You searched for proofpoint - My TechDecisions
https://mytechdecisions.com/
Thu, 18 May 2023 15:49:29 +0000

Research: Microsoft Teams Can Be Used for Malware Delivery
https://mytechdecisions.com/it-infrastructure/research-microsoft-teams-can-be-used-for-malware-delivery/
Thu, 18 May 2023 15:49:29 +0000

It is common knowledge that Azure, PowerShell, Exchange and other Microsoft tools and services are popular targets of threat actors, but Microsoft Teams is emerging as one of the most targeted Microsoft applications. According to enterprise security firm Proofpoint, Microsoft Teams is now one of the 10 most targeted sign-in applications, with nearly 40% of targeted organizations having at least one unauthorized login attempt trying to gain access.

Proofpoint’s data comes from an analysis of over 450 million malicious sessions detected throughout the second half of 2022 targeting Microsoft 365 cloud tenants. While Microsoft Teams is last on the list, its presence on the list alone signifies how attackers are pivoting to target heavily used applications on which many organizations rely to support hybrid work models.

The company says its researchers have discovered several new ways that attackers are using Microsoft Teams for malicious purposes, including using tabs for phishing users and instant malware downloads, and weaponizing meeting invites and messages via malicious links.

These actions essentially allow threat actors to conduct Microsoft 365 credential attacks, deliver malware and maintain persistence in a victim’s cloud environment.

Malicious tabs

According to Proofpoint, researchers have discovered that using undocumented Microsoft Teams API calls, tabs can be reordered and renamed so the original tab can be swapped with a new custom tab. The company says manipulating tabs “could be part of a potent and largely automated attack vector” following an account compromise.

Attackers could also use a native app, “Website,” to pin a chosen website as a tab at the top of a Teams channel or chat. After pinning a “Website” instance as a tab, attackers can manipulate the tab’s name, change it to an existing tab’s name, and reposition it to push the native tab out of view and increase the chances of a user clicking the fraudulent tab, which could bring users to a malicious site.

“This could be extremely attractive for attackers, seeing as, by design, a website tab’s URL is not displayed to users unless they deliberately visit the tab’s ‘Settings’ menu,” Proofpoint researchers write in a blog post.

The website tab could also be used to point to a file that causes Teams to automatically download the file to the user’s device, potentially inserting malicious droppers inside the victim environment.

Meeting invites

Proofpoint also identifies meeting invites as another tool attackers can use, as the Microsoft Teams platform syncs with a user’s calendar to display, create and edit scheduled meetings. When a Teams meeting is created, several links are generated and sent within the meeting’s description that allow users to join the meeting or download the Teams desktop client.

Hackers typically need access to Outlook or Exchange to manipulate the content of a meeting invite, but access to a user’s Teams account allows them to manipulate the invite using Teams API calls to swap default links with malicious ones that bring users to phishing pages or malware-hosting sites, Proofpoint researchers say.

Hyperlinks in messages

If attackers have access to a user’s Microsoft Teams token, they can also use Teams’ API or user interface to weaponize existing links sent in messages by replacing benign links with malicious ones, which wouldn’t change the presented hyperlink, Proofpoint says.

“Given that Teams API allows for the rapid and automatic enumeration and editing of links included in private or group chat messages, a simple script run by attackers could weaponize countless URLs within seconds,” researchers say.

Afterward, a threat actor can use social engineering and send new messages to encourage unsuspecting users to click or revisit the weaponized link.

Guidance and recommendations

According to Proofpoint, Microsoft offered the following guidance after Proofpoint researchers disclosed their research: “Microsoft encourages users to observe security best practices in Microsoft Teams and to adopt industry-standard best practices for security and data protection including embracing the Zero Trust Security model and adopting robust strategies to manage security updates, antivirus updates, and authentication. More information on Zero Trust Security is available at https://aka.ms/zerotrust.”

Read the company’s blog for more information, including recommendations on how to prevent these attacks.

CISOs Are Less Confident in Their Organization’s Security in 2023
https://mytechdecisions.com/network-security/proofpoint-ciso-2023/
Tue, 16 May 2023 17:15:02 +0000

The pandemic introduced an entirely new way of working that delighted many end users, but IT departments and cybersecurity professionals had their work cut out for them as they were required to deploy, manage and secure technologies designed to support distributed work. That shift to distributed work resulted in new cyberattack vectors that had even the most seasoned security professionals gasping for air, but those feelings subsided in 2022 as organizations adapted and adjusted to the new reality.

However, new data from cybersecurity firm Proofpoint suggests that cybersecurity leaders are again at their wits’ end as 68% of chief information security officers (CISOs) now feel at risk for a material cyberattack, compared to just 48% in 2022.

The Sunnyvale, Calif.-based firm says in its 2023 Voice of the CISO report that this is a shift back to 2021, when 64% of CISOs believed a material cyberattack was imminent.

Similarly, CISOs now feel that their organizations are less prepared for a cyberattack than last year, with Proofpoint’s research showing that 61% feel unprepared for an attack versus 50% that felt the same last year. In 2021, 66% of CISOs said their organizations were unprepared.

The report, the results of a survey from more than 1,600 cybersecurity leaders across 16 countries, essentially concludes that CISOs no longer feel the sense of calm they briefly experienced after the initial onslaught of attacks and distributed infrastructure during the pandemic.

Why are CISOs less confident than they were in 2022?

Proofpoint’s 2023 Voice of the CISO report finds that several factors are contributing to less-than-ideal confidence among security leaders, including a possible economic downturn, employee turnover, increasing threats and unreasonable job expectations.

According to the study, email fraud, insider threats, cloud account compromise and DDoS attacks were the four most concerning threat categories cited by CISOs this year, largely unchanged from last year.

However, the research also suggests that cyber awareness among employees continues to be lacking, as 60% of CISOs say human error is their organization’s biggest cyber vulnerability, compared to 56% and 58% who said the same in 2022 and 2021, respectively.

In addition, just 61% of CISOs believe employees understand their role in helping prevent cyberattacks.

CISOs also feel that the loss of sensitive data is exacerbated by employee turnover, with 63% of security leaders reporting having to deal with a material loss of sensitive data in the past 12 months. Of those, 82% agreed that employee turnover contributed to the loss.

Security leaders are clearly feeling more pressured, with 61% reporting they face unreasonable job expectations, a significant increase from 49% who said the same last year. That is leading to 62% saying they are concerned about personal liability and 60% reporting burnout in the past 12 months.

“Back to ‘business as usual’, they are less assured in their organization’s abilities to defend against cyber risk,” says Lucia Milică Stacy, global resident CISO at Proofpoint. “Our 2023 Voice of the CISO report reveals that amidst the rising difficulties of protecting their people and defending data, CISOs are being tested at a personal level with higher expectations, burnout, and uncertainty about personal liability.”

What You Need to Know About Cisco XDR
https://mytechdecisions.com/network-security/cisco-xdr/
Mon, 01 May 2023 15:58:30 +0000

Cisco is launching a new extended detection and response (XDR) solution this summer as part of Cisco Security Cloud, a unified, AI-driven, cross-domain security platform designed to converge the company’s expertise and visibility across the network and endpoints into one security solution.

The company announced the news during the annual RSA Conference. In addition, the company announced new advanced features in all editions of Duo MFA, Cisco’s access management solution.

What is Cisco’s new XDR offering?

According to the company, Cisco XDR is a cloud-first solution designed to simplify investigation of cyber incidents and enable security operations centers to immediately remediate threats.

Cisco XDR applies analytics to prioritize detections and moves the focus from endless investigations to remediating the highest priority incidents with evidence-backed automation, the company says.

Different from traditional security information and event management (SIEM) solutions, Cisco says its new XDR solution focuses on telemetry-centric data and delivers much faster outcomes by natively analyzing and correlating six telemetry sources that are critical to SOC operations.

The company calls Cisco XDR “as close to real-time as possible,” dealing with high-fidelity data with insight into every mailbox, forward, packet and process.

Those six telemetry sources are endpoint, network, firewall, email, identity and DNS, according to Cisco.

For endpoints, Cisco XDR leverages insight from 200 million endpoints with Cisco Secure Client, formerly AnyConnect, to provide process-level visibility of where the endpoint meets the network, the company says.

Integrations with third-party security vendors

According to Cisco, the XDR solution integrates with many third-party vendors to share telemetry and increase interoperability, with an initial set of out-of-the-box integrations that include:

  • Endpoint Detection and Response (EDR): CrowdStrike Falcon Insight XDR, Cybereason Endpoint Detection and Response, Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, SentinelOne Singularity, Trend Vision One
  • Email Threat Defense: Microsoft Defender for Office, Proofpoint Email Protection
  • Next-Generation Firewall (NGFW): Check Point Quantum, Palo Alto Networks Next-Generation Firewall
  • Network Detection and Response (NDR): Darktrace DETECT and Darktrace RESPOND, ExtraHop Reveal(x)
  • Security Information and Event Management (SIEM): Microsoft Sentinel

By sharing data across vendor lines and applying advanced analytics on that telemetry, Cisco XDR can quickly find and respond to sophisticated attacks, the company says.

When is Cisco XDR available?

According to the company, the XDR solution is currently in beta and will be generally available in July 2023.

Duo MFA enhancements

Cisco says it is adding Trusted Endpoints to all of its paid Duo editions. This was previously only available in Duo’s highest tier, but it is now available in all paid editions starting May 1.

According to Cisco, Trusted Endpoints allows only registered or managed devices to access resources. Trusted Endpoints is now offered alongside Single Sign-On, MFA, Passwordless and Verified Push within the entry-level Duo Essentials edition.

Proofpoint Unveils New Innovations to Combat Increasingly Common Threats
https://mytechdecisions.com/network-security/proofpoint-unveils-new-innovations-to-combat-increasingly-common-threats/
Mon, 24 Apr 2023 17:51:43 +0000

Ahead of the 2023 RSA Conference, Proofpoint, Inc., the Sunnyvale, Calif.-based cybersecurity and compliance company, unveiled a host of innovations across its Aegis Threat Protection, Identity Threat Defense and Sigma Information Protection platforms. The company’s latest solutions empower organizations to stop malicious email attacks, detect and prevent identity-based threats and defend sensitive data from theft, loss and insider threats.

According to the company, the new innovations further enhance its threat and information protection platforms, in addition to its newly formed Identity Threat Defense business (formerly known as Illusive), to help organizations augment and safeguard their productivity investments, such as Microsoft 365, with maximum deployment flexibility.

“Proofpoint continues to deliver on innovations that empower organizations to break the attack chain,” said Ryan Kalember, executive vice president, cyber security strategy, Proofpoint in a statement. “By providing our customers a unified path to solve for risk across email, cloud, identity and data, CISOs gain unparalleled visibility into and protection against the tactics that attackers rely on most.”

Proofpoint’s Aegis Threat Protection Platform

Proofpoint Aegis Threat Protection Platform is an AI/ML-powered threat protection platform that disarms attacks such as business email compromise (BEC), phishing, ransomware and supply chain threats. With flexible deployment options using both APIs and inline architecture, Aegis delivers AI-powered, cloud-based protection that complements native Microsoft 365 defenses, says Proofpoint.

By combining the company’s proprietary behavioral analytics and threat intelligence, Proofpoint is delivering new capabilities that provide visibility into account takeover-based attacks from both within an organization’s environment and outside suppliers.

Supplier Threat Protection

Supplier relationships are a growing attack vector: 69% of organizations experienced a supply chain attack within the past year, and CISOs rate it as one of their top concerns, according to Proofpoint research. With Proofpoint’s Supplier Threat Protection, organizations can detect compromised supplier accounts so that security teams can swiftly investigate and remediate.

This new product proactively monitors for and prioritizes known compromised third-party accounts, and simplifies investigation with details on why the account is suspected of being compromised and which employees recently communicated with the account in question, enabling security teams to defend against prevalent third-party attacks such as BEC and phishing.

Targeted Attack Prevention Account Takeover (TAP ATO)

Threat actors successfully override MFA in 30% of all targeted cloud and email account takeover attacks according to Proofpoint threat research. Once inside, malicious actors can hide undetected in an organization’s environment, waging sophisticated attacks at will.

Proofpoint TAP ATO, available at the end of Q2 2023, provides visibility across the entire email account takeover attack chain. It accelerates response investigation and remediates accounts, malicious mailbox rule changes, and manipulations of third-party apps and data exfiltration across email and cloud environments.

Identity Threat Defense (formerly known as Illusive)

From ransomware to APTs, 90% of attacks rely on compromised identities, says Proofpoint. The complexity of managing Active Directory (AD) has resulted in the presence of exploitable privileged identity risks in all organizations at a rate of one in six endpoints.

These identity risks include unmanaged local admins with stale passwords, misconfigured users with unnecessary privileges, cached credentials left exposed on endpoints and much more. When an attacker compromises an endpoint with these privileged identity risks, deploying malicious software and stealing data is easy. Privileged identities represent the keys to the kingdom, which attackers exploit to steal the crown jewels. Unfortunately, most organizations are unaware of this risk – until they are attacked.

Leveraging new advanced identity risk analytics and automated detection, Proofpoint has further bolstered its Identity Threat Defense platform – undefeated in more than 150 red team exercises – to provide organizations with comprehensive identity risk protection and remediation:

Spotlight Risk Analytics

The new advanced risk analytics in the Spotlight dashboard allows users to gain an executive view of an organization’s risk trends as well as exposure across various risk categories and risk exposure levels. It also provides recommendations for possible user admin action.

Spotlight Risk Analytics simplifies decision makers’ workload while ensuring organizational leaders can make informed decisions to remediate modern and sophisticated identity risks. With availability expected late Q2 2023, decision makers will also be able to follow risk trends to track their organization’s risk posture improvements over time.

Proofpoint Spotlight Cross Domain & Trust Visibility

For organizations with complex infrastructure, including multinational, multi-business and merging organizations, identity infrastructure is often stitched together without broader visibility.

Spotlight Cross Domain & Trust Visibility provides insight to understand where AD domains across companies have too much bi-directional trust, which can result in identity risk and lateral movement by attackers. Business leaders can gain a centralized view into the broadest organizational structure’s domains and trusts to better prevent identity risk exposure in a holistic fashion.

Sigma Information Protection Platform

Since its introduction in early 2020, Proofpoint’s information protection business has grown a remarkable 107%, making the company the second largest data loss prevention (DLP) vendor globally and by revenue according to Gartner. Driven by the accelerated adoption of work-from-anywhere practices, the Proofpoint Sigma Information Protection platform is now deployed to over 5,000 customers and 46 million users worldwide, analyzing 45 billion events each month, and trusted by nearly half of the Fortune 100.

Proofpoint’s Information Protection platform merges content inspection, threat telemetry and user behavior across channels in a unified, cloud-native interface.

Privacy by Design Data Loss Prevention

As international organizations work to meet new and changing local privacy and data sovereignty requirements, Proofpoint now hosts its Sigma Information Protection platform in regions such as the European Union, Japan, and Australia in addition to the U.S.

Proofpoint is also further investing in privacy-related capabilities so that organizations can mask sensitive data in the console to limit its exposure and create custom data access policies to address privacy and compliance needs.

Additional features are available in beta, with general availability expected in Q3 2023, enabling organizations to anonymize identifying user information so analysts can investigate without bias and with better privacy for the user.

Administrators will also be able to set up metadata for anonymization and approval workflows for de-anonymizing the metadata during investigation.

Security Awareness Training Needs to Change. Here’s Why.
https://mytechdecisions.com/network-security/security-awareness-training-needs-to-change-heres-why/
Tue, 21 Mar 2023 18:50:14 +0000

Despite repeated urges from IT professionals to be wary of clicking on links in emails and opening attachments from strange messages, phishing is still wildly successful as attackers adopt new tricks and techniques that should force organizations to improve and update their cybersecurity awareness strategies.

In fact, email-based phishing attacks remain a thorn in the side of IT professionals, with 84% of organizations in a recent Proofpoint survey reporting that they had at least one successful email-based phishing attack against them last year. Despite an increased emphasis on cybersecurity in the wake of several widespread breaches and highly publicized incidents, that number actually grew a percentage point from 2021, according to the email security company’s survey.

Why phishing continues to be successful

Phishing remains successful for several key reasons, including end-user awareness that still falls woefully short of adequate, and the fact that attackers are just as innovative as the defenders and developers creating the security software organizations use to prevent attacks, says Sara Pan, a marketing manager at Proofpoint.

“They’re constantly upping their game,” Pan says of attackers. “While they’re still heavily relying on social engineering tactics, they always come up with different things.”

Attackers are still using the tried-and-true method of crafting their phishing emails around topics in the news or on social media. For example, COVID-19-themed phishing lures led to a 17% failure rate, according to Proofpoint’s analysis of phishing simulations.

Similarly, attackers are spoofing trusted brands such as Microsoft, Amazon, DocuSign, Google and others that provide widely used enterprise tools. According to Proofpoint, the company observed about 1,600 brand impersonation campaigns, with Microsoft the most abused brand. Over 30 million messages used Microsoft branding or featured a Microsoft product such as Office or OneDrive.

Simulated phishing attack data shows that Microsoft OneDrive-related email attacks had a 7% failure rate, while DocuSign and FedEx impersonations had an 11% failure rate. Since it only takes one user to lead to an organization-wide compromise, those statistics are alarming.

“They will go beyond just email and will use various threat vectors, such as call centers or text messages,” Pan says. “Attackers are definitely very creative, but at the same time, their primary target has always been people–and people remain vulnerable.”

New phishing tools to bypass security controls

While phishing, ransomware and brand impersonation remain major culprits, new classes of threats are emerging, including telephone-oriented attack delivery and multifactor authentication (MFA) bypass techniques such as adversary-in-the-middle (AiTM).

According to Pan, threat actors now have access to a range of methods to bypass MFA. The cybercrime industry is thriving, with service providers similar to legitimate tech firms offering phishing-as-a-service and MFA bypass tools in their off-the-shelf kits.

While multifactor authentication is quickly becoming a standard security practice across industries, attackers are already pivoting and remain a step ahead of these tools.

Phish kits being adopted by hackers include a transparent reverse proxy to conduct a man-in-the-middle attack on a browser session and steal credentials and session cookies in real time, Pan says.

Instead of the traditional phishing attack directing users to fake websites, attackers direct users to legitimate websites but are able to gather all the information they need to compromise a user’s account.

While this technique has been in use for several years, security researchers are just now starting to see MFA bypass phishing kits deployed at scale, Pan says.

“It’s not like this is a new way of attacking, but we’re just seeing these MFA phishing kits deployed at scale in 2022,” Pan says. “This makes security even more difficult for defenders.”

In addition, attackers are also using less sophisticated MFA bypass methods, such as MFA fatigue in which attackers spam a user’s MFA app until the user perhaps has a lapse in judgement and approves the request, says Eric Hart, manager of subscription services for cybersecurity firm LogRhythm.

There were several examples of these attacks last year, including the Uber breach. The ridesharing giant said in September 2022 that an attacker had the credentials of an external contractor and tried to log in several times, prompting two-factor login approval requests that the contractor eventually approved after multiple requests.

Then, the attacker accessed several other employee accounts that ultimately ended with the attacker gaining elevated permissions to a number of tools, such as G-Suite and Slack.

“Attackers are clever,” Hart says.

Why training and awareness seriously need to change

Despite cybersecurity incidents making international headlines in recent years, awareness remains critically insufficient, with just 40% of users telling Proofpoint that they know what ransomware is. In addition, just 58% of users know what phishing is, and even fewer users can identify phishing emails. Further, just 70% of organizations say they conduct formal training, and less than 55% make their security awareness training available to every user, not just privileged users or users with access to sensitive resources.

Users still struggle to spot phishing emails, per the survey, with 21% saying they don’t know that an email can appear to be from someone other than the sender. In addition, 44% say they don’t know that a familiar brand doesn’t mean the email is safe, and 63% say they don’t know that an email link text might not match the website it goes to.

Like the software developers and programmers building some of the most advanced tools in history, attackers are also constantly innovating and finding new ways to do things, so security awareness training should evolve simultaneously, Hart says.

“The landscape is always shifting, and the attacker can pivot anytime they want,” Hart says.

Due to the variety of attacks, IT and security professionals are having a hard time staying up to speed on creating quality training tools that go beyond the stale five-minute training video and test.

While phishing simulations can help establish a baseline of awareness, those emails are relatively easy to spot since the people administering them “have a moral background” and don’t go for the low blow-type social engineering attack, Hart says.

“With your internal campaigns, you’re generally throwing softballs,” Hart says.

Security training and awareness recommendations

Hart and Pan lay out several recommendations for organizations conducting security awareness and training programs:

  • Make training programs relevant to the end user. Inform users about the type of threats that could be targeting them, their industry and their occupation specifically.
  • Conduct more frequent training to keep it fresh in end users’ minds.
  • Incentivize phishing simulations by offering rewards for top performers and requiring training after a failed simulation, but without any further penalties.
  • Communicate these issues to end users. IT and end users often don’t communicate until something breaks, but IT and security teams can be more proactive by educating users on the actual threats their organization is facing and why it is important for users to be vigilant. Regular, engaging communication between IT leaders and end users on these issues can help make awareness a priority.
  • Educate users about the security of their home tech use. End users working from home are increasingly becoming targets, with attackers finding success accessing loosely secured home routers and devices.

Phishing Remains a Favorite Hacking Tool as New Methods Emerge
https://mytechdecisions.com/network-security/phishing-methods/
Fri, 03 Mar 2023 15:47:09 +0000

Phishing, social engineering, and ransomware remain favorite attack methods of cybercriminals, but threat actors are beginning to shift to newer techniques, such as phone-oriented attack delivery and adversary-in-the-middle phishing proxies designed to bypass multifactor authentication, according to cybersecurity firm Proofpoint.

The Sunnyvale, Calif.-based company’s State of the Phish report finds that email-based phishing attacks remain a thorn in the side of IT and security professionals: 84% of organizations surveyed said they suffered at least one successful email-based phishing attack in 2022.

Those phishing attacks are hitting the bottom line, with the number of organizations reporting financial losses as a direct result of phishing up 76% compared with 2021.

New phishing attack methods emerge

While phishing, ransomware, brand impersonation and cyber fraud remain major culprits, Proofpoint highlighted a range of emerging threats, including telephone-oriented attack delivery (TOAD) and multifactor authentication bypass such as adversary-in-the-middle (AiTM).

In the report, Proofpoint says those phishing methods “made waves” in the threat landscape.

The company defines a TOAD attack as one in which targets receive a message, typically containing a fake invoice or alert, that includes a phone number for customer service for questions. If the victim calls the number, they are connected directly to the attacker, who then tries to convince the victim to download malware, transfer money or enable remote access.

In addition, threat actors now have a range of methods to bypass MFA, and some phishing-as-a-service providers already include MFA bypass in their off-the-shelf phishing kits, the company says.

“Unknown to most users, these techniques gave cyber attackers a new advantage,” Proofpoint says in its report. “At their peak, TOAD and MFA bypass saw hundreds of thousands of attacks sent per day—ubiquitous enough to threaten most organizations.”

Specifically, attackers made about 400,000 telephone-based phishing attempts on average per day, with attacks peaking at 600,000 per day in August 2022.

While the report didn’t include data on the number of MFA bypass attacks, one recent case involving Uber spells out the danger. The rideshare giant disclosed in September 2022 that it was the target of a cyberattack.

According to Uber, an Uber external contractor’s account was compromised by an attacker, and the contractor’s corporate credentials were likely purchased on the dark web after the contractor’s personal device was infected with malware.

The attacker then tried to log in to the contractor’s Uber account several times, each attempt pushing a two-factor login approval request to the contractor’s device. Two-factor authentication initially blocked the attacker, but the contractor eventually approved one of the requests, opening the door for the threat actor.

From there, the attacker accessed several other employee accounts and ultimately gained elevated permissions to a number of tools, including G Suite and Slack, which is how the attacker was able to message Uber employees via Slack. With free rein, the attacker also reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites, according to the company.
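The difference between the MFA an adversary-in-the-middle proxy can relay and the MFA it cannot is easiest to see in code. The following is an added illustration, not code from Proofpoint’s report or from the original article. It models the real login service, a one-time code (RFC 6238 TOTP) and a WebAuthn-style assertion whose client data carries the origin of the page the browser is actually on; the proxy simply forwards whatever the victim produces. Hostnames, seeds and keys are made up for the demo, and an HMAC stands in for the authenticator’s signature.

```python
import hashlib
import hmac
import json
import struct
from typing import Optional

# Hostnames, seeds and keys below are made up for this illustration.
REAL_ORIGIN = "https://login.example.test"        # the site being impersonated
PHISH_ORIGIN = "https://login.example-phish.test"  # the attacker's reverse proxy


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def _client_data(origin: str, challenge: str) -> bytes:
    """What the browser hands the authenticator: type, challenge and the page origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                      separators=(",", ":"), sort_keys=True).encode()


def _sign(device_key: bytes, client_data: bytes) -> str:
    # HMAC stands in for the authenticator's ECDSA signature over sha256(clientDataJSON).
    return hmac.new(device_key, hashlib.sha256(client_data).digest(), hashlib.sha256).hexdigest()


class RelyingParty:
    """The real login service: accepts either a TOTP code or a WebAuthn-style assertion."""

    def __init__(self, totp_secret: bytes, device_key: bytes) -> None:
        self.totp_secret = totp_secret
        self.device_key = device_key
        self.challenges: set = set()
        self._n = 0

    def login_totp(self, user: str, code: str, now: int) -> Optional[str]:
        if hmac.compare_digest(code, totp(self.totp_secret, now)):
            return "session-" + hashlib.sha256(f"{user}:{now}".encode()).hexdigest()[:16]
        return None

    def new_challenge(self) -> str:
        self._n += 1
        c = hashlib.sha256(f"challenge-{self._n}".encode()).hexdigest()[:32]
        self.challenges.add(c)
        return c

    def login_webauthn(self, user: str, client_data: bytes, signature: str) -> Optional[str]:
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get" or data.get("challenge") not in self.challenges:
            return None
        if data.get("origin") != REAL_ORIGIN:          # origin binding: the proxy's page cannot match
            return None
        if not hmac.compare_digest(_sign(self.device_key, client_data), signature):
            return None                                 # rewriting the origin breaks the signature
        self.challenges.discard(data["challenge"])
        return "session-" + hashlib.sha256(f"{user}:{data['challenge']}".encode()).hexdigest()[:16]


def relay_totp(rp: RelyingParty, code_typed_into_phish_page: str, now: int) -> Optional[str]:
    """AiTM proxy: forwards the one-time code upstream inside its 30 s validity window."""
    return rp.login_totp("victim", code_typed_into_phish_page, now)


def relay_webauthn(rp: RelyingParty, device_key: bytes, tamper: bool = False) -> Optional[str]:
    """AiTM proxy: fetches a real challenge, the victim's browser (on the phishing page) signs
    it, and the proxy forwards the assertion, optionally rewriting the origin field."""
    challenge = rp.new_challenge()
    client_data = _client_data(PHISH_ORIGIN, challenge)   # browser records the page it is on
    signature = _sign(device_key, client_data)
    if tamper:
        fixed = json.loads(client_data)
        fixed["origin"] = REAL_ORIGIN
        client_data = json.dumps(fixed, separators=(",", ":"), sort_keys=True).encode()
    return rp.login_webauthn("victim", client_data, signature)


def demo() -> dict:
    secret, key, now = b"demo-totp-seed", b"demo-device-key", 1_700_000_000
    rp = RelyingParty(secret, key)
    legit = _client_data(REAL_ORIGIN, rp.new_challenge())
    return {
        "totp_relayed": relay_totp(rp, totp(secret, now), now) is not None,
        "webauthn_relayed": relay_webauthn(rp, key) is not None,
        "webauthn_origin_rewritten": relay_webauthn(rp, key, tamper=True) is not None,
        "webauthn_direct": rp.login_webauthn("victim", legit, _sign(key, legit)) is not None,
    }


if __name__ == "__main__":
    for name, issued in demo().items():
        print(f"{name:28s} {'SESSION ISSUED' if issued else 'rejected'}")
```

The relayed code is accepted because nothing in it names the site the victim typed it into; the relayed assertion is rejected because the browser recorded the phishing origin, and rewriting that field invalidates the signature. A push approval, as in the Uber case, is in the first category: the prompt carries no binding to the page the user was looking at.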

Phishing still works really well

With these more sophisticated phishing methods and advanced social engineering, phishing attacks are still highly successful, according to Proofpoint.

Attackers know how to convince users to click links and open attachments, including by impersonating trusted brands such as Microsoft, Amazon, DocuSign, Google and other companies that provide widely used enterprise tools.

According to Proofpoint, the company observed about 1,600 brand impersonation campaigns, with Microsoft the most abused brand. Over 30 million messages used Microsoft branding or featured a Microsoft product such as Office or OneDrive.

Simulated phishing data shows that Microsoft OneDrive-themed lures had a 7% failure rate (the share of recipients who fell for the simulation), while DocuSign and FedEx impersonations had an 11% failure rate. Since it takes only one user to open the door to an organization-wide compromise, those figures are alarming.

However, an even more successful phishing lure is COVID-19, with pandemic-themed phishing simulations leading to a 17% failure rate. COVID also appeared twice in the company’s list of “trickiest” themes, which is defined as attacks with the highest failure rate regardless of how many times the template was used.

Awareness still lacks

Despite renewed emphasis around end-user training and awareness, end users still struggle to understand basic cybersecurity concepts, regardless of the phishing methods used.

According to Proofpoint’s report, only 40% of users know what ransomware is, although that is a 9% jump from 2019. In addition, just 58% of users said they know what phishing is, which is a 5% increase from 2021 but a decrease of 3% from 2019.

Users also still struggle to spot phishing emails: 21% don’t know that an email can appear to come from someone other than its actual sender, 44% don’t know that a familiar brand in an email doesn’t make it safe, and 63% don’t know that the text of a link in an email may not match the site it actually leads to.

Nearly 30% of users still reuse passwords across multiple work-related accounts, and 80% of home and work Wi-Fi users have not changed the default admin password on their routers, slightly worse than in 2021.

With organizations continuing to embrace remote and hybrid work, that lack of security awareness is alarming. This could lead to substantial risks for organizations and their data, says Alan Lefort, senior vice president and general manager of security awareness training at Proofpoint.

“As email remains the favored attack method for cyber criminals and they branch out to techniques much less familiar to employees, there is clear value in building a culture of security that spans the entire organization,” Lefort says.

The post Phishing Remains a Favorite Hacking Tool as New Methods Emerge appeared first on My TechDecisions.

Hackers Are Pivoting to OneNote Documents for Malware Delivery
https://mytechdecisions.com/network-security/hackers-are-pivoting-to-onenote-documents-for-malware-delivery/
Mon, 06 Feb 2023 19:18:01 +0000

Threat actors are increasingly using OneNote documents to deliver malware as Microsoft makes it difficult for them to use other Office documents by blocking macros by default.

Now, hackers are experimenting with other file types, including using virtual hard disk, compiled HTML and OneNote, according to new research from enterprise security software company Proofpoint.

The Sunnyvale, Calif.-based firm says in a new blog post that its researchers have noticed an increase in the use of OneNote documents to deliver malware to end users via email. In December, Proofpoint observed six campaigns using OneNote attachments to deliver AsyncRAT. In January it observed more than 50 OneNote campaigns carrying a variety of payloads, including AsyncRAT, Redline, AgentTesla and DOUBLEBACK.

The use of OneNote to deliver malware, Proofpoint writes, is unusual. It comes as Microsoft continues to take steps to prevent its tools from being used for malicious purposes, such as blocking macros by default in Office files downloaded from the internet, leaving attackers to experiment with other attachment types. Proofpoint reached a similar conclusion in July 2022, when it reported that attackers were already testing other file types as Microsoft announced the change.

“The technique may be effective for now,” Proofpoint researchers wrote in the Feb. 1 blog. “At the time of analysis, multiple OneNote malware samples observed by Proofpoint were not detected by numerous anti-virus vendors on VirusTotal. Proofpoint continues to assess these activity clusters and does not attribute them to a tracked threat actor.”

The company says the OneNote malware campaigns share similar characteristics, such as messages unique to each campaign and a lack of thread hijacking. Messages typically carry OneNote attachments with invoice, remittance, shipping and seasonal themes, including Christmas bonuses.

One group, TA577, a cybercrime actor tracked by Proofpoint since 2020 that delivers payloads such as Qbot, IcedID, SystemBC, SmokeLoader, Ursnif and Cobalt Strike, has been conducting similar campaigns using OneNote since late January.

According to Proofpoint, malicious OneNote documents contain embedded files, often hidden behind a graphic that looks like a button. When a user double-clicks the embedded file, OneNote shows a warning; if the user clicks “continue,” the file executes.
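The embedded-file mechanism described above can be checked without opening the attachment. The following is an added example, not code from Proofpoint or from the original article: it carves every FileDataStoreObject out of a OneNote section file using the header and footer GUIDs defined in Microsoft’s MS-ONESTORE specification, and classifies each payload by its leading bytes. The triage rules (magic bytes, script keywords) are my own choices, and the sample document is a constructed byte string that contains only the embedded-file structures, not a complete OneNote file.

```python
import struct
from typing import Dict, List

# GUIDs of the MS-ONESTORE FileDataStoreObject, in on-disk (little-endian) byte order.
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")  # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")  # {71FBA722-0F79-4A0B-BB13-899256426B24}
FDSO_FIXED = 16 + 8 + 4 + 8  # guidHeader, cbLength (u64), unused (u32), reserved (u64)

# Triage rules chosen for this example; extend to taste.
MAGIC = [(b"MZ", "pe_executable"), (b"\x7fELF", "elf"), (b"PK\x03\x04", "zip_container"),
         (b"%PDF", "pdf"), (b"\xff\xd8\xff", "jpeg"), (b"\x89PNG", "png")]
SCRIPT_HINTS = [b"powershell", b"cmd /c", b"cmd.exe", b"wscript", b"cscript", b"mshta",
                b"@echo off", b"<script", b"createobject("]
RISKY_TYPES = {"pe_executable", "elf", "script", "truncated"}


def classify(payload: bytes) -> str:
    """Label a payload by magic bytes, then by script keywords in its first 1 KiB."""
    for magic, label in MAGIC:
        if payload.startswith(magic):
            return label
    head = payload[:1024].lower()
    if any(hint in head for hint in SCRIPT_HINTS):
        return "script"
    return "unknown"


def extract_embedded_files(blob: bytes) -> List[Dict]:
    """Walk every FileDataStoreObject in a .one byte string; return payloads and verdicts."""
    found = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1:
        if pos + FDSO_FIXED > len(blob):
            break
        (cb_length,) = struct.unpack_from("<Q", blob, pos + 16)
        start, end = pos + FDSO_FIXED, pos + FDSO_FIXED + cb_length
        if end > len(blob):  # truncated file or a length field that lies
            found.append({"offset": pos, "length": cb_length, "footer_ok": False,
                          "type": "truncated", "data": b""})
            break
        payload = blob[start:end]
        # FileData is zero-padded to an 8-byte boundary before the footer GUID; check a window.
        footer_ok = blob.find(FDSO_FOOTER, end, end + 8 + 16) != -1
        found.append({"offset": pos, "length": cb_length, "footer_ok": footer_ok,
                      "type": classify(payload), "data": payload})
        pos = blob.find(FDSO_HEADER, end)
    return found


def risky(entries: List[Dict]) -> List[Dict]:
    return [e for e in entries if e["type"] in RISKY_TYPES]


def build_fdso(payload: bytes) -> bytes:
    """Assemble one FileDataStoreObject (used here only to construct the sample)."""
    pad = (-len(payload)) % 8
    return FDSO_HEADER + struct.pack("<QIQ", len(payload), 0, 0) + payload + b"\0" * pad + FDSO_FOOTER


def sample_document() -> bytes:
    """Constructed stand-in for a malicious attachment: a button image, a batch script
    that launches PowerShell, and a PE stub, all stored as embedded files."""
    png = b"\x89PNG\r\n\x1a\n" + b"\0" * 40
    bat = b"@echo off\r\npowershell -w hidden -enc QQBBAEEA\r\n"
    exe = b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"\0" * 20
    return b"\0" * 64 + build_fdso(png) + b"\xab" * 16 + build_fdso(bat) + build_fdso(exe) + b"\0" * 32


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_document()
    for e in extract_embedded_files(data):
        flag = "!!" if e["type"] in RISKY_TYPES else "  "
        print(f"{flag} offset=0x{e['offset']:06x} len={e['length']:<8} type={e['type']} footer_ok={e['footer_ok']}")
```

Run it with a .one path as the first argument to scan a real attachment; with no argument it scans the constructed sample. Any non-image payload, or a length field that runs past the end of the file, is reason enough to detonate the attachment in a sandbox rather than trust it.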

These malicious OneNote attacks have increased significantly between December 2022 and the end of January 2023. While the company only saw OneNote campaigns deliver AsyncRAT in December, researchers saw seven other malware payloads distributed via OneNote attachments last month, with targets located globally, including in North America and Europe.

Multiple threat actors are believed to be using OneNote attachments in an attempt to bypass detections, and more sophisticated actors may adopt the technique soon, Proofpoint concludes.

TA577’s adoption of OneNote is particularly worrisome because the group is an initial access broker that facilitates follow-on infections, including ransomware, Proofpoint researchers say.

“Based on data in open-source malware repositories, initially observed attachments were not detected as malicious by multiple anti-virus engines, thus it is likely initial campaigns had a high efficacy rate if the email was not blocked,” the company says, noting that its own customers were protected since Proofpoint detected the malicious emails. “It is likely more threat actors will adopt OneNote attachments to deliver malware.”

The post Hackers Are Pivoting to OneNote Documents for Malware Delivery appeared first on My TechDecisions.

This Week in IT: Google, Microsoft Cyberattacks; Gmail UI; ISE 2023
https://mytechdecisions.com/news-1/this-week-in-it-google-microsoft-cyberattacks-gmail-ui-ise-2023/
Thu, 02 Feb 2023 20:47:18 +0000

Editor’s note: There is a lot going on in the world of IT, from emerging technologies to digital transformation and new cybersecurity threats. However, we can’t possibly cover it all, so we’ll bring you This Week in IT, a curated summary of IT and enterprise technology news stories each week.

Microsoft investigating threat actor consent phishing campaign

Microsoft says it is investigating a consent phishing campaign involving threat actors fraudulently impersonating legitimate companies when enrolling in the Microsoft Cloud Partner Program.

According to a Microsoft Security Response Center blog post, the actor used the fraudulent partner accounts to attach a verified publisher to OAuth app registrations it created in Azure Active Directory (Azure AD). Those apps were then used in a consent phishing campaign that tricked users into granting them permissions to the users’ data.

Victims were primarily based in the U.K. and Ireland. Microsoft says all fraudulent applications have been disabled and impacted customers have been notified.

Read Microsoft’s blog for more information. Cybersecurity firm Proofpoint, which says it notified Microsoft about the attacks, also has a blog about the incident.
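Auditing what users have already consented to is the practical follow-up to the item above. The following is an added example, not code from Microsoft or Proofpoint: it triages oauth2PermissionGrant objects (as returned by the Microsoft Graph API) against their service principals and flags user-consented grants of mail- and file-reading scopes, reporting the verified-publisher badge but, given how this campaign worked, giving it no credit. The risky-scope list and scoring are my own; the sample grants and service principals are constructed data with fictitious ids.

```python
from typing import Dict, List

# Delegated scopes a consent-phishing app typically asks for; list chosen for this example.
RISKY_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "Notes.Read.All",
    "offline_access",  # refresh tokens keep the access alive after the user moves on
}


def triage_grants(grants: List[Dict], service_principals: List[Dict], tenant_id: str) -> List[Dict]:
    """Score each oauth2PermissionGrant. The verified-publisher badge is reported but earns
    no trust, because this campaign abused fraudulently verified partner accounts."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        hits = sorted(set(g.get("scope", "").split()) & RISKY_SCOPES)
        if not hits:
            continue
        sp = sp_by_id.get(g["clientId"], {})
        score, reasons = len(hits), [f"risky delegated scopes: {' '.join(hits)}"]
        if g.get("consentType") == "Principal":  # one user consented, no admin review
            score += 2
            reasons.append(f"user consent (principalId {g.get('principalId')})")
        if sp.get("appOwnerOrganizationId") != tenant_id:
            score += 2
            reasons.append("app registered in another tenant")
        publisher = (sp.get("verifiedPublisher") or {}).get("displayName")
        reasons.append(f"verified publisher: {publisher or 'none'} (informational only)")
        findings.append({
            "grant_id": g["id"], "app": sp.get("displayName", g["clientId"]), "appId": sp.get("appId"),
            "score": score, "reasons": reasons,
            # Graph v1.0: deleting the grant object withdraws the delegated consent.
            "revoke": f"DELETE https://graph.microsoft.com/v1.0/oauth2PermissionGrants/{g['id']}",
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample data shaped like Graph responses; every id and name is fictitious.
TENANT = "11111111-1111-1111-1111-111111111111"
SERVICE_PRINCIPALS = [
    {"id": "sp-internal", "appId": "app-1", "displayName": "Expense Portal",
     "appOwnerOrganizationId": TENANT, "verifiedPublisher": {}},
    {"id": "sp-suspect", "appId": "app-2", "displayName": "Mail Sync Helper",
     "appOwnerOrganizationId": "99999999-9999-9999-9999-999999999999",
     "verifiedPublisher": {"displayName": "Lookalike Consulting Ltd", "verifiedPublisherId": "7654321"}},
]
GRANTS = [
    {"id": "g1", "clientId": "sp-internal", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "User.Read profile openid"},
    {"id": "g2", "clientId": "sp-suspect", "consentType": "Principal", "principalId": "user-42",
     "resourceId": "graph", "scope": "Mail.Read Mail.Send offline_access User.Read"},
]


if __name__ == "__main__":
    for f in triage_grants(GRANTS, SERVICE_PRINCIPALS, TENANT):
        print(f"[{f['score']}] {f['app']} ({f['appId']})")
        for reason in f["reasons"]:
            print("    -", reason)
        print("    ", f["revoke"])
```

Feed it the JSON arrays from `GET /v1.0/oauth2PermissionGrants` and `GET /v1.0/servicePrincipals` and work the list from the top; user-consented, externally owned apps holding mail scopes are the shape this campaign took.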

Google Fi warns customers of data breach

Google Fi, Google’s U.S.-based mobile and internet service, told customers this week that personal data was exposed in a breach at one of its primary network providers, and that some customers were hit by SIM swapping attacks, according to reports.

BleepingComputer reports that Google sent data breach notices to Google Fi customers informing them that the incident exposed their phone numbers, SIM card serial numbers, account status, account activation date and mobile service plan details. Other sensitive information such as full names, email addresses, payment information, SSNs, tax and government IDs, passwords, or SMS and call content was not accessed.

Read BleepingComputer’s story for more information.

New Gmail user interface

Google is rolling out a new user interface and customizable integrated view for Gmail that brings Gmail, Chat and Meet together in one unified view. The new look will become the standard experience, with no option to revert to the original interface, the company says.

The rollout began last week and is expected to be completed Feb. 3.

Read Google’s Workspace Updates blog for more information.

New AV products at ISE

Integrated Systems Europe (ISE) took place in Barcelona, Spain, and in conjunction with the large tradeshow, winners of the 8th annual Top New Technologies (TNT) Awards@ISE were announced by TechDecisions’ sister publications Commercial Integrator and CE Pro.

The awards span several categories, including conferencing tools, cameras, interactive whiteboards, microphones, digital signage, video walls, automation software, audio processors and more.

Read about the TNT Award winners here.

The post This Week in IT: Google, Microsoft Cyberattacks; Gmail UI; ISE 2023 appeared first on My TechDecisions.

Proofpoint to Acquire ITDR Company Illusive
https://mytechdecisions.com/network-security/proofpoint-illusive-acquisition/
Tue, 13 Dec 2022 18:35:55 +0000

Proofpoint Inc., the Sunnyvale, Calif.-based cybersecurity and compliance company, has entered into a definitive agreement to acquire Illusive, an Identity Threat Detection and Response (ITDR) company. The acquisition is expected to close by January 2023, subject to customary closing conditions. The cost of the acquisition was not disclosed.

With the acquisition, Proofpoint says it will enhance its threat and information protection platforms by adding proactive identity risk discovery and remediation as well as post-breach defense capability, providing a unified solution that extends protection across the entire attack chain for critical threats like ransomware​ and data breaches.

The global increase in cyberattacks has been enabled by attackers shifting their tactics and focus to identity-based attacks, with 84% of organizations falling victim to an identity-related breach in the past year. These attacks traverse through identities – from privilege escalation to lateral movement and abuse of Active Directory and cloud environments, such as Microsoft 365. With Illusive, Proofpoint’s visibility into the identities that are attacked and vulnerable across an organization will equip enterprises with insights into their privileged access attack surface, the companies say.

“It’s currently far too easy for an attacker to turn one compromised identity into an organization-wide ransomware incident or data breach,” said Ryan Kalember, executive vice president, cybersecurity strategy, Proofpoint, in a statement. “The acquisition of Illusive reinforces Proofpoint’s commitment to innovation and growth, bringing market-defining technology to make threat actors’ jobs as difficult as possible.”

Illusive’s solutions are used by multinational corporations, protecting some of the world’s best-known brands by taking away what attackers need to complete their crime: privileged account access.

“Illusive is solving a problem that others cannot by focusing on protecting identity security vulnerabilities and stopping the menace of ransomware, which has galvanized worldwide demand for our solution,” said Ofer Israeli, founder and CEO, Illusive. “We are thrilled to join Proofpoint and add our unique approach to ITDR to its people-centric security vision, helping organizations remediate privileged identity risks and understand potential ramifications of compromise, such as access to critical data and intellectual property.”

Together, Proofpoint and Illusive will deliver identity security as part of Proofpoint’s threat protection platform including:

  • Automatic discovery and remediation of identity vulnerabilities before attackers exploit them with Illusive Spotlight: with its agentless approach, Illusive Spotlight delivers visibility into vulnerable identities by scanning directory structures (e.g., Active Directory), privileged access management (PAM) solutions, endpoints, servers and services, revealing the gaps between the intention of an organization’s identity security policies and the reality of their environment.
  • Detection and response to identity threats to stop privilege escalation and lateral movement to critical assets with Illusive Shadow: unlike deception technologies that deploy agents or honeypots, which an attacker can spot or exploit, Illusive Shadow’s agentless architecture keeps attackers from detecting it and is undefeated in over 150 red team exercises, the companies say. It lets organizations accelerate threat detection deterministically by flagging attacker interaction with deceptions, rather than relying on probabilistic controls based on signatures or behaviors.

The post Proofpoint to Acquire ITDR Company Illusive appeared first on My TechDecisions.

Beware of Twitter Phishing Scams As Musk Takeover Unfolds
https://mytechdecisions.com/network-security/twitter-phishing-scams/
Wed, 16 Nov 2022 20:14:59 +0000

With Twitter constantly in the news due to large-scale shifts in the social media company’s strategy after Elon Musk’s takeover, cybersecurity professionals are warning of new phishing scams and security risks as the news story continues to play out.

Billionaire and CEO of Tesla and SpaceX Elon Musk finalized his $44 billion acquisition of Twitter late last month, and has since made sweeping changes at the company, including mass layoffs and new subscription-based verification. This much upheaval at one of the most influential social media platforms to ever exist is now leading to phishing scams and other security problems.

Reports of phishing scams came late last month as the news first emerged. According to TechCrunch and others, a phishing campaign last month attempted to lure Twitter users into entering their credentials on an attacker-controlled website disguised as a Twitter help form.

TechCrunch reported that one phishing email was sent from a Gmail account and linked to a Google Doc containing a further link to a Google Site, layers of indirection intended to make the threat harder to detect.

That page, in turn, embedded a frame from another site, hosted with the Russian web host Beget, which asked for the user’s Twitter handle, password and phone number, enough to compromise accounts not protected by stronger two-factor authentication.

Google took down the phishing site a short time after TechCrunch alerted the company. A Google spokesperson told TechCrunch: “Confirming we have taken down the links and accounts in question for violations of our program policies.”

According to Sherrod DeGrippo, vice president of threat research at email security firm Proofpoint, the company has seen a notable increase in Twitter-related phishing campaigns that attempt to steal Twitter credentials.

Multiple campaigns have used lures related to Twitter verification or the new Twitter Blue product, with some emails claiming to include a Twitter Blue billing statement. These campaigns have used both Google Forms for data collection and URLs that direct users to threat actor-hosted infrastructure, DeGrippo says.

Campaigns are largely targeting media and entertainment entities such as journalists who are verified on Twitter. The email address often matches the Twitter handle used or the user’s email address available in their Twitter bio.

“It is not surprising threat actors are using Twitter-related lures,” DeGrippo says. “Cybercriminal threat actors regularly use themes that are related to major news items and relevant to human interests as that may increase the likelihood of someone engaging with social engineering content.”

While the future of Twitter may be in doubt with Musk continuing to make wholesale changes to the social media giant, gaining access to Twitter accounts can still be lucrative for threat actors, DeGrippo says.

“Legitimately verified Twitter accounts typically have larger audiences than the average user, and compromised accounts can be used to spread misinformation, urge users to engage with additionally malicious content like fraudulent cryptocurrency scams, and can be used to further phishing campaigns to other users,” DeGrippo says.

These security risks can also translate into brand reputation or financial damage: if an attacker successfully compromises a brand’s Twitter account, they can wreak havoc on that company’s image, says Matt Chiodi, chief trust officer at zero trust architecture firm Cerby.

“Social media accounts are generally managed by marketing teams and can have access to hundreds of millions of corporate dollars for advertising,” Chiodi says. “Not only could criminals siphon off that cash, they could defame a company’s Twitter profile with offensive content.”

Chiodi says that while organizations should still conduct security training to educate end users, many technologies are still built without security in mind, including social media platforms.

“None of the prominent social media platforms offer enterprise-grade authentication options to their billions of business and professional users,” he says. “This is unacceptable for tools that are so widely used by consumers and critical to enterprises and democracy.”

The post Beware of Twitter Phishing Scams As Musk Takeover Unfolds appeared first on My TechDecisions.
