cloud-based phishing attacks? Share your thoughts in the comments! #phishing #cybersecurity #cloudsecurity #informationsecurity #datasecurity #protectyourdata #M365 #cloudstorage #businesssecurity #ITsecurity #securityawareness https://lnkd.in/g3McnKt5