
Microsoft 365 Flaw Confirms Need for Layered Phishing Protections for M365

The latest figures from Microsoft indicate that in 2024, around 1 million businesses worldwide are using Microsoft 365, and in the United States alone there are around 1 million users of its Office suite. That makes Microsoft 365 a big target for cybercriminals, and phishing is the main way that M365 users are targeted. Microsoft includes cybersecurity protections for its customers that can block phishing emails and malware, and those protections do a reasonable job of blocking malicious emails; however, threats do bypass defenses and reach end users, which is why many businesses choose to augment Microsoft’s protections with third-party anti-phishing and anti-malware solutions, and now there is another good reason to bolster protection.

Recent research has uncovered a flaw in Microsoft’s anti-phishing measures that allows cybercriminals to bypass its email safety alerts. Microsoft’s First Contact Safety Tip generates these warnings when a user receives an email from an unfamiliar email address to warn them that the email may be malicious. The email will include the message “You don’t often get emails from xxx@xxx.com. Learn why this is important.” That message warns the user to take extra care and if it is not shown in the email the user may assume that the message is legitimate.

That warning message is added to the body of the HTML email, and the problem with that approach is that it is possible to manipulate the message by embedding Cascading Style Sheets (CSS), which is what researchers at Certitude discovered. They demonstrated that by manipulating the CSS within the HTML of the email, they were able to hide that warning. They did that by hiding the anchor tags (<a>) so the link is not displayed, changing the font color to white, and forcing the email to have a white background, ensuring that the text is not displayed since it is also in white. While the warning is still included in the email, this trick renders it invisible. They also showed that it is possible to spoof Microsoft’s encrypted and signed icons to make the email appear secure.
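The trick described above is purely presentational: the Safety Tip text is still in the message, it just cannot be seen. That means a filter that inspects the HTML can detect it. The following is an added example (not code from TitanHQ, Microsoft or Certitude) that walks an HTML email and reports whether the tip wording quoted above is present but rendered invisible, either because the text colour matches the backdrop or because the element or an ancestor is hidden. It assumes the tip wording from the article and uses a deliberately simplified CSS model: inline styles plus tag, .class and #id rules from a <style> block, with colour and backdrop carried down from the nearest styled ancestor. The two sample messages are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Added illustration, not code from TitanHQ, Microsoft or Certitude: walk an HTML
# email and report whether the First Contact Safety Tip text is present but made
# invisible by CSS. Assumes the tip wording quoted in the article and a simplified
# CSS model (inline style plus tag/.class/#id rules from <style>).

TIP_RE = re.compile(r"you don.{0,2}t often get emails? from|learn why this is important", re.I)
RULE_RE = re.compile(r"([^{}]+)\{([^}]*)\}")
VOID = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "source", "wbr"}
INHERIT = {"color", "background-color", "_hidden"}   # carried down to child elements


def norm_color(v):
    """Normalise white, #fff and rgb(255,255,255) to #ffffff so they compare equal."""
    v = {"white": "#ffffff", "black": "#000000"}.get(v, v)
    m = re.fullmatch(r"rgb\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)", v)
    if m:
        return "#%02x%02x%02x" % tuple(int(x) for x in m.groups())
    if re.fullmatch(r"#[0-9a-f]{3}", v):
        return "#" + "".join(c * 2 for c in v[1:])
    return v


def parse_decls(text):
    """'color: #FFF; display:none' -> {'color': '#ffffff', 'display': 'none'}."""
    out = {}
    for part in text.split(";"):
        if ":" in part:
            key, val = (s.strip().lower() for s in part.split(":", 1))
            key = "background-color" if key == "background" else key  # shorthand as colour
            val = val.replace("!important", "").strip()
            out[key] = norm_color(val) if key in ("color", "background-color") else val
    return out


def matches(sel, tag, attrs):
    """Selector forms the trick needs: tag, .class, #id and tag.class."""
    if sel.startswith("#"):
        return attrs.get("id", "").lower() == sel[1:]
    tag_part, _, cls = sel.partition(".")
    if cls and cls not in attrs.get("class", "").lower().split():
        return False
    return tag_part in ("", "*", tag)


class _Walker(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.rules, self.stack, self.in_style = [], [{}], False
        self.tip_found, self.reasons = False, set()

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        style = {k: v for k, v in self.stack[-1].items() if k in INHERIT}
        for sel, decls in self.rules:                  # stylesheet rules in source order
            if matches(sel, tag, attrs):
                style.update(decls)
        style.update(parse_decls(attrs.get("style", "")))   # inline style wins
        if style.get("display") == "none" or style.get("visibility") == "hidden":
            style["_hidden"] = True
        self.in_style = self.in_style or tag == "style"
        if tag not in VOID:
            self.stack.append(style)

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()

    def handle_data(self, data):
        if self.in_style:                              # flatten 'a, b { ... }' into rules
            for selectors, body in RULE_RE.findall(data):
                decls = parse_decls(body)
                self.rules.extend((s.strip().lower(), decls) for s in selectors.split(","))
        elif TIP_RE.search(data):
            self.tip_found = True
            s = self.stack[-1]
            if s.get("_hidden"):
                self.reasons.add("display:none or visibility:hidden on element or ancestor")
            if s.get("color") and s.get("color") == s.get("background-color"):
                self.reasons.add("text colour %s matches background" % s["color"])


def check_safety_tip(html):
    """None if the tip text is absent; else sorted reasons it is invisible ([] = visible)."""
    w = _Walker()
    w.feed(html)
    w.close()
    return sorted(w.reasons) if w.tip_found else None


# Constructed sample messages for the demonstration, not real emails.
VISIBLE_MAIL = ('<html><body style="background:#ffffff"><div class="tip" style="color:#000">'
                "You don't often get email from alice@example.com. "
                '<a href="#">Learn why this is important</a></div><p>Hello</p></body></html>')
HIDDEN_MAIL = ('<html><head><style>a { display: none; } .tip { color: #FFF; } '
               'body { background: white; }</style></head><body><div class="tip">'
               "You don't often get email from alice@example.com. "
               '<a href="#">Learn why this is important</a></div>'
               '<p>Please review the attached invoice.</p></body></html>')
```

Running check_safety_tip on VISIBLE_MAIL returns an empty list (tip present and readable), while HIDDEN_MAIL returns both reasons: the link is display:none and the tip text is white on white. A production filter would need a real CSS engine and should also treat a missing tip on a first-contact sender as suspicious, but the point stands: the warning that is invisible to the user is fully visible to a scanner.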

Microsoft has confirmed that the finding is valid but has chosen not to address the problem at this time. Microsoft has instead marked the issue for potential resolution through future product updates, as there have been no known cases of this tactic being used in the wild and the issue was not deemed sufficiently severe to qualify for immediate servicing.

This issue serves as a reminder about M365 cybersecurity. Microsoft produces some excellent products that are invaluable to businesses, but Microsoft is not a cybersecurity vendor and while protections have been added, they can be circumvented. Microsoft 365’s EOP and Defender solutions do a good job at blocking most threats, but malicious emails do get through to inboxes where they can be opened by end users. The Microsoft 365 spam filter only provides an average level of protection against email threats.

TitanHQ has developed cybersecurity solutions to address M365 security gaps and provide greater protection for Microsoft 365 users through the SpamTitan spam filter for M365 and PhishTitan anti-phishing solution, both of which integrate seamlessly with Microsoft 365 and add important extra layers of protection against phishing, scam emails, and malware.

The engine that powers the SpamTitan and PhishTitan solutions has been independently tested and confirmed to provide superior protection through advanced features designed to catch more malicious emails. Those measures include a powerful next-generation email sandbox for protecting against advanced email attacks. When emails pass initial checks and scans using twin antivirus engines, they are sent to the sandbox for deep inspection, which allows malware to be identified from its behavior rather than a signature. These solutions include AI and machine learning protection, where malicious emails can be identified based on how they deviate from the normal emails received by a business, improving protection against zero-day threats – phishing and business email compromise emails that have not been seen before.

The PhishTitan solution has been developed specifically for Microsoft 365 to provide unmatched protection against phishing threats. PhishTitan displays banner notifications in emails to warn end users about suspicious content, which will provide protection should Microsoft’s First Contact Safety Tip be hidden. Links in emails are rewritten to display their true destination, and the solution makes it quick and easy for security teams to remediate phishing threats throughout the entire email system.

The engine that powers these solutions has recently been shown to beat leading email security solutions such as Mimecast on phishing catch rate and malware catch rate, with far lower false positives. In the June Virus Bulletin test, TitanHQ had a 99.99% phishing catch rate, a spam catch rate of 99.98%, a malware catch rate of 100%, and zero false positives. PhishTitan catches 20 unique and sophisticated threats per 80,000 emails received that Microsoft 365 misses. Give TitanHQ a call today to find out more about these solutions and how adding extra layers of protection can strengthen your business’s security posture.

New ‘Eternity Project’ Malware-as-a-Service Operation Offers Extensive Attack Capabilities

A new malware-as-a-service operation named Eternity Project has been identified that offers modular malware with extensive capabilities, allowing threat actors to conduct a range of malicious activities based on the modules they pay for. The capabilities of the malware are being enhanced to include further modules. Currently, the threat group is offering an information stealer, clipper, miner, dropper, worm, and ransomware, with distributed-denial-of-service (DDoS) bots to be provided in an upcoming module.

The threat actors claim the stealer module will allow users to obtain passwords stored in multiple browsers, along with data from email clients, instant messaging services, password managers, VPN clients, gaming software, system credentials, cryptocurrency wallets, and more. The miner module turns victim devices into cryptocurrency mining hosts for the attacker, and the clipper module monitors the clipboard for cryptocurrency wallet addresses and replaces them with the threat actors’ own wallet addresses. The ransomware module encrypts data but does not exfiltrate it. The worm module allows the user to infect other devices on the network, and the dropper is used to drop the payload of choice onto infected devices. The Eternity Project malware was analyzed by researchers at Cyble, who report that the malware is being offered via a Telegram channel which, at the time of publication, had over 500 subscribers, as well as on the threat group’s TOR website.

Malware-as-a-service operations such as the Eternity Project give unskilled hackers the capability to conduct a range of attacks that they would otherwise not be able to perform. According to Cyble, the malware modules are being offered from as little as $90 up to $490 for the most expensive module – ransomware. Those costs could easily be recovered from the capabilities provided. The methods used to distribute Eternity malware will depend on the capabilities of the threat actors that pay for the modules. Since multiple methods of distribution could be used, defending against Eternity malware and other malware-as-a-service offerings requires a defense-in-depth approach and for security best practices to be followed.

Email Security

Phishing remains the number one vector for delivering malware. Campaigns are easy and cheap to conduct, and phishing campaigns can be very effective. Email security solutions are fed threat intelligence and have anti-virus components, but many solutions rely on signature-based detection and are only effective at detecting known malware. Behavior-based detection methods are needed for detecting heavily obfuscated malware and zero-day threats. SpamTitan combines signature-based threat detection using dual AV engines with a Bitdefender-powered sandbox for identifying zero-day malware threats, and allows specified attachment types, such as zip files and executable files, to be blocked. SpamTitan protects against malicious links in emails and scans all inbound emails in real time, using advanced threat protection methods such as Bayesian analysis, machine learning, greylisting, and heuristics, which provide a market-leading 99.99% spam catch rate with a 0.003% false-positive rate.

DNS Filtering

Defense-in-depth against phishing is critical for blocking malware threats, and protection can be significantly improved using DNS filtering. DNS filtering blocks the web-based component of phishing attacks by providing time-of-click protection that prevents users from visiting malicious web pages linked in phishing emails. A DNS filter prevents users from visiting known malicious websites when browsing, blocks redirects to malicious sites, and applies category- and keyword-based filters to control the content that users can access, preventing access to risky websites. DNS filters can also be used to block downloads of certain file types from the Internet, such as those associated with malware.

The WebTitan DNS Filter provides these capabilities without latency, and protections can be applied for users on or off the network, no matter where they access the Internet. WebTitan is fed threat intelligence from more than 500 million endpoints worldwide and provides AI-based protection against active and emerging phishing URLs and zero-minute threats.

Security Awareness Training & Phishing Simulations

Technical measures to block email and web-based threats are essential, but it is also important to provide security awareness training to the workforce on security best practices and to teach employees how to recognize and avoid threats such as phishing. Security awareness training should be provided regularly, and phishing simulations conducted to identify gaps in knowledge to allow them to be addressed before they can be exploited.

SafeTitan is the only behavior-driven security awareness solution that delivers security awareness training in real-time in response to specific user behaviors and includes an extensive library of training content that is delivered in easy-to-digest chunks for creating a human firewall to augment your technical cybersecurity measures.

Enforce Multifactor Authentication

Multifactor authentication should be implemented on all accounts and services to prevent compromised, stolen, or leaked credentials from being used to gain access to accounts. It is especially important to apply multifactor authentication to administrator accounts and for remote access services. Multifactor authentication requires an additional factor to be provided before access is granted, in addition to a password.

Backup Regularly

To protect against destructive malware attacks involving wipers and ransomware, it is essential to back up data regularly and to test backups to ensure that file recovery is possible. A good approach to take is the 3-2-1 method for backing up – make three copies, stored on at least two different media, and ensure that one copy is stored securely off-site. Backup files should also be encrypted.

Patch Promptly

You should ensure that updates for software and operating systems are applied promptly, with patching prioritized to address the most critical vulnerabilities first.

Change Default Credentials and Set Strong Passwords

Default credentials should be changed, as should the default configurations of off-the-shelf software, and strong, unique passwords should be set to protect against brute force attacks. Threat actors can easily gain initial access to the network through brute force attempts to guess passwords, such as password spraying, and through the reuse of passwords compromised in previous data breaches.
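Strong passwords and MFA reduce the success rate of the brute force attempts described above, but the attempts themselves are visible in authentication logs, and a spray has a distinctive shape: one source failing against many different accounts in a short window, rather than one account failing many times. The following is an added example (not TitanHQ’s code and not from the article) of detection logic for that pattern; the log line format and the sample lines are constructed assumptions, using documentation-range IP addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added illustration (not TitanHQ code): flag password-spraying patterns in
# authentication logs. A spray tries a few passwords against many accounts from
# one source, so the signal is one source failing against many distinct users in
# a short window, rather than many failures against a single account.
# Assumed log line format: "<ISO timestamp> src=<ip> user=<name> result=<ok|fail>".

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")

# Constructed sample log (TEST-NET addresses, not a real capture).
SAMPLE_LOG = """\
2024-06-01T09:00:01 src=203.0.113.7 user=alice result=fail
2024-06-01T09:00:03 src=203.0.113.7 user=bob result=fail
2024-06-01T09:00:05 src=203.0.113.7 user=carol result=fail
2024-06-01T09:00:07 src=203.0.113.7 user=dave result=fail
2024-06-01T09:00:09 src=203.0.113.7 user=erin result=fail
2024-06-01T09:00:11 src=203.0.113.7 user=frank result=fail
2024-06-01T09:01:00 src=198.51.100.9 user=alice result=fail
2024-06-01T09:01:20 src=198.51.100.9 user=alice result=fail
2024-06-01T09:01:40 src=198.51.100.9 user=alice result=ok
2024-06-01T11:30:00 src=203.0.113.7 user=grace result=fail
"""


def parse_log(text):
    """Yield (timestamp, source, user, result) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, result = m.groups()
            yield datetime.fromisoformat(ts), src, user, result


def detect_spraying(text, min_users=5, window=timedelta(minutes=10)):
    """Return {source: largest number of distinct users it failed against within
    one window} for every source reaching min_users. A legitimate user mistyping
    their own password repeatedly never trips this, since the user count stays 1."""
    failures = defaultdict(list)
    for ts, src, user, result in parse_log(text):
        if result == "fail":
            failures[src].append((ts, user))
    alerts = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):          # sliding window from each failure
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[src] = max(alerts.get(src, 0), len(users))
    return alerts


if __name__ == "__main__":
    for src, count in detect_spraying(SAMPLE_LOG).items():
        print(f"possible password spraying from {src}: {count} distinct accounts")
```

On the sample log the source 203.0.113.7 is flagged with six distinct accounts inside ten minutes, while 198.51.100.9, which is one user failing twice and then succeeding, is not. Thresholds should be tuned to the environment; a shared NAT address or a VPN concentrator will legitimately show many users from one source, so the alert is a starting point for investigation rather than an automatic block.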