🚨 New Phishing Technique Alert
A sneaky new attack method is making waves — exploiting email systems by "atomizing" messages to bypass traditional security checks!
🔍 How It Works:
• Attackers split a single email into multiple fragments ("atoms") before it reaches the inbox.
• Each atom looks harmless alone — no full malicious payload is visible at once.
• When the fragments are reassembled by the email client, the full phishing or malicious email is revealed.
• This bypasses SPF, DKIM, and DMARC protections, making the email appear legitimate.
🎯 Who’s Being Targeted?
• Enterprises relying on email gateways and standard authentication checks.
• Organizations with weak email security policies.
🛡️ How to Stay Safe:
• Apply strict inbound email policies — especially for fragmented emails.
• Monitor email behavior, not just static properties like headers.
• Educate teams about spotting suspicious fragmented communications.
• Strengthen email validation and anomaly detection tools.
⚡ This isn’t just bypassing a filter — it’s a whole new way to weaponize the very structure of email itself.
#CyberSecurity #Phishing #EmailSecurity #ThreatIntel #InfoSec #AtomizedAttack #SPF #DMARC
Attackers exploiting email security delays
Summary
Attackers exploiting email security delays refers to cybercriminals taking advantage of gaps or weaknesses in email filtering and verification processes to slip malicious emails past defenses before security tools or staff can respond. These tactics often involve timing, technical tricks, or abusing misconfigurations to bypass standard protections and reach unsuspecting users.
- Audit security settings: Regularly review and update email system configurations, especially features that allow sending on behalf of others, to reduce vulnerabilities that attackers can exploit.
- Monitor for unusual activity: Set up systems to watch for abnormal behaviors, such as unexpected login locations or a sudden flood of emails, which can signal an active attack that’s trying to mask its tracks.
- Educate your team: Teach employees how to recognize suspicious emails and unexpected requests, as attackers often rely on human error to succeed when technical barriers are bypassed.
-
AdvisorDefense: The Silent Persistence of BEC - When Expelling the Attacker Isn’t the End
Business Email Compromise (BEC) remains one of the most devastating cyber threats to organizations worldwide. While many assume that kicking a threat actor out of their systems ends the attack, a recent Invictus Incident Response case proves otherwise. Sometimes, attackers persist even after being expelled.
The Attack: A Sophisticated Adversary-in-the-Middle Tactic
The attack began with a well-crafted phishing email disguised as a Dropbox invoice notification. The recipient, believing it to be legitimate, clicked the ‘View on Dropbox’ button and landed on a fake Dropbox login page. Here’s where the real trouble started:
✅ Credentials Captured – The victim entered their login details.
✅ MFA Compromised – The attacker also captured an MFA code, allowing them to bypass additional security layers.
✅ Persistence Achieved – With access to the email account, the attacker configured eM Client, a third-party email application, enabling them to maintain control even after passwords were reset.
✅ Forwarding Rules Set Up – To further maintain access, they created email forwarding rules, ensuring they could continue monitoring inbox activity unnoticed.
The victim eventually caught on. After 3 weeks, IT stepped in to reset passwords, remove forwarding rules, revoke active sessions, and uninstall eM Client. The attacker was expelled, or so they thought!
The Attack Didn’t End There…
Days later, the attacker leveraged the victim’s email identity in new ways:
🚨 Created a Dropbox account using the victim’s email to send fraudulent invoices to the victim’s contacts.
🚨 Set up a WeTransfer account with the victim’s details to distribute more malicious emails.
🚨 Continued the scam, exploiting the trust associated with the victim’s email.
Key Lessons: BEC Attacks Go Beyond the Inbox
1️⃣ MFA Alone Isn’t Enough – Many assume that MFA stops BEC attacks, but attackers are evolving. Adversary-in-the-middle (AiTM) tactics allow them to steal both credentials and MFA codes in real time.
2️⃣ Expelling an Attacker Doesn't Always Mean the End – Even after revoking access, attackers can reuse stolen identities elsewhere to continue fraud.
3️⃣ Continuous Monitoring – Check for newly created accounts using corporate email domains and implement dark web monitoring to detect compromised credentials.
How to Protect Your Organization from BEC Attacks
🔒 Adopt phishing-resistant MFA solutions.
🔒 Use Conditional Access & Impossible Travel Policies to detect anomalous login activity.
🔒 Regularly review third-party email applications connected to business accounts to spot unauthorized apps.
🔒 Enable DMARC to prevent domain spoofing.
🔒 Educate employees on phishing techniques.
Attackers Are Persistent — Your Defense Should Be Too!
#Cybersecurity #BEC #EmailSecurity #ThreatIntelligence #Microsoft365Security https://lnkd.in/eNZcDd4X
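As an added example (not code from the post above or from Invictus), here is a small Python detector for two of the post-compromise signals the post recommends watching: impossible travel between sign-ins, and inbox rules that forward mail out of the mailbox (with deletion of the original being the "monitor unnoticed" variant). It runs over constructed Microsoft 365-style audit events; the field names, the operation names as written here, the addresses, IPs and coordinates are all assumptions made for the illustration, not real tenant data.

```python
"""
Added example, not part of the original post: a detector for two post-compromise
signals the post recommends watching (impossible travel between sign-ins and
inbox rules that forward mail out), run over constructed Microsoft 365-style
audit events. Field names, the operation names as written here, the addresses
and the coordinates are assumptions for illustration, not real tenant data.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (not real logs). Coordinates stand in for the
# geolocation a real pipeline would add to each sign-in; times are UTC.
SAMPLE_EVENTS = [
    {"time": "2025-03-03T08:00:00", "user": "cfo@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "lat": 51.50, "lon": -0.12},    # London
    {"time": "2025-03-03T08:40:00", "user": "cfo@example.com", "op": "UserLoggedIn",
     "ip": "198.51.100.7", "lat": 6.50, "lon": 3.40},      # Lagos, 40 minutes later
    {"time": "2025-03-03T08:45:00", "user": "cfo@example.com", "op": "New-InboxRule",
     "ip": "198.51.100.7",
     "params": {"Name": ".", "ForwardTo": "archive@example.net", "DeleteMessage": True}},
    {"time": "2025-03-03T09:10:00", "user": "ap@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.11", "lat": 51.50, "lon": -0.12},
    {"time": "2025-03-03T09:30:00", "user": "ap@example.com", "op": "New-InboxRule",
     "ip": "203.0.113.11",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive sign-ins by one user that would need travel faster than
    max_kmh (about airliner speed) to be physically possible."""
    logins = defaultdict(list)
    for e in events:
        if e["op"] == "UserLoggedIn":
            logins[e["user"]].append(e)
    alerts = []
    for user, evs in logins.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            t0 = datetime.fromisoformat(prev["time"])
            t1 = datetime.fromisoformat(cur["time"])
            hours = (t1 - t0).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km == 0:
                continue                       # same place: nothing to explain
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({"kind": "impossible_travel", "user": user, "km": round(km),
                               "hours": round(hours, 2), "from_ip": prev["ip"], "to_ip": cur["ip"]})
    return alerts


def forwarding_rules(events):
    """Flag inbox rules that send mail outside the mailbox; a rule that also
    deletes the original is the classic 'monitor unnoticed' setup."""
    alerts = []
    for e in events:
        if e["op"] not in RULE_OPS:
            continue
        params = e.get("params", {})
        targets = {k: params[k] for k in FORWARDING_KEYS if k in params}
        if targets:
            alerts.append({"kind": "forwarding_rule", "user": e["user"], "time": e["time"],
                           "rule": params.get("Name", ""), "targets": targets,
                           "deletes_copy": bool(params.get("DeleteMessage", False))})
    return alerts


def find_alerts(events):
    """Run both checks and return the combined alert list."""
    return impossible_travel(events) + forwarding_rules(events)


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS):
        print(a)
```

On the sample, the CFO's London-to-Lagos pair 40 minutes apart (about 5,000 km) fires the travel check, and the rule that forwards to an external address and deletes the copy fires the rule check; the AP user's folder-move rule does not. The travel threshold is deliberately generous so that VPN egress and mobile carrier geolocation produce fewer false positives; it is the combination of a suspicious sign-in followed by a rule change or a new mail-client consent that deserves an analyst's attention, not either signal alone.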
-
As Incident Responders, we’re seeing an increase in attacks using classic smokescreen tactics, so I thought I’d share a few snippets that hopefully help you stay safe!
The initial point of compromise is a phishing email. Nothing particularly sophisticated, just well-timed and well-crafted enough to have a target team member enter their login credentials into a spoofed site and prompt them for their MFA token. If all runs smoothly, for the bad eggs, the attackers are able to successfully proxy the MFA response, intercept the session token, and then bypass the victim’s “super secure” two-factor authentication. They use a real-time phishing kit like Evilginx2, which allows them to ride in on the back of a legitimate login session. So no brute force, no malware dropper, no obvious indicators until it’s too late.
Once inside, the attackers monitor for an opportune time to strike, typically when a large payment is to be sent or due. They modify the payment instructions of one of the parties to make payment to a mule account they control. But they didn’t stop there! In order to mask their activity, because multiple users within the authorisation chain are on CC to the payment instruction, they launch a classic smokescreen campaign by flooding every inbox at the firm with hundreds of spam messages at the exact same time the crime is being committed. And this is ongoing and relentless. The goal is simple: bury the wire transfer confirmation email in noise so it won’t get seen or detected, delaying any potential mitigation action. Effectively, the bad eggs are throwing a digital smokescreen.
It worked. And it is working across a multitude of cases we’ve seen. The transfer goes through, unnoticed, and the funds are gone before a team even has a chance to react.
Urgently add active monitoring for behavioural anomalies post-authentication, such as impossible travel, sudden privilege escalation, or new device profiles making high-value changes. Otherwise, you’re flying blind.
For payment authorisation, MFA is not a panacea, especially for email accounts handling payment instructions. Implement manual processes to double- and cross-check payments. Or reach out if you want to hear more about an automated payment protection solution we’ve built that fixes this. It’s not in full release, but we’d love to hear your thoughts as we build it out.
Stay sharp out there.
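As an added example (not code from the post above or from its author), the Python sketch below shows one way to notice the smokescreen itself: it parses a constructed mail-delivery log, finds per-mailbox bursts where message volume jumps far above the normal rate, and lists any finance-related messages that arrived inside a burst so they can be pulled out of the noise for manual review before funds move. The log line format, addresses, subjects, window and threshold are all assumptions made for the illustration.

```python
"""
Added example, not from the original post: detect a spam "smokescreen" burst per
mailbox and surface finance-related mail that landed inside it. The log line
format, addresses, subjects and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(\S+) to=(\S+) from=(\S+) subject="(.*)"$')
FINANCE_WORDS = ("payment", "invoice", "wire", "bank", "remittance")


def build_sample_log():
    """Construct a sample delivery log (not real traffic): a quiet morning, then at
    10:00 a flood of 120 messages into each finance inbox over four minutes, with a
    genuine change-of-bank-details email arriving in the middle of it."""
    recipients = ["ap@example.com", "cfo@example.com", "controller@example.com"]
    lines = []
    morning = datetime(2025, 3, 3, 8, 0)
    for i in range(6):                       # one routine message every 20 minutes
        for r in recipients:
            t = morning + timedelta(minutes=20 * i)
            lines.append(f'{t.isoformat()} to={r} from=colleague{i}@example.com subject="Weekly status"')
    flood = datetime(2025, 3, 3, 10, 0)
    for i in range(120):                     # the smokescreen: one spam every 2 s
        for r in recipients:
            t = flood + timedelta(seconds=2 * i)
            lines.append(f'{t.isoformat()} to={r} from=promo{i}@example.org subject="You have won a prize"')
    buried = flood + timedelta(minutes=2)    # the message the flood is meant to hide
    for r in recipients:
        lines.append(f'{buried.isoformat()} to={r} from=vendor@example.net subject="Updated payment instructions for invoice 4471"')
    return lines


def parse_log(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                         # skip malformed lines rather than crash
        ts, to, sender, subject = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "to": to, "from": sender, "subject": subject})
    return events


def detect_bursts(events, window=timedelta(minutes=5), threshold=30):
    """Return [{recipient, start, end, count}] for every run of messages where at
    least `threshold` arrive within any `window`-long span. A sliding window over
    the sorted timestamps marks burst members; adjacent members form one burst."""
    by_rcpt = defaultdict(list)
    for e in events:
        by_rcpt[e["to"]].append(e["time"])
    bursts = []
    for rcpt, times in by_rcpt.items():
        times.sort()
        in_burst = [False] * len(times)
        j = 0
        for i in range(len(times)):
            while times[i] - times[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                for k in range(j, i + 1):
                    in_burst[k] = True
        start = None
        for k, flag in enumerate(in_burst + [False]):   # sentinel closes a trailing run
            if flag and start is None:
                start = k
            elif not flag and start is not None:
                bursts.append({"recipient": rcpt, "start": times[start], "end": times[k - 1], "count": k - start})
                start = None
    return bursts


def flag_buried(events, bursts, keywords=FINANCE_WORDS):
    """Messages that mention a finance keyword and arrived during a burst to the
    same recipient: the ones a reviewer should read first."""
    flagged = []
    for e in events:
        subj = e["subject"].lower()
        if not any(w in subj for w in keywords):
            continue
        for b in bursts:
            if b["recipient"] == e["to"] and b["start"] <= e["time"] <= b["end"]:
                flagged.append(e)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    found = detect_bursts(evs)
    for b in found:
        print(f'{b["recipient"]}: {b["count"]} messages {b["start"].time()}-{b["end"].time()}')
    for e in flag_buried(evs, found):
        print("review:", e["to"], e["subject"])
```

The burst detector fires on volume alone, which is the point: a simultaneous spike into every mailbox in the authorisation chain is itself an alert worth paging on, independent of what the spam says. The threshold here is a fixed count for readability; in production you would derive it from each mailbox's own baseline. The keyword filter is only a first cut at triage; the post's real mitigation is an out-of-band confirmation for any change to payment instructions.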
-
Cybersecurity Alert: Proofpoint Settings Exploited in Massive Phishing Campaign
In a concerning development for email security, threat actors have found a way to exploit Proofpoint's email protection service to distribute millions of phishing emails daily. This sophisticated attack takes advantage of misconfigured Proofpoint settings, allowing malicious actors to bypass security measures and deliver potentially harmful content to unsuspecting recipients[1].
The exploit works by abusing the "On-Behalf-Of" (OBO) feature in Proofpoint, which is typically used for legitimate purposes such as allowing executive assistants to send emails on behalf of their managers. However, when improperly configured, this feature can be manipulated to send emails that appear to come from trusted domains[1].
Key points of the attack:
- Attackers are sending up to 5 million phishing emails per day
- The emails often impersonate well-known brands to increase credibility
- Malicious content includes fake login pages and malware-laden attachments
- Over 1,000 domains have been observed being abused in this campaign
To protect against this threat, organizations using Proofpoint should:
1. Review and tighten their OBO configurations
2. Implement strict authentication policies
3. Regularly audit email security settings
4. Train employees to recognize phishing attempts
This incident serves as a stark reminder that even trusted security solutions can become vectors for attack if not properly configured and maintained. As cyber threats continue to evolve, it's crucial for businesses to stay vigilant and regularly assess their security posture[1].
Citations:
[1] https://lnkd.in/gQAq-_Bh
-
More novel research from Varonis Threat Labs. "The Varonis researchers identified two ways attackers use MatrixPDF: In the first, they exploit Gmail’s preview function. The PDF they generate can slip past security safeguards and filters because it only contains scripts and an external link, not a standard URL hyperlink typically associated with malware. The PDF renders normally, but document text is blurred, and users get a prompt to “Open Secure Document,” which is essentially a phishing lure. When the victim clicks the button, an external site opens in their browser. Researchers even found one example where the embedded link pointed to a download for a legitimate SSH client hosted on a public site. The method evades Gmail’s security because malware scanning finds nothing “incriminating,” the researchers point out; malicious content is only fetched when the user actively clicks, which Gmail interprets as user-initiated and therefore not dangerous. Further, the file download occurs outside the email platform’s antivirus sandbox, so security filters can’t intervene. The technique reveals how attackers can split an attack across an email (the delivery) and the web (the payload retrieval) to avoid detection, according to the researchers."
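As an added example (not code from Varonis, the quoted article, or the poster), the Python triage script below shows the kind of static check that has to sit in front of a preview pane to catch the pattern described above: a PDF whose only active content is script plus an external link, with no ordinary hyperlink for a URL filter to chew on. It scans raw PDF bytes for action and script keywords, inflates FlateDecode streams so keywords tucked inside compressed object streams are seen as well, and decodes #xx name escapes so an obfuscated name still matches. The three sample files are constructed minimal PDFs built inside the script, and the keyword list, scoring and verdict labels are this example's own assumptions, not a description of how MatrixPDF documents are actually built.

```python
"""
Added example, not from the quoted research: static triage of a PDF for the
"script plus external link, no ordinary hyperlink" pattern. Samples below are
constructed minimal PDFs; keyword list, scoring and verdict labels are this
example's own assumptions.
"""
import re
import zlib

# PDF name tokens that make a document "active". Descriptions are what each
# keyword means in the PDF spec, not an assertion that it is always malicious.
SUSPICIOUS = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline or streamed script code",
    b"/OpenAction": "action that runs when the document is opened",
    b"/AA": "additional (automatic) actions on page/field events",
    b"/Launch": "launch action (external program)",
    b"/URI": "action that opens an external URL",
    b"/SubmitForm": "form submission to an external host",
}


def decode_names(data: bytes) -> bytes:
    """PDF names may escape bytes as #xx (/J#53 is the same name as /JS), so
    normalise escapes before matching keywords."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the inflated content of every stream that zlib can decompress;
    object streams (/ObjStm) hide whole dictionaries inside them."""
    chunks = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass                               # not Flate-compressed (or corrupt): skip
    return b"\n".join(chunks)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious keywords in the raw bytes and in inflated streams, then
    score: script + auto-run or external reach = high; script alone = medium;
    only a plain link or open action = low."""
    text = decode_names(data) + b"\n" + decode_names(inflate_streams(data))
    found = {}
    for name, why in SUSPICIOUS.items():
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", text))
        if n:
            found[name.decode()] = {"count": n, "why": why}
    script = "/JavaScript" in found or "/JS" in found
    auto = "/OpenAction" in found or "/AA" in found
    external = any(k in found for k in ("/URI", "/Launch", "/SubmitForm"))
    if script and (auto or external):
        verdict = "high"
    elif script or (auto and external):
        verdict = "medium"
    elif auto or external:
        verdict = "low"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": found}


def build_samples() -> dict:
    """Constructed minimal PDFs (not real malware, not byte-exact valid files):
    'benign' has one ordinary link annotation; 'lure' runs script on open and
    carries a link; 'hidden' is the same lure with the script object compressed
    into an object stream and its names #-escaped."""
    head = (b"%PDF-1.5\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n")
    tail = b"trailer << /Root 1 0 R >>\n%%EOF\n"
    link = b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.com/) >> >> endobj\n"
    benign = head + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n" + link + tail
    catalog_open = b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    script = b"5 0 obj << /S /JavaScript /JS (app.alert('Open Secure Document');) >> endobj\n"
    lure = head + catalog_open + link + script + tail
    packed = zlib.compress(script.replace(b"/JavaScript", b"/Java#53cript").replace(b"/JS", b"/J#53"))
    objstm = (b"6 0 obj << /Type /ObjStm /N 1 /First 0 /Filter /FlateDecode /Length "
              + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n")
    hidden = head + catalog_open + link + objstm + tail
    return {"benign": benign, "lure": lure, "hidden": hidden}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(name, scan_pdf(data))
```

Two caveats for anyone turning this into a real control. First, it only inflates zlib streams; a production scanner must also handle the other standard filters (LZW, ASCIIHex, ASCII85, RunLength) and cross-reference streams, or it will miss what a parser such as pdfid/peepdf-style tooling would find. Second, as the article notes, the payload is fetched only on click, so a static verdict of "high" should feed into click-time URL rewriting or blocking of the link, not just an attachment score.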