Business email compromise (BEC) and related threats, including advanced phishing, impersonation abuse, account takeover and accidental data loss, were the top cybersecurity risks generating some of the biggest financial losses for organizations that use Microsoft 365, according to Proofpoint executives who discussed the platform during the webinar “Strengthening Microsoft 365 with Human-Centric Security.”
The webinar, hosted by Proofpoint on June 26, 2024, featured Mark Harris, Proofpoint advisor and former Gartner senior director advisor, and Tim Bedard, director of product marketing for Proofpoint’s Threat Protection email security solution. They discussed these threats to Microsoft 365 environments, citing the FBI’s 2023 Internet Crime Report, Proofpoint’s own data and Verizon’s Data Breach Investigations Report (DBIR). They also argued that Microsoft’s native protections need to be fortified with third-party products and services, and pointed to Gartner and Forrester reports that include Proofpoint as a recommended email security vendor.
It’s All About People
“I think the headline for the top cybersecurity risks is: it's all about people. One way or another, Verizon talks about nearly 50% of security breaches using stolen credentials. That's the target for the vast majority of attackers. Over three-quarters of ransomware starts in email. I would say that it's probably more than that because of stolen credentials being used to leverage ransomware as well. Business email compromise is an interesting topic. And one of the things that always surprised me is that, according to the FBI's reports, BEC is expected to exceed all other cybersecurity losses combined. Now, that's quite an incredible amount, and it's billions of dollars. Part of the reason for that, I think, is that people are more likely to report business email compromise because there is an opportunity to recover the money,” Harris said.
“With ransomware, some people won't report it. So I think there's a reporting factor there, but business email compromise is certainly a huge problem. And my favorite phrase is, ‘Attacking the vulnerability between the chair and the keyboard.’ It’s the person; that's the biggest vulnerability that attackers are using. So, overall, 99% of all data loss incidents are human-driven. The people are at the center of the problem. And that's why ultimately they're targeted,” Harris continued.
He added that he did not intend to “bash” Microsoft, but wanted to discuss how its security could be improved. Because the company is the market leader in enterprise business productivity and email, it is a big target for attackers; that is not because its products are less secure.
Business Email Compromise
Courtesy: Proofpoint
Financial losses connected to business email compromise were $2.9 billion in 2023, according to the FBI’s 2023 Internet Crime Report, Bedard shared.
“And let me put this in perspective, right? So, we talk about BEC all the time. BEC losses are 80 times greater than ransomware losses. So think about that right now. We all hear about ransomware, right? We all heard about everything that happened at MGM and Mirage and all these other places, right? The big headlines, and companies being shut down and not being able to do business because they're being ransomed. But what you don't hear about is business email compromise. And the reason why you don't hear about business email compromise is that they're not asking for millions of dollars, right? They're trying to siphon off 5,000, 10,000, a hundred thousand dollars here and there, right?
They're doing it at a higher rate, but the dollars they're asking for are much lower. So it flies below the radar. So, again, BEC historically has involved compromising emails; it could be vendors that I mentioned previously. It could be requests for W-2 information, or fraudulently targeting large amounts of gift cards that I mentioned earlier. But what the FBI report has been saying, having reread that report recently, is that the bad actor is now actually going after custodial accounts held at financial institutions, specifically in cryptocurrencies and exchanges, right? Or third-party payment processors themselves. They're trying to infiltrate there because they can get those credentials, right? And they're doing that through some type of compromise. And this is where they can get access to those funds quickly and get 'em out even faster,” Bedard said.
BEC examples could include spoofing an email from an employee within a company, addressing it to the payroll department and saying, “Hey, I've changed banks. Can you send my pay to this account instead?” Harris shared. He also said that an attacker who has taken over an email account can intercept an invoice or an email thread about a payment.
Advanced Phishing
Courtesy: Proofpoint
Phishing-based attacks have become more innovative. Bedard cited MFA bypass kits that harvest session cookies as well as passwords, and multi-stage ransomware campaigns in which attackers use both email and the phone to trick users.
“So, the first one is under identity threat. This is really quite an incredible evolution that I've seen, where our Proofpoint research team has been tracking these types of MFA bypass kits, or phishing kits themselves. And most recently they've seen the shift that it's not just, you know, going and getting your credentials as a user, your username and password, right? They're now seeing kits that will go ahead and collect your session cookies or tokens themselves,” the Proofpoint executive explained.
“So this is where they not only get your credentials, but those session cookies, and they try to steal these because they want to bypass that trusted layer of security called MFA, right? And, you know, what I call these MFA bypass phishing kits, basically what they are is very transparent reverse proxy capabilities that allow basically a man-in-the-middle type of browser session that lets them steal those credentials and those session cookies in real time.
…The other example is really around ransomware. And ransomware has been very interesting also because we've gone from single-stage, like Loki or WannaCry, and we're moving to multi-stage types of attacks now, where ransomware is taken out of the email channel and into a different channel like the phone, for example.
And what they'll do is a TOAD, which stands for Telephone-Oriented Attack Delivery. And what they're doing is saying, “Hey, call us at this number.” And that attack usually starts through an email, right? To a targeted individual with an urgent need. They want to create urgency, so you're not thinking on your feet; you're reacting and being very passionate about something, calling a phone number… Actually the attacker calls them and says, …“I need you to do something right away. I need you to go to this website that's malicious, and I need you to download this information or this document.” And then that's how the ransomware is actually installed and deployed, right? And because they're going with these text-based, TOAD-based account attacks, it's much harder to detect them and actually defeat them, right? So, in 2023, our own Proofpoint research team documented over 10 million TOAD-based attacks per month. And that's just unbelievable. You start doing the math really quickly: 12 months a year, 10 million; that's a lot of TOAD-based attacks per month.”
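The call-back lure Bedard describes has a recognisable shape: a phone number as the only call to action, no link for a URL sandbox to detonate, a dollar amount, and pressure language. Below is an added triage heuristic that scores messages on those traits; it is example code written for this page, not Proofpoint's detection logic, and the term list, weights, threshold and the two sample messages are constructed.

```python
"""Heuristic triage for Telephone-Oriented Attack Delivery (TOAD) lures.

Added example; this is not Proofpoint's detection logic. The term list,
weights, threshold and the two sample messages are constructed for
illustration and should be tuned against your own mail.
"""
import re
from dataclasses import dataclass, field

# Constructed list of phrases that manufacture urgency in call-back lures.
URGENCY_TERMS = (
    "immediately", "within 24 hours", "final notice", "has been charged",
    "will be charged", "call us", "contact us at", "to cancel",
)

# North American style numbers; 555-01xx is the reserved fictional range.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
MONEY_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")

THRESHOLD = 8  # constructed cut-off; tune on real mail


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def score_toad(subject: str, body: str) -> Verdict:
    """Score one message for call-back-lure traits; higher is more suspicious."""
    v = Verdict()
    text = f"{subject}\n{body}".lower()

    phones = PHONE_RE.findall(body)
    if phones:
        v.score += 3
        v.reasons.append(f"phone number present: {phones[0].strip()}")

    # TOAD lures deliberately carry no link, so URL sandboxes see nothing;
    # a phone number as the only call to action is the tell.
    if phones and not URL_RE.search(body):
        v.score += 2
        v.reasons.append("no URL: phone number is the only call to action")

    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        v.score += 2 * len(hits)
        v.reasons.append("urgency/pressure language: " + ", ".join(hits))

    if MONEY_RE.search(body):
        v.score += 2
        v.reasons.append("dollar amount cited (fake invoice/renewal)")

    return v


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = {
    "lure": (
        "Subscription renewal confirmation",
        "Your antivirus subscription has been renewed and your card has been "
        "charged $399.99. If you did not authorize this, call us immediately "
        "at (800) 555-0142 within 24 hours to cancel.",
    ),
    "benign": (
        "Slides from today's review",
        "Hi all, the slides are in the shared folder: "
        "https://intranet.example/reviews. Call my desk at (415) 555-0199 "
        "if anything is unclear. Thanks, Dana",
    ),
}


def triage(messages: dict) -> dict:
    """Return {message_id: Verdict} for a batch of (subject, body) pairs."""
    return {mid: score_toad(subj, body) for mid, (subj, body) in messages.items()}


if __name__ == "__main__":
    for mid, verdict in triage(SAMPLE_MESSAGES).items():
        flag = "SUSPECT" if verdict.suspicious else "ok     "
        print(f"{flag} {mid:7} score={verdict.score:2} {'; '.join(verdict.reasons)}")
```

The benign sample carries a phone number too, which is why a number alone stays below the threshold; it is the combination with pressure terms, a charge amount and the absence of any link that separates the lure.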
Account Takeover
Bedard stated that Proofpoint researchers determined 95% of organizations are targeted for Microsoft email account takeovers. Such a takeover happens when a bad actor acquires a user’s login credentials, generally for their cloud email account via a phishing attack. The attacker can then change the password and user name, and access and control the victim’s data through their applications and systems.
While using multi-factor authentication is recommended, it is not a “silver bullet,” said Bedard.
“It's a good step toward better security. But we've seen that 30% of multi-factor authentication failures are because of account takeovers. And you're probably asking yourself, how can MFA be overridden? I'll give you an example. So one example was at the end of last year: we found bad actors had actually targeted Uber, specifically their Microsoft 365 users, with a bunch of updates that they sent to them over their phones. Basically they were doing an MFA fatigue attack. The bad actors were bombarding the users with two-factor authentication push notifications all the time, to try to get them to log in or approve those login attempts. If you're anything like me, if you get more than two or three, it gets really annoying. You get 10, it gets obnoxious. You get more, it becomes more obnoxious. So essentially what happened was the bad actors exploited Uber's employees' and users’ behavior to gain access, because at the end of the day they're like, fine, make this go away, I'm going to log in. Unbeknownst to the Uber employees, they were logging into a malicious site that stole their credentials. Next thing you know, you've got bad actors all over your network and infrastructure,” Bedard said.
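Both identity threats the speakers describe leave a trace in sign-in telemetry. A cookie stolen by a reverse-proxy kit (the MFA bypass kits discussed under Advanced Phishing) gets replayed from the attacker's machine, so the same session identifier shows up from a second IP and user agent minutes after it was issued; a fatigue attack shows up as a run of denied or timed-out pushes followed by an approval. The following added example, which is not Proofpoint's or Microsoft's code, runs both checks over a constructed, simplified event list; the field names are assumptions, not a real sign-in log schema, and serve both passages.

```python
"""Two identity-threat detections over sign-in telemetry: session token replay
(the AitM cookie-theft kits described above) and MFA push fatigue.

Added example, not Proofpoint's or Microsoft's code. The event schema is a
constructed simplification; map the field names onto your provider's logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, user, event, ip, ua, session=None):
    """Build one constructed event (ISO-8601 timestamp, UTC)."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event,
            "ip": ip, "ua": ua, "session": session}


# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    # alice signs in and approves MFA from her laptop ...
    _ev("2024-06-26T09:00:00", "alice", "login_success", "203.0.113.10", "Windows/Edge", "S-1"),
    _ev("2024-06-26T09:00:20", "alice", "mfa_push_approved", "203.0.113.10", "Windows/Edge", "S-1"),
    # ... and four minutes later her session cookie is replayed from elsewhere
    _ev("2024-06-26T09:04:00", "alice", "session_activity", "198.51.100.77", "Linux/Firefox", "S-1"),
    # bob rejects a burst of pushes, then approves one to make them stop
    _ev("2024-06-26T22:10:00", "bob", "mfa_push_denied", "198.51.100.5", "Windows/Chrome"),
    _ev("2024-06-26T22:11:00", "bob", "mfa_push_denied", "198.51.100.5", "Windows/Chrome"),
    _ev("2024-06-26T22:13:00", "bob", "mfa_push_timeout", "198.51.100.5", "Windows/Chrome"),
    _ev("2024-06-26T22:15:00", "bob", "mfa_push_denied", "198.51.100.5", "Windows/Chrome"),
    _ev("2024-06-26T22:17:00", "bob", "mfa_push_approved", "198.51.100.5", "Windows/Chrome"),
    # carol: ordinary activity from one IP and browser
    _ev("2024-06-26T10:00:00", "carol", "login_success", "192.0.2.44", "macOS/Safari", "S-2"),
    _ev("2024-06-26T10:30:00", "carol", "session_activity", "192.0.2.44", "macOS/Safari", "S-2"),
]

REJECTED = {"mfa_push_denied", "mfa_push_timeout"}


def detect_session_replay(events):
    """Flag a session identifier used from an IP other than the one it was
    issued to. Caveat: roaming users change IPs legitimately; in production
    compare ASN/geography and weight a simultaneous user-agent change higher.
    Both facts are reported so the analyst can judge."""
    origin = {}   # session id -> first event seen for it
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        sid = e["session"]
        if sid is None:
            continue
        if sid not in origin:
            origin[sid] = e
            continue
        first = origin[sid]
        if e["ip"] != first["ip"]:
            findings.append({
                "rule": "session_token_replay", "user": e["user"], "session": sid,
                "issued_to": first["ip"], "used_from": e["ip"],
                "ua_changed": e["ua"] != first["ua"],
                "minutes_after_issue": (e["ts"] - first["ts"]).total_seconds() / 60,
            })
    return findings


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Flag an approval preceded by at least `min_rejections` denied or timed-out
    pushes for the same user inside `window`: the shape of a fatigue attack."""
    pushes = defaultdict(list)
    for e in events:
        if e["event"].startswith("mfa_push_"):
            pushes[e["user"]].append(e)
    findings = []
    for user, evs in pushes.items():
        evs.sort(key=lambda e: e["ts"])
        for i, approval in enumerate(evs):
            if approval["event"] != "mfa_push_approved":
                continue
            recent = [p for p in evs[:i]
                      if p["event"] in REJECTED and approval["ts"] - p["ts"] <= window]
            if len(recent) >= min_rejections:
                findings.append({"rule": "mfa_fatigue", "user": user,
                                 "rejections": len(recent),
                                 "approved_at": approval["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for f in detect_session_replay(SAMPLE_EVENTS) + detect_mfa_fatigue(SAMPLE_EVENTS):
        print(f)
```

The replay rule keys on the session identifier rather than the user, because the attacker never authenticates: the token was issued to the victim's browser and simply reappears elsewhere. The fatigue rule deliberately counts only rejected or expired pushes before the approval, so a single legitimate retry after a mistaken denial does not fire.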
Impersonation Abuse
Courtesy: Proofpoint
Criminals have caused $50 billion in losses through impersonation abuse (a figure Bedard based on Proofpoint’s tally of accumulated BEC losses), Bedard said. In this technique, bad actors spoof a trusted party’s domain, register a lookalike domain, or compromise a legitimate mailbox, and then pose as that user to contact its vendors, customers and other parties.
“And if you're not familiar, this is really another attack vector that these threat actors are trying to take advantage of, as opposed to coming directly at your organization. What they're doing is kind of a backdoor on you, right? They're going after your suppliers and third parties and your ecosystem, compromising an account there, and then using that account as a launch point to come in through the side window into your organization in order to get to the crown jewels, whether it's your data, your IP, whatever it may be. And that's where you really have to be conscious of that, because at the end of the day, when I look at that $50 billion number, that's impersonation abuse when it comes to business communication, $50 billion since 2023; that's a lot of losses in that time,” Bedard said.
Harris added that attacks launched from a compromised supplier account are the hardest to identify and address, and that this is one of the key areas in which Proofpoint is “investing.”
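Supplier impersonation usually starts with a sending domain that is almost, but not quite, one you trust. The added example below (not Proofpoint's code; the trusted-domain list, confusable table and sample senders are constructed) folds confusable characters, decodes punycode labels, and compares each sender's registrable domain against the trusted list to classify lookalikes as homoglyph, TLD swap, typosquat or brand-embedded. A compromised genuine account, which Bedard also mentions, passes this check by definition and needs account-level detections instead.

```python
"""Lookalike-domain check for inbound mail, to catch impersonation of
suppliers and other trusted parties.

Added example, not Proofpoint's code. The trusted-domain list, the confusable
table and the sample senders are constructed for illustration.
"""

# Characters attackers substitute for look-alike letters (constructed subset;
# a production table draws on the full Unicode confusables data).
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l", "5": "s", "3": "e", "8": "b",
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0440": "p", "\u0441": "c",  # Cyrillic
}
DIGRAPHS = {"rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Fold a domain label so visually similar spellings compare equal."""
    label = label.lower()
    if label.startswith("xn--"):            # punycode: decode to Unicode first
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    label = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    for pair, single in DIGRAPHS.items():
        label = label.replace(pair, single)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one edit away from a trusted name is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (registrable label, tld). Simplification: the last label is taken
    as the TLD, so suffixes like co.uk need a public suffix list in production."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def check_sender_domain(domain: str, trusted):
    """None if `domain` is (a subdomain of) a trusted domain, else a finding
    naming the impersonated domain and the rule that matched."""
    label, tld = split_domain(domain)
    if f"{label}.{tld}" in trusted:
        return None
    norm = normalize(label)
    for t in trusted:
        t_label, t_tld = split_domain(t)
        t_norm = normalize(t_label)
        if norm == t_norm:
            rule = "homoglyph" if tld == t_tld else "tld_swap"
        elif levenshtein(norm, t_norm) == 1:
            rule = "typosquat"
        elif t_norm in norm:
            rule = "brand_embedded"
        else:
            continue
        return {"sender": domain, "impersonates": t, "rule": rule}
    return None


# Constructed trusted suppliers and sample sender domains.
TRUSTED = ("northwind-supply.com", "acme-invoices.com")
SENDERS = [
    "northwind-supply.com",          # genuine
    "mail.northwind-supply.com",     # genuine subdomain
    "n0rthwind-supply.com",          # digit zero for o
    "northwind-suppIy.com",          # capital I for l
    "northwind-supply.co",           # TLD swap
    "n\u043erthwind-supply.com",     # Cyrillic о for o
    "northwind-supply-billing.com",  # trusted name embedded in a new domain
    "totally-unrelated.example",
]


def scan(senders, trusted=TRUSTED):
    """Map each sender domain to its finding (or None when trusted/unrelated)."""
    return {s: check_sender_domain(s, trusted) for s in senders}


if __name__ == "__main__":
    for sender, finding in scan(SENDERS).items():
        print(f"{sender:32} {finding['rule'] if finding else 'ok'}")
```

Run this at the mail gateway or in a post-delivery scan against the list of domains you actually pay invoices to; a hit on a brand-embedded or TLD-swap domain is worth a hold-and-review even when the message content looks routine, because that is exactly the case the human target is worst at spotting.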
Accidental Data Loss
Courtesy: Proofpoint
Sending an email to the wrong person, attaching the wrong file, or sending documents to unauthorized accounts was the last email-related issue the Proofpoint experts discussed.
“No one is immune to it. It happens. And as you can see from this chart of DBIR data, data breaches categorized under accidental email delivery are a very high percentage in a lot of these different verticals. And as you can see, verticals like financial services and healthcare are really high. They are the biggest offenders, and that's really because they have a regulatory compliance obligation to report these incidents. I guess the only main point that I would say here is that of all the ways your employees mishandle data, email is the lion's share,” Bedard pointed out.