As Incident Responders, we’re seeing an increase in attacks using classic smokescreen tactics, so I thought I’d share a few snippets that hopefully help you stay safe!

The initial point of compromise is a phishing email. Nothing particularly sophisticated, just well-timed and well-crafted enough to have a target team member enter their login credentials into a spoofed site and prompt them for their MFA token. If all runs smoothly, for the bad eggs, the attackers are able to successfully proxy the MFA response, intercept the session token, and then bypass the victim’s “super secure” two-factor authentication. They use a real-time phishing kit like Evilginx2, which allows them to ride in on the back of a legitimate login session. So no brute force, no malware dropper, no obvious indicators until it’s too late.

Once inside, the attackers monitor for an opportune time to strike, typically when a large payment is to be sent or due. They modify the payment instructions of one of the parties to make payment to a mule account they control.

But they didn’t stop there! In order to mask their activity, because multiple users within the authorisation chain are on CC to the payment instruction, they launch a classic smokescreen campaign by flooding every inbox at the firm with hundreds of spam messages at the exact same time the crime is being committed. And this is ongoing and relentless. The goal is simple: bury the wire transfer confirmation email in noise so it won’t get seen or detected, delaying any potential mitigation action. Effectively, the bad eggs are throwing a digital smokescreen.

It worked. And is working across a multitude of cases we’ve seen. The transfer goes through, unnoticed, and the funds are gone before a team even has a chance to react.

Urgently add active monitoring for behavioural anomalies post-authentication, such as impossible travel, sudden privilege escalation, or new device profiles making high-value changes. Otherwise, you’re flying blind.

For payment authorisation, MFA is not a panacea, especially for email accounts handling payment instructions. Implement manual processes to double and cross-check payments. Or reach out if you want to hear more about an automated payment protection solution we’ve built that fixes this. Not in full release but we’d love to hear your thoughts as we build it out. Stay sharp out there.
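The smokescreen described in the post is detectable as a volume anomaly, and the same detection can recover what it was meant to hide. The following is an added example, not code from the post's author or from any product: it builds a constructed inbound-mail log (ten quiet minutes, then one minute in which a genuine wire confirmation lands alongside 300 junk messages across three mailboxes), flags minutes whose org-wide volume is far above the recent median, and then pulls out of each flood minute the messages that come from a known counterparty domain or carry payment wording. The log format, the thresholds and the counterparty list are assumptions for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Message:
    ts: datetime
    recipient: str
    sender: str
    subject: str

    @property
    def sender_domain(self) -> str:
        return self.sender.rsplit("@", 1)[-1].lower()


def make_sample() -> list:
    """Constructed inbound-mail log for the example (not real traffic).

    Ten quiet minutes of one or two routine messages, then, in minute eleven,
    a wire confirmation from a genuine counterparty arrives at the same time as
    300 junk messages spread over three mailboxes.
    """
    base = datetime(2024, 5, 14, 9, 0)
    routine = [
        ("news@vendor.example", "May newsletter"),
        ("hr@example.com", "Timesheets due Friday"),
        ("support@saas.example", "Ticket #4411 updated"),
    ]
    msgs = []
    for minute in range(10):
        for j in range(1 + minute % 2):
            sender, subject = routine[(minute + j) % 3]
            msgs.append(Message(base + timedelta(minutes=minute, seconds=10 + 20 * j),
                                "alice@example.com", sender, subject))
    # The message the smokescreen is meant to bury.
    msgs.append(Message(base + timedelta(minutes=10, seconds=12), "alice@example.com",
                        "ap@counterparty.example",
                        "Wire confirmation: invoice 2291 (amended bank details)"))
    junk = ["You have won a prize!", "Unsubscribe confirmation", "Limited offer: 90% off today"]
    for rcpt in ("alice", "bob", "carol"):
        for k in range(100):
            msgs.append(Message(base + timedelta(minutes=10, seconds=k * 0.59),
                                f"{rcpt}@example.com", f"bulk{k}@junk{k % 7}.example", junk[k % 3]))
    return sorted(msgs, key=lambda m: m.ts)


def minute_series(messages) -> list:
    """Org-wide inbound count for every minute between first and last message (zeros included)."""
    counts = Counter(m.ts.replace(second=0, microsecond=0) for m in messages)
    t, end = min(counts), max(counts)
    series = []
    while t <= end:
        series.append((t, counts.get(t, 0)))
        t += timedelta(minutes=1)
    return series


def find_floods(messages, history=5, ratio=10.0, min_count=50) -> list:
    """Flag minutes whose volume is both large in absolute terms and far above the recent median."""
    series = minute_series(messages)
    floods = []
    for i, (t, n) in enumerate(series):
        prior = [c for _, c in series[max(0, i - history):i]]
        if len(prior) < 3:
            continue  # not enough history to call a baseline
        baseline = max(median(prior), 1.0)
        if n >= min_count and n >= ratio * baseline:
            floods.append((t, n))
    return floods


# Subject wording that should never be allowed to drown in a flood (assumed list).
FINANCE_RE = re.compile(r"\b(wire|invoice|payment|bank details|remittance|iban|beneficiary)\b", re.I)


def surface_buried(messages, floods, trusted_domains, pattern=FINANCE_RE) -> list:
    """Within each flood minute, pull out mail from known counterparties or with finance wording."""
    windows = [(t, t + timedelta(minutes=1)) for t, _ in floods]
    return [m for m in messages
            if any(a <= m.ts < b for a, b in windows)
            and (m.sender_domain in trusted_domains or pattern.search(m.subject))]


if __name__ == "__main__":
    sample = make_sample()
    floods = find_floods(sample)
    for t, n in floods:
        print(f"flood at {t:%H:%M}: {n} inbound messages")
    for m in surface_buried(sample, floods, {"counterparty.example"}):
        print(f"  buried in the noise -> {m.sender}: {m.subject}")
```

The ratio-to-median check rather than a fixed threshold is what keeps a Monday-morning newsletter batch from firing; the absolute floor stops a jump from one message to twelve from counting as a flood. Run against a real gateway log, the surfaced list is the handful of messages a finance approver should be shown by hand while the rest of the burst is quarantined.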
Attackers exploiting email security delays
Summary
Attackers exploiting email security delays means cybercriminals taking advantage of gaps, permissive settings or slow responses in email security to carry out fraud: flooding inboxes with spam to bury a fraudulent payment instruction, abusing permissive relay or on-behalf-of settings so spoofed mail passes authentication, and planting forwarding rules or third-party mail clients so access survives a password reset. These tactics help attackers bypass controls, mask fraudulent transactions, and extend their access even after the initial entry point is closed.
- Review security settings: Regularly audit your email protection configurations and authentication policies to help reduce vulnerabilities that attackers can exploit.
- Monitor for anomalies: Keep an active watch for unusual behaviors like new device logins, sudden privilege changes, or unexpected email forwarding rules, which can indicate ongoing threats.
- Double-check transactions: Use manual verification processes for sensitive payments or requests, such as confirming wire transfer details over the phone, to avoid falling victim to hidden email scams.
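The "monitor for anomalies" item above is concrete enough to implement. What follows is an added example, written for this page and not taken from any of the quoted posts or from a vendor product: it takes constructed sign-in events (user, time, location, device, session) and audit actions, flags sign-ins that imply impossible travel (great-circle distance divided by elapsed time above an airline-speed ceiling) or an unseen device, and then raises an alert only when a high-value change was made inside a session that began with such a sign-in. The event shapes, the known-device table and the set of high-value action names are assumptions for the example.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    lat: float
    lon: float
    device_id: str
    session_id: str


@dataclass(frozen=True)
class Action:
    user: str
    ts: datetime
    session_id: str
    kind: str


# Devices each user has signed in from before (constructed; in practice learned over a trailing window).
KNOWN_DEVICES = {"alice": {"D-alice-laptop"}, "bob": {"D-bob-laptop"}}
# Changes worth a second look whatever session performed them (assumed names).
HIGH_VALUE = {"beneficiary_bank_changed", "payment_approved", "role_elevated"}


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(signins, max_kmh=900.0, min_km=50.0) -> dict:
    """Map session_id -> reason for every sign-in that would have needed more than max_kmh to reach."""
    by_user = defaultdict(list)
    for s in sorted(signins, key=lambda s: s.ts):
        by_user[s.user].append(s)
    flagged = {}
    for seq in by_user.values():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            if km >= min_km and (hours <= 0 or km / hours > max_kmh):
                flagged[cur.session_id] = f"impossible travel: {km:.0f} km in {hours * 60:.0f} min"
    return flagged


def new_devices(signins, known=KNOWN_DEVICES) -> dict:
    """Map session_id -> reason for sign-ins from a device the user has never used."""
    return {s.session_id: f"new device {s.device_id}"
            for s in signins if s.device_id not in known.get(s.user, set())}


def alerts(signins, actions, known=KNOWN_DEVICES) -> list:
    """High-value actions performed inside a session that began with an anomalous sign-in."""
    reasons = defaultdict(list)
    for src in (impossible_travel(signins), new_devices(signins, known)):
        for sid, why in src.items():
            reasons[sid].append(why)
    return [(a, reasons[a.session_id]) for a in actions
            if a.kind in HIGH_VALUE and a.session_id in reasons]


def make_sample():
    """Constructed sign-in and audit events (not real logs)."""
    t0 = datetime(2024, 5, 14, 8, 0)
    signins = [
        SignIn("alice", t0, 51.5074, -0.1278, "D-alice-laptop", "s1"),                      # London
        SignIn("alice", t0 + timedelta(minutes=40), 6.5244, 3.3792, "D-unknown-7", "s2"),    # Lagos, 40 min later
        SignIn("bob", t0 + timedelta(minutes=10), 51.5074, -0.1278, "D-bob-laptop", "s3"),   # London
        SignIn("bob", t0 + timedelta(minutes=120), 53.4808, -2.2426, "D-bob-laptop", "s4"),  # Manchester, 2 h later
    ]
    actions = [
        Action("alice", t0 + timedelta(minutes=65), "s2", "beneficiary_bank_changed"),
        Action("bob", t0 + timedelta(minutes=130), "s4", "payment_approved"),
        Action("alice", t0 + timedelta(minutes=5), "s1", "mail_read"),
    ]
    return signins, actions


if __name__ == "__main__":
    for action, why in alerts(*make_sample()):
        print(f"{action.user} {action.kind} in session {action.session_id}: {'; '.join(why)}")
```

Tying the alert to the session rather than to the user matters in the AiTM case: the stolen session token is what the attacker replays, so the anomalous sign-in and the later payment change share a session identifier even though the legitimate user is also active from their own device. Bob's London-to-Manchester move at 131 km/h on a known device stays silent; Alice's beneficiary change 65 minutes after a Lagos sign-in on an unseen device does not.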
-
Cybersecurity Alert: Proofpoint Settings Exploited in Massive Phishing Campaign

In a concerning development for email security, threat actors have found a way to exploit Proofpoint's email protection service to distribute millions of phishing emails daily. This sophisticated attack takes advantage of misconfigured Proofpoint settings, allowing malicious actors to bypass security measures and deliver potentially harmful content to unsuspecting recipients[1].

The exploit works by abusing the "On-Behalf-Of" (OBO) feature in Proofpoint, which is typically used for legitimate purposes such as allowing executive assistants to send emails on behalf of their managers. However, when improperly configured, this feature can be manipulated to send emails that appear to come from trusted domains[1].

Key points of the attack:
- Attackers are sending up to 5 million phishing emails per day
- The emails often impersonate well-known brands to increase credibility
- Malicious content includes fake login pages and malware-laden attachments
- Over 1,000 domains have been observed being abused in this campaign

To protect against this threat, organizations using Proofpoint should:
1. Review and tighten their OBO configurations
2. Implement strict authentication policies
3. Regularly audit email security settings
4. Train employees to recognize phishing attempts

This incident serves as a stark reminder that even trusted security solutions can become vectors for attack if not properly configured and maintained. As cyber threats continue to evolve, it's crucial for businesses to stay vigilant and regularly assess their security posture[1].

Citations:
[1] https://lnkd.in/gQAq-_Bh
-
AdvisorDefense: The Silent Persistence of BEC - When Expelling the Attacker Isn’t the End

Business Email Compromise (BEC) remains one of the most devastating cyber threats to organizations worldwide. While many assume that kicking a threat actor out of their systems ends the attack, a recent Invictus Incident Response case proves otherwise. Sometimes, attackers persist even after being expelled.

The Attack: A Sophisticated Adversary-in-the-Middle Tactic

The attack began with a well-crafted phishing email disguised as a Dropbox invoice notification. The recipient, believing it to be legitimate, clicked the ‘View on Dropbox’ button and landed on a fake Dropbox login page. Here’s where the real trouble started:

✅ Credentials Captured – The victim entered their login details.
✅ MFA Compromised – The attacker also captured an MFA code, allowing them to bypass additional security layers.
✅ Persistence Achieved – With access to the email account, the attacker configured eM Client, a third-party email application, enabling them to maintain control even after passwords were reset.
✅ Forwarding Rules Set Up – To further maintain access, they created email forwarding rules, ensuring they could continue monitoring inbox activity unnoticed.

The victim eventually caught on. After 3 weeks, IT stepped in to reset passwords, remove forwarding rules, revoke active sessions, and uninstall eM Client. The attacker was expelled, or so they thought!

The Attack Didn’t End There…

Days later, the attacker leveraged the victim’s email identity in new ways:

🚨 Created a Dropbox account using the victim’s email to send fraudulent invoices to the victim’s contacts.
🚨 Set up a WeTransfer account with the victim’s details to distribute more malicious emails.
🚨 Continued the scam, exploiting the trust associated with the victim’s email.

Key Lessons: BEC Attacks Go Beyond the Inbox

1️⃣ MFA Alone Isn’t Enough – Many assume that MFA stops BEC attacks, but attackers are evolving. Adversary-in-the-middle (AiTM) tactics allow them to steal both credentials and MFA codes in real time.
2️⃣ Expelling an Attacker Doesn't Always Mean the End – Even after revoking access, attackers can reuse stolen identities elsewhere to continue fraud.
3️⃣ Continuous Monitoring – Check for newly created accounts using corporate email domains and implement dark web monitoring to detect compromised credentials.

How to Protect Your Organization from BEC Attacks

🔒 Adopt phishing-resistant MFA solutions.
🔒 Use Conditional Access & Impossible Travel Policies to detect anomalous login activity.
🔒 Regularly review third-party email applications connected to business accounts to spot unauthorized apps.
🔒 Enable DMARC to prevent domain spoofing.
🔒 Educate employees on phishing techniques.

Attackers Are Persistent — Your Defense Should Be Too!

#Cybersecurity #BEC #EmailSecurity #ThreatIntelligence #Microsoft365Security https://lnkd.in/eNZcDd4X
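The two persistence mechanisms in the case above, inbox rules and a third-party mail client, are exactly the things a post-compromise mailbox review should look for. The following is an added example, not from the post's author, Invictus or any mail platform: it audits a constructed set of inbox rules and connected-client sessions and returns findings for rules that forward or redirect outside the organisation, rules that delete or hide finance-related mail, rules with blank or punctuation-only names (a common tell), and any client outside an approved list. The rule and session record shapes are simplified assumptions; real exports (for example from Exchange inbox-rule or sign-in reports) would need a thin mapping onto them.

```python
import re
from dataclasses import dataclass, field

# What "normal" looks like for this tenant (constructed assumptions for the example).
ORG_DOMAINS = {"example.com"}
APPROVED_CLIENTS = {"Outlook", "Outlook Mobile", "OWA"}
# Folders BEC actors commonly hide mail in, and rule names clearly meant not to be noticed.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive",
                  "junk email", "deleted items"}
SUSPICIOUS_NAME = re.compile(r"^[\s.,;:'\"_-]*$")
FINANCE_RE = re.compile(r"(invoice|payment|wire|bank|remit|beneficiary|iban|password|security|it ?helpdesk)", re.I)


@dataclass
class InboxRule:
    name: str
    enabled: bool = True
    from_contains: list = field(default_factory=list)
    subject_contains: list = field(default_factory=list)
    forward_to: list = field(default_factory=list)
    redirect_to: list = field(default_factory=list)
    move_to_folder: str = ""
    delete: bool = False
    mark_as_read: bool = False


@dataclass
class ClientSession:
    client: str     # application name as reported by the mail service
    protocol: str   # e.g. MAPI, IMAP4, EWS
    last_seen: str


def _external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def audit_rules(rules) -> list:
    """Return (severity, rule name, reason) for rules that look like BEC persistence or concealment."""
    findings = []
    for r in rules:
        if not r.enabled:
            continue
        for addr in r.forward_to + r.redirect_to:
            if _external(addr):
                findings.append(("high", r.name, f"forwards or redirects mail to external address {addr}"))
        hides = r.delete or r.move_to_folder.lower() in HIDING_FOLDERS
        terms = r.from_contains + r.subject_contains
        if hides and any(FINANCE_RE.search(x) for x in terms):
            where = "deletes" if r.delete else f"moves to '{r.move_to_folder}'"
            findings.append(("high", r.name, f"{where} finance/security-related mail matching {terms}"))
        elif hides and r.mark_as_read:
            findings.append(("medium", r.name, f"hides mail in '{r.move_to_folder}' and marks it read"))
        if SUSPICIOUS_NAME.match(r.name):
            findings.append(("medium", r.name or "<empty>", "rule name is blank or punctuation only"))
    return findings


def audit_clients(sessions) -> list:
    """Flag connected applications outside the approved set (the eM Client pattern from the case above)."""
    return [("high", s.client, f"unapproved client over {s.protocol}, last seen {s.last_seen}")
            for s in sessions if s.client not in APPROVED_CLIENTS]


def make_sample():
    """Constructed rules and sessions resembling what a compromised mailbox might show."""
    rules = [
        InboxRule("..", from_contains=["counterparty.example"], move_to_folder="RSS Feeds", mark_as_read=True),
        InboxRule("Fwd", forward_to=["ap.backup9921@gmail.example"]),
        InboxRule("Cleanup", subject_contains=["invoice", "payment"], delete=True),
        InboxRule("Newsletters", subject_contains=["newsletter"], move_to_folder="Newsletters"),
    ]
    sessions = [
        ClientSession("Outlook", "MAPI", "2024-05-14T08:02Z"),
        ClientSession("eM Client", "IMAP4", "2024-05-14T03:41Z"),
    ]
    return rules, sessions


if __name__ == "__main__":
    rules, sessions = make_sample()
    for sev, name, why in audit_rules(rules) + audit_clients(sessions):
        print(f"[{sev}] {name}: {why}")
```

The "Newsletters" rule is the control: moving mail to a visible folder on a non-financial match is ordinary user behaviour and produces nothing. The other three each trip at least one check, and the two-character rule name trips a second one on its own, which is worth keeping as a separate finding because it holds even when the attacker's filter terms are ones your keyword list does not anticipate.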
-
EchoSpoofing exploits a design vulnerability in Proofpoint's email protection service to send perfectly spoofed phishing emails. Attackers use a simple SMTP server to create spoofed emails, which are then relayed through a compromised Microsoft Office365 account. This Office365 account is configured to forward emails to a specific Proofpoint customer's outbound email server. Due to a permissive configuration made by many Proofpoint customers (including Disney - oops!), Proofpoint's server accepts these forwarded emails as legitimate emails from the sending domain, even if they originated from a different Office 365 account. It then processes them as legitimate, adding proper SPF and DKIM signatures before dispatching them. This allows the attacker to impersonate any domain protected by Proofpoint, bypassing standard email authentication protocols. The spoofed emails are then delivered with fully valid authentication, appearing completely legitimate to recipients and security systems alike.

As someone who has faced similar blowback from weaknesses inherent in SMTP authentication, I can empathize with the team at Proofpoint dealing with the fallout from the EchoSpoofing issue, which surely is generating a lot of questions from large important customers. While it's easy to criticize from the outside, managing complex email infrastructures for thousands of customers is incredibly challenging. What may seem like a simple configuration issue can have far-reaching consequences due to the intricate nature of email protocols and the diverse needs of different clients.

The very specification for SMTP, RFC5321, acknowledges that the protocol is fundamentally insecure and advises against trying to enforce authentication solely within its framework. Instead, it emphasizes the importance of end-to-end security measures that focus on the message content itself. This perspective helps explain why, despite our best efforts and those of companies like Proofpoint, trusting the veracity of the sending domain of an email message is risky business. It's a reminder that while transport-level security measures are valuable, they should complement rather than replace robust end-to-end authentication methods such as S/MIME. https://lnkd.in/giFcss7i
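The relay decision at the heart of the EchoSpoofing description above, a relay that trusts "any mail arriving from the cloud provider's outbound addresses with our customer's From domain" versus one that also pins the originating tenant, is small enough to model directly. The following is an added example written for this page; it is not Proofpoint's code and does not describe their actual configuration or fix. It evaluates three constructed submissions (a genuine message from the customer's own tenant, an EchoSpoofing-style message from a different tenant behind the same provider addresses, and a plain spoof from an unrelated host) under a permissive and a strict policy. Reading the tenant identity from the X-OriginatorOrg header that Exchange Online stamps on outbound mail is an assumption about how a relay might implement the check; the IP ranges are RFC 5737 documentation space standing in for the provider's published outbound ranges.

```python
from dataclasses import dataclass
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Stand-in for the cloud provider's published outbound ranges (constructed; RFC 5737 documentation space).
M365_OUTBOUND = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class RelayPolicy:
    customer_domain: str
    trust_all_m365: bool        # permissive: any tenant behind the provider's IPs may relay for this domain
    allowed_tenants: frozenset  # strict: only mail stamped with one of these tenant identities


def relay_decision(client_ip: str, headers: dict, policy: RelayPolicy):
    """Decide whether the outbound relay accepts (and would then DKIM-sign and send) a message.

    Returns (accepted, reason). Tenant identity is read from the X-OriginatorOrg header that
    Exchange Online stamps on outbound mail; using it this way is an assumption of this example.
    """
    from_domain = parseaddr(headers.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    if from_domain != policy.customer_domain:
        return False, f"From domain {from_domain!r} is not the customer's"
    if not any(ip_address(client_ip) in net for net in M365_OUTBOUND):
        return False, f"{client_ip} is not a trusted upstream"
    if policy.trust_all_m365:
        # The permissive path: the upstream is "Microsoft", the From matches, so sign and send.
        return True, "trusted upstream and matching From domain (tenant not checked)"
    tenant = headers.get("X-OriginatorOrg", "").lower()
    if tenant in policy.allowed_tenants:
        return True, f"tenant {tenant} is pinned for {policy.customer_domain}"
    return False, f"tenant {tenant or '<missing>'} is not pinned for {policy.customer_domain}"


def evaluate(messages, policy) -> dict:
    """Run every submission through the policy; map label -> accepted."""
    return {label: relay_decision(ip, hdrs, policy)[0] for label, ip, hdrs in messages}


# Three constructed submissions as the relay would see them.
SAMPLE = [
    ("legit", "203.0.113.10",
     {"From": "Finance <ap@victim.example>", "X-OriginatorOrg": "victim.example"}),
    ("echo-spoof", "203.0.113.77",
     {"From": "CEO <ceo@victim.example>", "X-OriginatorOrg": "attacker-tenant.onmicrosoft.example"}),
    ("direct-spoof", "198.51.100.5",
     {"From": "CEO <ceo@victim.example>"}),
]
PERMISSIVE = RelayPolicy("victim.example", True, frozenset())
STRICT = RelayPolicy("victim.example", False, frozenset({"victim.example"}))

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("strict", STRICT)):
        for label, ip, hdrs in SAMPLE:
            ok, why = relay_decision(ip, hdrs, policy)
            print(f"{name:10} {label:13} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The permissive policy already rejects the direct spoof, which is why it looks adequate in a normal review: SPF and the source-IP check do their job against outsiders. What it cannot tell apart is one tenant from another behind the same provider address space, and once the relay accepts the message it is the relay's own IP and DKIM key that the recipient evaluates, so SPF, DKIM and DMARC all pass. Pinning the tenant closes that gap at the relay; it does nothing for a message the attacker sends from a tenant that is genuinely the customer's, which is the end-to-end problem the post's last paragraph is pointing at.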