Jennifer Marsh - Page 3

With a background in software engineering, Jennifer Marsh has a passion for hacking and researching the latest cybersecurity trends. Jennifer has contributed to TechCrunch, Microsoft, IBM, Adobe, and CloudLinux. When Jennifer is not programming for her latest personal development project or researching the latest cybersecurity trends, she spends time fostering Corgis.

DarkGate/PikaBot Malware Phishing Campaign the Work of Qakbot Operators?

A malware phishing campaign that has been running since September 2023 has been distributing DarkGate malware. The threat actor behind the campaign has now switched to PikaBot malware, and the campaign has several similarities to those conducted by the threat actor behind Qakbot.

DarkGate malware was first detected in 2017 but was only offered to other cybercrime groups this summer. Since then, distribution of the malware has increased significantly, with phishing emails and malvertising – malicious adverts – the most common methods of delivery. DarkGate is a multi-purpose Windows malware with a range of capabilities, including information stealing, malware loading, and remote access. In September, security researchers at Cofense identified a malware phishing campaign spreading DarkGate that has since evolved into one of the most advanced active phishing campaigns, which makes it clear that an experienced threat group is behind it. Then, in October 2023, the threat actor behind the campaign switched to distributing PikaBot malware. PikaBot was first detected in early 2023 and functions as a downloader/installer, loader, and backdoor.

Security researchers have analyzed the malware phishing campaign and have identified several similarities to the campaigns used to distribute Qakbot (Qbot) malware, including the behavior of the malware upon infection, the method of distribution, and internal campaign identifiers. Qakbot was one of the most active malware botnets; however, in August this year, an international law enforcement operation headed by the U.S. Department of Justice took down the Qakbot infrastructure.

The emergence of the DarkGate/PikaBot phishing campaign around a month after the Qakbot takedown, the similarity of the campaign to those used to distribute Qakbot, and the absence of any detected Qakbot activity since the takedown have led security researchers to believe that the Qakbot operators have switched to distributing DarkGate/PikaBot. Both malware families have capabilities similar to Qakbot, which could indicate that the Qakbot operators have moved to newer malware botnets. As was the case with Qakbot, the new malware variants provide the threat actor with initial access to networks, and it is probable that attacks will result in data theft and potentially the deployment of ransomware. Given the pervasive nature of Qakbot, if the same threat actors are behind the latest DarkGate/PikaBot campaign, it poses a significant threat to businesses.

The phishing campaign starts with an email that forwards or replies to a stolen message thread. Since the thread contains genuine previous conversations, there is a much higher probability of the recipient responding to the message. The emails contain an embedded URL that directs the user to a .ZIP archive containing a malware dropper, which delivers the final DarkGate or PikaBot payload.

The phishing campaign continues to evolve and is the work of a very experienced threat actor. One of the best defenses against these attacks is security awareness training. Employees should be warned of the tactics being used to distribute the malware and instructed to be vigilant, especially with emails that appear to be replies to previous communications and that prompt them to visit a website and download a compressed file. They should be instructed to report any such email to their security team for analysis.

With SafeTitan, TitanHQ’s security awareness training platform, it is easy to incorporate the latest threat intelligence into training content and push out short training sessions to employees to raise awareness of the latest malware phishing campaigns. SafeTitan also includes a phishing simulator that allows custom simulated phishing emails to be sent out to the workforce, including simulated phishing emails that include the tactics used in the DarkGate/Pikabot campaign. Security teams can use the simulator to determine how employees react and can then take proactive steps to address any knowledge gaps before a real DarkGate/Pikabot phishing email lands in an inbox.

An advanced spam filter capable of scanning and following links in emails should also be implemented, along with a web filter for blocking access to malicious websites and restricting file downloads from the Internet, such as TitanHQ’s SpamTitan Plus and the WebTitan DNS filter. For more information on the SafeTitan security awareness training and phishing simulation platform, advanced spam filtering with SpamTitan Plus, and web filtering with WebTitan, call TitanHQ today. All TitanHQ solutions are also available on a free trial.

Watch Out for Black Friday Phishing and Cyber Monday Scams!

You may be able to grab a bargain on Black Friday and Cyber Monday but you need to be extra vigilant for Black Friday phishing attacks and Cyber Monday scams. Cybercriminals are waiting to take advantage of unwary online shoppers on Black Friday and scams are rife throughout the holiday season.

Black Friday and Cyber Monday are two of the busiest shopping days of the year. Many people take advantage of the deals on offer and delay major purchases to try to get a Black Friday or Cyber Monday bargain, and savvy shoppers get started on their Christmas shopping early and try to grab the best gifts while they are available, often at a sizeable discount. On Black Friday, Cyber Monday, and throughout the holiday season, cybercriminals are hard at work. It is the perfect time for them to fill their pockets before the Christmas break. There are huge numbers of people looking to make purchases online, and cybercriminals are more than happy to offer the bargains and special deals that they seek.

During this shopping frenzy, people who delay making a purchase often miss out due to limited product availability. That means it is the perfect time to conduct a phishing attack offering a high-value product at a rock-bottom price, as it is exactly what consumers are expecting and hoping to find. The whole retail event plays into cybercriminals’ hands. People are made to think that they need to act fast and make a quick purchase when what they need to do is stop and think about whether the offer being presented is really what it seems.

Last year, UK residents lost more than £10 million to cybercriminals over the festive shopping period, according to the UK National Cyber Security Centre, with each victim losing an average of £639 to scams between November 2022 and January 2023. This year, the outlook looks even bleaker because of the ease with which artificial intelligence can be used to create convincing scams. While phishing attempts, scam emails, and malicious websites often contain red flags that indicate all is not what it seems, those red flags are often missing from AI-generated content. Cybercriminals are leveraging large language models, such as ChatGPT, to create convincing emails, scams, fake adverts, and fraudulent websites. The aim of these attacks is to get unsuspecting consumers to disclose their usernames and passwords, provide their credit card and bank details, make purchases for non-existent products, or download malware. AI allows cybercriminals to conduct these scams on an increasingly large scale.

Tips for Avoiding Black Friday Phishing Scams and Online Fraud

AI tools allow cybercriminals to generate phishing emails with perfect grammar and no spelling mistakes, and even to generate convincing lures targeted at specific groups of people, but the same social engineering techniques are used in these phishing attempts as in human-generated phishing emails. Phishing attempts create a sense of urgency: phishing emails have a call to action, allow only a limited time to respond, and usually threaten negative consequences if prompt action is not taken. With Black Friday phishing scams, product scarcity or an expiring special offer is often how cybercriminals get urgent action to be taken, or there may be a threat of pending costs, charges, or account closures if the email is ignored. Another common ploy is to generate a security alert about unauthorized account access or a potentially fraudulent purchase, with immediate action required to block the charge or protect the account. Everyone needs to be extra vigilant during the holiday season and should carefully check the sender of the email and stop and think before taking any action suggested in an email.

With so many purchases being made at this time of year, it is the perfect time for phishing lures warning about unsuccessful deliveries. Most people will be expecting packages to be delivered over the next few days and weeks. If you are notified about a failed delivery attempt, make sure that the message has been sent from the domain of the company that claims not to be able to deliver the package. If the email claims to have been sent by FedEx, UPS, DPD, Yodel, or Evri, check it has been sent from the official domain used by that company and watch out for hyphenated domain names, spelling mistakes, and transposed letters.

While email scams are common, so are scams on social media platforms. Malicious advertisements are posted offering products that are never dispatched. According to the Federal Trade Commission, $2.7 billion has been lost in the United States to social media scams over the past 2 years. While there may be genuine offers on social media sites, any vendor should be carefully vetted before making a purchase through an advert and checked to make sure they are who they claim to be and that they are a reputable retailer. It is also far better to use a credit card for any purchases, as credit card companies offer much greater protection against fraud than banks do for debit cards.

While non-delivery scams are common, and credit card theft is rife, many Black Friday and Cyber Monday scams try to obtain access to accounts. In addition to being extra vigilant, it is important to ensure that accounts are properly protected, which means setting a strong, unique password for each account and ensuring multifactor authentication is enabled. If passwords are reused across multiple sites and one of those passwords is obtained, every account that uses it will be put at risk. Multifactor authentication provides greater protection for accounts should passwords be guessed or otherwise obtained: a password alone is not sufficient to gain access to an account, as an additional form of authentication must be provided.

What is Malware Sandboxing for Email?

Malware sandboxing for email is now vital for email security. Suspicious files that pass AV checks are sent to the sandbox where they are safely detonated and subjected to behavioral analysis.

Email-based Cyberattacks are Increasing

Email is one of the most common initial access vectors used by cybercriminals. Initial access to victims’ networks is gained via two main methods: email attachments and embedded URLs. The first attack type involves emails with attachments that contain malicious code, such as macros. If the files are opened and the code is allowed to execute, it will trigger the download and execution of malware from a remote server, or, in some cases, malware will be executed in memory (fileless malware).

The other method, which is now more common since Microsoft started blocking macros in Office documents by default if they are received via the Internet, is for phishing emails to be sent that contain malicious URLs. These URLs may be added to the message body or be hidden inside documents. These URLs point to an Internet site that hosts malware which is silently downloaded when the link is visited or the user is tricked into installing the malware.

Businesses need to ensure they have adequate defenses to block email-based attacks. The first line of defense is an email security solution that will scan the message headers, message body, and attachments and perform reputation checks on the sender. Email security solutions use blacklists of malicious domains and IP addresses and will block messages from these domains and IPs if they have previously been used for phishing, scams, or malware distribution. Checks will be performed on URLs and the messages are searched for the signatures of spam and phishing content – words and phrases commonly used by threat actors. If these checks are failed, the messages will be quarantined.

To block malware, email security solutions scan email attachments using anti-virus engines, which search for the signatures of malware – specific parts of the malware code that have been identified in previous malware analyses. The anti-virus software is regularly updated, and new signatures are added when new malware variants are identified. While these scans will block all known malware, if the signature for a piece of malware is not in the definition list, the file will not be classed as malicious, and the message will be delivered to the end user. Unfortunately, new malware variants are being released faster than ever before to get around signature-based detection. To block unknown malware another method is required – malware sandboxing for email.

Malware Sandboxing for Email

Advanced email security solutions include malware sandboxing for email. If an email attachment passes the standard checks and anti-virus scans, it is sent to a sandbox where the behavior of the file is analyzed. A sandbox is an isolated, secure environment where files can be opened and analyzed without risk. Environment checks performed by malware when it executes are usually passed, because the sandbox is built to look exactly like a real endpoint. Any actions performed by files when they are opened are analyzed in detail, and if any checks fail, the file and email will be quarantined and all other copies of that email will be removed from the email system. These checks may take a few minutes to perform, so there will be a slight delay in delivering genuine emails.

SpamTitan, TitanHQ’s award-winning email security solution, includes a powerful next-gen sandbox that is powered by Bitdefender. The malware sandboxing service uses powerful emulation tools to ensure that files are inspected using real-time intelligence along with comprehensive detection techniques, which provide advanced threat protection and zero-day exploit detection. To avoid unnecessary email delivery delays, SpamTitan has strong machine learning, static analysis, and behavior detection technologies which ensure that only files that require further analysis get sent to the sandbox. If all sandbox checks are passed, the message will be delivered. If one or more checks are failed, the message will be quarantined, and the results passed to Bitdefender’s Global Protective Network. If that threat is encountered again, it will be recognized and will be quarantined immediately and will not need to get sent to the sandbox to be detonated again.

With SpamTitan malware sandboxing for email, businesses will be well protected against zero-day malware threats that would otherwise be delivered to inboxes. For more information give the TitanHQ team a call. SpamTitan with malware sandboxing for email is also available on a 14-day free trial.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

Sandboxing Technology for Email

Implementing your own sandboxing technology for email can be complex and costly. SpamTitan Email Security has an inbuilt sandbox, so all the hard work is done for you. You get the full cybersecurity benefits of a sandbox at a very low cost.

What are the Benefits of an Email Sandbox?

Email sandboxing is no longer a ‘want’; it is now a ‘must-have’. Cybercriminal groups are conducting huge numbers of attacks, nation-state actors are targeting businesses to steal their proprietary data, and these attacks are getting far more sophisticated and can easily evade standard security solutions. The consequences of a successful cyberattack are severe. IBM’s 2023 Cost of a Data Breach Report indicates that the average cost of a successful attack and data breach has risen to $4.45 million in the United States. It is no surprise that many small to medium-sized businesses fold within 6 months of a successful attack.

As has been the case for many years, one of the easiest ways to gain initial access to a company’s network is via email. Employees are targeted as they can be tricked into disclosing their credentials or installing malware. Email security solutions such as spam filters and secure email gateways are capable of blocking many threats, but they are failing to block zero-day malware threats. Traditional email security solutions are reliant on signature-based detection methods for blocking malware. When a malware threat is detected and analyzed by security researchers, the signature for that malware variant is added to the definition list. Email security solutions use signature-based detection methods to block 100% of known malware.

The problem comes with new malware, for which no signature has been defined. Without a signature, malware will not be identified as malicious when it is encountered. If a novel malware variant is attached to an email, the email will most likely be delivered and can be opened by an end user, and new malware variants are now being released at an incredible rate. While signature-based detection has served businesses well, additional protection is now required – email sandboxing.

With an email security solution that has an email sandbox, inbound messages will first be subjected to standard checks. An email sandbox is then used to safely analyze the behavior of files in an environment where no harm can be caused. If malware is executed, it will be detected based on its behavior rather than a signature. The threat will then be blocked, and no harm will be caused.

SpamTitan Email Sandboxing Technology for Email

With SpamTitan, the initial checks include AI-based and machine-learning detection, which is capable of detecting previously unseen phishing threats. All attachments are scanned with two antivirus engines to ensure 100% of known malware threats are detected and blocked. The sandbox provides an extra layer of protection. When initial checks are passed, suspicious messages are sent to the sandbox for deep analysis. File attachments are safely detonated, their behavior is analyzed, and the results are checked against an extensive array of online repositories. The process usually takes just a few minutes, or in some cases, a maximum of 20 minutes.

If a threat is detected it is reported to the Bitdefender Global Protective Network – Bitdefender’s cloud threat intelligence service. If that threat is detected again by SpamTitan or any device connected to the network, it will not need to be sent to the sandbox again and all devices will be protected against that threat. The latest malware variants often include code that checks for running security solutions and whether it has landed on a real endpoint. If a virtual environment is detected and the malware determines it is in a sandbox, it will not perform its malicious actions and may delete itself to prevent analysis. To get around this, the email sandbox emulates a real endpoint and analyzes files by leveraging purpose-built, advanced machine-learning algorithms. The sandbox incorporates anti-evasion and anti-exploit techniques and performs aggressive behavior analysis. Every evasion attempt by malware is properly marked and the files are flagged.

The sandbox analyzes a broad range of targets, including documents, spreadsheets, and executable files, and is capable of identifying and blocking polymorphic malware and other threats that have been developed for undetectable attacks. With email-based cyberattacks increasing in number and sophistication, businesses need to ensure they have advanced defenses. With SpamTitan sandboxing technology for email you get advanced threat protection at an affordable price. To find out more, call the TitanHQ team today or take advantage of a free 14-day trial of SpamTitan.

What is Sandboxing in Cybersecurity?

Sandboxing in cybersecurity terms refers to an isolated virtual machine that is used for testing code and analyzing files. Since the sandbox is isolated from other systems and networks, unverified code, untested programs, email attachments, and files downloaded from the Internet can be executed or detonated safely. Code is executed and files are opened and their behavior is analyzed to determine if they are safe or if they may cause damage to data or systems. In the sandbox, the activities that can be performed are restricted so they can’t cause any real damage. If code is executed in the sandbox and it is determined to be malicious, it will be deleted or quarantined for further analysis. Sandboxing is also used for checking URLs. For instance, some web browsers will first open a URL in a sandbox where permissions are set to the lowest privilege levels. If any attempt is made to perform an action that is not permitted, access to the URL will either be blocked or the user will receive a warning.

Why is Sandboxing Important?

In software development, new code may have unintended consequences, such as causing other systems to malfunction, which in a production environment could cause unacceptable and costly downtime. A sandbox allows code to be fully tested to ensure it is safe. A security sandbox protects against malicious code that has been deliberately written to cause damage and/or provide access to systems and data. For example, ransomware is malicious code that encrypts files to prevent them from being accessed. A threat actor then demands payment for the keys to decrypt files. If that code was allowed to execute on the network, data could be permanently lost, or a ransom would need to be paid to recover files.

Cyberattacks on businesses have been increasing and are now being conducted more frequently than ever before. The average ransom demand in data theft and ransomware attacks is now more than $1.5 million, and data from Rapid7 suggests more than 1,500 organizations fell victim to ransomware attacks in the first half of 2023, with more than 20 new ransom groups emerging. Cybercriminals also still use backdoors, keyloggers, banking trojans, and information stealers to gain access to networks and steal sensitive data. To make matters worse, new malware and ransomware variants are constantly being released and these evade security solutions that rely on signature-based detection. It is vital that all files and applications are thoroughly tested before being allowed anywhere near the network and sandboxing allows even previously unseen malicious files to be identified and neutralized.

Email Sandboxing

Email security solutions often use sandboxing for attachments and URLs. With email attachments, they will first be scanned using standard anti-virus engines to determine if they contain known malware or malicious code. These AV checks will only detect known malware. New malware variants that have not been encountered before cannot be detected, as standard AV solutions search for signatures of known malware. Email sandboxing is used to detect new malware, often referred to as zero-day threats. Files that are determined to be clean after AV scanning are sent to the sandbox for behavioral analysis. Email security solutions may also use a sandbox for testing embedded URLs in messages and will follow the links and check the destination and assess whether it contains any threats.

Email Sandboxing from TitanHQ

SpamTitan is a multi-award-winning email security solution from TitanHQ that offers advanced threat protection at an affordable price. SpamTitan blocks phishing, malware, spam, viruses, and other malicious email threats and includes a Bitdefender-powered email sandbox. Emails that pass the initial barrage of checks, including antivirus scans, are sent to the sandbox where they are safely detonated, and their behavior is analyzed. The SpamTitan sandbox combines the latest threat analysis with powerful emulation tools to ensure that files are inspected using real-time intelligence along with comprehensive detection techniques, ensuring businesses are protected against zero-day threats. For more information on SpamTitan Email Security, give the TitanHQ team a call today.

Advantages and Disadvantages of Email Sandboxing

Sandboxing is the use of a virtual environment for testing code and safely opening untrusted files. The sandbox is an isolated and secure environment that emulates a legitimate endpoint; however, there are no connections to the business network, the sandbox environment contains no real data, and if dangerous code is executed, no harm will be caused.

Advantages of Email Sandboxing

Sandboxing is important because of the sheer number and complexity of threats faced by businesses. Cybercriminal groups are conducting increasing numbers of attacks, new groups are constantly being formed, and their attacks are becoming much more sophisticated. The cost of these attacks and the resultant data breaches are also spiraling. According to the 2023 Cost of a Data Breach Report from IBM, on average, data breaches cost $4.45 million to resolve in the United States and $10.93 million for a healthcare data breach.

Many of these threats come from email. Emails are used to send attachments containing malicious code that downloads malware, providing a cyber actor with access to the network. Links to malicious websites from which malware is downloaded are also distributed via email. While businesses have a degree of protection if they have anti-virus software installed, most anti-virus solutions can only detect known malware variants – malware that has previously been analyzed and had its signature added to the solution’s malware definition list. Antivirus solutions will not detect new malware variants or fileless malware, which is executed in memory with no files written to disk.

Sandboxing provides an additional layer of protection against zero-day malware and ransomware attacks and will allow malicious files to be identified, detected, and quarantined before they can do any harm, even if they have not previously been encountered. In the sandbox, malware is identified by the actions it tries to perform, not by any signature.

Disadvantages of Email Sandboxing

While there are clear benefits, there are some disadvantages of email sandboxing. Businesses may want to add email sandboxing to their cybersecurity arsenal, but email sandboxes can be complicated to set up and run, they can require considerable resources, and they can be expensive to operate. Another disadvantage of email sandboxing is that analyzing file attachments takes time, and messages cannot be delivered until all checks have been performed. Some email delivery delay is therefore inevitable.

As with any cybersecurity solution, there is the potential for false positives. An email attachment may be determined to be malicious when it is actually harmless. In such cases, important business emails may be blocked or deleted. The last main disadvantage is malware often contains code that determines if it has landed on the targeted endpoint or if it is in a virtual environment. If the latter is detected, the malware may delete itself or not perform any of its programmed malicious actions. Considering the cost of a successful cyberattack, the advantages of email sandboxing outweigh the disadvantages, provided the right sandboxing solution is chosen.

SpamTitan Email Security with Sandboxing

SpamTitan is an award-winning email security solution from TitanHQ that provides advanced threat protection at an affordable price. The solution is easy to implement and use and protects thousands of SMBs and managed service providers (MSPs) by blocking spam, viruses, malware, ransomware, and links to malicious websites from your emails. SpamTitan’s ATP defense uses inbuilt Bayesian auto-learning and heuristics to defend against advanced threats and evolving cyberattack techniques and features an integrated email sandbox tool that is part of Bitdefender’s Global Protective Network.

SpamTitan uses advanced intelligent technologies, such as AI, to predict and prevent advanced threats and the sandbox accurately mimics a real endpoint to trick malware into determining it has reached its intended target. As with any sandbox, there are delays in delivering emails but this is kept to a minimum. SpamTitan has multiple layers of security and sophisticated sandbox technology, which means only specific and dangerous emails will be sandboxed. Even if a legitimate email lands in a sandbox, the delivery delay will be, at most, twenty minutes. While there may be false positives on occasion, no emails are deleted. They are quarantined to allow administrators to check the validity of the results.

If you want to improve security and get the advantages of email sandboxes while eliminating the disadvantages, give the TitanHQ team a call today. SpamTitan is also available on a free 14-day trial to allow you to test the product and sandbox in your own environment before making a purchase decision.

Malicious File Sandbox for Email

Multiple layers of security are required to protect against increasingly sophisticated email attacks. A malicious file sandbox for email should be one of those layers to ensure your business is protected against zero-day and stealthy malware threats.

Email: The Most Common Initial Access Vector Used by Cybercriminals

There are many ways that cybercriminals can attack businesses, but email is the most common initial access vector. Most employees have email accounts which means they can be easily reached, and social engineering techniques are used to trick employees into opening malicious attachments or visiting links in emails. Cybercriminals have become adept at exploiting human weaknesses in defenses.

One of the main aims of email campaigns is to deliver malware to provide persistent access to victims’ networks. Executable files may be attached to emails and hidden using double file extensions to make the files appear to be legitimate documents, PDF files, or spreadsheets. Office files may be attached that have malicious macros which, if allowed to run, trigger the download of a first-stage malware payload. The problem for businesses is these campaigns are becoming much more sophisticated, they often bypass standard email security defenses, and they land in inboxes where they can be opened by employees.

Defending against sophisticated email attacks requires a defense-in-depth approach, which should include a spam filter/secure email gateway, a web filter, multifactor authentication, an endpoint detection and response solution, and security awareness training for employees. To improve protection further and defend against new and stealthy malware threats, it is important to have a malicious file sandbox for email.

What is a Malicious File Sandbox?

A malicious file sandbox is an isolated virtual environment where untrusted, suspicious files can be detonated securely without risking network or data security. The sandbox is used for analyzing emails, documents, application files, and other executable files to determine their true nature. When an email is received, it must first pass through a spam filter which looks for the common signatures of spam and phishing emails, performs reputation checks on the sender, analyzes the message content, and scans email attachments using antivirus software. The spam filter will filter out the majority of spam and phishing emails and all known malware variants using the antivirus software.

The problem is many email attacks are stealthy and have been developed to be undetectable, and cyber actors are skilled at getting their emails past email defenses and into inboxes. One way this is achieved is by using polymorphic malware, which cannot be detected by standard email security solutions and antivirus software. A malicious file sandbox is needed to protect against these novel threats.

When suspicious files are received that pass the front-end checks, they are sent to the sandbox for in-depth analysis of their behavior. The malicious file sandbox is configured to look like a real target environment to ensure that when an email is sent to the sandbox any malware acts as it would in the wild and is tricked into determining that it has landed on the endpoint of its intended target. No harm can be caused in the sandbox as the environment is isolated and not set up locally. If malware is detected, a report is generated of any malicious intent or unexpected actions, and actionable insights are provided to allow the threat to be blocked.

The SpamTitan Malicious File Sandboxing Service

SpamTitan is an award-winning anti-spam and anti-phishing solution from TitanHQ that is used by thousands of businesses and managed service providers to protect against email-based attacks. The solution leverages artificial intelligence and machine learning algorithms to detect novel threats and predict new attacks, reputation checks are conducted using SPF, DKIM, and DMARC, users are protected from malicious links in emails, and the solution has dual antivirus engines that scan for known malware.

SpamTitan also includes a Bitdefender-powered malicious file sandbox for blocking zero-day malware threats. The sandbox analyzes a broad range of targets, including emails, documents, application files, and other executable files, and leverages purpose-built, advanced machine-learning algorithms, aggressive behavior analysis, anti-evasion techniques, and memory snapshot comparison to detect sophisticated threats and delivers advanced threat protection and zero-day exploit detection. The sandbox also extracts, analyzes, and validates URLs within files.

The sandbox is not located on the endpoint so there are no performance implications, and strong machine learning and behavior detection technologies ensure that only files that require further analysis are sent to the sandbox. If a malicious file is detected, the sandbox informs Bitdefender’s cloud threat intelligence service to ensure the threat is instantly blocked globally and will not need to be sent to the sandbox for analysis again. The sandbox allows businesses to identify and block malicious files such as polymorphic malware and other threats that have been developed for use in undetectable attacks.

The SpamTitan malicious file sandbox delivers best-in-class detection, advanced anti-evasion technologies, innovative pre-filtering, and MITRE ATT&CK framework support. If you want the best protection from dangerous malware, you need a malicious file sandbox for email, and with SpamTitan you get that and more at a very affordable price. For more information on the capabilities of SpamTitan and details of pricing, give the TitanHQ team a call. SpamTitan is also available on a free 14-day trial to allow you to test the product in your own environment before making a purchasing decision.

Quishing: The Fast-Growing Phishing Trend

What is Quishing?

Quishing is a fast-growing phishing trend involving QR codes, which are now used in more than one-fifth of phishing attacks. QR Codes, or Quick Response codes to give them their full name, have become a popular way of communicating information, most commonly URLs for websites and PDF files. QR codes were originally developed and used for tracking parts in manufacturing, but their uses have grown considerably and QR codes are now everywhere.

They are also used by restaurants for directing diners to their menus – something that became more common during the COVID-19 pandemic as a way of reducing the risk of virus transmission as well as reducing costs by not having to print menus. They are used by advertisers at bus stops and train stations, in magazines and printed pamphlets, and even TV commercials. They allow advertisers to get smartphone users to quickly and easily visit a website to find out more about products and services and make a purchase.

The ubiquity of QR codes and how they have been embraced by consumers, coupled with the difficulty of distinguishing between a benign and useful QR code and a malicious one has made them perfect for malicious actors for driving traffic to their malicious websites. QR codes are sent via emails, instant messaging services, and on social media sites and direct users to a malicious website where credentials are harvested or malware is downloaded. Another key benefit of QR codes is they are read by smartphones, rather than laptops or desktop computers. Smartphones are far less likely to have security software installed that can detect either the phishing message or the malicious URL that users are directed to.

Malicious actors have embraced QR codes and commonly use them in phishing campaigns. One analysis of phishing emails revealed 22% of phishing emails intercepted in October 2023 used QR codes, many of which used standard phishing lures to get users to scan the QR code, such as a security alert requiring immediate action. Other types of quishing attacks have exploited the “login with QR Code” feature that is now used by apps and websites as a secure way of logging in. In this type of attack, termed QRLJacking, the attacker initiates a client-side QR session of the targeted app or website, and clones the login QR code to display a fake but realistic clone of the targeted app. Social engineering techniques are used to send a user to that page, the user scans the malicious QRL using the mobile application the QRL code was created for, and the attacker gains access to the victim’s account. The app is unaware this is fraudulent access and provides the user’s data to the attacker.

Protecting against these attacks is much harder than protecting against standard phishing attempts since security solutions struggle to detect these malicious QR codes. That said, protecting against QRLJacking is simple. Don’t ever use QRLs for logging in. Avoiding other quishing attacks involves similar advice. Avoid using QR codes entirely, or at least avoid using QR codes from untrusted sources. If a QR code is received via email, the source of the email needs to be verified, and even then it is best to avoid using it and just visit the website of the company that claims to have sent it.

Companies should also consider adding quishing to their security awareness training programs given how commonly QR codes are being used in phishing. That’s easy to do with the SafeTitan Security Awareness Training Platform – just choose the Quishing content and add it to your training program and incorporate the quishing templates into your phishing simulations.

Has AI Surpassed Humans at Writing Phishing Emails?

Has AI surpassed humans at writing phishing emails? A team of researchers at IBM decided to put that to the test and the results are now in. Humans still have the edge, but AI is not far behind and will soon overtake humans.

There has been a lot of press coverage recently about the capabilities of AI and significant concern has been voiced about the threat AI-based systems pose. While there are legitimate concerns that AI systems could turn against humans, one of the most pressing immediate cybersecurity concerns is that cybercriminals could use generative AI tools to devastating effect in their cyberattacks.

Many security researchers have demonstrated that generative AI chatbots such as ChatGPT can write perfect phishing emails, free of spelling mistakes and grammatical errors, and can also create convincing lures to trick humans into opening a malicious email attachment or visiting a malicious website. ChatGPT and other generative AI tools can also be used to write malware code, and there have been demonstrations of AI tools being used to create functional polymorphic malware and ransomware code. One of the key advantages of AI tools such as ChatGPT is the speed at which phishing emails, social engineering lures, and malware code can be generated, which could greatly improve the efficiency and even the quality of a range of malicious campaigns.

Tools such as ChatGPT have guardrails in place to prevent them from being used for malicious purposes such as writing malware or phishing emails. If you ask ChatGPT to write ransomware code or a phishing email, it will refuse to do so as it violates OpenAI’s terms and conditions of use. Those controls can, however, be easily bypassed, plus there are generative AI tools that have been developed specifically for cybercriminal use, such as WormGPT and FraudGPT.

Are Cybercriminals Using AI in Their Campaigns?

Security researchers have shown that it is possible to use generative AI tools for offensive cybersecurity purposes, but are cybercriminals actually using these tools? While there is limited evidence on the extent to which these tools have been used, it is clear that they are being put to use. An August 2023 report by the U.S. cyber defense and threat intelligence firm Mandiant explored this and found threat actors are certainly interested in generative AI but use remains limited. The main area where these AI tools are being used is in information operations, specifically to efficiently scale their activity beyond their inherent means and to produce more realistic content.

Financially motivated threat actors have been using generative AI such as deepfake technology to increase the effectiveness of their social engineering, fraud, and extortion operations, including the use of face swap tools. The main focus currently is on social engineering, such as phishing attacks, for generating convincing lures for phishing emails and greatly reducing the time spent researching potential targets.

Are Generative AI Tools Better than Humans at Phishing?

An IBM X-Force team of social engineering experts recently went head-to-head with a generative AI chatbot to see which was better at creating phishing emails. The researchers would typically take around two days to construct a phishing campaign, with most of the time taken on researching targets to identify potential social engineering lures, such as topics for targeting specific industries, the persons to impersonate, and for creating convincing emails.

They developed 5 simple prompts to get a generative AI chatbot to do this, and the entire campaign was created in just 5 minutes, thus saving a cybercriminal around 2 days of their time. The good news is that the security researchers’ email performed better in terms of a higher click rate and a lower reporting rate, but the margins were very small. Humans still have the edge when it comes to emotional manipulation in social engineering, but AI is not very far behind and is likely to overtake humans at some point.

How to Combat AI-generated Phishing

Generative AI can save cybercriminals a great amount of time and the content generated is almost as good as human-generated content, and certainly good enough to fool many users. The best defense is to provide more extensive and regular security awareness training to employees to improve resilience to phishing attempts and to put cybersecurity solutions in place that incorporate AI and machine learning tools.

TitanHQ’s Email Security solution, SpamTitan, has AI and machine learning capabilities that are used to detect previously unseen phishing threats, such as those generated by AI tools. These capabilities also apply to email attachments, which are sent to an email sandbox for deep analysis of their behavior, allowing SpamTitan to detect and block zero-day malware threats. TitanHQ can also help with security awareness training. SafeTitan is an easy-to-use security awareness training and phishing simulation platform that has been shown to reduce susceptibility to phishing by up to 80%. Combined with multifactor authentication and endpoint detection tools, these solutions can help organizations improve their defenses against cyberattacks that leverage generative AI.

What is Message Sandboxing?

Message sandboxing is a security feature of spam filters, secure email gateways, and other email security solutions where inbound messages are sent to a secure and isolated environment where the messages are subjected to behavioral analysis. File attachments are detonated and analyzed for malicious properties and actions, such as attempted file downloads from the Internet, command-and-control center callbacks, and attempts to write code to the memory.

What is a Sandbox?

In the technology sense, a sandbox is a contained virtual environment that is separate and isolated from other applications, operating systems, data, and internal networks. Sandboxes have several uses. In software development, a sandbox is used for testing new code, where it can be observed for unexpected compatibility issues, allowing software developers to troubleshoot the code without causing any harm to live systems and data.

In cybersecurity, a sandbox is used to open untrusted files, follow potentially malicious links, and analyze suspicious code and malware. If malware was installed and executed on a standard machine, the threat actor would be given remote access, malware may exfiltrate sensitive data, or in the case of ransomware, encrypt files. Since the sandbox is a secure environment, any malicious action has no consequences, and files can be studied in safety.

A sandbox is a virtual environment that is often configured to mimic a genuine endpoint. One of the first actions taken by malware is to explore the environment it is in to check whether it is on a genuine device. If not, it is likely not to run any malicious routines and may self-delete to prevent analysis. By configuring the sandbox to mirror a genuine endpoint, the malware can be tricked into performing its malicious routines, which are detected and logged. The intelligence gathered is fed into the email security solution, and all users of that solution, locally and globally, will be protected from that malware sample in the future.

Why is Message Sandboxing Necessary?

Traditional email security solutions check message headers, perform reputation checks of senders, scan email attachments with antivirus engines, follow embedded hyperlinks, and examine the content of the message for known spam and phishing signatures. For many years, these checks alone have been sufficient and ensure that more than 99% of spam and phishing emails are detected and blocked along with all known malware.

Email attacks have been getting much more sophisticated in recent years and new malware variants are being released at never-before-seen rates. A malware phishing campaign, for instance, will not just use one iteration of malware, but many, with each sample differing sufficiently to defeat signature-based detection mechanisms. Cybercriminals are using automation to spin up masses of samples and AI is being used to develop novel phishing methods.

AI and machine learning capabilities are now required in email security for blocking these zero-day threats, and email message sandboxing is necessary for detecting novel malware threats. Advanced email security solutions leverage AI, machine learning, and email sandboxing and protect against the rapidly evolving threat landscape. Without these features, many malicious messages will be delivered.

How to Set Up Message Sandboxing

The easiest way to get started and set up message sandboxing is to use SpamTitan Email Security. SpamTitan has been developed to be easy to set up and use by businesses of all sizes, from small offices and coffee shops to small and medium-sized businesses and large enterprises. Being cloud-based, there is no software to install, just a small configuration change to your MX record (information on how to do this is provided). The solution can be accessed through a web-based interface, and the solution can be configured in just a few minutes.

Users benefit from spam and phishing detection rates of more than 99.99%, a very low false positive rate and a Bitdefender-powered email sandbox. The email sandbox leverages advanced machine learning algorithms, aggressive behavior analysis, anti-evasion techniques, and memory snapshot comparison to detect zero-day threats.

Without an email sandbox, you are likely to be exposed to many malicious messages. With sandbox email protection, you have much better control of the content that reaches user inboxes.

U.S. Federal Agencies Offer Guidance on Combating Phishing

Phishing is the most common way that malicious actors gain access to the networks of their victims. A single response to a phishing email by an employee is all it takes for a threat actor to get the foothold they need in the network to conduct a devastating attack. Once initial access has been gained, threat actors escalate privileges, move laterally, and conduct a range of malicious activities. What starts with a phishing email often ends up with ransomware being deployed, with vast amounts of sensitive data stolen in between. This month, as part of Cybersecurity Awareness Week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued joint guidance on combatting phishing.

Phishing is a term that covers social engineering techniques used by malicious actors to trick people into revealing sensitive information such as login credentials or installing malware. The federal agencies explained that it is all too common for IT security teams to put the blame on employees for clicking links in emails, opening malicious attachments, and disclosing their credentials, but this blame game doesn’t solve the problem. Organizations need to create, implement, and maintain phishing defenses that account for human error, as human error is inevitable.

Various tactics, techniques, and procedures (TTPs) are used by cyber actors in these campaigns, and different mitigations are required for each type of attack. Credential phishing attacks are usually conducted via email, so one of the most important defenses is an email security solution. Email security solutions will reduce the volume of spam and phishing emails reaching inboxes. SpamTitan, for example, blocks more than 99.99% of spam and phishing emails. The federal agencies recommend using DMARC, Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) to verify the sending server of received emails against the rules published by the sending domain; DMARC, SPF, and DKIM checks are all incorporated into SpamTitan.
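How the three published-rule checks fit together, as an added example (not SpamTitan's or the federal agencies' code): DMARC passes only when an SPF or DKIM identifier that authenticated also aligns with the visible From: domain, and on failure the receiver applies the policy the domain owner published. The organizational-domain helper is a simplification (last two labels) and all sample records and results are constructed.

```python
"""DMARC disposition from SPF and DKIM results (added example).

DMARC passes when at least one authenticated identifier (the SPF-checked
MAIL FROM domain, or the d= domain of a DKIM signature that verified)
aligns with the domain in the RFC5322.From header the user sees.
On failure the receiver applies the domain owner's published policy
(p=none / quarantine / reject).  Organizational-domain matching is
simplified to the last two labels; production code should use a public
suffix list.  All sample data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class AuthResults:
    from_domain: str                 # domain of the visible From: header
    spf_result: str                  # "pass", "fail", "none", ...
    spf_domain: str                  # envelope (MAIL FROM) domain SPF was checked for
    dkim_pass_domains: list[str] = field(default_factory=list)  # d= of verified signatures


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return identifier.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(identifier) == org_domain(from_domain)


def parse_dmarc_record(txt: str) -> dict[str, str]:
    """Parse 'v=DMARC1; p=reject; aspf=s' into tags, filling DMARC defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def dmarc_disposition(results: AuthResults, record: str) -> tuple[bool, str]:
    """Return (dmarc_pass, action) with action in {"none", "quarantine", "reject"}."""
    policy = parse_dmarc_record(record)
    spf_ok = results.spf_result == "pass" and aligned(
        results.spf_domain, results.from_domain, policy["aspf"])
    dkim_ok = any(aligned(d, results.from_domain, policy["adkim"])
                  for d in results.dkim_pass_domains)
    if spf_ok or dkim_ok:
        return True, "none"
    return False, policy["p"]


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; aspf=s; adkim=r"      # constructed policy
    # Lookalike sender: SPF passes for the attacker's own bulk-mailer domain,
    # but that domain is not aligned with the From: domain and nothing is signed.
    spoof = AuthResults("example.com", "pass", "bulk-mailer.example.net")
    print(dmarc_disposition(spoof, record))             # (False, 'reject')
    # Forwarded legitimate mail: SPF breaks in transit, DKIM survives and aligns.
    fwd = AuthResults("example.com", "fail", "forwarder.example.org", ["mail.example.com"])
    print(dmarc_disposition(fwd, record))               # (True, 'none')
```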

An email security solution that relies on signature-based detection methods such as anti-virus engines will block all known malware but cannot block novel malware threats that have not yet been identified, and more novel malware variants are now being released than ever before. To improve defenses against malware-based phishing, email security solutions should incorporate machine-learning and AI-based detection, which look for the actions performed by emailed files rather than malware signatures. This is usually implemented through email sandboxing. Emails are sent to a safe and secure isolated environment where they are detonated, and their actions are analyzed for malicious actions.

No email security solution will block all malicious emails without also blocking an unacceptable number of genuine messages, and as the federal agencies point out, email security solutions cannot detect and block phishing attempts via SMS, instant messaging services, and voice phishing. It is therefore important to provide security awareness training to all members of the workforce. The purpose of security awareness training is to reduce susceptibility to phishing attempts by teaching employees about the threat of phishing, providing examples to help them recognize phishing attempts, and conditioning employees to stop and think and report any suspicious emails, SMS messages, and voice calls to their security teams.

Over time, employees will improve and get better at identifying phishing attempts, especially when training is combined with phishing simulations. Phishing simulations are a safe way to give employees practice at putting their training to the test, and these internal campaigns allow security teams to identify individuals who have not taken the training on board, as well as types of phishing emails that are proving effective, both of which can be addressed through further training. Security awareness training using SafeTitan has been shown to reduce susceptibility to phishing attempts by up to 80%; however, training will not totally eliminate employee mistakes. Employees are, after all, humans and not machines.

In addition to email security solutions and training, it is vital to add multi-factor authentication (MFA) to accounts. In the event that a phishing email bypasses technical defenses and fools an employee, MFA should prevent the obtained credentials from being used to access accounts. While any form of MFA is better than none, phishing-resistant MFA is recommended – FIDO or PKI-based MFA.

To increase protection against malware execution, denylists should be used to block malicious domains, URLs, and IP addresses, and rules should be implemented to prevent downloads of common executable files from the internet such as .scr, .exe, .pif, .bat, .js, and .cpl files. This is easiest to implement with a web filtering solution such as WebTitan. WebTitan will also block all attempted visits to known malicious websites and can restrict access to only trusted, white-listed domains or URLs, or URLs and domains can be blocked by category.
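An attachment-name screen that applies the executable denylist above and also catches the double-extension disguise described earlier on this page (an executable named to look like a document, PDF, or spreadsheet). This is an added example, not TitanHQ's or SpamTitan's code; the attachment names in the test and comments are constructed.

```python
"""Screen attachment filenames before they reach an inbox (added example).

Two rules from the text: block the executable extensions named in the
guidance (.scr, .exe, .pif, .bat, .js, .cpl), and flag the double-extension
trick, where a file such as "invoice.pdf.exe" shows up as "invoice.pdf" on a
Windows desktop that hides known extensions.  Extension sets are assumptions
to extend for your environment.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass

# Extensions listed in the guidance quoted above.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".bat", ".js", ".cpl"}

# Harmless-looking extensions that attackers place in front of the real one.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


@dataclass(frozen=True)
class Verdict:
    filename: str
    block: bool
    reason: str


def _extensions(filename: str) -> list[str]:
    """All dotted suffixes of the basename, lower-cased, in order.

    "Invoice.PDF.exe" -> [".pdf", ".exe"]; "README" -> [].
    Backslash paths and whitespace padding ("report.pdf        .exe") are
    normalised first so the final extension is the one the OS will act on.
    """
    base = posixpath.basename(filename.replace("\\", "/"))
    base = " ".join(base.split())
    parts = base.split(".")
    return ["." + p.strip().lower() for p in parts[1:] if p.strip()]


def screen_attachment(filename: str) -> Verdict:
    """Decide whether one attachment name should be blocked, and why."""
    exts = _extensions(filename)
    if not exts:
        return Verdict(filename, False, "no extension")
    final = exts[-1]                       # the extension the OS will honour
    if final in EXECUTABLE_EXTENSIONS:
        if len(exts) > 1 and exts[-2] in DECOY_EXTENSIONS:
            return Verdict(filename, True,
                           f"executable {final} disguised as {exts[-2]} (double extension)")
        return Verdict(filename, True, f"denylisted executable extension {final}")
    return Verdict(filename, False, "extension not on denylist")


def screen_message(attachment_names: list[str]) -> tuple[bool, list[Verdict]]:
    """Screen every attachment of one message; block the message if any is flagged."""
    verdicts = [screen_attachment(name) for name in attachment_names]
    return any(v.block for v in verdicts), verdicts


if __name__ == "__main__":
    # Constructed sample message with one benign and one disguised attachment.
    blocked, verdicts = screen_message(["agenda.docx", "Invoice_2023.PDF .exe"])
    for v in verdicts:
        print(f"{v.filename!r}: {'BLOCK' if v.block else 'allow'} ({v.reason})")
    print("message blocked:", blocked)
```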

Further information on improving phishing defenses can be found on the CISA website, and TitanHQ’s friendly sales team will be happy to discuss email security, web security, and security awareness training solutions with you and will help get you set up for a free trial of SpamTitan, WebTitan, and/or SafeTitan. The important thing is not to ignore the threat of phishing and to start taking steps to improve your defenses.

How to Sandbox Email Attachments

Do you know how to sandbox email attachments? If you have yet to start using a sandbox for email, you will be exposed to advanced malware and phishing threats. The good news is it is quick and easy to improve protection with a sandbox, and it requires no advanced techniques or skills, but before presenting an easy email sandboxing solution, we should explain why email sandboxing is now a vital part of email security.

Email Sandboxing Detects Advanced and Sophisticated Threats

A hacker writes the code for a new malware variant or generates the code using an AI tool, and then sends that malware via email. A traditional email security solution will not block that malware, as it has not detected it before and it doesn’t have the malware signature in its definition list. The email would most likely be delivered, and the intended recipient could open it and infect their device with malware. From there, the entire network could be compromised and ransomware could be deployed.

How could a new, previously unseen threat be blocked? The answer is email sandboxing. When a file passes initial checks, such as AV scans, the attachment is sent to an email sandbox where its behavior is analyzed. It doesn’t matter if the malware has not been seen before. If the file performs any malicious actions, they will be detected, the threat will be blocked, and if that threat is encountered again, it will be immediately neutralized.

Email sandboxing is now an essential part of email security due to the sheer number of novel malware variants now being released. That includes brand new malware samples, malware with obfuscated code, polymorphic malware, and known malware samples that differ just enough to avoid signature-based detection mechanisms. Without behavioral analysis in a sandbox, these threats will be delivered.

The Easy Way to Sandbox Email Attachments

Setting up an email sandbox need not be complicated and time-consuming. All you need to do is sign up for an advanced cloud-based email security solution such as SpamTitan Email Security. SpamTitan is a 100% cloud-based email security solution that requires no software downloads or complex configurations. Just point your MX record to the SpamTitan Cloud and use your login credentials to access the web-based interface. You can adjust the settings to suit your needs, and the setup process is quick, easy, and intuitive, and generally takes around 20-30 minutes.

The solution is fed threat intelligence from a global network of more than 500 million endpoints, ensuring it is kept up to date and can block all known and emerging threats. You will be immediately protected from known malware and ransomware threats, phishing emails, spam, BEC attacks, and spear phishing, and you will benefit from email sandboxing, where suspicious emails are sent for deep analysis to identify zero-day phishing and malware threats.

The SpamTitan email sandbox is powered by Bitdefender and has purpose-built, advanced machine learning algorithms, decoys and anti-evasion techniques, anti-exploit, and aggressive behavior analysis. If a file is analyzed in the sandbox and found to be malicious, SpamTitan updates Bitdefender’s Global Protective Network, ensuring that the new threat is blocked globally.

Email sandboxing doesn’t need to be complicated. Just use SpamTitan from TitanHQ. SpamTitan is available on a free trial, with customer support provided throughout the 14-day trial to help you get the most out of the solution. We are sure you will love it for the level of protection provided and how easy it is to use.

TitanHQ’s Email Sandbox Service

Businesses are now targeted by advanced persistent threat actors looking for proprietary data, financially motivated threat actors looking to steal sensitive data and conduct extortion attacks, and hacktivist groups that aim to disrupt business operations.

Many of these attacks see initial access to internal networks and accounts gained via email. Credential phishing and malware phishing attempts serve a similar purpose and allow threat actors to obtain initial access to allow them to achieve their objectives, whether that is to gain persistent access for espionage purposes, to steal data, use ransomware, or wipe devices.

Email techniques such as phishing and spear phishing for credential theft or the use of malspam emails for delivering malware can be sophisticated and difficult for end users to detect. Further, advances in artificial intelligence have led to generative AI solutions that are capable of producing flawless phishing emails and generating novel social engineering techniques to trick users into taking the required actions – following a link, disclosing sensitive data, or downloading and executing malware.

Spam filters and secure email gateways have long protected businesses against these threats, but increasingly sophisticated techniques are now used that can bypass the protections of traditional email security solutions and reach end users. To combat these threats, email security solutions have had to adapt. Cutting-edge email security solutions such as SpamTitan Email Security have AI and machine learning capabilities that are capable of detecting advanced and sophisticated attacks, in addition to DMARC, SPF, and DKIM reputation checks, and blacklists of known malicious IP addresses and domains.

One of the biggest threats comes from malware, either attached to emails or downloaded from URLs that are linked in email messages. For many years, antivirus engines have been effective at detecting and blocking malware threats, and while they still provide a degree of protection, AV engines are signature-based. When a new malware sample is detected, a unique signature is generated for it and added to a malware definition list. When a new file is received, it is checked against all known signatures, and if a signature matches, the file is quarantined or deleted.

New malware samples, which are being released at an incredible rate, will not be detected as malicious, because their signatures have yet to be created and added to the list; these files will therefore be delivered to inboxes. To protect against this, advanced email security solutions use email sandboxing.

Email sandboxing involves creating an isolated, protected environment for analyzing suspicious emails. If front-end checks are passed, the email is sent to the sandbox for deep analysis. The sandbox is a protected environment where no harm can be caused, and files can be safely analyzed for malicious behavior.
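As an added illustration (not code from the original article or from TitanHQ), the following Python script walks through the signature check and sandbox hand-off described above on a constructed message. It parses a MIME email, hashes each attachment, compares the hash against a small constructed "known-bad" signature list, and shows that a variant differing by a single byte no longer matches, which is exactly the gap the sandbox stage is meant to close. The message, the attachment bytes, the signature list and the family name are all constructed for this example.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed "known malware" sample and its SHA-256 signature (not a real malware hash).
KNOWN_BAD_SAMPLE = b"MZ\x90\x00constructed-sample-for-illustration"
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest(): "Constructed.Test.Loader"}


def build_message(attachments):
    """Construct a MIME message carrying the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached file.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


def signature_check(raw_message):
    """Return a dict of attachment name -> signature-scan verdict.

    'known-bad:<family>' means the hash matched the signature list; 'unknown' means
    no match. Under a signature-only design an 'unknown' file would be delivered;
    under a sandboxing design it is queued for behavioral analysis instead.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        family = SIGNATURE_DB.get(digest)
        verdicts[part.get_filename()] = f"known-bad:{family}" if family else "unknown"
    return verdicts


def route(verdicts):
    """Quarantine on a signature hit; everything else goes to the sandbox for deep analysis."""
    return {name: ("quarantine" if v.startswith("known-bad") else "sandbox")
            for name, v in verdicts.items()}


if __name__ == "__main__":
    # A one-byte variant of the known sample: same behaviour, different hash, no signature match.
    variant = KNOWN_BAD_SAMPLE[:-1] + b"!"
    raw = build_message([("invoice.exe", KNOWN_BAD_SAMPLE), ("invoice2.exe", variant)])
    verdicts = signature_check(raw)
    print(verdicts)         # invoice.exe is known-bad, invoice2.exe is unknown
    print(route(verdicts))  # {'invoice.exe': 'quarantine', 'invoice2.exe': 'sandbox'}
```

The point of the one-byte variant is that hashing is exact: any change to the file, however trivial, produces a new digest, so a signature list can only ever catch files that have already been seen and catalogued.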

TitanHQ’s Email Sandbox Service

In response to growing threats, TitanHQ added a next-generation email sandbox to its SpamTitan Email Security solution in 2019 to better protect users against malware, spear phishing, and advanced persistent threats (APTs), and to provide security teams with insights into new threats.

TitanHQ’s email sandbox service incorporates award-winning machine learning and behavioral analysis technologies, allowing security teams to safely detonate suspicious files in a secure environment that mirrors production endpoints. Malicious actors are tricked into thinking their payloads have reached their intended target, and the malicious activities are detected. The sandbox analyzes documents, spreadsheets, application files, and executable files, and can detect malware, including polymorphic malware, and other sophisticated threats developed for targeted attacks designed to evade detection.

The TitanHQ email sandbox service leverages purpose-built, advanced machine learning algorithms, decoys and anti-evasion techniques, anti-exploit, and aggressive behavior analysis, and all results are checked against an extensive array of online repositories. The analysis takes from a few seconds to a few minutes. If a malicious file is detected, the result is uploaded to a cloud threat intelligence service so that all users are protected: once a threat has been detected on any device globally, it does not need to be sent to the sandbox again and is blocked instantly.

The SpamTitan email sandbox service greatly increases the detection rate of elusive threats in the pre-execution stage, including APTs, targeted attacks, evasion techniques, obfuscated malware, custom malware, and ransomware. It allows security teams to quickly integrate advanced emulation-based malware analysis and protects against a rapidly evolving threat landscape.

You can put the SpamTitan email sandbox service to the test today by signing up for a 100% free trial and instantly start protecting your business with sandbox technology.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

How Does a Sandbox Work?

Sandboxing is a security feature that protects against malicious code. Rather than execute potentially unsafe code in a standard environment, it is sent to the sandbox – an isolated environment where no harm can be caused.

How Does a Sandbox Work?

A sandbox is an important cybersecurity tool for protecting host devices, operating systems, and data from being exposed to potential threats. The sandbox is a highly controlled system that is used to analyze untrusted applications, files, or code. It is isolated from the network and from real data, and only the essential resources needed for analysis are made available to it. A sandboxed file cannot access other parts of the network, other resources, or the host file system, only those specifically set up for the sandbox.

Sandboxes can have different environments. One of the most common implementations uses virtualization: a virtual machine (VM) is set up specifically to examine suspicious programs and code. Some sandboxes include emulation of operating systems to mimic a standard endpoint. Some malware samples check their environment before executing malicious routines to make sure they are not running in a VM; if a VM is detected, the malware will not execute its malicious routines and may self-delete to prevent analysis. By emulating a standard endpoint, these checks can be passed to allow analysis. Some sandboxes have full system emulation, which includes the host machine’s physical hardware as well as its operating system and software. These sandboxes provide deeper visibility into the behavior and impact of a program.

In email security, files, attachments, URLs, and programs are sent to the sandbox to check whether they are benign or malicious. The analysis can take between a few seconds and a few minutes, and if any malicious activity is detected, the file will be either quarantined and made available for further study or deleted. Any other instances of that file will be removed from the email system, and any future encounters will see the file, attachment, URL, or program deleted.

SpamTitan Email Sandboxing

SpamTitan Email Security includes a Bitdefender-powered email sandbox to ensure users are protected against zero-day threats. All emails are subjected to a barrage of checks and tests, including scans using two different antivirus engines. SpamTitan features strong machine learning, static analysis, and behavior detection technologies to ensure that only files that require deep analysis get sent to the sandbox. This is important, as deeper analysis may take several minutes, so verified clean and safe messages will not be unduly delayed.

Files that are sent to the sandbox for deep analysis are executed and monitored for signs of malicious activity, with self-protection mechanisms in place to ensure every evasion attempt by a piece of malware is properly flagged. The sandbox has purpose-built, advanced machine learning algorithms, decoys and anti-evasion techniques, anti-exploit, and aggressive behavior analysis. All results are checked against known threats in an extensive array of online repositories. If a malicious file is detected, the sandbox updates Bitdefender’s cloud threat intelligence service – the Bitdefender Global Protective Network – and the sandbox will never have to analyze that threat again, as it will be blocked globally.

If you want to improve protection against zero-day threats, give the TitanHQ team a call to find out more about SpamTitan. SpamTitan is available on a free trial to allow you to test it out in your own environment before making a purchase decision.

What is Sandbox Security?

What is sandbox security? In an IT sense, sandbox security refers to the use of an isolated environment for testing potentially malicious or unsafe code. The sandbox is an environment that resembles the organization’s real environment. It is made to look like a legitimate endpoint rather than a virtual environment; however, the sandbox is totally isolated from other systems and contains no real data.

A sandbox is used for malware analysis, for testing potentially unsafe code, or as a guest environment with a tightly controlled set of resources, with no ability to inspect the host system or gain access to the network, so no threats are exposed to real systems or data. For example, if a file needs to be opened and it is unclear whether it contains malicious code, it is opened in a sandbox. Security teams can assess the behavior of the file to determine if it is benign or malicious, and if it is the latter, no harm will be caused.

Sandboxes are commonly used for testing new code to determine whether it is safe and compatible with other systems, without actually putting those systems at risk. The sandbox is used to perform troubleshooting to identify any problematic parts of the code. One of the main benefits of sandbox security is blocking cyberattacks, and sandboxing has become indispensable for email security.

Email Sandboxing

Email sandboxing is the use of a sandbox environment for inbound email, which can be used to protect against phishing and malware threats. When an email is received that contains an attachment or a hyperlink, these can be evaluated in the sandbox before the message is released for delivery to the end user’s inbox. Phishing is one of the most common ways that malicious actors gain initial access to internal networks. Emails are often sent that contain hyperlinks to URLs hosting phishing kits that steal credentials or sites hosting malware. These emails can be sent to a sandbox where the links can be followed and the content of the URLs assessed. If a file download is triggered, the file can be analyzed to determine its behavior.

The same applies to email attachments. An email attachment such as a Word document or Excel spreadsheet may contain a malicious macro or other malicious code, which could provide a threat actor with remote access to the device and network. By opening the attachment in the sandbox, the behavior of the file can be analyzed safely. If found to be malicious, all other instances of that malware can be removed and if the file is received again, it will be automatically deleted. Security teams can also safely study malware to determine the nature of the threat and learn important information about the adversary and their intentions.

Why Is Email Sandboxing So Important?

Traditional email security solutions are effective at detecting and blocking known malware threats. They use one or more antivirus engines for scanning email attachments for known signatures of viruses and malware. If these signatures are detected, the threat will be blocked. The problem with signature-based detection is the signature must be known. While virus definition lists are updated on a daily or even hourly basis, new malware threats are constantly being released. If a new malware variant is received for which there is no signature, it will not be detected as malicious and will be delivered to an inbox where it can be executed.

Sandbox security plugs this security gap. If an attachment passes AV checks, it is sent to the sandbox for deep analysis of its behavior, allowing zero-day malware threats to be detected and blocked. Cybercriminals do not just use one version of a malware sample, they use many different versions, each differing sufficiently to evade AV checks. Without sandbox security, organizations are at risk of infection with these malware variants.

TitanHQ’s SpamTitan Email Security solution features dual antivirus engines for detecting known malware threats and a Bitdefender-powered email sandbox for detecting zero-day malware and phishing threats, and it provides security teams with valuable insights into new threats to help them mitigate risks. Give the TitanHQ team a call to find out more about how SpamTitan with sandbox security can improve your security posture. SpamTitan is also available on a free trial to allow you to put the product to the test and see for yourself the difference it makes.

Email Sandboxing is the Key to Blocking More Malware Threats

https://www.spamtitan.com/blog/email-sandboxing-key-blocking-malware-threats/

Email security solutions with email sandboxing block more malware threats than traditional spam filters, even novel malware variants that have yet to be identified as malicious. Without this important feature, emails with malicious attachments will likely be delivered to inboxes where they can be opened by employees. All it takes is for one employee to open a malicious file for malware to be installed that gives a threat actor the foothold they need for a comprehensive attack on the network.

What is an Email Sandbox?

In cybersecurity terms, a sandbox is an isolated virtual machine where potentially unsafe code can be executed in safety, files can be subjected to deep analysis, and URLs can be visited without risk. In the sandbox, the behavior of files, code, and URLs is inspected, and since the sandbox is not networked and has no access to real data or applications, there is no risk of causing any damage. Email sandboxing is used to identify malicious code and URLs in emails. The email sandbox mirrors standard endpoints to trick malicious actors into thinking that they have reached their intended target. Emails may pass front-end tests that look at the reputation of the sender, the email headers, and the content of the messages, and that subject attachments to signature-based antivirus scans, but there is no guarantee that the emails are safe without sandbox-based behavioral analysis.

Why is Email Sandboxing Important?

Cyber threat actors have been developing techniques for bypassing standard email security solutions such as embedding malicious URLs in PDF attachments, hiding malicious content in compressed files, using multiple redirects on hyperlinks, and including links to legitimate cloud-based platforms such as SharePoint for distributing malware. Traditional email security solutions can filter out spam and phishing emails, but they often fail to block more sophisticated threats, especially zero-day malware threats. Email sandboxing provides an extra layer of protection against sophisticated threats such as spear-phishing emails, advanced persistent threats (APTs), and novel malware variants.

A few years ago, new malware variants were released at a fairly slow pace; however, threat actors are now using automation and artificial intelligence to generate new malware variants at an alarming rate. Malware samples are used that deviate sufficiently from a known threat to be able to bypass signature-based detection mechanisms, ensuring they reach their intended targets. Rather than just using one version of malware in their email campaigns, dozens of versions are created on a daily basis. While security awareness training will help employees identify and avoid suspicious emails, threat actors have become adept at social engineering and often hoodwink employees.

The SpamTitan Email Sandbox

The SpamTitan email sandbox is a powerful next-generation security feature with award-winning machine-learning and behavioral analysis technologies. Powered by Bitdefender, the SpamTitan sandbox for email allows files to be safely detonated where they can do no harm. Email attachments that pass the barrage of checks performed by SpamTitan are sent to the sandbox for deep analysis. The sandbox is a virtual environment that is configured to appear to be a typical endpoint and incorporates purpose-built, advanced machine learning algorithms, decoys and anti-evasion techniques, anti-exploit, and aggressive behavior analysis. Files are also subjected to checks across an extensive array of online repositories, with the sandbox checks taking just a few minutes. That ensures that genuine emails are not unduly delayed. If malicious properties are detected in the sandbox, the threat intelligence is passed to Bitdefender’s Global Protective Network (cloud threat intelligence service). If the threat is encountered again, it will be detected and blocked without having to be analyzed again in the sandbox.

The SpamTitan sandbox is used for a wide range of attachments, including office documents, which are checked for malicious URLs, macros, and scripts, and all executable and application files. The sandbox allows SpamTitan to detect polymorphic malware and other threats that have been designed to evade detection in targeted attacks. If a malicious file is detected, the email is not sent to a spam folder where it could be opened by an end user; it is quarantined in a directory on the local email server which only an administrator can access. Administrators may wish to conduct further investigations to gain insights into how their organization is being targeted.

Threat actors are conducting increasingly sophisticated attacks, so email security solutions need to be deployed that are capable of detecting these advanced threats. With zero-day threats on the rise, now is the ideal time to improve your email defenses with SpamTitan. Why not sign up for a free trial of SpamTitan today to put the solution to the test to see the difference the advanced threat detection capabilities make to your security posture? Product demonstrations can also be requested by contacting TitanHQ, and our friendly sales team will be more than happy to discuss SpamTitan with you and the best deployment options to meet the needs of your business.

Commonly Asked Questions About Email Sandboxing

This post answers commonly asked questions about email sandboxing so you know what to expect from an email security solution with a sandbox, and why this advanced feature is vital for email security.

What is an Email Sandbox?

One of the commonly asked questions about email sandboxing is what is an email sandbox? Like the children’s equivalent, it is a safe space for building, destroying, and experimenting. In cybersecurity terms, it is an isolated environment where harm cannot be caused to anything outside of that environment. An email sandbox is an isolated virtual machine that is used for performing risky actions, such as opening unknown attachments and analyzing files and URLs in depth, rather than using a real machine where there is a risk of harm being caused such as file encryption by ransomware, theft of sensitive information, or wiping of data.

Why is an Email Sandbox Important?

Email is the most common vector used in cyberattacks. Through emails, cyber threat actors can gain initial access to a protected network from where they can steal sensitive data or move laterally for a more comprehensive attack. One of the most common ways of gaining remote access is through malware. Once malware is downloaded, an attacker can remotely run commands and gain full control of an infected device. While businesses use antivirus software to detect and remove malware, these solutions are signature-based. In order to detect malware, the signature of the malware must be in the definition list used by the antivirus solution, which means the malware must have previously been encountered. Novel malware variants that have not yet been determined to be malicious will not be identified as such and will therefore be delivered to inboxes where they can be executed by employees. An email sandbox is used to safely detonate suspicious files and inspect their behaviors. The behavioral analysis allows previously unknown malware samples to be identified and blocked. This is important due to the volume of new malware samples that are now being released.

How Does an Email Sandbox Protect Against Malware?

Email security solutions with sandboxing perform the same front-end checks as traditional email security solutions and will identify and block many malicious messages. If the initial checks are passed but the messages are determined to potentially pose a risk, they will be sent to the sandbox for behavioral analysis. Once inside the safety of the sandbox, the attachments will be opened and subjected to various tests. The sandbox is configured to appear to be a normal endpoint, so any malware will be tricked into running malicious commands as it would if it had reached its intended target. The actions of the file are assessed, and if they are determined to be malicious, the file is sent to a quarantine folder. By performing these checks, new malware variants can be identified and blocked before any harm is caused.

Will Sandboxing Delay Message Delivery?

Performing standard checks of messages is a quick process, often causing imperceptible delays in mail delivery. Performing in-depth analysis takes longer, so there will be a delay in message delivery. Many emails will not need to be sent to the sandbox and will be delivered immediately, but if sandboxing is required, there will be a delay while the behaviors of the email and attachments are analyzed. Some malware has built-in anti-analysis capabilities and will delay any malicious processes to combat sandboxing. Time is therefore required to ensure full analysis. With SpamTitan, the delay will be no longer than 20 minutes.

How Can I Avoid Message Delivery Delays?

SpamTitan incorporates artificial intelligence and machine learning capabilities which minimize the number of emails that are sent to the sandbox, and SpamTitan will check every 15 seconds to ensure that emails are delivered as soon as the sandbox analysis is complete. SpamTitan’s sandbox is part of Bitdefender’s Global Protective Network, which ensures rapid checks of suspicious messages. To avoid delays, certain email addresses and domains can be added to a whitelist, which means they will not be sent to the sandbox for analysis, ensuring rapid delivery.

What are the Benefits of Email Sandboxing?

The sandbox provides an important extra layer of protection against malware threats and malicious links. It will detect advanced attacks early and prevent breaches, reduce incident response costs and efforts, reduce the threat-hunting burden, and increase the detection rate of elusive threats in the pre-execution stage, including APTs, targeted attacks, evasion techniques, obfuscated malware, custom malware, and ransomware.

How Does the SpamTitan Sandbox Work?

SpamTitan will subject all inbound emails to a battery of front-end tests, and if these are passed but the email is still suspicious, the message and attachment will be sent to the sandbox and the user will be informed that the message is in the sandbox for review. The email and attachments will then be opened in an isolated cloud platform or a secure customer virtual environment. If malware is detected, the email is blocked and assigned the ATP.Sandbox tag, it is listed under “Viruses” in the relevant quarantine report, and the intelligence gathered is used to protect all users from that threat in the future. After twenty minutes of interrogation, if no malicious actions are identified, the file is marked clean and the email is passed on to the recipient.
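To make the flow described in the last few answers concrete (allowlisted senders bypass the sandbox, a shared verdict cache stops a known threat being re-analyzed, everything else is queued and re-checked on a short polling interval until a verdict is reached or the twenty-minute analysis budget expires), here is an added Python model of that decision logic. It is not SpamTitan's or Bitdefender's code: the class names, the allowlist, the attachment bytes, the timing values given to the constructed jobs, and the use of a simulated clock are all assumptions made for this example; only the 20-minute budget, the 15-second poll interval and the "malicious verdicts are shared so the same file is never sandboxed twice" behaviour come from the text above.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Optional

MAX_ANALYSIS_SECONDS = 20 * 60   # analysis budget stated in the article
POLL_INTERVAL_SECONDS = 15       # how often delivery is re-checked, per the article


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"   # would be tagged ATP.Sandbox and listed under "Viruses"
    QUEUED = "queued"         # what the user sees as "email queued for sandbox"


@dataclass
class SandboxJob:
    message_id: str
    attachment_hash: str
    submitted_at: int
    # Constructed scenario input: seconds of analysis before malicious behaviour
    # is observed, or None if the file never misbehaves.
    malicious_after: Optional[int]
    verdict: Verdict = Verdict.QUEUED
    resolved_at: Optional[int] = None


class SandboxGateway:
    """Hypothetical model of an email sandbox front door (not a real product API)."""

    def __init__(self, allowlist):
        self.allowlist = set(allowlist)          # addresses or domains that skip the sandbox
        self.threat_cache = {}                   # hash -> Verdict.MALICIOUS, shared by all users
        self.queue = []

    def submit(self, message_id, sender, attachment, now, malicious_after=None):
        """Return CLEAN (deliver now), MALICIOUS (block now) or QUEUED (wait for analysis)."""
        digest = hashlib.sha256(attachment).hexdigest()
        domain = sender.rsplit("@", 1)[-1]
        if sender in self.allowlist or domain in self.allowlist:
            return Verdict.CLEAN                 # allowlisted: delivered without sandboxing
        if digest in self.threat_cache:
            return self.threat_cache[digest]     # already known bad globally: no second run
        self.queue.append(SandboxJob(message_id, digest, now, malicious_after))
        return Verdict.QUEUED

    def poll(self, now):
        """Called every POLL_INTERVAL_SECONDS; resolves jobs whose analysis has concluded."""
        finished = []
        for job in self.queue:
            elapsed = now - job.submitted_at
            if job.malicious_after is not None and elapsed >= job.malicious_after:
                job.verdict = Verdict.MALICIOUS
                self.threat_cache[job.attachment_hash] = Verdict.MALICIOUS
            elif elapsed >= MAX_ANALYSIS_SECONDS:
                job.verdict = Verdict.CLEAN      # nothing malicious seen within the budget
            else:
                continue                         # still under analysis
            job.resolved_at = now
            finished.append(job)
        self.queue = [j for j in self.queue if j.verdict is Verdict.QUEUED]
        return finished


def run_scenario():
    """Drive the gateway with a simulated clock; returns (submit results, resolution timeline)."""
    gw = SandboxGateway(allowlist={"partner.example"})
    sample = b"constructed suspicious attachment bytes"
    results = {
        "allowlisted": gw.submit("m1", "ceo@partner.example", sample, now=0),
        # Constructed: this file is assumed to show malicious behaviour 90 s into analysis.
        "first_seen": gw.submit("m2", "x@unknown.example", sample, now=0, malicious_after=90),
        "benign": gw.submit("m3", "y@unknown.example", b"harmless report", now=0),
    }
    clock, timeline = 0, []
    while gw.queue:
        clock += POLL_INTERVAL_SECONDS
        for job in gw.poll(clock):
            timeline.append((job.message_id, job.verdict.value, job.resolved_at))
    # The same attachment arriving again is answered from the shared cache immediately.
    results["repeat"] = gw.submit("m4", "z@unknown.example", sample, now=clock)
    return results, timeline


if __name__ == "__main__":
    res, tl = run_scenario()
    print(res)   # allowlisted: CLEAN, first_seen: QUEUED, benign: QUEUED, repeat: MALICIOUS
    print(tl)    # [('m2', 'malicious', 90), ('m3', 'clean', 1200)]
```

Two design points worth noticing: a benign file is the expensive case, because the only way to call it clean is to let the full budget run, which is why the article stresses keeping the number of sandboxed messages small; and the cache is keyed on the file hash, so it helps only with exact repeats, which is why the sandbox itself still has to do the work for every fresh variant.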

How Can I Find Out More About Email Security and Sandboxing?

If you have unacceptable numbers of spam and malicious messages being delivered to inboxes, are receiving large numbers of queries about suspicious emails from your employees, or if you have experienced a malware infection via email recently, you should speak with TitanHQ about improving email security with SpamTitan.

SpamTitan has artificial intelligence and machine learning capabilities, a next-gen email sandbox, and a 99.99% detection rate with a very low false positive rate. Further, SpamTitan is very competitively priced, easy to use, and requires little maintenance. The solution is also available on a 100% free trial, with full product support provided for the duration of the trial.

DarkGate Malware Infections Increase via Microsoft Teams Phishing and Malvertising Campaigns

Infections with DarkGate malware have been increasing in recent weeks. DarkGate malware was first identified in 2017 but was only used in limited attacks as the developer chose to use the malware privately against highly specific targets; however, over the summer the malware started being advertised on Russian-language cybercriminal forums and the developer has recruited a limited number of affiliates under the malware-as-a-service model. Reportedly, the developer offered the malware for sale to 10 people for an annual cost of $100,000.

DarkGate malware is written in Delphi and primarily serves as a malware loader, capable of downloading and executing other malware payloads. Typically, the payloads are executed in memory, which makes them hard to detect since no files are written to disk. The malware can also steal browser histories and Discord tokens, and has Windows Defender exclusion, reverse shell, hidden VNC, and keylogging capabilities.

The malware uses a variety of mechanisms to evade detection, including checks for identifiers used by virtual machines, sandboxes, and antivirus solutions, altering its behavior based on the results of those checks, and it has persistence mechanisms to ensure it is reloaded on reboot.

The advertising campaign appears to have been successful as distribution of the malware has increased significantly through spamming and phishing campaigns. One of those phishing campaigns uses compromised Office 365 accounts to send phishing messages that deliver DarkGate malware via Microsoft Teams messages.

Researchers at TrueSec identified messages that tricked recipients into clicking a link in the message that directs them to a SharePoint-hosted file called “Changes to the vacation schedule.zip”, with the message advising employees that due to circumstances out of the company’s control, vacation time for certain employees has been canceled. The Zip file contains a malicious LNK file which masquerades as a PDF file with the same name as the zip file. Clicking the file will launch a VBScript file that will ultimately lead to the downloading and execution of DarkGate malware. Microsoft has security features to block attacks such as this – Safe Attachments and Safe Links – but neither of these features identified the file or link as malicious.
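The delivery chain above (an archive whose only payload is a shortcut file dressed up as a document) is one that mail and download filters can check for cheaply, before any sandbox run. The Python below is an added example from the editor, not code from the original article, TrueSec, or TitanHQ: it opens a zip archive in memory and flags entries that carry a Windows shell-link (.lnk) header, a .lnk extension, a document-style double extension, or content that does not match the extension it claims. The archive and its entries are constructed for the example; the real archive's inner file name is not given on the page, and the double-extension entry name used here is an assumption. The shell-link header bytes (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046) are the documented fixed header of the format.

```python
import io
import zipfile

# Fixed start of a Windows Shell Link file: HeaderSize 0x0000004C (little-endian),
# then the LinkCLSID 00021401-0000-0000-C000-000000000046 in GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")
PDF_MAGIC = b"%PDF-"
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def _extensions(entry_name):
    """Return (outer_ext, inner_ext) for 'dir/name.pdf.lnk' -> ('.lnk', '.pdf')."""
    base = entry_name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    outer = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    return outer, inner


def inspect_archive(zip_bytes):
    """Return [(entry_name, [reasons])] for every suspicious entry in the archive.

    Only the first bytes of each entry are read, so a large archive is cheap to
    check and a decoy entry cannot force a full extraction.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            outer, inner = _extensions(info.filename)
            reasons = []
            if head.startswith(LNK_MAGIC):
                reasons.append("shell-link header")
            if outer == ".lnk":
                reasons.append(".lnk extension")
            if inner in DOCUMENT_EXTENSIONS and outer not in DOCUMENT_EXTENSIONS:
                reasons.append(f"double extension {inner}{outer}")
            if outer in DOCUMENT_EXTENSIONS and head.startswith(LNK_MAGIC):
                reasons.append("content does not match extension")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_archive():
    """Constructed test archive: one genuine PDF, one text file, two shortcut decoys."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56          # header only; not a functional shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", PDF_MAGIC + b"1.7\n%constructed benign document\n")
        zf.writestr("notes.txt", b"nothing to see here\n")
        # Assumed name: shown as "...schedule.pdf" when Windows hides known extensions.
        zf.writestr("Changes to the vacation schedule.pdf.lnk", fake_lnk)
        zf.writestr("invoice.pdf", fake_lnk)      # claims PDF, carries a shell-link header
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in inspect_archive(build_sample_archive()):
        print(f"{name}: {', '.join(why)}")
```

Checking the header rather than trusting the extension is what catches the second decoy: renaming a shortcut to invoice.pdf defeats an extension filter but not a magic-bytes check, and flagging the double extension separately gives the analyst a readable reason in the quarantine report.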

Other distribution campaigns have been detected in recent months, including a malvertising campaign that uses Google Ads to direct web users to a malicious site where the malware is hosted. The web page used in this campaign offered a legitimate network scanning tool, and while that tool was provided, extra files were bundled with the installation file that executed DarkGate malware.

Businesses are encouraged to defend against attacks through a defense-in-depth approach involving multiple layers of protection, such as an advanced AI-driven spam filtering solution, a web filter, and endpoint protection software. Web filters will protect against malvertising campaigns, redirects to malicious websites, and malicious file downloads from the web. The increase in the use of SMS, Teams, and instant messaging services for distributing malicious links means these methods of link distribution should be incorporated into your security awareness training programs.

If you are interested in improving email security, web security, and security awareness training, contact TitanHQ today for more information on SpamTitan, WebTitan, and SafeTitan.

TitanHQ Announces New Partnership with India’s Leading Managed Service Provider

TitanHQ has recently announced a new partnership with one of India’s leading managed service providers, Tata Tele Business Services (TTBS). TTBS is the leading provider of business connectivity and communications solutions in India and has the largest portfolio of ICT services for businesses in the country.

Like many countries, India is facing a major increase in cybercrime. 78% of Indian organizations experienced a ransomware attack in 2021, web-based attacks have jumped sharply, and a 2022 Group-IB study placed India third globally for phishing attacks in 2021 with more attacks than any other country in the Asia-Pacific region. Indian businesses need to ensure that they have the necessary defenses in place to combat increasingly sophisticated cyberattacks, especially attacks that target employees.

Businesses often turn to their managed service providers for cybersecurity and seek solutions that can protect them against malware and phishing. TTBS provides cybersecurity solutions to SMBs and its cybersecurity packages have now been improved with the addition of SpamTitan email security and the WebTitan DNS-based web filter. Both solutions are 100% cloud-based, easy for MSPs to add to their service stacks, and easy to manage.

TTBS provides advanced email security with phishing protection through the Tata Tele Email Security Plus Program, which delivers advanced threat protection for email through TitanHQ’s AI-driven SpamTitan anti-phishing solution. Protection against Internet-based threats is provided through the Tata Tele Smart Internet Program, which includes web filtering provided by WebTitan. WebTitan is fed threat intelligence from a network of 650 million endpoints, ensuring malicious websites are blocked before threats are encountered.

“We are delighted to partner TitanHQ to offer Tata Tele Email Security- an advanced email security solution that is in line with Zero Trust security agenda of enterprises,” said Vishal Rally, Sr. VP & Head – Product, Marketing and Commercial, Tata Teleservices Ltd. “As a leading technology enabler TTBS is committed to simplifying and democratizing email security for businesses of any size. This partnership will ensure the protection of enterprise sensitive data efficiently and cost effectively”.

“We are excited to partner with Tata Teleservices to offer their growing customer base our advanced threat protection layer for email and web security,” said TitanHQ CEO Ronan Kavanagh. “Over several years, Tata Teleservices has excelled in the areas of customer service and security; our partnership further cements this commitment.”

If you are an MSP that has yet to start offering cybersecurity packages to your clients, or if you are keen to improve protection through AI-driven cybersecurity solutions, give the TitanHQ channel team a call to find out more about how TitanHQ can help you better protect your clients and improve your profits.

Email Sandboxing and Message Delivery Delays

Email sandboxing is important for security, as it will block threats that traditional email filters fail to detect. While sandboxing is now considered to be an essential element of email security, one disadvantage is that it will delay the delivery of emails. In this post, we will explain why that is and how email delivery delays can be minimized or avoided altogether.

What Does Queued for Sandbox Mean?

If you use SpamTitan or another email security solution with email sandboxing, you may see the message “email queued for sandbox” from time to time. “Queued for sandbox” means the message has been judged to warrant further inspection and has been sent to the sandbox for deeper analysis. This is most likely because the email includes an attachment that is deemed risky even though it has passed the initial antivirus scans.

While email sandboxing is important for security, it has a downside: processing messages in a sandbox and performing behavioral inspection takes time. Messages that have been sandboxed are therefore delayed while the behavioral checks run, and they are delivered only once all sandbox checks have been passed. If a large volume of suspicious emails is received at the same time, messages are queued for analysis, which is why the “queued for sandbox” message is displayed.

Sandbox Delays for Inbound Emails

The processing of messages in a sandbox can take a little time. Cyber threat actors do not want their malware and malicious code analyzed in a sandbox, as it will allow their malware to be identified. Further, once a malware sample has been identified, details will be shared with all other users of that security solution, which means no user will have that malicious file delivered to their inbox. SpamTitan’s email sandbox is powered by Bitdefender, so all members of the Bitdefender network who subscribe to its feeds will also be protected.

Many malware samples now have anti-sandbox technologies to prevent this. When the malware is dropped on a device it will analyze the environment it is in before launching any malicious actions. If it senses it is in a sandbox it will terminate and may attempt to self-delete to prevent analysis. One technique often seen is delaying any malicious processes for a set time after the payload is delivered. Many sandboxes will only analyze files for a short period, and the delay may be sufficient to trick the sandbox into releasing the file. It is therefore necessary to give the sandbox sufficient time for a full analysis.

Are Your Sandbox Delays Too Long?

Analyzing emails in a sandbox is resource-intensive and can take several minutes, so the resulting delays to email delivery may be too long for some businesses. There are ways to avoid this, which we will discuss next, but long delays may also be due to the email security solution you are using. The SpamTitan email sandbox is part of Bitdefender’s Global Protective Network, which was chosen not only for its cutting-edge threat detection but also for its speed of analysis. If you are experiencing long delays receiving emails, take advantage of the free trial of SpamTitan to see the difference the solution makes to the speed of delivery for emails that require sandbox analysis.

How the SpamTitan Sandbox for Email Minimizes Delays

To avoid unnecessary email delays, SpamTitan does not send all messages to the sandbox. If a message is suspicious and the decision is taken to send it to the sandbox for analysis, SpamTitan checks every 15 seconds whether the analysis has been completed, to ensure the message is released in the shortest possible time frame. Employees will know that a message they have received was sent to the sandbox, as the message delivery status is displayed in their history. Provided all sandbox checks are passed, the email is delivered. This process takes no longer than 20 minutes. If a file is determined to be legitimate, SpamTitan retains the details so that if the attachment or message is encountered again, it is not subjected to further analysis in the sandbox.

How to Avoid Sandbox Delays to Message Delivery

There are ways to avoid messages being placed in the queue for sandbox inspection. While it is not always advisable for security reasons, it is possible to whitelist specific email addresses and domains. This will ensure that emails from important clients that need a rapid response will be delivered without delay and will not be sent to the sandbox. The problem with this approach is that if a whitelisted email address or a domain is compromised and used to send malicious messages, they will be delivered.
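As an added illustration (not SpamTitan's own code), the following Python model simulates the delivery flow described in the two sections above: a risky attachment is queued, the gateway polls the sandbox every 15 seconds, delivery is held for at most 20 minutes, verdicts for files already analyzed are cached, and whitelisted senders skip the sandbox entirely. The fake sandbox, the hash-keyed cache, and the fail-closed behavior when no verdict arrives in time are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass, field

POLL_INTERVAL_S = 15        # gateway re-checks the sandbox every 15 seconds
MAX_HOLD_S = 20 * 60        # a sandboxed message is held for at most 20 minutes


def sha256_hex(data: bytes) -> str:
    """Attachment identity used for the verdict cache (assumption: hash-keyed)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Message:
    sender: str
    attachment: bytes


class FakeSandbox:
    """Constructed stand-in for the real sandbox. Each file hash has a scripted
    analysis duration and verdict; the verdict only becomes visible once that
    much simulated time has elapsed, which is what forces the gateway to poll."""

    def __init__(self, scripted: dict):
        self.scripted = scripted      # sha256 -> (analysis_seconds, "clean"|"malicious")
        self.submitted = 0            # how many files actually went to the sandbox

    def submit(self, digest: str) -> None:
        self.submitted += 1

    def verdict(self, digest: str, elapsed_s: int):
        secs, result = self.scripted[digest]
        return result if elapsed_s >= secs else None


@dataclass
class Gateway:
    sandbox: FakeSandbox
    whitelist: set = field(default_factory=set)        # sender addresses or domains
    verdict_cache: dict = field(default_factory=dict)  # sha256 -> verdict

    def process(self, msg: Message):
        """Return (outcome, delay_seconds, reason) for one message.

        outcome is 'delivered' or 'quarantined'; time is simulated, not slept."""
        domain = msg.sender.rsplit("@", 1)[-1]
        if msg.sender in self.whitelist or domain in self.whitelist:
            # Whitelisted mail skips the sandbox. This is exactly the trade-off the
            # post warns about: if the sender is compromised, its malware is delivered.
            return "delivered", 0, "whitelisted sender, sandbox skipped"

        digest = sha256_hex(msg.attachment)
        cached = self.verdict_cache.get(digest)
        if cached is not None:
            outcome = "delivered" if cached == "clean" else "quarantined"
            return outcome, 0, "cached verdict"

        self.sandbox.submit(digest)
        elapsed = 0
        while elapsed < MAX_HOLD_S:
            elapsed += POLL_INTERVAL_S               # one 15-second poll
            result = self.sandbox.verdict(digest, elapsed)
            if result is not None:
                self.verdict_cache[digest] = result  # never re-analyze this file
                outcome = "delivered" if result == "clean" else "quarantined"
                return outcome, elapsed, "sandbox verdict"
        # Assumption: fail closed if no verdict arrives within the 20-minute hold.
        return "quarantined", elapsed, "sandbox timeout"


def demo():
    """Four messages exercising each path; returns their outcomes and the
    number of sandbox submissions actually made."""
    clean_doc = b"constructed sample: harmless quotation.pdf"
    dropper = b"constructed sample: malicious invoice.zip"
    sandbox = FakeSandbox({
        sha256_hex(clean_doc): (40, "clean"),        # verdict ready after 40 s
        sha256_hex(dropper): (130, "malicious"),     # verdict ready after 130 s
    })
    gw = Gateway(sandbox, whitelist={"trusted-client.example"})
    results = [
        gw.process(Message("alice@example.com", clean_doc)),          # sandboxed, 3 polls
        gw.process(Message("bob@example.com", clean_doc)),            # cache hit, no delay
        gw.process(Message("carol@example.com", dropper)),            # sandboxed, quarantined
        gw.process(Message("ceo@trusted-client.example", dropper)),   # whitelist bypass
    ]
    return results, sandbox.submitted


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

The fourth message shows the whitelist caveat in action: the same dropper that was quarantined for carol is delivered untouched when it arrives from a whitelisted domain.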

What Happens if a Message is Misclassified as Malicious?

False positives do occur with spam and phishing emails as email filtering is not an exact science. While this is rare with SpamTitan, any misclassified emails will not be deleted as they will be sent to a quarantine folder. That folder can be configured to be accessible only by an administrator. The administrator can then check the validity of the quarantined messages and release any false positives. Since SpamTitan has artificial intelligence and machine learning capabilities, it will learn from any false positives, thus reducing the false positive rate in the future.

Talk with TitanHQ About Improving Email Security

If you are not currently using an email security solution with sandboxing or if your current email security solution is not AI-driven, contact TitanHQ to find out more about how SpamTitan can improve protection against sophisticated email threats. SpamTitan is available on a free trial to allow you to put the product to the test before deciding on a purchase, and product demonstrations can be arranged on request. If you proceed with a purchase, you will also benefit from TitanHQ’s industry-leading customer service. If you ever have a problem or a query, help is rapidly at hand.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

How Does an Email Sandbox Block Malware?

You may have heard that email sandboxing is an important security feature, but how does an email sandbox block malware and why is this security feature necessary? In this post, we explain what an email sandbox is, why it is now an important element of email security, and how email sandboxes work.

An email sandbox is a secure and isolated environment where emails and their attachments are subjected to behavioral analysis. In the sandbox, malicious files and code can be safely detonated where no harm can be caused. Say an email is received that contains malicious code that is used to drop and execute ransomware on a device. Executing that code on a standard machine would initiate the process that ends with file encryption. Execute that code in an email sandbox and the malicious behavior would be detected and no harm would be caused. The email and code will then be eradicated from the email system, and the threat intelligence gathered will be sent to a global network to ensure that if the email or code is encountered again it will be immediately blocked.

Many Email Security Solutions Fail to Detect the Most Serious Threats

Traditional email security solutions perform many tests on emails to determine the likelihood of them being spam or malicious. DMARC and SPF are used to check the legitimacy of the sender, checks are performed on the reputation of an IP address/domain, and the subject, title, and body of a message are analyzed for signs of phishing and spam. Email attachments are also subject to anti-virus checks, which will identify and block all known malware variants. The result? Filtered emails contain no known spam, no known malicious hyperlinks, and no known malware.

The problem with traditional email security solutions is that they are unable to detect unknown spam, phishing attempts, and malware. If a threat actor uses a previously unseen phishing email, which includes either a link to a fresh URL or a site with a good reputation, that email will most likely be delivered. If a new malware variant is sent via email, its signature will not be present in any virus or malware definition list, and it will similarly be delivered to an end user’s inbox. Threat intelligence is shared with email security solutions and they are constantly updated as new threats are found, but there is a lag during which these threats will be delivered to inboxes. That is why an email sandbox is needed.

How an Email Sandbox Works

Antivirus scans will block the majority of malware, but not novel (zero-day) malware threats. When an email security solution has email sandboxing, the same checks are initially performed, and if they are passed, emails are sent to the sandbox for further analysis. The email sandbox is an isolated environment on a virtual machine that is configured to look like a genuine endpoint. As far as the threat actor is concerned, their email will have reached their intended target and the file should execute as it would on a standard machine.

In the sandbox, emails and attachments are opened, links are followed, and behavior is analyzed in detail to determine whether any malicious or suspicious actions occur, such as command-and-control callbacks, attempted file encryption, or scans for running processes. If a Word document is opened that contains no hyperlinks, no macros, and no malicious scripts, and nothing suspicious occurs in the time it is present in the sandbox, the file is deemed benign and the email is delivered to the intended recipient. If any malicious actions are detected, the file is sent to a local quarantine directory where it can be accessed only by the administrator. The intelligence gathered is sent to the global network and all users are protected almost instantly. All copies of that message and the attachment are also removed from the entire mail system.
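As an added example, not the SpamTitan or Bitdefender implementation, this Python snippet shows how a verdict can be derived from the three behaviors the paragraph lists: command-and-control callbacks, attempted file encryption, and scans for running processes. The event format, the allow-listed hosts, the rename threshold and the minimum observation time are assumptions, and the traces are constructed; the "inconclusive" outcome reflects the earlier point that delayed-execution malware must be given enough time in the sandbox.

```python
from dataclasses import dataclass, field

# Destinations the detonation VM is expected to reach when opening an office
# document (constructed allow-list; a real sandbox would derive it by baselining).
EXPECTED_HOSTS = {"crl.example-ca.invalid", "update.example-office.invalid"}
MIN_OBSERVATION_S = 120   # a quiet trace shorter than this cannot be called clean
RENAME_THRESHOLD = 10     # extension-changing renames that count as encryption-like


@dataclass
class Verdict:
    label: str                                  # 'clean' | 'malicious' | 'inconclusive'
    findings: list = field(default_factory=list)


def _ext(path: str) -> str:
    """File extension of a Windows or POSIX path, lower-cased ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyse(trace: list, observed_s: int) -> Verdict:
    """Classify one sandbox trace.

    trace: events recorded while the attachment was open, each a dict with a
           timestamp 't' (seconds) and a 'type'.
    observed_s: how long the sample was watched before the trace was cut."""
    findings = []
    for e in trace:
        if e["type"] == "net_connect" and e["host"] not in EXPECTED_HOSTS:
            findings.append(f"t={e['t']}s: callback to {e['host']}:{e['port']}")
        elif e["type"] == "proc_enum":
            findings.append(f"t={e['t']}s: enumerated running processes via {e['api']}")
    # Encryption-like behavior: many user files rewritten under a new extension.
    renames = [e for e in trace
               if e["type"] == "file_rename" and _ext(e["old"]) != _ext(e["new"])]
    if len(renames) >= RENAME_THRESHOLD:
        new_exts = sorted({_ext(e["new"]) for e in renames})
        findings.append(f"{len(renames)} files renamed to {new_exts}: encryption-like")
    if findings:
        return Verdict("malicious", findings)
    if observed_s < MIN_OBSERVATION_S:
        # Quiet so far, but malware that sleeps before acting would look the same,
        # so a short silent trace is not evidence of a clean file.
        return Verdict("inconclusive", [f"only {observed_s}s observed"])
    return Verdict("clean")


def sample_traces():
    """Constructed traces standing in for real sandbox output."""
    benign = [
        {"t": 1, "type": "process_start", "image": "WINWORD.EXE"},
        {"t": 2, "type": "file_write", "path": r"C:\Users\u\AppData\Local\Temp\~WRD0001.tmp"},
        {"t": 3, "type": "net_connect", "host": "crl.example-ca.invalid", "port": 80},
    ]
    malicious = [
        {"t": 1, "type": "process_start", "image": "WINWORD.EXE"},
        {"t": 4, "type": "macro_exec", "name": "AutoOpen"},
        {"t": 5, "type": "proc_enum", "api": "CreateToolhelp32Snapshot"},
        {"t": 6, "type": "net_connect", "host": "c2.example.invalid", "port": 443},
    ] + [
        {"t": 7 + i, "type": "file_rename",
         "old": rf"C:\Users\u\Documents\report{i}.docx",
         "new": rf"C:\Users\u\Documents\report{i}.docx.locked"}
        for i in range(12)
    ]
    return benign, malicious


if __name__ == "__main__":
    benign, malicious = sample_traces()
    print(analyse(benign, 180))
    print(analyse(benign, 30))
    print(analyse(malicious, 180))
```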

Email Sandboxing and AI-Driven Threat Detection are Now Vital

Email sandboxing is now vital for email security as new malware variants are being released at an incredible rate and signature-based detection methods cannot detect new malware threats. In addition to email sandboxing, artificial intelligence must be leveraged to look for novel phishing messages, as phishing attempts are also increasing in sophistication. These AI-based checks look for messages that deviate from the typical messages received by a company, and greatly reduce the volume of spam and phishing emails that reach inboxes.

The threat landscape is constantly changing so advanced email defenses are now essential. If you are still using an email security solution without email sandboxing and AI-driven threat detection, your company is at risk. Speak to the team at TitanHQ to find out more about SpamTitan and how the award-winning email security solution can enhance your company’s security posture.

Email Sandboxing, Pattern Filtering, and Other Much-Loved SpamTitan Features

SpamTitan is a next-generation anti-spam, anti-phishing, and anti-malware solution for businesses that incorporates AI-based threat detection, email sandboxing, and many other advanced email security features. Some of the most important and best-loved features of SpamTitan are explained below:

Email Sandboxing in SpamTitan

Email sandboxing is a vital element of email security, yet many email security solutions lack this feature. An email sandbox is a secure, virtual machine where links can be followed and attachments opened where they cannot cause any harm. A malicious link that leads to an automatic malware download can be followed in safety, and even the nastiest piece of malware can be executed without risk as the sandbox is isolated, not connected to any network, and contains no real data.

The sandbox is configured to appear to be a genuine endpoint in order to trick malicious actors into thinking malware has reached its intended target. When a file is opened in the sandbox it is subject to deep analysis, and any malicious or suspicious actions are detected. Emails are subject to a battery of front-end checks, including scans using two anti-virus engines, and any emails that pass these checks but are determined to potentially pose a risk are sent to the sandbox for behavioral analysis. That includes emails along with any attached documents, spreadsheets, and executable files.

Sandboxing for email is important because of the speed at which novel malware samples are used in attacks. Rather than just use one version of a keylogger in a campaign, a threat actor will use dozens of versions of that keylogger, each differing slightly to evade signature-based detection mechanisms. AI and automation are used by threat actors to churn out new malware variants rapidly, and signature-based detection alone is no longer good enough. With sandboxing, email protection is greatly improved against these zero-day threats which would otherwise be delivered to end users’ inboxes.

Pattern Filtering in SpamTitan

One of the most loved features of SpamTitan is Pattern Filtering. It saves IT security teams a considerable amount of their precious time by ensuring spammy and phishy emails are not delivered. The Pattern Filtering feature allows administrators to use their own terminology to block inbound emails. Simply set a word or phrase through Pattern Filtering, and SpamTitan will search the subject line and message body and can be configured to generate a warning or quarantine the email if the word or phrase is found.

An example of where this can be useful is combating the Nigerian scam, or 419 fraud, a type of advance-fee fraud. The name comes from Section 419 of the Nigerian Criminal Code, which prohibits this kind of scam. While the scam is common among Nigerian cybercriminals, cybercriminal groups in many other countries also conduct it. The themes of the emails vary, but they all have the same aim. In a typical example, a prominent person with substantial funds in their account has been unable to transfer the funds out of the country due to unfair restrictions. They offer to transfer the funds to the user’s account to get the money out of the country in exchange for a percentage of those funds as payment, which may be as high as 20%, a life-changing amount of money. The catch? In order to proceed, charges need to be covered, and they must be paid in advance. The Pattern Filtering option can be used to block these emails by incorporating phrases commonly used in them.

Geo-Filtering in SpamTitan

SpamTitan also incorporates geo-filtering, which allows users to block emails from specific countries. If you never do business with countries in Africa, for example, you can simply block all emails coming from African IP addresses with a few clicks of a mouse, rather than manually blocking IP addresses from which you get a lot of spam emails. This feature saves IT teams a considerable amount of time. One user who has benefited greatly from this feature is Benjamin Jeffrey, IT manager at M&M Golf Cars. His company was receiving many requests from countries that the company does not do business with and was getting flooded with spam emails from a specific IP subnet in a country. He configured the geo-filtering and instantly blocked all those messages. When he checked 6 months after configuring that feature, around 12,000 emails had been blocked. Geo-blocking is also useful for blocking malware quickly. Malware distribution campaigns are often launched from a handful of countries, and geo-filtering can be used to block those messages with ease.

AI and Machine Learning in SpamTitan

SpamTitan has AI and machine learning capabilities to improve the detection of spam and phishing emails. These technologies learn about the emails that are typically received by a company and create a baseline against which new emails can be measured. When emails deviate from the norms, they are flagged as risky and are subjected to more stringent security checks or are quarantined for manual inspection. These technologies greatly improve spam and phishing email catch rates and allow SpamTitan to improve day-by-day. These technologies are a vital defense against zero-day phishing threats – new threats that have not been encountered on the 500+ million endpoints from which threat intelligence is gathered.

Find out More About SpamTitan

These are just some of the most loved and most beneficial features of SpamTitan. In addition to having a high catch-rate and low false positive rate, SpamTitan is one of the most affordable email security solutions on the market, it’s quick and easy to set up, and requires little maintenance. The features, price, and ease of use are why it is loved by thousands of small- and medium-sized businesses, enterprises, and managed service providers. To find out more, give the TitanHQ team a call. The product is available on a 100% free trial if you want to put it to the test, and product demonstrations can be arranged on request.

Phishing-as-a-Service Platforms Used to Bypass Multi-Factor Authentication Controls

Phishing attacks are often conducted to obtain credentials in order to gain initial access to business networks; however, many businesses have implemented multi-factor authentication which prevents stolen credentials from being used to access accounts. With multi-factor authentication implemented, credentials alone are not sufficient as access will only be granted if one or more additional authentication mechanisms are navigated. Multifactor authentication can significantly improve protection against phishing attacks, but it does not guarantee protection against unauthorized account access, and multi-factor authentication bypass attacks are increasing.

To bypass multifactor authentication, threat actors typically use adversary-in-the-middle (AitM) techniques delivered through a phishing-as-a-service (PhaaS) platform. PhaaS platforms such as EvilGinx, Muraena, and Modlishka use reverse proxy servers to steal session cookies that allow multi-factor authentication to be bypassed. In these attacks, the user is directed to the phishing site hosting the phishing kit, and when they enter their credentials the site proxies them to the actual targeted website in real time. The website returns the MFA screen, which is proxied to the user, and when the user enters the additional authentication, it is proxied to the actual website. The MFA is successfully completed and a session cookie is returned, which the attacker uses to access the targeted account as the genuine user. The phishing site then redirects the user to another page, and the user remains unaware that their account has been compromised. The attacker will be able to access the account for as long as the session cookie is active.

An alternative method of bypassing MFA is to use synchronous relay servers. This method is used by the Storm-1295 threat group, which provides the Greatness PhaaS platform. This PhaaS platform presents the user with a copy of the sign-in page for the website, similar to standard phishing attacks that only steal credentials. This method uses a phishing kit server that dynamically loads the phishing page and MFA request page and communicates with the PhaaS platform relay server through an API. The PhaaS platform provides a synchronous relay server to relay captured credentials and MFA codes to the sign-in service but does not proxy network traffic.

According to Microsoft, there has been a marked increase in AitM attacks this year which are being conducted through already established MFA-bypassing PhaaS platforms and there has also been an increase in phishing services incorporating AitM capabilities. Businesses need to ensure that they are properly protected against these phishing attacks. The first line of defense is still a spam filter, which will block the majority of phishing emails to ensure they do not land in inboxes where they can be clicked. SpamTitan Plus provides the best protection against phishing attacks. SpamTitan Plus has 100% coverage of ALL current market-leading anti-phishing feeds, which ensures 1.6x faster detection of phishing than all current market leaders.

End-user training is also important for improving resilience against phishing attacks. By providing ongoing training and phishing simulations, employees will learn how to recognize and avoid phishing attempts that are able to circumvent spam filters. SafeTitan is a comprehensive security awareness training and phishing simulation platform that user data shows can improve resilience to phishing by up to 80%.

The increase in the use of MFA-bypassing PhaaS platforms means businesses can no longer rely on standard MFA controls to protect their accounts. While any form of MFA is better than none, businesses should transition to the most secure MFA methods that are resistant to these phishing attacks, such as FIDO2 security keys and certificate-based authentication.

Sophisticated Ransomware Campaign Uses Business Email Compromise Tactics

Companies in Spain are being targeted by a ransomware group that uses phishing emails to distribute LockBit Locker ransomware. According to a recent warning issued by the Central Cybercrime Unit of the Policía Nacional, the campaign has a very high level of sophistication and has so far targeted architecture companies; however, the campaign may be expanded to target other sectors.

LockBit is a ransomware-as-a-service (RaaS) operation where affiliates are recruited to conduct ransomware attacks in exchange for a cut of any ransoms they generate. LockBit is one of the most active ransomware groups and was the most deployed ransomware variant in 2022. The LockBit Locker group conducting this campaign claims to be affiliated with the notorious LockBit group; however, those claims have yet to be verified. What is known is that this is a highly capable group that conducts sophisticated attacks targeting specific industry sectors. The lures and communications used in these attacks are very difficult to distinguish from genuine communications from legitimate companies.

The group appears to have adopted tactics used by business email compromise (BEC) threat actors who build trust with the victim over several emails. An initial communication is sent to a company and the threat actor then engages in conversations over several emails to make it appear that the firm is engaging with a legitimate company that is seeking their services.

The Policía Nacional described one of the attacks, in which the initial email was sent from the non-existent domain fotoprix.eu. The threat actor claimed to be a photography company looking for a quote from architecture firms for a renovation of their premises. The targeted company responded to the initial email, and the threat actor exchanged several more messages before proposing a date for a meeting to finalize the budget. As a prerequisite, documents were sent via email that contained specifications for the proposed renovation, to allow the architecture firm to provide an accurate quote. The archive file attached to the email contained a shortcut file that executes a malicious Python script, which establishes persistence and executes the LockBit Locker payload to encrypt files. A ransom demand is then dropped on the encrypted device, and payment is required to recover the files.

Ransomware groups are constantly changing their tactics, techniques, and procedures (TTPs) which is why it is so important to provide ongoing security awareness training to the workforce. This campaign is especially concerning because of the effort the threat actor is putting into the impersonation of a potential customer. Ransomware groups often copy each other’s tactics, and if this campaign proves to be successful, the same TTPs are likely to be used by other groups.

It is therefore recommended to incorporate these TTPs into your security awareness training and make sure that employees are made aware of this new method of attack. Companies that use TitanHQ’s SpamTitan solution can easily provide training to the workforce on specific tactics through short training modules and incorporate new tactics in their phishing simulations. Phishing simulations can be quickly and easily spun up through the platform in response to changing TTPs and administrators will be able to get instant feedback on the likelihood of employees falling for a campaign. A phishing simulation failure will immediately trigger a training module specific to the threat, ensuring employees are provided with the additional training they need to avoid similar threats in the future.

Call TitanHQ today for more information on the SafeTitan security awareness training and phishing simulation platform and find out how it can significantly improve your company’s security posture.

Chinese Hackers Compromising Patched Barracuda Email Security Appliances

The Federal Bureau of Investigation (FBI) has issued a warning that Chinese hackers are continuing to gain access to Barracuda email security appliances, even those that have been patched against a recently disclosed zero-day vulnerability, and has urged organizations to immediately remove the appliances.

The vulnerability, tracked as CVE-2023-2868, affects Barracuda Networks’ Email Security Gateway (ESG) appliances and occurs when the appliance screens email attachments. It is a remote command injection vulnerability that allows unauthorized execution of system commands with administrator privileges on the ESG appliance. Barracuda issued a patch to fix the flaw on May 20, 2023, after identifying hacks on May 19.

The vulnerability can be exploited via maliciously formatted TAR file attachments sent to an email address on a domain that has an ESG appliance connected to it. When the attachment is scanned, the malformed archive triggers a command injection into the ESG, and system commands are executed with the privileges of the ESG. No user interaction is required to exploit the vulnerability.

According to the FBI, Chinese hackers have been exploiting the vulnerability since October 2022 as part of a state-run cyberespionage operation and have compromised hundreds of appliances. Mandiant assisted with investigating the hacks and said this is the broadest cyber espionage campaign conducted by Chinese state-sponsored hackers since the mass exploitation of a Microsoft Exchange vulnerability in 2021.

In a Flash Alert issued on Wednesday, the FBI recommended all affected devices be immediately replaced. “The FBI strongly advises all affected ESG appliances be isolated and replaced immediately, and all networks scanned for connections to the provided list of indicators of compromise immediately,” and said the patches released by Barracuda to address the flaw were ineffective.

The advice follows that of Barracuda, which said in June that all hacked Email Security Gateway appliances should be immediately replaced, regardless of whether patches had been applied. Even after the patches had been applied, continued malicious activity was observed on the previously compromised devices. A new form of malware, dubbed Submarine, was deployed on compromised appliances, which resides in a structured query language (SQL) database on the appliance and is a backdoor that provides persistent access.

Vulnerabilities can exist in any software solution, even those that are meant to provide protection. This is why it is important to have multiple layers of protection: if one layer fails, others are there to detect and block threats. Many threats start with a malicious email, which is why email security is so important. Having SpamTitan Plus in place will provide a high degree of protection and will stop malware from reaching its intended recipient. SpamTitan Plus is a leading-edge, AI-driven anti-phishing and anti-malware solution with the newest “zero-day” threat protection and intelligence. The solution includes 100% coverage of all current market-leading anti-phishing feeds and provides 1.6x faster detection of threats than the current market leaders. SpamTitan Plus provides unrivaled protection against malicious links in emails and includes signature-based malware detection and behavioral detection through sandboxing. For more information on SpamTitan Plus, give the TitanHQ team a call.

Simple, Yet Effective Phishing Campaign Targets Zimbra Collaboration Credentials

Phishing campaigns do not need to be especially sophisticated to be effective, as a recently identified campaign that targets Zimbra Collaboration credentials clearly demonstrates. Zimbra Collaboration, previously known as Zimbra Collaboration Suite, is a software suite that includes an email server and web client. Zimbra Collaboration email servers are targeted by a range of different threat actors, including state-sponsored hackers and cybercriminals for espionage, conducting phishing attacks, and gaining a foothold that can be used for a more extensive compromise of an organization.

This global campaign targets users’ credentials and does not appear to focus on any specific sector; the threat actor behind the campaign and their motives are not known. The highest number of attacks have occurred in Poland, Ecuador, and Italy. Like many phishing campaigns, the emails warn users about a security update, security issue, or pending account deactivation, and they appear to have been sent by an email server administrator.

The emails include an HTML attachment, which is opened as a locally hosted page in the user’s browser. The HTML file displays a Zimbra login prompt that is tailored for each organization and includes their logo and name, and the targeted user’s username is prefilled. If the user enters their password, the credentials are transmitted to the attacker’s server via an HTTPS POST request.

The campaign was identified by security researchers at ESET, who observed waves of phishing emails being sent from companies that had previously been targeted, which suggests that some of the attacks have allowed the threat actor to compromise administrator credentials and set up new mailboxes to target other organizations.

Despite the simplicity of the campaign, it has proven to be very effective, even though the login prompt in the HTML file differs considerably from the genuine Zimbra login prompt and the page is opened locally; the failure to identify these red flags in the emails suggests a lack of security awareness training. The emails are also likely to have a low detection rate with email security solutions, as the only malicious element is a single link to a malicious host, and that link is within the HTML file rather than the email body.
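Because the only malicious element lives inside the attachment, a defender has to look at the HTML itself. The following scanner is an added example, not code from the original post or from ESET: it parses an HTML attachment and flags a form with a password field that submits to an external host, reporting any prefilled username; the sample page and the collector domain are constructed placeholders.

```python
"""Added example, not code from the original post or from ESET: a static
scanner for HTML email attachments that flags the pattern described above,
a locally opened page with a password field that submits credentials to an
external host, optionally with the victim's username prefilled.

Assumptions: the sample attachment below is constructed for illustration and
the collector domain is a placeholder, not a real indicator."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake Zimbra-style login page that POSTs to an
# attacker-controlled host (placeholder .invalid domain).
SAMPLE_HTML = """
<html><body>
<h2>Example Corp - Zimbra Web Client</h2>
<form method="post" action="https://collector.invalid/zimbra/login">
  <input type="text" name="username" value="jdoe@example.com">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Script-based submission (fetch/XHR/sendBeacon) can send a password
# without any <form action>, so it is treated as a second signal.
SCRIPT_SUBMIT = re.compile(r"\b(fetch\s*\(|XMLHttpRequest|sendBeacon)", re.I)


class _FormCollector(HTMLParser):
    """Collect every <form> with its action and the <input> tags inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.inputs = []          # all inputs, inside or outside a form
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input":
            self.inputs.append(attrs)
            if self._current is not None:
                self._current["inputs"].append(attrs)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _is_password(inp):
    return (inp.get("type") or "").lower() == "password"


def _prefilled_identities(inputs):
    """Values already typed into text/email fields (a prefilled username)."""
    return [inp["value"] for inp in inputs
            if (inp.get("type") or "text").lower() in ("text", "email")
            and inp.get("value")]


def scan_html_attachment(html, allowed_hosts=()):
    """Return findings for an HTML attachment; an empty list means no
    credential-harvesting pattern was seen. `allowed_hosts` lists hosts a
    password may legitimately be submitted to (e.g. the org's own webmail)."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not any(_is_password(i) for i in form["inputs"]):
            continue
        host = (urlparse(form["action"]).hostname or "").lower()
        if host and host not in allowed_hosts:
            findings.append({
                "kind": "password_form_to_external_host",
                "action_host": host,
                "prefilled_identity": _prefilled_identities(form["inputs"]),
            })
    if any(_is_password(i) for i in parser.inputs) and SCRIPT_SUBMIT.search(html):
        findings.append({"kind": "password_field_with_script_submission"})
    return findings


if __name__ == "__main__":
    for finding in scan_html_attachment(SAMPLE_HTML):
        print(finding)
```

A prefilled identity in the finding is worth alerting on by itself, since a generic login page has no reason to know the recipient's address.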

Phishing remains one of the most effective ways for hackers to gain initial access to networks. Combatting phishing attacks requires a combination of measures. A spam filter such as SpamTitan should be used to block the emails and prevent them from reaching their intended targets. SpamTitan incorporates signature-based and behavioral detection mechanisms for identifying malware, link scanning, and reputational checks to ensure a high catch rate and low false positive rate.

No spam filtering solution will be able to block all malicious emails without also having an unacceptably high false positive rate, so it is important to also provide regular security awareness training to employees to teach them how to recognize and avoid malicious emails. Security awareness training should also incorporate phishing simulations to give employees practice at identifying threats. If a threat is not detected, it can be turned into a training opportunity. TitanHQ’s security awareness training platform – SafeTitan – delivers instant training in response to a failed phishing simulation, and also delivers training in response to other security mistakes, ensuring training is provided when it has the greatest impact. Training data shows that SafeTitan reduces employee susceptibility to phishing attacks by up to 80%, and combined with SpamTitan email security, ensures that businesses are well protected from phishing attacks and other cyber threats.

SpamTitan and SafeTitan, like all TitanHQ solutions are available on a free trial and product demonstrations can be arranged on request.

New Backdoor Malware Variants Deployed on Barracuda ESG Appliances

A zero-day vulnerability in Barracuda email security gateway (ESG) appliances was exploited to deliver three malware variants onto the devices. These previously unknown malware variants have been dubbed SeaSide, Saltwater, and SeaSpy, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently reporting that an additional malware backdoor dubbed Submarine was also deployed in the attacks.

Initially, Saltwater malware – a trojanized Barracuda SMTP daemon – was used and allowed the threat actor to perform several actions such as steal files, run shell commands remotely, and proxy traffic to evade intrusion detection systems. SeaSpy malware was deployed to provide persistence and monitor SMTP traffic, and SeaSide malware was used to establish reverse shells and connect with the attacker’s command-and-control server, which allowed remote code execution via SMTP HELO/EHLO messages and provided the attacker with complete control of the appliances, allowing additional malware payloads to be delivered.

According to CISA, “SUBMARINE is a novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup.”

The zero-day vulnerability in the Barracuda ESG is tracked as CVE-2023-2868 and is a remote command injection vulnerability, a patch for which has now been released. The vulnerability could be exploited remotely by a threat actor with a malicious email message – an email with a specially crafted .tar file attachment that masqueraded as a harmless .jpeg or .dat file. The attachment was used to exploit the vulnerability and gain access to ESG appliances.
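One generic check that catches the masquerade described above is to type the attachment from its bytes rather than its name. The following is an added example, not code from the original post or from Barracuda: it sniffs JPEG and tar signatures and flags an archive delivered under a .jpeg, .dat or other non-archive extension; the sample archive is built in memory for illustration.

```python
"""Added example, not code from the original post or from Barracuda: a
content-versus-extension check for email attachments, aimed at the masquerade
described above (a .tar archive delivered under a harmless-looking .jpeg or
.dat name). Types are decided from the bytes, never from the file name.

Assumptions: the sample archive is built in memory here for illustration; the
signatures are the standard JPEG SOI marker and the POSIX tar "ustar" magic."""
import io
import os
import tarfile

JPEG_MAGIC = b"\xff\xd8\xff"          # JPEG start-of-image marker
TAR_MAGIC_OFFSET = 257                # "ustar" lives at byte 257 of block 0

# Which sniffed type each declared extension is allowed to carry. A .dat file
# is opaque by convention, so it is permitted to be "unknown" but nothing else.
EXPECTED_BY_EXTENSION = {
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
    ".tar": {"tar"},
    ".dat": {"unknown"},
}


def sniff_type(data: bytes) -> str:
    """Coarse content type from magic bytes: 'jpeg', 'tar' or 'unknown'."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + 5] == b"ustar":
        return "tar"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the declared extension with the sniffed content type.

    `suspicious` is True when the content is a type the extension should
    never carry (an archive named .jpeg, or anything but opaque data named
    .dat), or when the extension is one this check has no expectation for
    but the content is an archive."""
    ext = os.path.splitext(filename)[1].lower()
    sniffed = sniff_type(data)
    expected = EXPECTED_BY_EXTENSION.get(ext)
    if expected is None:
        # Unknown extension: only an archive hiding behind it is flagged.
        suspicious = sniffed == "tar"
    else:
        suspicious = sniffed not in expected
    return {
        "filename": filename,
        "declared_ext": ext,
        "sniffed": sniffed,
        "suspicious": suspicious,
    }


def build_sample_tar() -> bytes:
    """Construct a tiny tar archive in memory (sample data, not an indicator)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"sample member"
        info = tarfile.TarInfo(name="readme.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_tar()
    for name in ("invoice.jpeg", "update.dat", "archive.tar"):
        print(check_attachment(name, archive))
```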

The exploits of the vulnerability have been linked with a pro-China hacking group tracked as UNC4841, which was discovered to have conducted a series of attacks in May, although CISA reports that the threat actor may have been exploiting the vulnerability undetected since as early as October 2022 to gain access to ESG appliances and steal data.

With access to ESG appliances, the threat actor was free to remotely execute code for months. The ESG appliances are used across the public and private sectors, including government organizations, so the compromising of the appliances since October 2022 is of particular concern, as the threat actor may have been able to steal sensitive data for several months undetected. Many large companies also use Barracuda’s ESG appliances including Delta Airlines, Kraft Heinz, Samsung, and Mitsubishi, all of which were affected.

While the vulnerability has been patched, UNC4841 has proven to be very persistent, switching its persistence mechanisms when the attacks were detected. Indicators of Compromise and MD5 hashes were issued by Barracuda to help clients determine if their ESG devices had been compromised and Barracuda even offered its customers a new appliance, regardless of their patch status.

These attacks involved the discovery and exploitation of a previously unknown vulnerability in the ESG appliances and were the work of highly skilled hackers, although, like many attacks, the vulnerability was exploited via a malicious email. An extra layer of protection can be provided by SpamTitan Plus, which specifically combats phishing emails and incorporates signature-based and AI-based behavioral detection mechanisms to improve protection against zero-day threats, including novel malware variants. Using SpamTitan Plus in addition to other security solutions will greatly improve the probability of detecting and blocking malicious emails and zero-day threats. These attacks demonstrate why it is important to have multiple layers of security, and not to rely on a single cybersecurity solution.

LokiBot Malware Distributed Email Campaign Exploiting Known Vulnerabilities

Cybercriminals are exploiting unpatched remote code execution vulnerabilities to distribute an information-stealing malware called LokiBot. LokiBot, also known as LokiPWS, primarily targets Windows systems and collects sensitive information from infected devices including usernames and passwords. The malware can also log keystrokes, capture screenshots, steal information from web browsers, and empty cryptocurrency wallets. LokiBot was discovered in 2016 and has been active since at least 2015, and is primarily spread via email, most commonly through malicious email attachments.

One of the latest campaigns exploits the Microsoft Office vulnerability, CVE-2021-40444, and the Microsoft Windows Support Diagnostic Tool (MSDT) vulnerability, CVE-2022-30190, to embed malicious macros in Office documents that deliver LokiBot. The campaign was detected by security researchers at FortiGuard Labs in May 2023, and the campaign is still active.

The infection process is different depending on which vulnerability is exploited. The Word document that exploits the CVE-2021-40444 vulnerability includes a GoFile link embedded in an XML file, which will download an HTML file that exploits the CVE-2022-30190 vulnerability, which will deliver a Visual Basic payload that delivers LokiBot. Alternatively, a Word file is used that contains a VBA macro that drops an INF file, through which a connection will be made to the command-and-control server and LokiBot will be loaded.

LokiBot may be an old malware variant, but it is regularly updated, and the methods used to distribute the malware regularly change. This campaign takes advantage of businesses that are slow to implement patches. Ensuring patches for known vulnerabilities or workarounds are implemented quickly is vital. Email anti-spam services will also protect against attacks such as these. It is important to use an email security solution that does not rely on signature-based detection methods. Malware variants are constantly updated and changed to evade signature-based detection methods, so AI-based solutions should be used that can detect novel malware variants by their behavior.

SpamTitan includes both detection methods and will scan for known malware variants and subject attachments to in-depth analysis in a sandbox to identify malicious actions, such as command-and-control center callbacks. SpamTitan also performs a barrage of front-end and advanced checks on all emails, including machine-based detection methods that can identify emails that deviate from those typically received by a business, ensuring security teams are rapidly alerted about potential threats. Security awareness training is also strongly recommended to educate end users about email-based threats and teach security best practices, such as always exercising caution with emails, email attachments, and messages containing external links.

If you want to improve your defenses against malware and other cyber threats, give the TitanHQ team a call. SpamTitan, along with other TitanHQ cybersecurity solutions, is available on a free trial to allow you to test the product in your own environment before deciding if it is right for your business.

TitanHQ Feature Updates Announced for SafeTitan, WebTitan, and SpamTitan

TitanHQ has made several enhancements to its suite of cybersecurity solutions this month, including an update to the SafeTitan security awareness training and phishing simulation platform to better meet the needs of Managed Service Providers (MSPs) and the release of a new version of the WebTitan DNS-based web filtering solution – Version 5.03, which is now being rolled out for all customers. SpamTitan spam-filter users are also due to get an upgrade, with version 9.01 of the platform due to be released.

The SafeTitan update added a new Auto Campaigns feature for MSPs to better meet the needs of their SMB clients and protect them against increasingly sophisticated phishing threats. While it is vital to have an email security solution such as SpamTitan in place to block email-based threats, workforces also need to be provided with security awareness training to ensure they have the skills to recognize and avoid the full range of cyber threats.

The SafeTitan platform can be used by SMBs for training their workforces and giving them practice at identifying threats and also by MSPs to meet the training needs of their clients. The new Auto Campaigns feature is an automation tool that allows MSPs to reduce the time spent planning and managing security awareness and phishing simulation campaigns for their SMB clients. The AI-driven feature helps MSPs streamline the security training process and improve efficiency while saving time and resources. The Auto Campaigns feature allows MSPs to create an annual set of phishing simulation campaigns for all clients within minutes.

WebTitan is an award-winning web filtering solution that is used by thousands of SMBs, enterprises, and MSPs for controlling access to the Internet and blocking web-based cyber threats. The latest version of the platform includes several new features and bug fixes.

Users now benefit from a new summary report page, the custom block page has a new layout, and several new features have been added. These include support for the customization of the global default policy on the MSP level, which allows the application of a custom default policy on the creation of a customer account. Support has been added for the customization of the default policy on the customer level, it is now possible to inherit the allowed & blocked domains from the customer default policy, and support has been added for allowing/blocking a top-level domain (TLD) on a customer policy and global domains.

SpamTitan is due for an imminent upgrade which will include several new, advanced MSP features. Version 9.01 will have a new history/quarantine feature for MSPs that will allow them to quickly act on customer emails at the MSP level. Link Lock inheritance has been added at the MSP level to avoid having to drill down to individual domains to make changes, and a new pattern filtering feature has been added which simplifies SpamTitan administration for MSPs and allows them to secure all customers from one place. There is also a simplified mail view, which improves the user experience and makes email analysis simpler.

MSPs also have an Other Products option, which allows them to easily offer other products in the TitanSecure bundle to customers – ArcTitan email archiving, WebTitan web filtering, and SafeTitan security awareness training – and provide a comprehensive, multi-layered security defense system to customers.

New Mystic Stealer Malware Proves Popular with Cybercriminal Community

A new information stealing malware variant called Mystic Stealer is proving extremely popular with hackers. The malware is currently being promoted on hacking forums and darknet marketplaces under the malware-as-a-service model, where hackers can rent access to the malware by paying a subscription fee, which ranges from $150 for a month to $390 for three months.

Adverts for the malware first started appearing on hacking sites in April 2023 and the combination of low pricing, advanced capabilities, and regular updates to the malware to incorporate requested features has seen it grow in popularity and become a firm favorite with cybercriminals. The team selling access to the malware operates a Telegram channel and seeks feedback from users on new features they would like to be added, shares development news, and discusses various related topics.

Mystic Stealer has many capabilities with more expected to be added. The first update to the malware occurred just a month after the initial release, demonstrating it is under active development and indicating the developers are trying to make Mystic Stealer the malware of choice for a wide range of malicious actors. Mystic Stealer targets 40 different web browsers, 70 browser extensions, 21 cryptocurrency applications, 9 MFA and password management applications (including LastPass Free, Dashlane, Roboform, and NordPass), and 55 cryptocurrency browser extensions. The malware can also inject ads into browser sessions, redirect searches to malicious websites, and steal Steam and Telegram credentials and other sensitive data. The most recent version is also able to download additional payloads from its command-and-control server. The malware targets all Windows versions, does not need any dependencies, and operates in memory, allowing it to evade antivirus solutions. The malware is believed to be of Russian origin since it cannot be used in the Commonwealth of Independent States.

Mystic Stealer has recently been analyzed by researchers at InQuest, ZScaler, and Cyfirma, who report that the malware communicates with its C2 server via a custom binary protocol over TCP, and currently has at least 50 C2 servers. When the malware identifies data of interest, it compresses it, encrypts it, then transmits it to its C2 server, where users can access the data through their control panel.

The main methods of distribution have yet to be determined, but as more threat actors start using the malware, distribution methods are likely to become more diverse. The best protection is to follow cybersecurity best practices and adopt a defense-in-depth approach, with multiple overlapping layers of security to protect against all of the main attack vectors: email delivery (phishing), web delivery (pirated software, drive-by downloads, malvertising), and the exploitation of vulnerabilities.

Email security solutions should be used that have signature and behavioral-based detection capabilities and machine learning techniques for detecting phishing emails (SpamTitan). Antivirus software should be used, ideally, a solution that can scan the memory, along with advanced intrusion detection systems. To protect against web-based attacks, a web filter (WebTitan) should be used to block malicious file downloads and prevent access to the websites where malware is often downloaded (known malicious sites/warez/torrent). IT teams should ensure that software updates and patches are applied promptly, prioritizing critical vulnerabilities and known exploited vulnerabilities. In the event of infection, damage can be severely limited by having a tested incident response plan in place.

Finally, it is important to train the workforce on the most common threats and how to avoid them. Employees should be trained on how to identify phishing attempts, be told never to download unauthorized software from the Internet, and be taught security best practices. The SafeTitan security awareness training and phishing simulation platform provides comprehensive training and testing to improve human defenses against malware infections and other cyber threats.

Free OnlyFans Content Used as a Lure in DcRAT Malware Campaign

Malicious actors are distributing malware under the guise of free access to paywall-protected OnlyFans content. OnlyFans is a popular Internet content subscription platform, where visitors can pay to receive premium content from a range of different content creators such as social media personalities, musicians, and celebrities, although the 18+ subscription platform is most commonly associated with X-rated content. The malware campaign targets individuals looking to access the latter for free.

The campaign uses fake OnlyFans content and X-rated lures promising access to private photos, videos, and posts without having to pay for the content. Users are tricked into downloading an executable file that installs a remote access Trojan. A VBScript loader is contained in a ZIP file, and if executed, will deliver a variant of AsyncRAT called DcRAT (aka DarkCrystal) – a remote access Trojan that provides access to the user’s device. DcRAT allows remote access, but can also access the webcam, log keystrokes, manipulate files, steal credentials, cookies, and Discord tokens, and encrypt files for extortion.

Researchers at eSentire identified the campaign after a user attempted to execute the VBScript loader, although it is currently unclear how the ZIP file containing the VBScript loader is being distributed. As such, a defense-in-depth approach is recommended to block the most likely attack vectors. Phishing emails are commonly used for distributing malware. Any email that claims to offer free access to OnlyFans is a major red flag since the site requires paid subscriptions to access content. SEO poisoning may be used to get malicious websites to appear high in the search engine results for key search terms, and malvertising – malicious adverts – may be displayed on legitimate websites through third-party ad networks that direct users to URLs where free content is offered. Compromised social media accounts may be used to post offers of free access to OnlyFans content, and SMS and instant messaging service messages may advertise the offers and include links to malicious websites.

All of these ways of making contact with users can be combatted through phishing and security awareness training using the SafeTitan platform. SafeTitan includes an extensive library of training content for creating security awareness training programs to improve awareness of threats, teach security best practices, and train users how to identify phishing attempts. The platform also includes a phishing simulator for testing responses to phishing attacks, including phishing attempts with OnlyFans-related lures.

Email security solutions should be implemented to block any phishing attempts. SpamTitan incorporates signature and behavior-based detection mechanisms for identifying malicious attachments, link scanning, and machine learning capabilities to identify zero-day phishing attacks. WebTitan Cloud can be used to improve protection against web-based attacks, such as malicious file downloads from malicious and compromised websites, and to prevent access to risky categories of websites and websites that serve no work purpose. IT admins should also consider implementing restrictions for script files, such as blocking VBScript and JavaScript from launching downloaded executable content, or using the Group Policy Management Console to create open-with parameters for script files to ensure they are opened with notepad.exe. These measures will not only be effective at blocking this OnlyFans campaign but also at blocking attempts by other malicious actors to install malware and ransomware.

New SafeTitan Release Includes New Automated Campaign Feature for MSPs

TitanHQ has updated its SafeTitan security awareness training platform to better meet the needs of Managed Service Providers (MSPs) by adding a new feature – Automatic Security Campaigns. The new feature allows MSPs to create an annual set of phishing simulations for their clients to streamline security campaign planning.

All companies should be providing security awareness training to the workforce to improve awareness of the types of threats each employee is likely to face, and security awareness training programs should incorporate ongoing phishing simulations to give employees practice at identifying potential threats outside of a training setting. While the percentage of businesses providing security awareness training is increasing, many have yet to create a program, and those that have often find it is not as effective as they expected. This is an area where MSPs can help and ensure companies get the maximum return on their investment in training.

By signing up with TitanHQ, MSPs can provide security awareness training through the SafeTitan platform. SafeTitan includes an extensive library of training content that allows MSPs to create training programs to meet the needs of each company and tailor the training for different employee groups within the company to ensure it is relevant. The training content is proven to improve understanding of threats and reduce susceptibility to phishing and other social engineering attacks. Training courses can be created quickly and the provision of training automated, with employee progress tracked and client reports scheduled to keep them up to date on how training is progressing.

Conducting phishing simulations is also straightforward, but thanks to the new Automatic Security Campaigns feature, MSPs can create and run phishing simulations more efficiently, spend less time managing the campaigns, and boost the profitability of their security awareness and phishing simulation service. MSPs can use this feature to schedule phishing simulations using messages of varying types, at the required frequency, over the course of the year – a process that takes just a few minutes.

“By introducing automated campaign scheduling to SafeTitan, we are empowering our MSP partners to optimize their security training efforts, boost productivity, and deliver exceptional results to their clients,” said Ronan Kavanagh, CEO, TitanHQ. “This new feature aligns perfectly with our MSP First Strategy and provides innovative solutions that simplify the complexities of managing a client’s security awareness training.”

Phishing Remains the Most Common Method Used in Cyberattacks on Businesses

Phishing is still the most common method used by cybercriminals in attacks on businesses, as has been confirmed by a new survey of IT security and identity professionals. The Identity Defined Security Alliance recently conducted a survey of 529 IT security professionals and identity professionals at organizations with more than 1,000 employees and found 62% had experienced an identity-related incident in 2022, and out of those, 93% said they had experienced an email phishing incident.

Phishing is popular with cybercriminals as it is easy to conduct campaigns, which can be largely automated and require little skill. These campaigns are low cost and they are effective, as people can easily be fooled into disclosing their credentials or downloading malicious files. Email remains the most common vector used for phishing, with emails usually including a web-based component. Users are directed to malicious websites where malware is downloaded, or their credentials are harvested.

Phishing campaigns can be made even more effective if the emails are targeted. General phishing emails that are sent in massive spamming campaigns will attract a low number of responses but certainly enough to make these campaigns worthwhile; however, by targeting small numbers of individuals the response rate increases dramatically. Spear phishing involves tailoring emails for a specific group of people or researching individuals and sending personalized phishing emails. The survey revealed 49% of respondents had experienced spear phishing attacks in the past year.

Phishing is no longer solely conducted via email, and attacks involving other attack vectors have been steadily increasing. SMS and instant messaging platforms are commonly used for phishing; these attacks are referred to as smishing, and phishing conducted over the phone is termed vishing. 27% of respondents said they experienced smishing or vishing attacks in the past year.

Phishing attacks can be extremely costly for businesses. These attacks are conducted to gain initial access to business networks to steal sensitive data, which can be used in a wide variety of ways. Once access to networks is gained and all valuable data has been stolen, access to those networks is often sold to other threat actors such as ransomware gangs for follow-on attacks. Businesses are also increasingly being sued for data breaches by employees and customers; the attacks take time to remediate, causing business disruption, and often result in significant reputational damage.

Phishing attacks are increasing in sophistication as well as number. While it was once sufficient to implement a spam filtering solution and antivirus software to block attacks, defenses have had to become more comprehensive and sophisticated and provide multiple layers of protection.

TitanHQ solutions can form the basis of a robust defense against phishing. TitanHQ offers three cybersecurity solutions that work seamlessly together that can be used by businesses to mount a formidable defense against phishing attacks, with each solution tackling the threat of phishing from a different angle.

The first layer of defense comes from SpamTitan Email Security – An advanced email security solution for blocking phishing and spam emails, including attacks seeking credentials and those delivering malware. SpamTitan incorporates anti-virus software (dual AV engines) for detecting known malware variants, and behavioral analysis through email sandboxing for detecting zero-day (unknown) malware threats.

Protection against the web-based element of phishing comes from the WebTitan DNS filter, which is used to prevent employees from visiting malicious websites and for controlling access to the Internet through category- and keyword-based web filtering. WebTitan blocks downloads of malicious files and risky file types, and secures the DNS to block command-and-control callbacks. WebTitan blocks not only the web-based component of email phishing attacks but also phishing and other malicious websites encountered through web browsing, such as redirects to malicious websites from online adverts (malvertising).

The third layer of protection is concerned with improving human defenses, which is vital considering that more than 80% of data breaches involve the human element (Verizon Data Breach Investigations Report). SafeTitan is used to create effective security awareness training, tailored to meet the needs of each business and individual. The platform includes a huge library of training content that can be tailored for user groups and individuals which covers all aspects of security. Through SafeTitan training, businesses can raise awareness of threats and eradicate bad security practices. The solution also includes a phishing simulator for testing employees, which delivers on-the-spot training in real-time in response to security mistakes.

Cybercriminals are unlikely to stop conducting attacks and they are only likely to increase in number and sophistication. Businesses therefore need to make sure their defenses are up to scratch. For more information on these TitanHQ solutions, contact the sales team today. You can also take advantage of free trials of these solutions to test them before deciding on a purchase.

RPMSG Attachments Used in Sophisticated Phishing Attacks to Steal M365 Credentials

A new phishing technique has been identified by security researchers that uses compromised Microsoft 365 accounts to send phishing emails that contain .RPMSG attachments, which are used in a sophisticated attack to gain access to Microsoft 365 accounts.

RPMSG files are used to deliver e-mails with the Rights-Managed Email Object Protocol enabled. In contrast to regular emails that are sent in plain text and can be read by anyone or any security solution, these files are encrypted and are stored as an encrypted file attachment. The files can also be used to limit the ability of users to forward or copy emails. The intended recipient can read the encrypted messages after they have been authenticated, either by using their Microsoft 365 credentials or a one-time passcode.

Phishing attacks using these files give the impression that the messages are protected and secured, as access is restricted to authorized users. If a user is unfamiliar with RPMSG files and they perform a Google search, they will quickly discover that these files are used for secure emails, giving the impression that the emails are genuine.

The use of RPMSG files in phishing attacks was discovered by researchers at Trustwave. In this scam, an email is sent from a compromised account, and since these accounts are at legitimate businesses, the emails appear genuine. For example, one of the scams used a compromised account at the payment processing company Talus Pay.

The emails are sent to targeted individuals, such as employees in the billing department of a company. The emails are encrypted, and credentials need to be entered before the content of the email can be viewed. In this campaign, the emails tell the recipient that Talus Pay has sent them a protected message, and the email body includes a “Read the message” button that users are prompted to click. The emails also contain a link that the user can click to learn about messages protected by Microsoft Purview Message Encryption.

If the recipient clicks the link to read the message, they are directed to a legitimate Office 365 email webpage where they are required to authenticate with their Microsoft 365 credentials. After authentication, the user is redirected to a fake SharePoint document, which is hosted on the Adobe InDesign service. If they try to open the file, they are directed to the final destination URL that shows a “Loading… Wait” message, and while on that URL, a malicious script runs and collects system information. When that process is completed, a cloned Microsoft 365 login form is displayed, which sends the username and password to the attacker’s command and control server if entered. The script collects information such as visitor ID, connect token and hash, video card renderer information, system language, device memory, hardware concurrency, installed browser plugins, browser window details, and OS architecture.

The problem with phishing attempts involving encrypted content is that email security solutions are unable to decrypt the content. In this scam, the only URL in the email directs the user to a legitimate Microsoft service which is not malicious, making these phishing attempts difficult to block without also blocking legitimate Microsoft encrypted emails. The key to preventing this type of sophisticated phishing attack is education. Through security awareness training, employees should be warned never to open unsolicited encrypted messages, even if the messages appear to have been sent by a legitimate user. They should also be conditioned to report any such messages to their IT security team for further investigation.
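Because the gateway cannot decrypt the payload, the only signals left are metadata. The triage below is an added example (not Trustwave or TitanHQ code) that holds an inbound message for review when it carries an `.rpmsg` attachment from a domain outside a constructed allowlist, or when it is not a reply to an existing thread, which is one way to operationalise the "never open unsolicited encrypted messages" rule; the allowlist, addresses and attachment bytes are all constructed.

```python
from __future__ import annotations

import email
import email.utils
from email import policy
from email.message import EmailMessage

# Constructed allowlist (assumption): domains this organisation expects
# Purview-encrypted mail from.  Any other sender carrying .rpmsg is held.
TRUSTED_ENCRYPTED_SENDERS = {"bank.example", "counsel.example"}


def has_rpmsg_attachment(msg: EmailMessage) -> bool:
    """True if any MIME part is an RPMSG attachment, judged by filename only,
    since the gateway cannot decrypt the payload."""
    return any((part.get_filename() or "").lower().endswith(".rpmsg")
               for part in msg.walk())


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the From: address, lower-cased ('' if unparsable)."""
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def is_reply(msg: EmailMessage) -> bool:
    """A protected message the user actually asked for normally references
    an earlier thread; a cold one does not."""
    return bool(msg.get("In-Reply-To") or msg.get("References"))


def triage(raw: bytes) -> dict:
    """Classify one inbound message: returns its findings and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if has_rpmsg_attachment(msg):
        domain = sender_domain(msg)
        if domain not in TRUSTED_ENCRYPTED_SENDERS:
            findings.append(f"rpmsg attachment from unexpected domain: {domain}")
        if not is_reply(msg):
            findings.append("unsolicited encrypted message (no In-Reply-To/References)")
    return {"findings": findings,
            "action": "hold-for-review" if findings else "deliver"}


def build_sample(from_addr: str, reply: bool) -> bytes:
    """Constructed test message with a dummy (non-functional) RPMSG attachment."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "billing@company.example"
    m["Subject"] = "You have received a protected message"
    if reply:
        m["In-Reply-To"] = "<original-thread@company.example>"
    m.set_content("Read the message")
    m.add_attachment(b"dummy-rpmsg-bytes", maintype="application",
                     subtype="octet-stream", filename="message.rpmsg")
    return bytes(m)


if __name__ == "__main__":
    print(triage(build_sample("accounts@vendor.example", reply=False)))
    print(triage(build_sample("notices@bank.example", reply=True)))
```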

The SafeTitan security awareness training program can be used by businesses to create training courses for employees, tailored to each individual’s role and the threats they are likely to encounter. The training content is engaging to improve knowledge retention and can be easily updated to include information on the latest threats, such as phishing attacks involving RPMSG files. The platform also includes a phishing simulator that can be used to automate phishing simulations on the workforce, and RPMSG phishing emails can easily be incorporated into the simulator to check whether employees are fooled by these sophisticated attacks. If a user fails a phishing simulation, they are automatically provided with training content in real-time relevant to the simulation they failed. This on-the-spot training is the most effective way of re-educating the workforce and ensures training is provided at the point when it is most likely to be effective.

For more information on SafeTitan security awareness training and phishing protection, call the TitanHQ team today.

Business Email Compromise: The Biggest Cause of Losses to Cybercrime

Business email compromise (BEC) is big business. For several years, BEC attacks have been the leading cause of losses to cybercrime according to the Federal Bureau of Investigation (FBI). Over the past 5 years, BEC incidents have resulted in more than $43 billion in losses globally, with $83,883,493 in reported losses to BEC scams in 2022.

BEC, also known as email account compromise (EAC), is a sophisticated scamming technique that targets employees and the businesses they work for. These attacks can be conducted to obtain sensitive information such as W-2 forms, which can be used for large-scale tax fraud, but most commonly attempt fraudulent payments, where an employee is tricked into changing payment details for an upcoming payment.

BEC attacks usually start with phishing emails. These can be general phishing emails to gain access to any employee email account, which is then used to send further phishing emails within a company and to vendors to get the high-value email credentials that the attackers seek. Alternatively, spear phishing emails are crafted for well-researched targets, such as employees in the finance department of a company who are likely to have responsibility for making wire transfers, or employees at vendors who handle customer accounts. Social engineering techniques are used in the phishing emails to trick the targets into disclosing their credentials.

When access is gained to a targeted email account, the attacker can learn a great deal about the company and can identify vendors/clients, view invoices, and learn about upcoming payments. The style of the target’s emails can be identified, so emails can be carefully crafted using a similar writing style and language to prevent the scam from being detected. A request is then made via email to change banking details for an upcoming payment to attacker-controlled accounts. These accounts are commonly created at overseas banks in Thailand, Hong Kong, China, Mexico, and Singapore.

When the payment is made, funds are rapidly transferred to other accounts or are withdrawn, often before the fraudulent payment is detected. The payments are often large – tens of thousands, hundreds of thousands, or millions of dollars. One common tactic used in BEC attacks is to impersonate construction companies. Research is conducted online to identify a company’s current work projects, and company email accounts are targeted. When access to accounts is gained, the scammers identify contact information, bid information, and project costs.

Construction projects often involve regular payments during construction, so the attackers change bank account information for an upcoming sizable payment. The client of the construction company expects to make a payment, so a simple change of bank account information is unlikely to arouse suspicion, especially since the request comes from a genuine company domain and email account with the correct logos and footers. Oftentimes, the victim has been communicating with the construction company through the same email account. Email communications between the victim and the scammer can span several emails, with the attackers taking their time before making the request. Reports of losses to the FBI between 2018 and 2020 show the fraudulent payments range from around $10,000 to $4 million.

Defending against BEC attacks requires a combination of measures that aim to block the initial account compromise, detect any compromises, identify suspicious requests, and monitor accounts for any irregularities. Advanced phishing defenses are required to block the initial phishing attacks where account credentials are obtained. SpamTitan performs a barrage of tests to identify and block phishing and spear phishing emails. These attacks can involve spoofing rather than email account compromise, and SpamTitan solutions can detect and block emails from fake accounts as well as malware, which is often used to gain initial access to networks before pivoting to email accounts.

SpamTitan also incorporates machine-learning detection mechanisms to identify deviations from the standard emails that a business usually receives, which can identify and block the initial phishing emails and fraudulent emails sent from compromised accounts, since checks are performed on inbound and outbound emails. 2-factor or multi-factor authentication should also be enabled for all company email accounts.

2-factor authentication processes should also be established for any changes to account information. Any request to change account information or change upcoming payments should be verified using a second authentication mechanism such as a telephone call to a verified contact number. Staff should also be provided with security awareness training to alert them to phishing and BEC attacks. SafeTitan security awareness training has extensive training content on phishing and BEC attacks and allows training courses to be easily developed and automated for the specific employees who are likely to be targeted in these scams to provide them with advanced training on how to detect BEC attacks.

For more information on improving email security and security awareness training, contact TitanHQ. TitanHQ solutions are available on a free trial, with full access to customer support for the duration of the trial to help you get the most out of the products.

PDF File Attachments Used for Distributing QBot Malware

When Microsoft started blocking macros in Internet-delivered Office files, threat actors had to come up with new ways of distributing malware via email. Since then, there has been a rise in the use of OneNote files in phishing attacks. OneNote files allow scripts to be embedded and serve as an ideal replacement for Office files and macros; however, Microsoft has responded with security updates for OneNote to prevent this technique from being used for malware distribution. There has also been an increase in the use of container files to bypass protections, which include compressed files such as .rar and .zip, and .iso files.

Another method of bypassing these protections has been adopted to distribute QBot malware. QBot is used to gain initial access to business networks and is often used to drop malware payloads for other threat actors. QBot used to be delivered via phishing emails using malicious macros in Office file attachments, but that technique is no longer viable due to Microsoft’s updates. Instead, the threat actor is now using a combination of .pdf files and Windows Script Files. The phishing emails have a .pdf attachment, which downloads a .wsf file, which is used to deliver QBot.

The emails used in this campaign are reply chain emails, which makes it appear that the emails have been sent as a reply to a previous conversation. That increases the chances of the email being opened as employees are usually trained to be suspicious of unsolicited emails from unknown senders. If the attachment is opened, the PDF file states that the document is protected, and the user is required to click an ‘open’ link, which will trigger a download of a .zip file that includes a Windows Script file.

If the user double-clicks that file, the script will be executed, which will run a PowerShell script that will deliver QBot from a hardcoded URL and execute the malware. QBot will be injected into the Windows Error Manager program and will run silently in the background. QBot will steal sensitive data and can move laterally and compromise other devices on the network. Once data has been stolen, access to QBot-infected devices is sold to ransomware gangs. A single device infected with QBot can easily lead to large-scale data theft and a network-wide ransomware attack.
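The download stage of this chain is a .zip whose payload is a Windows Script File, so a gateway can break the chain by refusing archives that contain script members. The inspector below is an added example (not WebTitan or SpamTitan code) that walks a zip, descends into nested archives by their PK magic rather than their name, and catches double extensions such as `Invoice.pdf.wsf`; the extension list, size limits and sample archives are constructed assumptions.

```python
from __future__ import annotations

import io
import posixpath
import zipfile

# Extensions Windows hands to the script host or shell on double-click;
# the campaign above used .wsf, the rest are the usual substitutes.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta",
                     ".ps1", ".bat", ".cmd", ".lnk"}
MAX_DEPTH = 3                  # nested-archive recursion limit
MAX_MEMBER_BYTES = 50_000_000  # skip oversized members (zip-bomb guard)


def script_members(data: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """Return archive paths of script-like members, descending into nested
    zips (detected by the PK magic, not the file name) up to MAX_DEPTH."""
    found: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found
    with zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            path = prefix + info.filename
            # splitext on the full name catches double extensions such as
            # Invoice.pdf.wsf, which Explorer may display as "Invoice.pdf".
            ext = posixpath.splitext(info.filename)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                found.append(path)
                continue
            payload = zf.read(info)
            if payload[:2] == b"PK" and depth < MAX_DEPTH:
                found.extend(script_members(payload, depth + 1, path + "/"))
    return found


def should_block(data: bytes) -> bool:
    """Gateway decision for a downloaded or attached archive."""
    return bool(script_members(data))


def build_sample_archive() -> bytes:
    """Constructed lookalike of the campaign's download: an outer zip holding
    a renamed inner zip whose only member is a placeholder .wsf file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Invoice.pdf.wsf", "placeholder, not a real script")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("README.txt", "Open the document to view it.")
        z.writestr("document.dat", inner.getvalue())  # nested zip, disguised name
    return outer.getvalue()


def build_clean_archive() -> bytes:
    """Constructed benign archive for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.pdf", "%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(script_members(build_sample_archive()))  # ['document.dat/Invoice.pdf.wsf']
    print(should_block(build_clean_archive()))     # False
```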

The latest campaign involves PDF file attachments, but the methods used for distributing malware such as QBot often change and will continue to do so. The key to improving security is to adopt a defense-in-depth approach, where there are multiple overlapping layers of security in place. If any one measure fails, others will be in place to continue to provide protection.

An email security solution such as SpamTitan is a good place to start. SpamTitan Email Security adds multiple layers of security to your defenses by performing extensive checks on all inbound and outbound emails. Message headers are checked, as is the reputation of the sender, and machine learning techniques are used to identify messages that deviate from the normal messages a user receives. Multiple scans are conducted on email attachments looking for malware and malicious scripts, including signature-based and behavior-based detection through dual antivirus engines and a Bitdefender-powered sandbox. Links are checked and followed to block phishing and malware downloads.

A web filtering solution is an important security measure for blocking the web-based component of these attacks. All attempts to connect with a URL – including automated attempts and clicks by users – will be assessed in real time and blocked if an attempt is made to connect to a known malicious URL. WebTitan can be configured to block downloads of executable files, such as .wsf files, and controls can be implemented to restrict access to websites to confirmed benign URLs.

Email-based attacks attempt to exploit human weaknesses, so it is also important to improve your human defenses through security awareness training. The SafeTitan security awareness training platform can be used to automate workforce training, teach security best practices, eliminate risky behaviors, and make employees aware of the threats they are likely to encounter. The platform also includes a phishing simulator with hundreds of phishing templates to test employees to see how they respond to real-world threats, and automatically assigns further training modules if they fail a phishing simulation. These three solutions can be adopted by businesses to greatly improve their security posture against current and evolving threats. Speak with TitanHQ today to find out more.

Effective Workforce Training to Improve Cybersecurity in Healthcare

On March 30, 2022, the U.S. Senate Homeland Security Committee cleared the Healthcare Cybersecurity Act – new legislation that promises to strengthen the cybersecurity posture of the U.S. healthcare and public health sectors. The U.S. healthcare sector has taken a battering in recent years as cybercriminals have stepped up attacks on the sector. Healthcare organizations are an attractive target due to the vast quantities of sensitive data they store. The data can easily be monetized and used for identity theft and medical fraud, and preventing access to that data puts patients at risk, which increases the probability that extortion attempts will be successful. Cyberattacks on the healthcare sector have proven to be lucrative, with healthcare providers often forced into paying huge ransom demands to decrypt their files, prevent the exposure of stolen data, and get critical systems back up and running quickly to improve patient safety.

In 2020, healthcare cyberattacks increased by 55%, breaking the record set the previous year. More than 26 million medical records were compromised that year, which increased to over 40 million records in 2021 and 2022. 2023 looks like it will see similar numbers of records compromised. Healthcare is a critical industry and healthcare cybersecurity is a patient safety issue. Action is desperately needed at the federal level to improve resilience to cyberattacks, and the Healthcare Cybersecurity Act is a step in the right direction. The Healthcare Cybersecurity Act calls for the U.S. Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services to collaborate and come up with a plan for improving the security posture of the sector. Within a year of the legislation being passed, CISA is required to complete a detailed analysis of the risks to healthcare assets and data, identify the information security challenges faced by organizations in the sector, and come up with a plan to address the shortage of cybersecurity staff, including making recommendations for cybersecurity training for the workforce and enhancing incident response. The legislation also calls for the creation of a Cyber Security Operations Center specifically for the healthcare sector to share real-time threat intelligence to help defend against and respond to cyberattacks.

In the meantime, the cyberattacks continue. While hospitals and health systems are investing heavily in cybersecurity and are improving their technical defenses, hackers are developing new methods to attack the sector, often by exploiting human weaknesses. The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers, health plans, and other covered entities to develop a security awareness training program for employees, but the legislation was signed into law two decades ago and provides little in the way of detail as to what such a program should include or how often training should be conducted. Follow the letter of the law and you will be compliant but will do little to improve your security posture. What is required is a comprehensive training program that can be easily tailored to all members of the workforce and that trains them to recognize the specific threats they are likely to encounter.

The ultimate goal of security awareness training is to develop a security culture, and that simply isn’t possible with an annual training session. Security awareness training needs to be ongoing, with employees up to date on the latest threats, and training needs to be reinforced. This is an area where TitanHQ can help. TitanHQ offers healthcare organizations an easy-to-use platform for developing healthcare-specific training courses covering a broad range of security topics. The platform includes training content on hundreds of topics, delivered through computer-based training courses, videos, and quizzes. The content is engaging and gamified and has been developed to be easy to fit into busy healthcare workflows, with the training content taking no more than 10 minutes per module.

Administrators can easily develop training courses for individual employees, roles, and departments to ensure the training is relevant, and the platform is behavior-driven, with training content automatically generated based on specific employee behaviors, for example failed phishing simulations and security errors such as saving sensitive data in an insecure location. Since the training is generated instantly, it ensures employees receive the training when it is likely to have the maximum impact – immediately after a security mistake is made.

The platform also has enterprise-level reporting, which provides executives with a 360-degree view of the entire organization and the return on investment, with the data provided in an easily digestible format for management, and detailed reports for the compliance team to demonstrate full compliance with the training requirements of the HIPAA Security Rule.

If you want to improve your organization’s security posture, training the workforce to be more security aware is a great place to start. For more information on SafeTitan, or to sign up for a free trial, get in touch with the TitanHQ U.S. team today.

Top Malware Threats and How to Prevent Infections

QBot, Emotet, and Formbook are currently the most prevalent malware threats according to new data from Check Point, all of which are mostly distributed using spam emails. Email is still one of the most common methods of malware distribution, and even Microsoft’s efforts to prevent the malicious use of macros have not changed that.

Last year, Microsoft disabled macros by default in Internet-delivered documents, and while this was a blow to cybercriminals who have relied on macros for their infection process, they simply changed tactics and used other methods for malware delivery. Macros were easy to abuse, as victims just needed to be tricked into enabling macros in documents and ignoring security warnings. Now that macros are disabled, cybercriminals have had to adopt new tactics for distributing malware via email, such as sending malicious links or using alternative attachments, such as OneNote files. The latter has been used to distribute Emotet, which has helped the malware return to the top of Check Point’s most wanted malware list.

OneNote files have proven popular for malware distribution as they allow scripts to be embedded and masked with overlays. The user is instructed to double-click a button in the OneNote file as they are told that the document is protected, when what they are actually doing is double-clicking an executable file embedded under the overlay, thus executing the script and triggering the downloading of a malicious payload. Microsoft has announced that this security issue will be tackled by May, but until then OneNote will continue to be used for malware delivery.

The top three malware variants share some of the same functionality but offer specialized features. QBot, also known as QakBot, was primarily a banking Trojan used to steal banking credentials but is now capable of stealing other credentials due to its keylogging capabilities. It has been in use since 2008 and is one of the oldest malware families currently in use.

Emotet has long been at the top of the most common malware variants and has survived a recent law enforcement takedown. Emotet started life as a banking Trojan but has evolved over the years and is now primarily used as a distributor of other malicious payloads under the malware-as-a-service model. Like QBot, Emotet is also extensively distributed via email, helped by its self-propagating capabilities, which allow it to hijack message threads and send copies of itself to the victims’ contacts.

FormBook has been used since at least 2016 and is an information stealer that is also marketed under the malware-as-a-service model. FormBook primarily harvests credentials from web browsers, but also logs keystrokes, collects screenshots, and can deliver additional files to infected devices. It is one of the most widely distributed malware families due to its capabilities, relatively low cost, and strong evasion techniques.

These three malware variants have had a huge impact globally, with QBot infections detected at 10% of organizations worldwide and Emotet and FormBook each affecting 4% of organizations worldwide. Preventing infections requires a defense-in-depth approach involving multiple layers of protection, with one of the most important layers provided by a spam filter.

All three of these malware families are extensively spread via spam email, so blocking the initial attack vector is by far the best defense. SpamTitan incorporates several layers of protection against malicious emails, including emails with malicious attachments such as OneNote files and malicious links. SpamTitan performs a multitude of front-line checks including message headers and reputation checks and has dual anti-virus engines for detecting malware and sandboxing for behavioral analysis of email attachments. SpamTitan also scans links and uses machine learning algorithms to identify emails that deviate from the genuine emails typically received by businesses.

While a spam filter and endpoint protection solutions such as antivirus software were once sufficient, the speed at which new malware variants are being released and the evasion methods they use mean additional layers of protection are now required. TitanHQ recommends also deploying a web filter to block Internet-based threats. A web filter such as WebTitan augments the spam filter by blocking malware delivery via the Internet and improves protection against non-email-based threats, such as malicious links in text messages and instant messaging platforms.

Threats will occasionally bypass these protections, so it is important to provide security awareness training to the workforce. If the workforce has been educated about cyber threats, a threat that does get through can be recognized and avoided. Security awareness training allows businesses to train employees on security best practices and eradicate the risky behaviors that are often exploited by cybercriminals. SafeTitan is a comprehensive training platform covering all aspects of security and includes a phishing simulation platform for testing how employees respond to phishing threats and providing targeted training where it is needed.

For more information on these solutions and improving your security posture in the most cost-effective way, give the TitanHQ team a call today.

New Business Email Compromise Tactics Identified

Business email compromise tactics commonly change, so businesses need to ensure that they provide regular security awareness training to their workforce. Businesses that implement an ongoing security awareness training program can ensure that all employees are made aware of the emerging tactics so that when a threat is received, they will be able to identify it as such and report it to their security team.

BEC attacks typically involve spoofing an individual or company to get an individual to make a fraudulent wire transfer to an attacker-controlled account. The FBI has recently reported that tactics are becoming more sophisticated, and telephone numbers are also being spoofed. When the targeted individual calls to verify the authenticity of the emailed request, they speak with the scammer. It is vital that employees are told to verify the authenticity of any out-of-band requests for payments, changes to account details, requests for gift cards, and other common scam tactics, and that they use verified contact information to do so, never the contact information supplied in the email.

Another BEC tactic that is becoming increasingly common attempts to obtain goods under false pretenses, instead of tricking people into making wire transfers. This tactic is often adopted by less advanced threat actors, as they do not have to recruit the money mules to accept the payments. According to the FBI, scammers are impersonating the email domains of U.S. companies and are spoofing emails with the real names of company employees, so if checks are performed, they will be passed.

The scammers trick vendors into believing they are conducting legitimate business transactions and fulfilling purchase orders for distribution to new customers. Scams identified by the FBI include the targeting of vendors of agricultural equipment, construction materials, computer hardware, solar energy products, and more. The goods are distributed, and by the time the scam is identified, they have been moved on and cannot be traced or recovered. Since these purchase orders are often for bulk goods, thousands or hundreds of thousands of dollars can be lost.

Businesses often provide new customers with credit repayment terms such as net-30 or net-60, where they are not required to pay for the goods for 30 or 60 days. That means by the time the scam is identified the goods have long since been moved and sold. Businesses naturally conduct credit checks before offering those terms, but the attackers are supplying fake credit references and fraudulent W-9 forms to vendors to get the payment terms to allow them to purchase goods without any upfront payment.

The best way to protect against these scams is to ensure that you have an advanced email security solution in place – such as SpamTitan – to block the initial contact via email. However, it is also important to provide security awareness training to the workforce.

SafeTitan is a modular training platform that allows businesses to develop custom training courses for different individuals, roles, and departments, and to ensure that the training provided is relevant. The platform includes hundreds of training modules and can be tailored to meet the needs of all organizations. The training content is regularly updated to include the latest tactics that are being used, allowing businesses to keep all members of the workforce 100% up to date on the latest threats.

Administrators can trigger training modules for all members of the workforce when new threats are identified. The modules are easy to fit into busy workflows and take no longer than 10 minutes. Through SafeTitan security awareness training, businesses can develop a security culture and greatly reduce susceptibility to phishing and BEC attacks. Data from the SafeTitan phishing simulation platform shows businesses can reduce susceptibility to email scams by up to 80% over time through email attack simulations.

For more information on SafeTitan security awareness training and phishing simulations, contact TitanHQ today.

BEC is Still A Leading Cause of Losses to Cybercrime and Attacks Continue to Increase

Business email compromise (BEC) may not be the most prevalent form of cybercrime, but it is one of the costliest. Over the last few years, BEC attacks have seen the greatest losses out of any form of cybercrime, and BEC attacks have been increasing. According to the Federal Bureau of Investigation (FBI), between July 2019 and December 2021, losses to BEC attacks increased by 65%, and between June 2016 and July 2019 there were 241,206 complaints about BEC attacks and $43,312,749,946 was lost to the scams. In 2022, there were almost 22,000 victims of BEC attacks and adjusted losses to these scams were more than $2.7 billion.

In a typical BEC scam, a criminal sends an email message to a targeted individual that appears to have come from a known source making a legitimate request. Commonly, a company that the victim regularly deals with sends an invoice with an updated bank account or mailing address. A scam may be conducted where the victim is asked to purchase gift cards and email the serial numbers. Scams often target homebuyers, where the message appears to come from the title company with instructions on how to wire the payment. An executive may be impersonated and the tax information of all employees may be requested. There are many variations of these scams, and they often result in thousands, hundreds of thousands, or even millions of dollars in losses.

BEC scammers often spoof an email account or a website, or they may compromise a legitimate email account through a phishing or spear phishing email. With access to email accounts, a scammer can search the accounts to find out more about the company and gain the information they need to conduct realistic scams. Malware may be sent via email that gives the attacker access to email accounts, which allows them to hijack message threads.

One of the most common types of BEC attacks involves the impersonation of an individual or company and a request to send fraudulent wire payments to attacker-controlled bank accounts. Historically, these scams have involved compromised vendor email accounts and a request to change bank account information for upcoming payments for goods and services. In its latest Internet Crime Report, the FBI said BEC scammers are increasingly targeting investment accounts, and utilizing custodial accounts held at financial institutions for cryptocurrency exchanges or requesting victims send funds directly to cryptocurrency platforms.

In the past, scammers have relied on their spoofing tactics but the scam fails if the targeted individual verifies the legitimacy of the request by phone. However, it is now becoming increasingly common for scammers to spoof legitimate business phone numbers and use these to confirm fraudulent banking details with victims. There have been many cases where the victims report they have called a title company or realtor using a known phone number, only to find out later that the phone number has been spoofed.

Defending against BEC attacks requires a combination of measures. First, since these attacks often start with a phishing email, a spam filtering service is essential. A spam filter will block the emails that allow credentials to be stolen and email accounts compromised. Spam filters can also detect and block spoofing and are the primary defense against these attacks. TitanHQ has developed SpamTitan Email Security to help businesses defend against BEC attacks, phishing, and other email-based attacks.

Unfortunately, email filtering alone is not sufficient. A spam filter will block the majority of email threats but additional measures need to be implemented. The key to defending against BEC attacks is defense-in-depth. These attacks target human weaknesses, so it is important to train the workforce to be aware of these scams and the changing tactics of BEC scammers. Employees need to be taught the red flags they need to look for in emails and the security best practices that can thwart these scams.

TitanHQ offers the SafeTitan security awareness platform to businesses which can be used to train employees to be more vigilant and tell them what they need to look for. The platform can be used to teach security best practices, such as carefully examining the email address, URL, and spelling used in any correspondence, and the importance of not clicking on anything in an unsolicited email or text message that asks them to update or verify account information.

The increase in spoofing means it is now essential to implement two-factor or multi-factor authentication, to add an extra level of security to protect accounts from unauthorized access. It is also vital to implement policies that require requests to be independently verified using confirmed contact numbers, not those provided via email.

Adopting such a defense-in-depth approach will help you protect against these financially damaging scams. Contact TitanHQ today to find out more about how you can cost-effectively improve email security and train your workforce.