Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Microsoft 365. Show all posts
Tycoon
Gmail malware MFA Bypass Microsoft 365 multifactor authentication phishing kit Safety Security Tycoon

'Tycoon' Malware Kit Bypasses Microsoft and Google Multifactor Authentication

 

An emerging phishing kit called "Tycoon 2FA" is gaining widespread use among threat actors, who are employing it to target Microsoft 365 and Gmail email accounts. This kit, discovered by researchers at Sekoia, has been active since at least August and received updates as recent as last month to enhance its evasion techniques against multifactor authentication (MFA).

According to the researchers, Tycoon 2FA is extensively utilized in various phishing campaigns, primarily aimed at harvesting Microsoft 365 session cookies to bypass MFA processes during subsequent logins. The platform has amassed over 1,100 domain names between October 2023 and late February, with distribution facilitated through Telegram channels under different handles such as Tycoon Group, SaaadFridi, and Mr_XaaD.

Operating as a phishing-as-a-service (PhaaS) platform, Tycoon 2FA offers ready-made phishing pages for Microsoft 365 and Gmail accounts, along with attachment templates, starting at $120 for 10 days, with prices varying based on the domain extension. Transactions are conducted via Bitcoin wallets managed by the "Saad Tycoon Group," suspected to be the operator and developer of Tycoon 2FA, with over 1,800 recorded transactions as of mid-March.

The phishing technique employed by Tycoon 2FA involves an adversary-in-the-middle (AitM) approach, utilizing a reverse proxy server to host phishing webpages. This method intercepts user inputs, including MFA tokens, allowing attackers to bypass MFA even if credentials are changed between sessions.

Despite the security enhancements provided by MFA, sophisticated attacks like Tycoon 2FA pose significant threats by exploiting AitM techniques. The ease of use and relatively low cost of Tycoon 2FA make it appealing to threat actors, further compounded by its stealth capabilities that evade detection by security products.

Sekoia researchers outlined a six-stage process used by Tycoon 2FA to execute phishing attacks, including URL redirections, Cloudflare Turnstile challenges, JavaScript execution, and the presentation of fake authentication pages to victims.

The emergence of Tycoon 2FA underscores the evolving landscape of phishing attacks, challenging the effectiveness of traditional MFA methods. However, security experts suggest that certain forms of MFA, such as security keys implementing WebAuthn/FIDO2 standards, offer higher resistance against phishing attempts.

To assist organizations in identifying Tycoon 2FA activities, Sekoia has published a list of indicators of compromise (IoCs) on GitHub, including URLs associated with Tycoon 2FA phishing campaigns.
Read more »
Technology
AI technology Artificial Inteligence Microsoft 365 Microsoft Copilot Technology

Microsoft is Rolling out an AI Powered Key

 


Prepare for a paradigm shift as Microsoft takes a giant leap forward with a game-changing announcement – the integration of an Artificial Intelligence (AI) key in their keyboards, the most substantial update in 30 years. 

This futuristic addition promises an interactive and seamless user experience, bringing cutting-edge technology to the tips of your fingers. Explore the next frontier of computing as Microsoft redefines the way we engage with our keyboards, setting a new standard for innovation in the digital age. The groundbreaking addition grants users seamless access to Copilot, Microsoft's dynamic AI tool designed to elevate your computing experience. 

At the forefront of AI advancements, Microsoft, a key investor in OpenAI, strategically integrates Copilot's capabilities into various products. Witness the evolution of AI as Microsoft weaves its intelligence into the fabric of everyday tools like Microsoft 365 and enhances search experiences through Bing. 

Not to be outdone, rival Apple has long embraced AI integration, evident in Macbooks featuring a dedicated Siri button on their touch bar. As the tech giants vie for user-friendly AI interfaces, Microsoft's AI key emerges as a pivotal player in redefining how we interact with technology. 

Copilot, the star of Microsoft's AI arsenal, goes beyond the ordinary, assisting users in tasks ranging from efficient searches to crafting emails and even generating visually striking images. It's not just a tool; it's your personalised AI companion, simplifying tasks and enriching your digital journey. Welcome to the era where every keystroke opens doors to boundless possibilities. 

By pressing this key, users seamlessly engage with Copilot, enhancing their daily experiences with artificial intelligence. Similar to the impact of the Windows key introduced nearly 30 years ago, the Copilot key marks another significant milestone in our journey with Windows, serving as the gateway to the realm of AI on PCs. 

In the days leading up to and during CES, the Copilot key will debut on numerous Windows 11 PCs from our ecosystem partners. Expect its availability from later this month through Spring, including integration into upcoming Surface devices. 

This addition, which simplifies access to Copilot, has already made waves in Office 365 applications like Word, PowerPoint, and Teams, offering functionalities such as meeting summarization, email writing, and presentation creation. Bing, Microsoft's search engine, has also integrated Copilot. 

According to Prof John Tucker from Swansea University, the introduction of this key is a natural progression, showcasing Microsoft's commitment to enhancing user experience across various products. Despite Windows 11 users already having access to Copilot via the Windows key + C shortcut, the new dedicated key emphasises the feature's value.

Acknowledging the slow evolution of keyboards over the past 30 years, Prof Tucker notes that Microsoft's focus on this particular feature illustrates its potential to engage users across multiple products. Google, a dominant search engine, employs its own AI system called Bard, while Microsoft's Copilot is built on OpenAI's GPT-4 language model, introduced in 2022. 

The UK's competition watchdog is delving into Microsoft's ties with OpenAI, prompted by disruptions in the corporate landscape that resulted in a tight connection between the two entities. The investigation seeks to understand the implications of this close association on competition within the industry. 

As we anticipate its showcase at CES, this innovative addition not only reflects Microsoft's commitment to user-friendly technology but also sparks curiosity about the evolving landscape of AI integration. Keep your eyes on the keyboard – the Copilot key signals a transformative era where AI becomes an everyday companion in our digital journey.


Read more »
User Privacy
AI Tool Artificial Intelligence Cyber Security data security data security threats Microsoft Microsoft 365 User Privacy

Microsoft's Purview: A Leap Forward in AI Data Security

Microsoft has once again made significant progress in the rapidly changing fields of artificial intelligence and data security with the most recent updates to Purview, its AI-powered data management platform. The ground-breaking innovations and improvements included in the most recent version demonstrate the tech giant's dedication to increasing data security in an AI-centric environment.

Microsoft's official announcement highlights the company's relentless efforts to expand the capabilities of AI for security while concurrently fortifying security measures for AI applications. The move aims to address the growing challenges associated with safeguarding sensitive information in an environment increasingly dominated by artificial intelligence.

The Purview upgrades introduced by Microsoft have set a new benchmark in AI data security, and industry experts are noting. According to a report on VentureBeat, the enhancements showcase Microsoft's dedication to staying at the forefront of technological innovation, particularly in securing data in the age of AI.

One of the key features emphasized in the upgrades is the integration of advanced machine learning algorithms, providing Purview users with enhanced threat detection and proactive security measures. This signifies a shift towards a more predictive approach to data security, where potential risks can be identified and mitigated before they escalate into significant issues.

The Tech Community post by Microsoft delves into the specifics of how Purview is securing data in an 'AI-first world.' It discusses the platform's ability to intelligently classify and protect data, ensuring that sensitive information is handled with the utmost care. The post emphasizes the role of AI in enabling organizations to navigate the complexities of modern data management securely.

Microsoft's commitment to a comprehensive approach to data security is reflected in the expanded capabilities unveiled at Microsoft Ignite. The company's focus on both utilizing AI for bolstering security and ensuring the security of AI applications demonstrates a holistic understanding of the challenges organizations face in an increasingly interconnected and data-driven world.

As businesses continue to embrace AI technologies, the need for robust data security measures becomes paramount. Microsoft's Purview upgrades signal a significant stride in meeting these demands, offering organizations a powerful tool to navigate the intricate landscape of AI data security effectively. As the industry evolves, Microsoft's proactive stance reaffirms its position as a leader in shaping the future of secure AI-powered data management.


Read more »
Technology
AI Assistant AI Chatbot AI-powered tool Copilot Microsoft Microsoft 365 Microsoft Copilot Technology

Microsoft Copilot: New AI Chatbot can Attend Meetings for Users


A ChatGPT-style AI chatbot, developed by Microsoft will now help online users summarize their Teams meetings by drafting emails, and creating Word documents, spreadsheet graphs, and PowerPoint presentations in very little time. 

Microsoft introduced Copilot – its workplace assistant – earlier this year, labelling the product as a “copilot for work.”

Copilot which will be made available for the users from November 1, will be integrated to the subscribers of Microsoft 365 apps such as Word, Excel, Teams and PowerPoint – with a subscription worth $30 per user/month.

Additionally, as part of the new service, employees at companies who use Microsoft's Copilot could theoretically send their AI helpers to meetings in their place, allowing them to miss or double-book appointments and focus on other tasks.

‘Busywork That Bogs Us Down’

With businesses including General Motors, KPMG, and Goodyear, Microsoft has been testing Copilot, which assists users with tasks like email writing and coding. Early feedback from those companies has revealed that it is used to swiftly respond to emails and inquire about meetings. 

According to Jared Spataro, corporate vice president of modern work and business applications at Microsoft, “[Copilot] combines the power of large language models (LLMs) with your data…to turn your words into the most powerful productivity tool on the planet,” he said in a March blog post. 

Spataro promised that the technology would “lighten the load” for online users, stating that for many white-collar workers, “80% of our time is consumed with busywork that bogs us down.”

For many office workers, this so-called "busywork" includes attending meetings. According to a recent British study, office workers waste 213 hours annually, or 27 full working days, in meetings where the agenda could have been communicated by email.

Companies like Shopify are deliberately putting a stop to pointless meetings. When the e-commerce giant introduced an internal "cost calculator" for staff meetings, it made headlines during the summer. According to corporate leadership, each 30-minute meeting costs the company between $700 and $1,600.

Copilot will now help in reducing this expense. The AI assistant's services include the ability to "follow" meetings and produce a transcript, summary, and notes once they are over.

Microsoft, in July, noted that “the next wave of generative AI for Teams,” which included incorporating Copilot further into Teams calls and meetings.

“You can also ask Copilot to draft notes for you during the call and highlight key points, such as names, dates, numbers, and tasks using natural language commands[…]You can quickly synthesize key information from your chat threads—allowing you to ask specific questions (or use one of the suggested prompts) to help get caught up on the conversation so far, organize key discussion points, and summarize information relevant to you,” the company noted.

In regard to the same, Spataro states that “Every meeting is a productive meeting with Copilot in Teams[…]It can summarize key discussion points—including who said what and where people are aligned and where they disagree—and suggest action items, all in real-time during a meeting.

However, Microsoft is not the only tech giant working on making meeting tolerant, as Zoom and Google have also introduced AI-powered chatbots for the online workforce that can attend meetings on behalf of the user, and present its conclusions during the get-together.  

Read more »
Security
attackers Cyber Attacks Data Safety data security EvilProxy Hackers Microsoft Microsoft 365 Microsoft Office Safety Secure Data Security

EvilProxy Phishing Campaign Targets Microsoft 365 Executives Worldwide

 

Cybercriminals have launched an EvilProxy phishing campaign with the aim of infiltrating thousands of Microsoft 365 user accounts across the globe. 

Over a span of three months from March to June, the attackers distributed a barrage of 120,000 phishing emails targeting more than 100 organizations worldwide. The primary objective of this operation was to compromise high-ranking executive accounts, paving the way for subsequent, deeper attacks within these enterprises.

Researchers from Proofpoint have shed light on the ongoing campaign, revealing that it employs a range of phishing strategies, including brand impersonation, scan blocking, and a multi-step infection process. 

These tactics have enabled the attackers to successfully seize control of cloud accounts belonging to top-level executives. Notably, over the past half-year, there has been an alarming surge of over 100% in these takeover incidents. These breaches occurred within organizations that collectively represent 1.5 million employees globally.

The attackers leveraged the EvilProxy phishing-as-a-service platform, utilizing reverse proxy and cookie-injection methods. These techniques allowed them to bypass multi-factor authentication (MFA), which is often touted as a defense mechanism against phishing attacks. The use of tools like EvilProxy, which operate as reverse-proxy hacker tools, is making it increasingly feasible for malicious actors to overcome MFA.

Upon obtaining credentials, the attackers wasted no time in accessing executives' cloud accounts, achieving entry in mere seconds. Subsequently, they maintained control by employing a native Microsoft 365 application to incorporate their own MFA into the "My Sign-Ins" section. The favored method for this action was the "Authenticator App with Notification and Code."

Surprisingly, the researchers noted that there has been a rise in account takeovers among tenants with MFA protection. Their data suggests that at least 35% of all compromised users over the past year had MFA enabled.

The EvilProxy attack typically commences with attackers masquerading as trusted services such as Concur, DocuSign, and Adobe. They send phishing emails from spoofed addresses, purportedly originating from these services, containing links to malicious Microsoft 365 phishing sites.

Clicking on these links initiates a multi-step infection process involving redirects to legitimate sources like YouTube, followed by further redirects utilizing malicious cookies and 404 errors. This convoluted approach is designed to scatter the traffic, minimizing the chances of detection.

Ultimately, the user traffic arrives at an EvilProxy phishing framework—a landing page functioning as a reverse proxy. This page imitates recipient branding and third-party identity providers.

Despite the large number of attacks, the cybercriminals exhibited precision, specifically targeting top-tier executives. C-level executives were the focus in approximately 39% of the attacks, with 17% targeting CFOs and 9% aimed at presidents and CEOs.

The success of this campaign in breaching MFA and its extensive scale underscore the advancing sophistication of phishing attacks. This necessitates organizations to bolster their security measures and adopt proactive cybersecurity intelligence to detect anomalous activities, emerging threats, and potential vulnerabilities.

While the effectiveness of EvilProxy as a phishing tool is acknowledged, there remains a significant gap in public awareness regarding its risks and implications. 

Proofpoint recommends a series of steps to mitigate phishing risks, including blocking and monitoring malicious email threats, identifying account takeovers, detecting unauthorized access to sensitive cloud resources, and isolating potentially malicious sessions initiated through email links.
Read more »
Windows
Azure China CISA Cyber Security MFA Microsoft 365 Sensitive Data Leak User Data Windows

Microsoft Offers Free Security Features Amid Recent Hacks

Microsoft has taken a big step to strengthen the security of its products in response to the growing cybersecurity threats and a number of recent high-profile attacks. The business has declared that it will offer all users essential security features at no cost. Microsoft is making this change in an effort to allay concerns about the security of its platforms and shield its users from potential cyberattacks.

The Messenger, The Register, and Bloomberg all reported that Microsoft made the decision to offer these security capabilities free of charge in response to mounting demand to improve security across its whole portfolio of products. Recent cyberattacks have brought up important issues with data privacy and information security, necessitating the development of stronger protection methods.

A number of allegedly state-sponsored hacks, with China as a particular target, are one of the main drivers behind this tactical approach. Governments, corporations, and individual users all over the world are extremely concerned about these breaches since they target not only crucial infrastructure but also important data.

Improved encryption tools, multi-factor authentication, and cutting-edge threat detection capabilities are among the free security improvements. Users of Microsoft's operating systems, including Windows 10 and Windows 11, as well as cloud-based services like Microsoft 365 and Azure, will have access to these functionalities. Microsoft wants to make these crucial security features available to a broader variety of customers, independent of subscription plans, by removing the financial barrier.

Microsoft responded to the judgment by saying, "We take the security of our customers' data and their privacy extremely seriously. We think it is our duty to provide our users with the best defenses possible as threats continue to evolve. We believe that by making these security features available for free, more people will take advantage of them and improve their overall cybersecurity posture.

Industry professionals applaud Microsoft for choosing to offer these security measures without charge. This is a huge step in the right direction, said Mark Thompson, a cybersecurity analyst with TechDefend. Because these services are free, Microsoft is enabling its users to properly defend themselves against possible attacks as cyber threats become more complex.

The action is also in line with the work of other cybersecurity organizations, including the Cybersecurity and Infrastructure Security Agency (CISA), which has been promoting improved cooperation amongst IT businesses to battle cyber threats.

Although the choice definitely benefits customers, it also poses a challenge for other digital firms in the sector. Customers are expected to demand comparable initiatives from other big players in response to the growing emphasis on data security and privacy, driving the entire sector toward a more secure future.

Read more »
phishing
Cyber Attacks CyberCrime DDoS Email Microsoft 365 Microsoft Outlook Outlook phishing

Outlook Services Paralyzed: Anonymous Sudan's DDoS Onslaught

 


In the last few days, several distributed denial-of-service (DDoS) attacks have been launched against Microsoft Outlook, one of the world's leading email providers. Anonymous Sudan, a hackers' collective, has launched DDoS attacks against Microsoft Outlook. The attacks, which aim to disrupt services and create concerns about various issues, have disrupted Outlook users worldwide. Additionally, online platforms are quite vulnerable to cyber threats because they are hosted online. 

Several outages have been reported today on Outlook.com for the same reason as yesterday's outages. Anonymous Sudan, an Internet hacking collective, claims that it performs DDoS attacks against the service on hackers' behalf. 

It has been claimed, however, that the hacktivist group Anonymous Sudan is responsible for the attack. They assert that they are conducting a distributed denial of service (DDoS) attack on Microsoft's service in protest of US involvement in Sudanese internal affairs by operating cyberattacks against its infrastructure. 

Approximately 1 million Outlook users across the globe have been affected by this outage, which follows two more major outages yesterday. Due to this issue, Outlook's mobile app cannot be used by users in a wide range of countries as users cannot send or receive emails. 

There have been complaints on Twitter about Outlook's spotty email service. Users assert that it has impacted their productivity as a result. 

It was announced over the weekend that the hacktivist group would be launching a campaign against the US as a response to the US interference in Sudanese internal affairs recently as part of its anti-US campaign. They cited the visit made by Secretary of State Antony Blinken to Saudi Arabia last week, in which he discussed the ongoing humanitarian situation in the country. 

There has also been an announcement by the White House that economic sanctions will be imposed on various corrupt government entities in Sudan, including the Sudanese Armed Forces (SAF) and the Rapid Support Forces (RSF), which are considered responsible for the escalation of the conflict. 

In response to this, Anonymous Sudan launched a distributed denial of service attack in late November, targeting the ride-sharing platform Lyft, in an attempt to overload a site or server with bot requests, thereby essentially bringing it to a standstill. 

It is also worth noting that several regional healthcare providers across the country were also taken offline during the weekend campaign.

Email communication was interrupted by several disruptions, including delayed or failed delivery of messages, intermittent connectivity problems, and slow response times. This was as a result of this issue. Individual users were inconvenienced by these interruptions; however, businesses that rely on Outlook for their day-to-day operations were also facing challenges as a result of these disruptions. This attack demonstrates the vulnerability of online platforms and emphasizes the need for robust cybersecurity measures to guard against threats of this nature. This is to ensure online platforms remain secure. 

In many tweets posted to Twitter by Microsoft, the company has alternated back and forth between saying they have mitigated the issue and that the issue is back again, implying that these outages are caused by technical issues. 

A group called Anonymous Sudan is claiming responsibility for the outages, claiming they are out to protest the US infiltrating Sudanese internal affairs through its involvement in the DDoS attacks against Microsoft and claim responsibility for the outages as well.

As a result of the continuous DDoS attacks on Microsoft Outlook and Microsoft 365 services, the group has been taunting Microsoft in its statements in the past month. 

There is increasing evidence that Microsoft Outlook continues to suffer crippling attacks from Anonymous Sudan, which frequently result in the suspension of service and the growth of concerns about the security of the online environment due to DDoS attacks launched by Anonymous Sudan. It has been observed that these deliberate disruptions hurt the user experience and the online platform. This is because these disruptions expose them to cyber threats. 

This ongoing situation only confirms the importance of cybersecurity measures to safeguard critical online services. The necessity of introducing these measures would be essential to ensure their protection in the future. Additionally, it raises questions about the platform's ability to cope with persistent and coordinated attacks on its cybersecurity system. 

The case between Anonymous Sudan and Microsoft in a world where cybersecurity threats are increasing by the day, serves as a timely reminder of the importance of continuous vigilance. This is to prevent these threats from becoming stronger as they progress in a direction not fully understood by users.
Read more »
Technology
API Cyber Attacks CyberCrime Cybersecurity Education Microsoft 365 Phishing Attacks Technology

Microsoft 365 Phishing Attacks Made Easier With 'Greatness'

 


It is a method of stealing money, or your identity, by attempting to get you to reveal personal information through websites that pretend to be legitimate websites, such as credit cards, bank details, or passwords, that aim to get you to reveal your personal information. Cybercriminals often pose as reputable companies, friends, or acquaintances and send fake messages with a link to a phishing website.  

By enticing people to reveal personal information like passwords and credit card numbers, phishing attacks are intended to steal sensitive data or damage it by damaging users' computers. 

Even script kiddies have constructed convincing, effective phishing attacks against businesses using a service never heard of before, called phishing-as-a-service (PaaS). 

As many organizations around the world use the Microsoft 365 cloud-based productivity platform, it has become one of the most valuable targets for cybercriminals. These criminals use it to steal data and credentials to compromise their networks. 

During a Cisco Talos research update, researchers explained how phishing activity on the Greatness platform exploded between December 2022 and March 2023. This was when the platform was launched in mid-2022. 

Since the tool was introduced in mid-2022, it has been used in attacks on several companies across a variety of industries. These industries include manufacturing, healthcare, technology, and banking. 

At this point, approximately half of those targeted are in the United States. Attacks have also been carried out around Western Europe, Australia, Brazil, Canada, and South Africa, but the majority are concentrated in the US. 

As a result of these attacks, a wide range of industries, including manufacturing, healthcare, technology, education, real estate, construction, finance, and business services, are being targeted. 

It contains everything you will ever need to conduct a successful phishing campaign if you intend to play at being a phishing actor in the future. 

Using the API key that they have acquired for their service, the users will have access to the 'Greatness' admin panel and provided a list of email addresses that they wish to attack. 

It is the PhaaS platform, or as it is often called, that allocates the infrastructure needed to host the phishing pages and also to build the HTML attachments. This is like the server hosting the phishing pages. 

Afterward, the affiliate builds the content for the email and provides any other material needed, and changes any default settings if necessary. 

The process of taking on an organization is simple. A hacker simply logs into the enterprise using their API key; provides a list of target email addresses; creates the content of the email (and changes any other default details as they see fit). 

Greatness will authenticate on the real Microsoft platform based on the MFA code supplied by the victim once the MFA code is provided. This allows the affiliate to receive an authenticated session cookie through the Telegram channel provided by the service or through access to their web panel. 

As a result, many companies find that stolen credentials can also be used to breach their network security. This results in more dangerous attacks, like ransomware, being launched.
Read more »
Web Admin
Cyber Security Digital Infrastructure Microsoft 365 saaS Security Survey Web Admin

Influence of Digitalization on IT Admins

A SaaS software business named SysKit has released a report on the impact of digital transformation on IT administrators and the present governance environment. According to the report, 40% of businesses experienced a data breach in the last year. This can have a serious impact on an organization's productivity and lead to costly fines, downtime, and the loss of clients and certifications that are essential to its operations.

The research, held out in November, included 205 US IT managers who are in charge of overseeing the IT infrastructures of their firms, and it fairly depicts the target demographic. As per SysKit, improper zero trust and full trust implementation can result in data breaches. Based on the survey, 68% of respondents believe that the zero trust approach restricts the ability to collaborate, while 50% of respondents think that the full trust approach to governance is ideal.

The majority of IT administrators (82%) agree that non-technical staff who are resource owners must be more proactive in data reviews and workspace maintenance. Furthermore, when enquired about one‘s specific IT governance skills, 50% of the respondents stated that non-tech employees do not know how to properly apply external sharing policies, 56% believed they did not know how to properly apply provisioning policies, and 30% stated that their coworkers are not taking care of their inactive content. According to SysKit, this lack of knowledge can result in data leaks, unchecked workspace sprawl, and higher storage expenses.

The survey also revealed that excessive workloads, a lack of comprehension from superiors, and a misalignment of IT and business strategy are among the main issues for IT administrators. As technology continues to develop, organizations will face new opportunities and difficulties. Future applications of AI-based technologies have not yet been defined since they are still in their initial stages. 
Read more »
Microsoft 365
Cyber Attacks Cyber Phishing Cyber Threats Cyber-attacks Microsoft 365

Microsoft Upgrading Defender for 365 Users Teams

Last week, the technology giant Microsoft has announced that they are going to add some new advanced features to Microsoft Defender for Office 365 to allow Microsoft Teams users to alert their organization's security team of any deceitful messages they receive. 

Microsoft Defender for Office 365 (previously known as Office 365 Advanced Threat Protection or Office 365 ATP) works against malicious threats coming from malicious email messages, links, and collaboration tools to protect organizations. 

The new features are developing upon improvements announced in July 2021, allowing Microsoft Teams to automatically blocks phishing attempts. 

According to the given data on Microsoft's official website, this in-development feature will give power to admins to alter potentially dangerous messages targeting employees with malicious payloads or trying to redirect them to phishing websites. 

"End users will be able to report suspicious Microsoft Teams messages as a security threat just like they do for emails - to help the organization to protect itself from attacks via Microsoft Teams," Microsoft explains on the Microsoft 365 roadmap. 

Additionally, one of the users reported that Redmond is also developing new features for Office 365's Submissions experience to categorize the user-reported messages into individual tabs for Phish, Spam (Junk), and so on. 

However, as per the process, it is expected that the advance submission feature will be available to the general public next month, the new user reporting capability is now in preview and will most likely roll out to standard multi-tenants until the end of January 2023 to desktop and web clients worldwide. 

Microsoft extended Defender for Office 365 Safe Links protection to the Teams communication platform to help customers from malicious URL-based phishing attacks. 

"Safe Links in Defender for Office 365 scans URLs at the time of click to ensure that users are protected with the latest intelligence from Microsoft Defender,” Microsoft further told.
Read more »
Microsoft 365
Command and Control(C2) Crypto Cryptojacking Cyber Security LOL bins MFA Microsoft 365

Microsoft Facing a Growing Threat by Cryptojackers

 

Cryptojackers, are still invading computers all over the world while also getting more discreet and skilled at evading detection. The data was released by Microsoft's 365 Defender Research Team, which on Thursday posted a new analysis of cryptojackers on its blog.

Microsoft Defender Antivirus detects cryptojackers on more than 200,000 devices per day using a variety of sensors and innovative detection techniques, including its connection with Intel TDT. In campaigns, hackers strongly favor the exploitation of notepad.exe over several valid system utilities.

What are Cryptojackers?

Cryptojackers are mining viruses that hijack and use a target's device resources for the former's gain without the user's knowledge or approval. They are one of the threat categories that have emerged and thrived since the advent of cryptocurrencies. The threat data indicates that over the past year, companies have encountered millions of cryptojackers.

Furthermore, as per Microsoft, Javascript is frequently used in the creation of cryptojackers, which in this instance use browsers to infiltrate systems. The tech titan also cautioned against fileless cryptojackers, who mine in a device's memory and maintain persistence by abusing legal programs and LOLBins.

Cryptojacking operation

Among several legitimate system utilities, notepad.exe abuse is heavily favored by attackers in campaigns that have been observed. An improved version of the cryptojacker known as Mehcrypt was employed in this campaign. 
  • This is a significant improvement over the previous version, which used a script to access its command-and-control (C2) server and download additional components that later carried out malicious deeds. 
  • The new version also condenses all of its routines into a single script and connects to a C2 server in the final stage of its attack chain.
  • An archive file containing autoit.exe and a heavily obscured, arbitrarily named.au3 script serves as the threat's delivery vehicle. 
  • Autoit.exe is started when the archive file is opened, and it decodes the.au3 script in memory. 
  • When the script is executed, it continues to decode more obfuscation layers and loads more decoded scripts into memory.
  • The script then places a copy of itself and autoit.exe in a folder with an arbitrary name under C:ProgramData.
  • To run the script each time the device begins, the script inserts autostart registry entries and generates a scheduled task to destroy the original files.
  • The software then incorporates persistence methods, loads malicious code into VBC.exe using process hollowing, and establishes a connection to a C2 server to wait for commands. 
  • The software loads its cryptojacking code into notepad.exe using process hollowing based on the C2 answer.

The warning was issued just a few weeks after Microsoft released a study describing how a widespread phishing effort managed to steal sign-in credentials, hijack sign-in sessions, and bypass the authentication step even when multi-factor authentication (MFA) was turned on.
Read more »
Supply Chain Attack
Cyber Attacks Email Attacks Microsoft 365 Phishing Attacks Supply Chain Attack

Email Threat Report for 2022 via Abnormal Security

The premier AI-based cloud-native email security platform, Abnormal Security, today published its H2 2022 Email Threat Report. The study examines the state of the email threat landscape. It provides data on the most recent events in email attack methods, such as the emergence of brand impersonation in credential phishing and the expansion of business email compromise.

According to the report, email attacks have increased by 48% in the last six months, and 68.5% of them have links that steal credentials. In 15% of phishing emails, fraudsters impersonated well-known companies in addition to internal staff and executives, relying on the familiarity and goodwill of the brands to persuade employees to divulge their login information. Microsoft items and social networks were the two 265 brands that were most frequently impersonated in these attacks.

"Most cybercrime nowadays is successful because it preys on the individuals using the computer. By compromising individuals rather than networks, attackers may more easily get beyond standard security precautions" stated Crane Hassold, head of threat intelligence at Abnormal Security.

LinkedIn was perhaps the most frequently impersonated brand, although 20% of all attacks also included Outlook, OneDrive, and Microsoft 365. Since employee email accounts are frequently hacked through phishing emails, these attacks are hazardous. By gaining Microsoft login information, fraudsters can gain access to the entire range of linked goods, access sensitive information, and use the account to launch business email compromise attacks. 

Findings from the report entail:
  • The target of more than a third of brand-impersonation-based credential phishing attacks was a school or a place of worship.
  • BEC attacks rose by 150% year over year, proving the growing risk of these truly severe threats to financial stability. 
  • BEC attacks target every area, but advertising and marketing organizations continue to be the most vulnerable, with an 83% weekly chance of being the target.
  • Nearly every level of business is being targeted by financial supply chain hacks, with 89% of major enterprises experiencing at least one vendor assault each week.
"We generally understand that email attacks target businesses of all sizes and in all sectors, but these findings just serve to confirm our suspicions. Since the most sophisticated attacks are very difficult to distinguish from a genuine email from that brand, brand impersonation is particularly concerning for cybersecurity leaders," according to Mike Britton, a chief information security officer at Abnormal Security.

Abnormal Security has also introduced Abnormal Intelligence, a research and data hub devoted to offering insight into emerging new threats across the threat landscape, in support of its objective to shield enterprises from cybercrime. 

This portal, which showcases some of the most inventive assaults targeting Abnormal consumers, is made to assist firms in staying informed of new trends and attacks. The website offers threat intelligence content in the form of blog entries, downloadable materials, and webinars in addition to the daily feed of actual attacks. 
Read more »
Vulnerabilities and Exploits
domains Microsoft 365 Phishing Attacks Snapchat URL Vulnerabilities and Exploits

Phishing Scam Exploit's American Express, Snapchat Open-Redirect Threats

Phishing emails aimed at users of Google Workspace and Microsoft 365 have been sent as a result of open-redirect vulnerabilities affecting the American Express and Snapchat domains.

The term "open redirects" refers to a software vulnerability that makes it simpler for hackers to point users toward harmful resources they control.

Vulnerabilities :

Open redirect occurs when a website doesn't validate user input, allowing hackers to modify the URLs of domains with stellar reviews to route consumers to malicious sites. Because the initial domain name in the altered link is a well-known one, like American Express or Snapchat, victims will believe it.

The link may seem secure to an untrained eye because the first domain name in the modified link is actually the domain name of the original site. According to email security firm INKY, the trusted domain, such as American Express or Snapchat, serves as a temporary landing page before redirecting the user to a malicious website.

DocuSign, FedEx, and Microsoft were used as baits in phishing emails distributed to the Snapchat group, which led to sites that harvest user credentials. Researchers from Inky claim that 6,812 phishing emails sent from Google Workspace and Microsoft 365 hacked over the course of two and a half months used the Snapchat open redirect.

On August 4, 2021, professionals informed Snapchat of a vulnerability through the Open Bug Bounty site, but nothing has been done to fix it.

The matter was made worse by the discovery of the American Express open-redirect vulnerability in more than 2,000 phishing emails in only two days in July. The vulnerability has since been patched, as per the report, and any user who opens the link now is led to an error page on the company's legitimate website.

Prevention cautions

Roger Kay of INKY provided easy measures for preventing open redirect attacks:
  • Domain owners can undertake a few easy actions if they want to further reduce open redirect attacks. First, don't use redirection at all in your site architecture. Domain owners can, however, build an allowlist of permitted safe links to reduce open-redirect misuse if it's required for business reasons.
  • Additionally, domain owners have the option to display caution about external links before forwarding viewers to external websites.
  • Users should be on the lookout for URLs that include things like "url=," "redirect=," "external-link," or "proxy" as they explore websites online. These strings can suggest that a reputable domain might reroute traffic to another website.
  • Additionally, recipients of emails with links should look for repeated instances of "http" in the URL, another possible sign of redirection.

Read more »
Microsoft Web Server
Code Execution Flaw Cyber Security ECS Instances MFA Microsoft 365 Microsoft Web Server

Microsoft Hit by Huge Service Outage


This week's 6-hour-long global outage of Microsoft 365 was caused by a flawed Enterprise Configuration Service (ECS) deployment, as per a preliminary post-incident review. This deployment caused cascade errors and availability effects across numerous locations.

ECS is an internal central configuration repository created to allow Microsoft services to make targeted updates, such as particular configurations per tenant or user, as well as broad-scope dynamic changes affecting many services and features.

According to Microsoft, a recent deployment that featured a "broken link to an internal storage service" was the most likely reason for an outage that prevented many customers from accessing or using a variety of Microsoft 365 products for several hours.

Access to several Microsoft services, including Microsoft Teams, Exchange Server, Microsoft 365 admin center, Microsoft Word, and other Office programs, was slowed down as a result of the service issues, which began on Wednesday, July 20 in the evening and persisted into Thursday morning. Microsoft Managed Desktop and other services were also not able to auto-patch due to the problem.

Overview of the outage

Through its public Twitter statements, Microsoft failed to mention the location of the disruptions. According to comments in Microsoft's Twitter statement, the Teams outage appears to have impacted users in Los Angeles, Dallas, New York City, Hong Kong, and Eastern Australia.

With its cloud computing, Microsoft does have a complex service level agreement. Accordingly, the sole form of compensation for any downtime that an organization can receive is a service-time credit. Additionally, since it is not automatically applied, they must ask for the service credit.

"Telemetry shows that this incident had an impact on about 300,000 calls. Due to business hours falling inside the effect timeframe, the Asia Pacific (APAC) region was the most impacted. Direct Routing and Skype MFA were also significantly affected," the company explained.


What sparked the outage?

In the end, the incident had an impact on users seeking to use one or more of the Microsoft 365 apps and services, according to Bleeping Computer.

The botched Enterprise Configuration Service (ECS) deployment was the initial root cause of this outage, as stated by Redmond in their incident report. "Backward compatibility with services that use ECS was impacted by a deployment of the ECS service that had a code flaw. The end result was that it would send inaccurate configurations to all of its partners for services using ECS " the firm stated.

As a result, downstream services received a status response with the code 200, suggesting that the pull was successful, but it just included a JSON object that was poorly formatted. How each Microsoft service used the flawed configuration supplied by ECS determined the impact's severity. Impact varied from services collapsing, like Teams, to low or no impact on other services.

Microsoft claims that as a result of this incident, they are working to strengthen the Microsoft Teams service's resilience so that it may fall back to a previous version of the ECS configuration in the case of a future ECS failure.


Read more »
Vishing
CAPTCHA Security Cisco Cyber Security FBI Japan Malicious actor Microsoft 365 Phishing emails URL Vishing

Phishing Emails Faking Voicemails aim to Steal Your Data

 

Vishing is the practice of sending phishing emails to victims that appear to be voicemail alerts to acquire their Microsoft 365 and Outlook login information. Researchers at Zscaler's ThreatLabz said this email campaign, which resembles phishing emails from a few years ago, was discovered in May and is still active. 

The researchers stated this month that the recent wave targets US organizations across various industries, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain. 

An email is where it all begins

Attackers inform recipients of missed voicemails via email notifications that contain links to web-based attachments. Although many people don't check voicemail, audio messages on LinkedIn and WhatsApp have been there for a while, so using them to deceive consumers into clicking a link in an email can be successful. 

Naturally, when the target clicks the link, they are taken to a credential phishing web page hosted on Japanese servers rather than a voicemail at all. The user gets directed to the Microsoft Office website or the Wikipedia page if the encoded email address at the end of the URL is missing.

The user is shown the final page, which is an Office 365 phishing page after they have correctly supplied the CAPTCHA information. The 2020 campaign Zscaler tracked using the same approach. 

"Since they can persuade the victims to open the email attachments, voicemail-themed phishing attacks continue to be an effective social engineering strategy for attackers. This, together with the use of evasion techniques to get around automatic URL inspection tools, aids the threat actor in acquiring the users' credentials more successfully "reports Zscaler ThreatLabz

Microsoft 365 Remains a Popular Victim 

In a 2022 Egress research titled "Fighting Phishing: The IT Leader's View," it was found that 40% of firms utilizing Microsoft 365 reported becoming victims of credential theft, and 85% of organizations using Microsoft 365 reported being victims of phishing in the previous 12 months. 

As the majority of businesses quickly transitioned to a primarily remote-work style, with many workers working from their homes, phishing usage continued to increase. It peaked during the peak of the COVID-19 pandemic in 2020 and 2021. 

A substantial majority of credentials have been successfully compromised by the effort, which can be utilized for a number of different cybercrime endgames. These consist of taking control of accounts to gain access to files and data theft to send malicious emails that appear to be from a legitimate organization, and implanting malware,. The goal is to trick victims into using the same passwords for several accounts by adding the user ID/password combinations to credential-stuffing lists. 

A rich mine of data that may be downloaded in bulk can usually be found in Microsoft 365 accounts, according to Robin Bell, CISO of Egress. Hackers may also use compromised Microsoft 365 accounts to send phishing emails to the victim's contacts in an effort to boost the success of their attacks.
Read more »
Yahoo
API GitHub malware Microsoft 365 Microsoft Azure TLS Certificates URL Yahoo

To Mimic Microsoft, Phishing Employs Azure Static Web Pages

 

Microsoft Azure's Static Web Apps service is being exploited by phishing attacks to acquire Microsoft, Office 365, Outlook, and OneDrive passwords. Azure Static Web Apps is a Microsoft tool that allows to build and deploy full-stack web apps to Azure using code via GitHub or Azure DevOps.

MalwareHunterTeam, a security expert, uncovered the campaign. Attackers might imitate custom branding and website hosting services to install static landing phishing sites, according to the study. Users using Microsoft, Office 365, Outlook, and OneDrive services are being targeted by attackers who are actively mimicking Microsoft services. 

Several of the web pages and login pages in these phishing attempts are nearly identical to official Microsoft pages. Azure Static Web Apps is a program that uses a code repository to build and publish full-stack apps to Azure. 

Azure Static Apps has a process that is customized to a developer's everyday routine. Code changes are used to build and distribute apps. Azure works exclusively with GitHub or Azure DevOps to watch a branch of their choice when users establish an Azure Static Web Apps resource. A build is automatically done, and your app and API are published to Azure every time they post patches or allow codes into the watched branch. 

Targeting Microsoft users with the Azure Static Web App service is a great strategy. Because of the *.1.azurestaticapps.net wildcard TLS certificate, each landing page gets its own secure page padlock in the address bar. After seeing the certificate granted by Microsoft Azure TLS Issuing CA 05 to *.1.azurestaticapps.net, even the most skeptical targets will be fooled, certifying a fraud site as an official Microsoft login screen in the eyes of potential victims.

Due to the artificial veil of security supplied by the legitimate Microsoft TLS certs, such landing sites are also useful when targeting users of other platforms, such as Rackspace, AOL, Yahoo, or other email providers. 

When trying to figure out if one is being targeted by a phishing assault, the typical advice is to double-check the URL whenever we're asked to enter one's account credentials in a login. Unfortunately, phishing efforts that target Azure Static Web Apps render this advice nearly useless, since many users will be fooled by azurestaticapps.net subdomain and genuine TLS certificate.
Read more »
saaS
cybercriminals Malicious Codes malware Microsoft 365 Ransomware attack saaS

In 2021, Ransomware Threats were Self-Installed

 

According to Expel, a managed detection and response (MDR) company, the majority of ransomware assaults in 2021 were self-installed. The revelation was made in the annual report on cybersecurity trends and predictions, 'Great eXpeltations'. 

Eight out of ten ransomware outbreaks were caused by victims unintentionally opening a zipped file containing malicious code. While, 3% of all ransomware cases were produced via abusing third-party access, and some 4% were caused by exploiting a software weakness on the perimeter. 

Ransomware is a sort of software that locks users out of the computer and demands payment in exchange for access. The data on the computer could be stolen, destroyed, or hidden, or the computer itself could be locked; some ransomware may try to infect other computers on the network.

BEC (business email compromise) efforts accounted for 50% of cases, with SaaS apps being the most common target. More than 90% of the attacks targeted Microsoft Office 365, with attacks against Google Workspace accounting for less than 1% of all events. Okta was the objective of the remaining 9%. 

Ransomware was responsible for 13% of all opportunistic attacks. Legal services, communications, financial services, real estate, and entertainment were the top five industries attacked. Furthermore, Expel discovered that 35 percent of web app hacks resulted in the deployment of a crypto miner.

Is the user at risk of being a victim of a ransomware assault due to security flaws?

  • The device in use is no longer cutting-edge. 
  • The device's software is out of date. 
  • No longer are browsers and/or operating systems patched. 
  • There is no suitable backup plan in place. 
  • Cybersecurity has received insufficient attention, and no solid plan has been put in place. 

How to Protect Oneself against Ransomware: 

  • Set up a firewall.
  • Have immutable backups. 
  • Staff Awareness Through Network Segmentation. 
  • Password Strengthening.
  •  Security Enhance Endpoint Security. 
  • Increase the Security of Your Email.
  • Use the Least Privilege Principle. 
  • Install ad blockers.

When it comes to combating ransomware, caution and the deployment of effective protection software, like with other forms of malware, are a good start. The development of backups is especially important when dealing with this form of malware, as it allows users to be well prepared even in the worst-case scenario.
Read more »
Windows
Anti Malware Tool Cyber Fraud Microsoft 365 Spam Warning Windows

Microsoft Defender Log4j Scanner Prompts False Positive Alarm


Microsoft Defender for Endpoint is presently displaying "sensor tampering" alarms for Log4j processes, which are related to the company's newly created Microsoft 365 Defender scanner.

Windows has been experiencing a variety of other alert difficulties with Defender for Endpoint since October 2020. This includes an alert that incorrectly identified Office documents as Emotet malware payloads, another that incorrectly identified network devices as Cobalt Strike infected, and still another that incorrectly identified Chrome upgrades as PHP backdoors. 

Microsoft 365 Defender not only unifies your perspective on security events across many advancements but also offers a slew of advanced connectivity and automation capabilities. 

This increases the effectiveness and viability of having a security investigator on staff. Microsoft has been working on the secret foundations for Microsoft 365 Defender for quite some time now, employing Microsoft 365 Defender will assist you with running inquiries that can recognize any or the entirety of the accompanying:

  •  Machines tainted with a particular payload.
  •  Altered letter drops.
  •  Malevolent action and the personalities in question. 
  • Weaknesses brought about by an uncovered CVE. 
Microsoft 365 Defender consolidates the telemetry and bits of knowledge drawn from the accompanying items: 
  • Microsoft Defender for Office 365 (recently known as Office 365 Advanced Threat Protection)
  • Microsoft Defender for Identity (recently known as Azure Advanced Threat Protection) 
  • Microsoft Defender for Endpoint (recently known as Microsoft Defender Advanced Threat Protection) 
  • Microsoft Cloud App Security (MCAS) 
  • Purplish blue Identity Protection (AIdP) 

Microsoft 365 Defender brings all of these advancements together in a single security task center. You can see how Microsoft 365 Defender associates and provides information from these advancements in the control center, and you may use crucial automated exercises to address them. 

Although the behavior of this Defender process is categorized as malicious, there is no need to be concerned because these are false positives, as per Tomer Teller, Principal Group PM Manager at Microsoft, Enterprise Security Posture,

Microsoft is presently researching the Microsoft 365 Defender issue and working on a patch that should be available to affected PCs soon. "This is a result of our efforts to detect Log4J instances on disc." "The team is looking into why this is causing the warning," Teller further added. 
Read more »
Trojan
Credential stealing malware Microsoft Microsoft 365 Qakbot Ransomware Sensitive data TrickBot Trojan

This Decade-old Malware has Picked Some Nasty New Tactics

 

Qakbot, a popular trojan for stealing bank credentials, has recently started delivering ransomware, making it more difficult for network defenders to identify what is and isn't a Qakbot attack. 

Qakbot is a particularly versatile piece of malware that has been active for over a decade and has survived despite Microsoft and other security firms' multi-year attempts to eliminate it. In 2017, Qakbot adopted WannaCry's lateral movement techniques, such as infecting all network shares and drives, brute-forcing Active Directory accounts, and creating copies of itself using the SMB file-sharing protocol. 

According to Kaspersky's new investigation of Qakbot, it is unlikely to go away very soon. As per its detection statistics for Qakbot, it infected 65 per cent more PCs between January and July 2021 than it did the previous year. As a result, it is becoming increasingly dangerous. 

Qakbot is modular, as per Microsoft, allowing it to masquerade as unique attacks on each device on a network, making it tough to identify, prevent, and remove by defenders and security tools. 

The Microsoft 365 Defender Threat Intelligence Team stated in its report, "Due to Qakbot's high likelihood of transitioning to human-operated attack behaviours including data exfiltration, lateral movement, and ransomware by multiple actors, the detections seen after infection can vary widely." 

Given the difficulty in identifying a common Qakbot campaign, the Microsoft team has profiled the malware's approaches and behaviours to aid security analysts in detecting it. Emailed attachments, links, or embedded images are the most common distribution methods. It is also known to attack machines using Visual Basic for Applications (VBA) macros and legacy Excel 4.0 macros. In July, TrendMicro examined a significant Qakbot campaign that employed this tactic. 

Qakbot hides harmful processes using process injection, creates scheduled activities that stay on the machine, and manipulates the Windows registry. Once installed on an infected system, it uses a variety of lateral movement techniques, as well as the Cobalt Strike penetration-testing framework and ransomware. 

Last year, the FBI warned that Qakbot trojans were spreading ProLock, a type of "human-operated ransomware." It was a concerning discovery since machines infected with Qakbot on a network must be separated because they act as a ransomware attack's bridge. Microsoft noted that Qakbot has used MSRA.exe and Mobsync.exe for process injection to conduct various network 'discovery' commands and steal Windows credentials and browser data. 

Other criminal groups can use Qakbot's Cobalt Strike module to deploy their own payloads, such as ransomware. As per Trend Micro, Qakbot has delivered MegaCortex and PwndLocker (2019), Egregor, and ProLock (2020), and Sodinokibi/REvil (2021).

"Qakbot has a Cobalt Strike module, and actors who purchase access to machines with prior Qakbot infections may also drop their own Cobalt Strike beacons and additional payloads," Microsoft noted. 

"Using Cobalt Strike lets attackers have full hands-on-keyboard access to the affected devices, enabling them to perform additional discovery, find high-value targets on the network, move laterally, and drop additional payloads, especially human-operated ransomware variants such as Conti and Egregor." 

Activating Office 365 phishing protection, enabling SmartScreen and network in the Edge browser, and ensuring runtime macro scanning by turning on Windows Antimalware Scan Interface (AMSI) is among Microsoft's recommended mitigations to reduce Qakbot's impact. Microsoft Defender antivirus and other third-party antivirus vendors support AMSI. AMSI support for Excel 4.0 macros was added in March, so it's still a new feature.
Read more »
Phishing Campaign
Cyber Security Login Credentials Microsoft 365 Multi-factor authentication Phishing Campaign

Proofpoint Phish Harvests Credentials from Microsoft Office 365 and Google Email

 

Phishers are posing as Proofpoint, a cybersecurity company, in order to steal victims' Microsoft Office 365 and Google email credentials. According to Armorblox analysts, one such effort was launched against an undisclosed global communications business, with roughly a thousand personnel targeted solely within that company. 

“The email claimed to contain a secure file sent via Proofpoint as a link,” they explained in a posting on Thursday. “Clicking the link took victims to a splash page that spoofed Proofpoint branding and contained login links for different email providers. The attack included dedicated login page spoofs for Microsoft and Google.” 

A file apparently related to mortgage payments was the email's bait. The subject line, "Re: Payoff Request," was designed to trick targets into thinking it was part of an ongoing conversation, offering validity to the proceedings while also adding urgency. Users were led to a splash page with Proofpoint branding and login spoofs if they clicked on the "secure" email link embedded in the message. 

“Clicking on the Google and Office 365 buttons led to dedicated spoofed login flows for Google and Microsoft respectively,” researchers explained. “Both flows asked for the victim’s email address and password.”

Researchers discovered another phishing campaign that appears to be abusing an Amazon service called Amazon Simple Email Service (SES), which allows developers to send email messages from their apps. According to Kaspersky, the campaign was based on a now-revoked stolen SES token used by a third-party contractor during the testing of the website 2050.earth. The 2050.earth website is a Kaspersky initiative that includes an interactive map depicting the future impact of technology on the Earth, as predicted by futurologists. Because the 2050.earth site is housed on Amazon's infrastructure, the stolen SES token is linked to Kaspersky and SES. 

Noreply@sm.kaspersky.com is one of the sender addresses used in these emails. The security alert cautioned that they come from a variety of sources, including Amazon Web Services infrastructure. The stolen SES token was only utilized in a restricted way, according to the company, as part of a larger campaign that targeted many brands. 

Social engineering, brand impersonation, and the utilization of genuine infrastructure are used in attacks like these to get through typical email security filters and consumers' eye checks. Armorblox made the following suggestions to protect against similar campaigns: 

 • Be wary of social engineering: Before opening an email, users should perform a visual inspection that involves looking at the sender's name, email address, language, and any logical flaws. 

 • Improve password hygiene: Implement multi-factor authentication (MFA) on all potential corporate and personal accounts, avoid the usage of the same password across several sites/accounts, and avoid passwords that are linked to publicly available data.
Read more »
Subscribe to: Posts (Atom)