Business Cybersecurity Essentials


  • View profile for Harley Sugarman

    Founder & CEO at Anagram

    8,567 followers

    If you looked at this email fast, you’d swear it came from Microsoft. Same logo, layout, tone - everything checks out.

    Except for one thing: The sender’s domain was rnicrosoft(.)com instead of microsoft(.)com

    That tiny swap of “rn” instead of “m” is what’s called typosquatting. Attackers register near-identical domains to catch people who skim their inbox too fast.

    What makes this effective is how subtle it is. On mobile, you barely see the full address. On desktop, your brain autocorrects it. It feels right and that’s all they need.

    These kinds of tricks are showing up more often in credential phishing, vendor invoice scams, even internal HR impersonations.

    How to handle these cleanly (real, practical steps):
    - Expand the full sender address every time before you click.
    - Hover the link to view the real href, or long-press the link on mobile to reveal the URL.
    - Check the Reply-To header -- scammers often route replies elsewhere.
    - If it’s a password reset you didn’t request, open a new tab and log in from the official site rather than clicking the email.
    - Forward the phish to your security team or report it (company phishing inbox / your provider’s report feature).

    Examples of look-alikes to watch for: swapped letters (rn → m), zero for o (micros0ft), added hyphens or extra subdomains (microsoft-support[.]com).

    Small habit change, big payoff. Teams that rehearse these scenarios stop reflexively clicking.
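The manual checks in the post above (look-alike sender domain, Reply-To routed elsewhere) can also be automated at the mail gateway. This is an added example, not code from the post or its author; the `PROTECTED` list, the extra confusable pairs and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains you want to protect from imitation.
PROTECTED = {"microsoft.com"}
# Swaps named in the post (rn -> m, 0 -> o) plus two assumed extras.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def registrable(domain):
    """Last two labels only; production code should use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def skeleton(domain):
    """Collapse confusable sequences so look-alikes compare equal to the original."""
    name = domain.lower()
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name

def lookalike_of(domain):
    """Return the protected domain that `domain` imitates, or None."""
    if registrable(domain) in PROTECTED:
        return None                      # genuine domain or one of its subdomains
    labels = re.split(r"[-.]", skeleton(domain))
    for good in PROTECTED:
        if skeleton(registrable(domain)) == skeleton(good):
            return good                  # character swap: rnicrosoft, micros0ft
        if good.split(".")[0] in labels:
            return good                  # brand as a hyphen part or subdomain label
    return None

def triage(raw_message):
    """Check the From and Reply-To headers of one RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    reply = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    findings = []
    target = lookalike_of(sender)
    if target:
        findings.append(f"From domain {sender} imitates {target}")
    if reply and registrable(reply) != registrable(sender):
        findings.append(f"Reply-To domain {reply} differs from From domain {sender}")
    return findings

# Constructed sample message, not taken from a real campaign.
SAMPLE = (
    'From: "Microsoft account team" <security@rnicrosoft.com>\n'
    "Reply-To: helpdesk@mailbox.example\n"
    "Subject: Unusual sign-in activity\n"
    "\n"
    "Please review your recent activity.\n"
)
```

A Reply-To mismatch alone is common in legitimate bulk mail, so treat it as a signal to combine with the look-alike check rather than a verdict.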

  • View profile for Hugh Meyer,  MBA

    Real Estate's Financial Planner | Creator of the Wealth Edge Blueprint™ | Wealth Strategy Aligned With Your Greater Purpose| 25 Years Demystifying Retirement|

    16,737 followers

    Scammers see tax season as open hunting season
    Don't be their easy prey

    7 things nobody tells you about staying safe from phishing during tax season:

    1. Be Skeptical of Unexpected Emails
    → Even if it looks like it’s from your CPA, trust your gut.
    → Unexpected emails? Delete them immediately.

    2. Generic Senders Are Risky
    → Addresses like donotreply@domain.com are a scammer’s favorite disguise.
    → Always verify directly with your provider’s online portal.

    3. Never Click Unverified Links
    → Don’t shortcut security by clicking links in emails.
    → Log in directly via your browser to avoid phishing traps.

    4. Upgrade Your Email Security
    → Free email services lack robust phishing protection.
    → Consider upgrading to paid plans with built-in security features.

    5. Don’t Ignore Email Settings
    → Even premium platforms like Google Workspace need periodic reviews.
    → Verify your settings to ensure optimal protection.

    6. Scammers Target E-Signature Platforms
    → The rise of e-signatures has made them prime phishing targets.
    → Authenticate every document before signing or opening.

    7. Think Before You Open Emails
    → Got an unexpected tax document? Call your provider directly.
    → No shortcuts, no stress, no scams.

    PS) Scammers are clever, but they’re also lazy. Make them work harder than it’s worth.

  • View profile for Vaughan Shanks

    Co-Founder & CEO @ Cydarm Technologies

    10,984 followers

    If your organization is using Microsoft Outlook you need to patch now, as Proof of Concept exploits for the #MonikerLink #RCE vulnerability are now available.

    MonikerLink is a vulnerability specific to Microsoft COM APIs, published last week by CheckPoint. The current Outlook vulnerability has been assigned serial number CVE-2024-21413 and has CVSS 9.8, but CheckPoint hints that there may be other similar ways to exploit COM APIs.

    As this is being written I am looking at a proof of concept for MonikerLink published on GitHub by a researcher. The vulnerability is as simple as adding "!something" to a hyperlink in an email, and it is triggered in the preview pane, with no user interaction needed. The screenshot below shows a WireShark capture, provided by the researcher mentioned above, in which NTLM local credentials are being sent to a remote network address, as a result of this exploit being activated on a vulnerable Outlook client.

    Although Microsoft rates this vulnerability as "exploitation unlikely", you should assume that sophisticated threat actors are already using this exploit and harvesting the leaked NTLM local credentials.

    What can be done about this?
    1. Apply the official patch from Microsoft, released last Tuesday.
    2. Consider email filtering software, to scan for suspicious links.
    3. Block outbound SMB connections from leaving your corporate network.

    Note: this vulnerability should not be confused with the current Exchange server vulnerability designated CVE-2024-21410, also a CVSS 9.8, which also causes leaking of NTLM local credentials - what a week!

  • View profile for Matthew Rosenquist

    Founder Cybersecurity Insights, CISO at Mercury Risk, former Intel Corp, Cybersecurity Strategist, Board Advisor, Keynote Speaker, 197k followers

    197,516 followers

    The recent inadvertent exposure of classified U.S. military plans by top defense and intelligence leaders serves as a stark reminder that even the most capable cybersecurity tools and well-defined policies can be rendered meaningless if ignored or misused.

    In this case, senior leaders relied on the Signal messaging app to communicate sensitive data but unintentionally exposed critical information to unauthorized parties. The leaked details—time-sensitive plans for a military operation—could have not only placed personnel in greater danger but also undermined the mission by alerting adversaries to an imminent attack.

    While #Signal is a widely respected, consumer-grade, end-to-end encrypted communication tool, it does not provide the same level of security as classified government systems. National security organizations typically utilize Sensitive Compartmented Information Facilities (SCIFs) to safeguard classified data from leaks and eavesdropping. However, SCIFs and other highly-secure methods are not as convenient as less secure alternatives—such as personal smartphones.

    In this instance, Signal's encryption was not the issue; rather, the exposure occurred when an unauthorized individual was mistakenly added to the chat. This human error resulted in sensitive information being disclosed to a reporter.

    Lessons Learned: This incident highlights critical cybersecurity challenges that extend beyond the military and apply to organizations everywhere:
    1. Human behavior can undermine even the most robust security technologies.
    2. Convenience often conflicts with secure communication practices.
    3. Untrained personnel—or those who disregard security protocols—pose a persistent risk.
    4. Even with clear policies and secure tools, some individuals will attempt to bypass compliance.
    5. When senior leaders ignore security policies, they set a dangerous precedent for the entire organization.

    Best Practices for Organizations: To mitigate these risks, organizations should adopt the following best practices:
    1. Educate leaders on security risks, policies, and consequences, empowering them to lead by example.
    2. Ensure policies align with the organization’s evolving risk tolerance.
    3. Reduce compliance friction by making secure behaviors as convenient as possible.
    4. Recognize that even the strongest tools can be compromised by user mistakes.
    5. Anticipate that adversaries will exploit behavioral, process, and technical vulnerabilities—never underestimate their persistence to exploit an opportunity.

    #Cybersecurity is only as strong as the people who enforce and follow it. Ignoring best practices or prioritizing convenience over security will inevitably lead to information exposures. Organizations must instill a culture of cybersecurity vigilance, starting at the top, to ensure sensitive information remains protected.

    #Datasecurity #SCIF #infosec

  • View profile for Sanjay Katkar

    Co-Founder & Jt. MD Quick Heal Technologies | Ex CTO | Cybersecurity Expert | Entrepreneur | Technology speaker | Investor | Startup Mentor

    21,917 followers

    Your ‘meeting reminder’ just stole your password and it came as a picture file.

    "When an image isn’t just an image… 🎯"

    SVG files: the clean, scalable graphics we use for sleek websites, have quietly stepped into the dark side. Researchers at Seqrite Labs, Soumen Burma and Rumana Siddiqui, recently uncovered a crafty phishing technique where .SVG files hide embedded JavaScript. The moment such a file is opened in a browser, it can silently redirect the user to a pixel-perfect phishing page designed to steal credentials.

    Why this is raising eyebrows across the security community:
    - Often slips past email filters and cloud storage checks.
    - Opens in browsers by default, triggering malicious code instantly.
    - SVG files can evade security checks by appearing harmless.
    - JavaScript in SVGs enables hidden payloads and phishing redirects.
    - CAPTCHAs add credibility and bypass automated detection.
    - Using trusted clouds (Dropbox, OneDrive) increases click rates.

    Paired with convincing lures, fake “Meeting Reminder” invites, near-perfect Microsoft 365 login forms. It’s a reminder that in cybersecurity, even the most innocent-looking file format can be a fully weaponised delivery vehicle. Detection needs to go beyond surface-level checks, and awareness must include these less obvious attack paths.

    The full blog also shares IOCs and practical tips to help identify and defend against this kind of emerging threat. Kudos to Soumen Burma and Rumana Siddiqui for their deep-dive research that’s getting global traction.

    📌 Link to the full blog is in the 1ST comment, worth a read if you want to see the attack chain in detail.

    #CyberSecurity #ThreatIntel #Phishing #MalwareAnalysis #IncidentResponse #SVG #SeqriteLabs #CyberAwareness #SVGPhishing #ThreatIOCs Seqrite Quick Heal
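One way to take attachment checks beyond the file extension, as the post above asks, is to parse each SVG and flag anything that makes it active content. This is an added example, not code from the post or the Seqrite research; besides `<script>` elements it also checks event-handler attributes and `javascript:` links, which goes beyond what the post names, and the two samples are constructed with empty placeholder script bodies.

```python
import re
import xml.etree.ElementTree as ET

def local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1].lower()

def scan_svg(data):
    """Return reasons an SVG (bytes) should not be treated as a passive image."""
    if b"<!ENTITY" in data.upper():
        # Entity declarations have no place in a mailed image; do not parse them.
        return ["declares XML entities; refused without parsing"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for element in root.iter():
        tag = local_name(element.tag)
        if tag == "script":
            findings.append("script element")
        for attr, value in element.attrib.items():
            name = local_name(attr)
            if name.startswith("on"):
                findings.append(f"{tag}: event handler attribute {name}")
            elif name == "href" and re.sub(r"\s+", "", value).lower().startswith("javascript:"):
                findings.append(f"{tag}: javascript: URI in href")
    return findings

# Constructed samples; the script bodies are empty placeholders.
ACTIVE = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="/* placeholder */">
  <script type="text/javascript"><![CDATA[ /* placeholder */ ]]></script>
  <a xlink:href="javascript:void(0)"><text y="20">Meeting Reminder</text></a>
</svg>"""
PASSIVE = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4"/>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("active", ACTIVE), ("passive", PASSIVE)):
        print(label, scan_svg(sample))
```

Any non-empty result is a reason to quarantine the attachment or serve it with a download-only content type instead of letting it open in the browser.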

  • View profile for Matthew McGhee

    Specialist commercial litigator | Twenty Essex

    2,966 followers

    On the (lack of) agency in an email address, and its relevance in cases of fraud:-

    A recent appeal on costs – unusually, a successful one – included some interesting insights into the underlying, unreported claim. In M&S Restorations v Santander [2024] EWHC 2724 (KB), Dexter Dias J granted an appeal against a costs order made by a Circuit Judge following trial. The claim was made by a company against its bank, following the bank’s compliance with emailed instructions from fraudsters to make payments out of the company’s account.

    The judgment explains that the bank received an email from the account of the company’s director, directing it to make certain payments. The bank complied with this instruction. However, the instruction was given by fraudsters who (it was said) had hacked the director’s email account. The bank was liable to reimburse its customer for the sums paid out of its account.

    A few points of general interest arise:

    (1) Play the person, not the email address. The bank sought to argue that this was a case of impersonation, where (presumably) the bank considered itself entitled to rely on emails sent from the genuine email address of the company’s director. However, on well-understood principles of agency law, an email address does not have any authority. The question is whether the person sending the email had relevant authority on behalf of the customer. Plainly, a third party fraudster does not.

    (2) Keep claims simple. Both judges, at first instance and on appeal, explained that this was a straightforward case of breach of mandate. However, the claimant had needlessly complicated the case by raising alternative claims for breach of the Payment Services Regulations 2009, breach of contract, breach of contractual or tortious duties of care, breach of the Quincecare duty, and breach of the duty not to facilitate fraud. These claims were not relevant and the Claimant’s decision to advance them had negative costs consequences for it.

    (3) Don't assume system breach. It was stated that the director’s emails were hacked, suggesting that the fraudster used the genuine email account. From my experience of other cases, parties often believe that an email account has been compromised, but sometimes what has instead happened is that the email has been ‘spoofed’ - this is a relatively easy way of making an email from account A appear as though it has been sent by account B. I cannot say whether or not this happened in this instance, but raise it as a point to investigate in any situation of an apparent email ‘hack’.

  • View profile for Hagop K.

    Director, EasyDMARC Inc. | DMARC, Email Deliverability & Security Strategist

    4,151 followers

    My EasyDMARC team encountered multiple cases where Microsoft tenants received spoofing emails from their own domain to their own domain, even with DMARC set to p=reject.

    Microsoft now enforces DMARC reject in EOP.
    - Older tenants may still have Anti-Phishing policies that were never updated and must be reviewed: https://lnkd.in/dV7S6hS
    - Newer tenants have the correct defaults, but a loophole remains if an admin created an allowlist.

    In testing we confirmed that when a rule or policy forces SCL:-1, the message is marked as trusted and skips filtering. (SCL:-1 means “bypass spam filtering and treat this message as safe.”) This allows spoofed mail to reach the inbox despite a DMARC reject policy.

    SCL:-1 is NOT added by the attacker. It is stamped by the tenant. Common causes include:
    - An admin sets a mail flow rule to “always trust” messages from a certain entity, skipping spam checks.
    - The organization’s own domain is added to the allowed senders/domains list
    - Someone clicks “Allow” in Microsoft’s Spoof Intelligence panel
    - An inbound connector is configured to treat all mail as if it came from inside the organization

    If you see SCL:-1 on a spoof, the problem is NOT DMARC but configuration. Organizations should audit mail flow rules, remove their own domains from allowlists, review Anti-Phishing policies, and correct connector settings.

    Relying on whitelists for convenience undermines DMARC and gives attackers the exact opening they need. Security controls only work if we let them do their job.

    ‼️Read the full article: https://lnkd.in/ezCxnT-F

    #Microsoft #DMARC #EOP
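The condition the post above describes, a DMARC failure delivered with SCL:-1, can be found by reading two headers on delivered mail. This is an added example, not code from the post or from EasyDMARC; it assumes the standard `Authentication-Results` and `X-Forefront-Antispam-Report` headers that Exchange Online Protection stamps, and the sample headers (contoso.example, 203.0.113.7) are constructed.

```python
import re
from email import message_from_string

# SFV values that explain a filtering bypass, as described in Microsoft's
# anti-spam message header documentation.
SFV_HINTS = {
    "SKN": "marked non-spam before filtering, e.g. a mail flow rule set SCL -1",
    "SKA": "sender or domain is in an anti-spam policy allow list",
}

def forefront_fields(msg):
    """Parse 'KEY:value;KEY:value' pairs from X-Forefront-Antispam-Report."""
    fields = {}
    for header in msg.get_all("X-Forefront-Antispam-Report", []):
        for part in header.split(";"):
            key, sep, value = part.strip().partition(":")
            if sep:
                fields[key.upper()] = value.strip()
    return fields

def dmarc_verdict(msg):
    """Return the dmarc= result from Authentication-Results, or None."""
    for header in msg.get_all("Authentication-Results", []):
        match = re.search(r"\bdmarc=(\w+)", header, re.IGNORECASE)
        if match:
            return match.group(1).lower()
    return None

def bypassed_spoof(raw_message):
    """Return details when DMARC failed but the tenant stamped SCL:-1."""
    msg = message_from_string(raw_message)
    fields = forefront_fields(msg)
    if dmarc_verdict(msg) != "fail" or fields.get("SCL") != "-1":
        return None
    sfv = fields.get("SFV", "")
    return {"from": msg.get("From", ""), "sfv": sfv,
            "hint": SFV_HINTS.get(sfv, "check rules, allow lists and connectors")}

# Constructed headers; contoso.example and 203.0.113.7 are placeholders.
AUTH = ("Authentication-Results: spf=fail (sender IP is 203.0.113.7)\n"
        " smtp.mailfrom=contoso.example; dkim=none (message not signed);\n"
        " dmarc=fail action=oreject header.from=contoso.example\n")
BYPASSED = (AUTH + "X-Forefront-Antispam-Report: CIP:203.0.113.7;SCL:-1;SFV:SKN;\n"
            "From: ceo@contoso.example\nTo: finance@contoso.example\n\nbody\n")
FILTERED = (AUTH + "X-Forefront-Antispam-Report: CIP:203.0.113.7;SCL:9;SFV:SPM;\n"
            "From: ceo@contoso.example\nTo: finance@contoso.example\n\nbody\n")

if __name__ == "__main__":
    print(bypassed_spoof(BYPASSED))
    print(bypassed_spoof(FILTERED))
```

Run over a sample of delivered mail, every hit points at a rule, allow list entry or connector to review, which is the audit the post recommends.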

  • View profile for Okan YILDIZ

    Global Cybersecurity Leader | Innovating for Secure Digital Futures | Trusted Advisor in Cyber Resilience

    71,470 followers

    📧 Today’s Suggestion: Master Email Security. Your Gateway Against Modern Threats 🛡️

    Email remains the #1 vector for phishing, malware, data leaks, and fraud and attackers are only getting smarter. I just reviewed “Mastering Email Security” by Dashrath Jamadar, and it’s one of the most practical field guides for anyone defending organizational communication.

    🧠 What You’ll Learn:
    - How modern email gateways work: From real-time threat detection to policy enforcement and SIEM integration
    - Essential log types & SIEM use-cases: Track every delivery, block, quarantine, and DLP event
    - Key defense tactics: Sandboxing, URL rewriting, attachment scanning, and NLP for social engineering
    - Incident response in action: Step-by-step workflows for both inbound and outbound threat scenarios
    - Vendor landscape for 2025: Proofpoint, Mimecast, Microsoft, Cisco, Barracuda, Fortinet, Trend Micro, Symantec, Zscaler, Google Workspace, and more

    💡 Bonus: 12 actionable use cases from BEC and zero-day exploits to insider threat detection, DLP, and advanced threat intel integration.

    🔄 Why it matters: Email is your digital front door. From technical controls to policy and user training, layered defenses are the only way to stay ahead.

    🚨 Scenario-driven response: The guide breaks down real alert triage — how to validate, investigate, contain, escalate, and prevent both outgoing data leaks and inbound malware/phishing.

    Want the full PDF or ready to swap use cases and best practices? Let’s connect!

    🖊️ Prepared by: Dashrath Jamadar

    #EmailSecurity #Phishing #CyberSecurity #SIEM #DLP #SOC #IncidentResponse #InfoSec #Mimecast #Proofpoint #MicrosoftDefender #ZeroDay #SecurityAwareness #EmailGateway #Malware #DataLossPrevention #ThreatIntel

  • View profile for Jason Makevich, CISSP

    Founder & CEO of PORT1 & Greenlight Cyber | Keynote Speaker on Cybersecurity | Inc. 5000 Entrepreneur | Driving Innovative Cybersecurity Solutions for MSPs & SMBs

    7,061 followers

    ❌ Stop thinking spoofing only happens to big organizations or tech companies. You should learn from these real-life examples instead.

    👀 Is this you right now? You see headlines about email scams, fake websites, and caller ID fraud. You think your business or personal accounts are too small to be a target. But here’s the truth: Spoofing can hit anyone—any business, any individual, at any time.

    🔑 Here’s the strategy you should adopt to protect yourself and your organization from spoofing attacks:

    1️⃣ Always verify suspicious communication
    → Many spoofing attacks rely on you not double-checking details.
    → Verify email addresses, phone numbers, and URLs before responding or clicking.

    2️⃣ Strengthen email security
    → Spoofed emails can trick even the most seasoned professionals.
    → Implement SPF, DKIM, and DMARC to protect your domain from email spoofing.

    3️⃣ Educate your team
    → Awareness is your best defense.
    → Regularly train employees to spot signs of spoofing—like subtle changes in email addresses or unusual requests.

    📌 Bonus tip for you: Use multi-factor authentication (MFA)
    → Even if attackers steal login credentials, MFA adds a layer of protection
    → Enable it wherever possible to stay one step ahead.

    👀 Ready to stop spoofing in its tracks? Start by adopting these strategies and stay vigilant. Spoofing is preventable if you take the right steps now.

    #CyberSecurity #Spoofing #EmailSecurity #DataProtection
