As businesses move to the cloud, threat actors have kept pace, which makes their attacks harder to detect and more effective than ever.
In the latest escalation of the cybersecurity arms race, threat actors are following their targets into the cloud, launching difficult-to-detect attacks that leverage trusted domains owned by companies like Google and Microsoft. According to a blog post from cybersecurity software company Proofpoint, cloud collaboration tools including Microsoft 365, Azure, OneDrive, SharePoint, G Suite and Firebase are being abused to launch a growing number of cyberattacks, and because both the messages and the lures are hosted on those platforms, they are hard to tell apart from legitimate traffic.
The perception of authenticity, Proofpoint's Ryan Kalember wrote in the blog post, is an essential part of tricking users into opening malicious emails or files. In 2020, nearly 60 million malicious messages were sent from Microsoft 365 accounts and over 90 million originated from Gmail. In Q1 2021 alone, 7 million messages were sent from Office 365 and 45 million from Gmail, roughly double Gmail's 2020 quarterly average of just over 22 million.
The malicious email volume sent from Gmail and Office 365 in 2020 “exceeded that of any botnet in 2020, and the trusted reputation of these domains, including outlook.com and sharepoint.com, increases the difficulty of detection for defenders,” Kalember said.
Ninety-five percent of organizations, Proofpoint said, were targeted by cloud compromise attacks in 2020, with half falling victim to one of the attacks. Thirty percent of those experienced post-attack activity on their network, showing that attackers who gain access “can leverage credentials to log into systems as imposters, move laterally across multiple cloud services and hybrid environments, and send convincing emails cloaked as a real employee, orchestrating potential financial and data loss.”
Proofpoint provided several examples of malicious messages originating from Microsoft Office 365 and Gmail accounts. In one, the message came from an ".onmicrosoft.com" address, the default domain every Office 365 tenant receives at sign-up, and contained a link to a SharePoint document purporting to be new company COVID-19 guideline policies. Opening the document led to a fake authentication page designed to harvest Office 365 credentials.
Attackers have also used trusted domains to host fake authentication pages that steal Zoom accounts, and multiple campaigns delivering malicious attachments containing macros were found as well.
With attackers using trusted domains to evade email filters, security professionals need to recognize that filtering messages by sender domain or reputation cannot be the only control protecting employees and internal systems.
Mail from Office 365, Gmail, onmicrosoft.com and other domains that are not specific to a single company can no longer be assumed safe or trustworthy: anyone can open an account under them. Security software, email filters and security teams need to adjust their postures accordingly, and users will need to adapt as well. Treat any email or link arriving from a public service as a potential threat, and verify it by reaching out to the supposed sender through a separate communication channel, never by replying to the message itself.
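One filter-side adjustment along these lines, added here as an example (it is not code from Proofpoint or from the article): rather than trusting the sender domain, the scorer looks for the signals the article describes, a shared public tenant as sender, a display name that impersonates an internal employee, a Reply-To steered elsewhere, and a sharepoint.com link that points at a tenant other than the organization's own. The organization's domain, its SharePoint tenant name, the employee directory and the two sample messages are all constructed assumptions.

```python
"""Heuristic scorer that refuses to treat mail from trusted cloud domains as
safe.  It looks for the pattern described in the article: a message sent from
a shared public tenant (gmail.com, outlook.com, *.onmicrosoft.com) whose display
name impersonates an internal employee, and/or that links to a SharePoint site
outside the organization's own tenant.  Company domain, tenant, directory and
sample messages are all constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Assumed (hypothetical) defended organization: its mail domain and its own
# SharePoint Online tenant, i.e. https://example.sharepoint.com/...
OUR_DOMAIN = "example.com"
OUR_SHAREPOINT_TENANT = "example"

# Stand-in for the employee directory an identity provider would supply.
EMPLOYEE_NAMES = {"Dana Ortiz", "Priya Natarajan", "Marcus Lee"}

# Sender domains anyone can obtain an account under.  Plenty of legitimate
# mail comes from them, so this is one risk signal, never a block list.
PUBLIC_TENANT_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "live.com"}
PUBLIC_TENANT_SUFFIXES = (".onmicrosoft.com",)

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def is_public_tenant(domain: str) -> bool:
    """True for shared consumer/tenant domains that confer no sender identity."""
    domain = domain.lower()
    return domain in PUBLIC_TENANT_DOMAINS or domain.endswith(PUBLIC_TENANT_SUFFIXES)


def sharepoint_tenant(url: str) -> Optional[str]:
    """Return the tenant name from a *.sharepoint.com URL, or None otherwise."""
    host = (urlparse(url).hostname or "").lower()
    if not host.endswith(".sharepoint.com"):
        return None
    tenant = host.split(".")[0]
    # OneDrive for Business lives at <tenant>-my.sharepoint.com.
    return tenant[:-3] if tenant.endswith("-my") else tenant


def score_message(raw: str) -> dict:
    """Parse one RFC 822 message and return its risk signals and a score."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    signals = []

    external = sender_domain != OUR_DOMAIN

    # 1. Sent from a shared cloud tenant: the domain's reputation says
    #    nothing about who is behind the account.
    if external and is_public_tenant(sender_domain):
        signals.append("sender is a shared public cloud tenant")

    # 2. Display name matches an internal employee but the address is
    #    external: the "cloaked as a real employee" pattern.
    if external and display_name.strip() in EMPLOYEE_NAMES:
        signals.append("display name impersonates internal employee")

    # 3. Replies are steered to a mailbox other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        signals.append("reply-to differs from sender")

    # 4. A sharepoint.com link passes any domain allow-list, so check which
    #    tenant it actually points at.
    for url in URL_RE.findall(body):
        tenant = sharepoint_tenant(url)
        if tenant is not None and tenant != OUR_SHAREPOINT_TENANT:
            signals.append(f"sharepoint link to foreign tenant '{tenant}'")

    return {"from": addr, "signals": signals, "score": len(signals)}


# Constructed sample: the lure described in the article, sent from an
# .onmicrosoft.com address, impersonating an employee, and linking to a
# "COVID-19 guidelines" document on a tenant that is not ours.
PHISH = """\
From: Dana Ortiz <hr-updates@acmehr.onmicrosoft.com>
To: staff@example.com
Subject: Updated COVID-19 guideline policies
Content-Type: text/plain

Please review the new guidelines before Friday:
https://acmehr.sharepoint.com/:b:/s/HR/COVID19-policy.pdf
"""

# Constructed sample: a legitimate internal message linking to our own tenant.
LEGIT = """\
From: Dana Ortiz <dana.ortiz@example.com>
To: staff@example.com
Subject: Q2 planning deck
Content-Type: text/plain

Deck is here: https://example.sharepoint.com/sites/planning/q2.pptx
"""

if __name__ == "__main__":
    for sample in (PHISH, LEGIT):
        result = score_message(sample)
        print(result["from"], result["score"], result["signals"])
```

The score is meant to feed a quarantine or banner decision, not to block outright: legitimate partners and contractors send from gmail.com and onmicrosoft.com every day, and the point of the article is that the domain alone tells you nothing either way. The employee-name and tenant checks are what turn "trusted domain" into a question of who is actually behind the account.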