Blue Core Research
Email Security: Risks & Effectiveness
A massive recent phishing campaign exposed a critical vulnerability in Proofpoint, a cloud-based email security provider. The incident raises important questions about supply chain attacks, the effectiveness of email security, and the need for layered defenses.

What Happened?

Hackers found an exploit in organizations that use Office 365 and Proofpoint. The exploit allowed the hackers to send authenticated emails with digital signatures identical to emails sent by those organizations. The list of exploited organizations includes Disney, Coca-Cola, IBM, Nike, Best Buy, and many others.

Using this exploit, over a period of at least seven months, hackers sent an estimated average of 3 million emails per day, with peaks reaching as high as 14 million emails per day. That amounts to an estimated half a billion to one billion perfectly spoofed phishing emails.

We don’t know the number of credit cards, credentials, identities, and other information hackers stole. However, some attacks took advantage of the services sold by the companies they forged, sending customers to purchasing pages with recurring charges on their credit cards.

Significance

Authenticated emails sent via Office 365 and Proofpoint are identical to emails sent by those companies, and customers cannot tell the difference. However, phishing attacks often dupe customers without leveraging high-quality forgeries, so the biggest problem lies elsewhere.

Such emails have very high deliverability rates and sending rates. All email providers and spam filters allow millions of emails per minute from those organizations, and they will not get into the spam folder. Coupled with their authenticity, this creates powerful phishing attacks.

Additionally, many organizations tag external emails to alert employees of potential phishing attempts. These authenticated emails will bypass such warnings as the emails are identical to emails sent by the organization. That makes it highly likely that employees will fall prey to a targeted phishing attack.
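The tagging bypass described above comes from deciding "external" by the sender's identity. As an added example that is not part of the original post, the Python below contrasts that rule with one based on the delivery path: any message accepted by the organization's internet-facing MX is external, regardless of what the From header and the DMARC verdict say. The domain, the gateway hostnames and the two sample messages are constructed assumptions.

```python
import email
import re
from email.utils import parseaddr

# Assumed configuration for this example (not taken from the post).
OUR_DOMAIN = "example.com"
INBOUND_MX = {"mx.example.com"}  # internet-facing gateways; internal mail never traverses them

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[m.group(1).lower()] = m.group(2).lower()
    return results

def entered_from_internet(msg):
    """True if any Received hop was accepted by one of our internet-facing MX hosts."""
    for hdr in msg.get_all("Received", []):
        m = re.search(r"\bby\s+([\w.-]+)", hdr, re.I)
        if m and m.group(1).lower() in INBOUND_MX:
            return True
    return False

def naive_is_external(msg):
    """Identity-based rule: an authenticated spoof of our own domain slips through."""
    domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    return domain != OUR_DOMAIN

def classify(raw):
    """Evaluate both rules on a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    return {
        "dmarc": auth_results(msg).get("dmarc"),
        "naive_external": naive_is_external(msg),
        "ingress_external": entered_from_internet(msg),
    }

# Constructed sample: From is our domain and DMARC passes, yet the message was
# accepted from the internet by our inbound MX, a path genuine internal mail never takes.
SPOOFED = """Received: from outbound.relay.test (outbound.relay.test [192.0.2.10]) by mx.example.com with ESMTP; Mon, 1 Jul 2024 10:00:00 +0000
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: IT Helpdesk <helpdesk@example.com>
To: staff@example.com
Subject: Action required

Please review the attached policy update.
"""

# Constructed sample: genuine internal submission via the internal relay only.
INTERNAL = """Received: from workstation.corp.example.com ([10.0.0.5]) by smtp-int.example.com with ESMTPSA; Mon, 1 Jul 2024 10:00:00 +0000
From: Alice <alice@example.com>
To: staff@example.com
Subject: Lunch

Noon?
"""
```

The path-based rule also tags the organization's own mail when it is sent through an outsourced provider and re-enters via the internet, which is the trade-off the post implies: authentication results alone cannot separate those messages from a spoof that used the same infrastructure.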

Supply chain attacks and Cloud services

Supply chain attacks are a major concern since they expose organizations to threats they are unaware of and cannot address. Supply chain attacks also have a scary potential since hackers can exploit vulnerabilities in any organization that leverages that supplier.

The supply chain problem increases exponentially in cloud-based services. Hackers can exploit supply chain cloud vulnerabilities without accessing the corporate network or triggering alarms. As demonstrated by this attack, many large organizations were victims of a large-scale attack they did not know about.

Email Security

Email security is almost an oxymoron, and this attack is another proof of our inability to secure it. Authenticating and signing emails with DKIM, SPF, and DMARC is beneficial and valuable, but it is an effort that cannot prevent even simple phishing attacks. It makes things better but extremely far from perfect.

Organizations must accept that email is unsafe, that many employees and customers fall prey to phishing, and, as a result, that successful phishing attacks occur regularly.

We should make reasonable efforts to protect the perimeter. It is meaningful because it reduces the number of attacks. However, you cannot prevent intruders from penetrating it and gaining access to the corporate network. Therefore, increased investments in perimeter protection have diminishing returns, especially ineffective ones like email security.

Layered approach with Data-centric defenses

Given our limited ability to protect the corporate network, we must implement a layered security approach with data-centric defenses that prevent a data breach when a hacker inevitably penetrates the perimeter.

By understanding how a data breach occurs and implementing an appropriate security strategy, organizations can significantly reduce their risk of falling victim to attacks.

Core Audit is a fundamental component in the battle against data breaches, providing the visibility and control necessary to protect your organization against attacks and emerging threats. Contact us to learn more, discuss your organization’s unique environment, and understand your security needs. Let us help you be successful.

If you want to know more, contact us at info@bluecoreresearch.com