Learn about the most common tactics used to bypass inbox security.
Although security controls are increasingly advanced, cybercriminals are constantly refining their techniques to circumvent the defenses of the systems companies use. So how do cybercriminals actually get into corporate email?
Through credential phishing attacks, business email compromise (BEC) and the many forms of malware constantly spread across the Internet, attackers get unsuspecting users to click on traps without ever becoming suspicious.
Between October 2018 and March 2019, researchers at the Phishing Defense Center of the American company Cofense analyzed 31,429 malicious emails. In this survey, reported by the Information Week blog, 23,195 credential phishing attacks were detected. This was the most frequent type of attack, followed by malware delivery (4,835), BEC (2,681) and fraud (718). Subtle tactics such as changing file types or using shortened URLs continue to be very successful.
Phishing attacks are hackers' favorites
“We continue to see them evolve with simple tweaks,” says Cofense co-founder and CTO Aaron Higbee. Credential phishing emails using fake login pages are difficult to stop at the gateway because often the infrastructure associated with them does not appear malicious.
For example, some campaigns send emails from genuine Office 365 tenants using already compromised credentials or legitimate accounts. A fake login page hosted on Microsoft's infrastructure is nearly impossible to distinguish.
Researchers report that many secure email gateways do not scan every URL. They only focus on the type of URL people click on. With more phishing attacks taking advantage of single-use URLs, corporate risk increases. Hackers only need a set of legitimate credentials to break into a network, which is why credential phishing is such a popular attack technique.
Cloud adoption is changing the game for attackers to get employee login data. Companies are changing the location of their login pages and, consequently, access to network credentials.
Cybercriminals get into email using subtle techniques
“As organizations move to cloud services, attackers are after the credentials of this cloud,” says Higbee. “We also see cybercriminals using popular cloud services like SharePoint, OneDrive, Windows.net to host phishing kits. When criminals are able to obtain credentials, they can log into the hosted service as a legitimate user.”
It is difficult for organizations to defend against threats to cloud-based systems because they do not always have the same visibility into logs and infrastructure that they have in their own data centers.
More attackers are using unusual, atypical file types to bypass email gateway attachment controls. As an example, the researchers point to the change in how Windows 10 handles .ISO files: it gave attackers a way to avoid the .ZIP and .RAR archives that security tools normally inspect.
In April 2019, Cofense detected attackers renaming .ISO files to .IMG to transmit malware through secure gateways. “The gateway sees this as a random attachment, but when you download the file to the device, Windows 10 treats it as a file and opens it in Explorer, allowing the victim to click on the content,” says Higbee. “Nothing has changed in the malware, just the file extension name.”
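Two of the gaps described above, gateways that do not examine every URL in a message and attachments whose extension hides their real format, can be checked for on the defender's side with a few lines of code. The following is an added example, not code from the article or from Cofense; it builds a constructed sample message (a hidden link target behind a legitimate-looking link text, plus an ISO 9660 image renamed to .img), enumerates every URL in every MIME part, and identifies the disc image by its volume descriptor signature ("CD001" at byte offset 0x8001) rather than by its file name. The addresses and file name are invented placeholders.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def build_sample_message() -> bytes:
    """Constructed sample (not a real phishing email): the HTML part shows one
    URL as link text but points somewhere else, and the attachment named
    invoice.img is really an ISO 9660 disc image."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"        # placeholder sender
    msg["To"] = "user@example.org"              # placeholder recipient
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review your invoice at https://portal.example.com/login")
    msg.add_alternative(
        '<p>Please review your invoice at '
        '<a href="https://login-verify.example.net/o365">'
        "https://portal.example.com/login</a></p>",
        subtype="html",
    )
    # Minimal ISO 9660 image: the primary volume descriptor sits at sector 16
    # (offset 0x8000) and starts with type byte 0x01 followed by "CD001".
    iso = bytes(0x8000) + b"\x01CD001\x01" + bytes(2041)
    msg.add_attachment(iso, maintype="application", subtype="octet-stream",
                       filename="invoice.img")
    return bytes(msg)


class _LinkCollector(HTMLParser):
    """Collects every href, all visible text, and anchors whose visible text is
    itself a URL that differs from the real href."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.text, self.mismatches = [], [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor = []
            if self._href:
                self.hrefs.append(self._href)

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a":
            shown = "".join(self._anchor).strip()
            if self._href and URL_RE.fullmatch(shown) and shown != self._href:
                self.mismatches.append((shown, self._href))
            self._href = None


def extract_urls(raw: bytes):
    """Return (sorted list of every URL in every text part, list of
    (visible_url, real_href) mismatches) so no link is left unexamined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, mismatches = set(), []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            urls.update(URL_RE.findall(part.get_content()))
        elif ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            urls.update(collector.hrefs)
            urls.update(URL_RE.findall("".join(collector.text)))
            mismatches.extend(collector.mismatches)
    return sorted(urls), mismatches


def iso_like_attachments(raw: bytes):
    """Return the file names of attachments carrying an ISO 9660 signature,
    regardless of the extension they were given."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if len(payload) >= 0x8006 and payload[0x8001:0x8006] == b"CD001":
            flagged.append(part.get_filename())
    return flagged


if __name__ == "__main__":
    sample = build_sample_message()
    print(extract_urls(sample))
    print(iso_like_attachments(sample))
```

The content check is the point: a gateway rule keyed on the extension alone sees a harmless ".img" and lets it through, while the signature check flags the same bytes whether the file is called .iso, .img or anything else. The URL pass treats the href and the displayed text as separate items, so a link whose visible text is a trusted-looking address is not mistaken for the address it really opens.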
Fake .img and .pdf files put email security at risk
Defending against these threats is hard because some legitimate attachment types cannot be blocked without interrupting daily business workflows. “We see this with PDF files that include links to malicious websites, which could be a fake login page where you can capture credentials,” adds Higbee. Companies simply cannot block these file types outright.
The survey also found that cybercriminals who delivered malware via malicious attachments showed a strong preference (45%) for exploiting the Microsoft Office memory corruption vulnerability CVE-2017-11882. In previous years, malicious macros were used massively; in the current survey they accounted for only 22% of malware delivery tactics.
In any case, it is increasingly challenging for companies to control how cybercriminals get into corporate email. It is up to managers to promote team awareness so that, even though threats cannot be fully controlled, they are at least minimized.