Connected Third-Party Applications Widen Attack Surface Area

Third-party apps present increased cyberattack risks to email environments via app permissions. Traditional email can't handle the challenge, but Abnormal can.
August 2, 2023

Inbound email attacks are a mainstay for cybercrooks, but criminals are shifting tactics to exploit third-party applications as a new method for gaining entry into an organization’s email environment. This is getting easier due to the popularity of software as a service (SaaS) and apps. In fact, we’ve seen a 128% increase since 2020 in the number of unique applications leveraged by the Abnormal customer base, now totaling more than 26,000 unique apps.

Connected third-party applications aren’t problems in themselves. These tools offer collaboration and efficiency essential for today’s dispersed workforce. But more integrations mean more opportunities for infiltration.

And according to the latest research from IBM, vulnerabilities in third-party software accounted for 13% of all breaches in 2022—costing organizations an average of $4.55 million per incident. Organizations need to understand these vast threat environments to more aptly defend against attacks.

Third-Party Apps Expand the Surface Area for Cyberattacks

Traditional cybersecurity operates like a drawbridge, letting through legitimate emails and preventing malicious emails from entering the organization. Phishing, malware, and social engineering scams would still get through without proper security protocols, but they all entered through the inbox—the front door. Unfortunately, third-party applications provide side doors for attackers to compromise email accounts without detection.

There are a few ways attackers can use third-party apps to breach your organization, but some of the most prevalent include:

  • Stealing API keys and installing malicious applications with high-risk permissions

  • Tricking employees via social engineering into installing‌ legitimate apps that secretly provide attackers with access

  • Stealing customer data from infiltrated and compromised applications

And unfortunately, this isn’t just theoretical. Media giant News Corp—owner of The Wall Street Journal and the New York Post—suffered an undetected cyberattack for two years. During that time, attackers stole a plethora of email data from journalists. How did this happen? A malicious application integrated with their Microsoft 365 cloud email provided attackers with a side door to access sensitive information without detection. And the number of side doors continues to grow.

Threat Blog1

While News Corp might have been specifically targeted, every organization houses valuable information coveted by cybercriminals. The larger the organization, the larger its app portfolio, and thus the larger the surface area for exploitation.

For example, organizations with fewer than 3,000 mailboxes average only a few hundred integrated applications to assist their employees. But organizations hosting more than 30,000 mailboxes use an average of 4,000 applications—demonstrating the herculean task for security teams to protect against incursion.

Threat Blog2

These attacks are devastating and difficult to detect because they bypass traditional inbound email security tools. The threat surface presented by these apps is ever-expanding, but that doesn’t mean the problem is unstoppable. Securing organizations requires first understanding what applications are connected to email—and what each application has permission to do

Understanding Third-Party App Permissions and Associated Risks

Every time an employee authorizes a third-party application, they grant it a number of permissions. Many of these operations are legitimate, but when apps are compromised, they give attackers access to things they shouldn’t have. Security teams must recognize the risk level associated with each of these permissions.

Each third-party application is a potential entry point into your mailboxes. So it’s vital to understand which permissions are most risky. For example:

  • Permissions to view calendars are fairly innocuous

  • Permissions giving read access to email content is a medium risk since mailboxes, often hold sensitive business information

  • Permissions to create or delete content, change permissions, or privilege escalations present high risks

But surely applications don’t actually need all those high-risk permissions, right? Of the top 30 permissions seen by Abnormal, more than 37% are considered high-risk, while another 37% are considered medium-risk.

Threat Blog3

Recognizing that each application provides attackers with a side door into your email environment is the first important step to securing your organization. Piqued your curiosity? You can see the full list of common applications and their associated risk levels in the report.

Stand Up to the Full Spectrum of Attacks Against Your Email Environment

Whether bad actors attack through the front door with an inbound email or a side door via a connected third-party application, organizations must defend themselves. Legacy email security tools simply cannot stand up to the challenge.

Protect yourself completely against the full spectrum of attacks with the best in email security. Abnormal can detect even minor deviations in behavior to identify suspicious activity and proactively block attacks. Matching behavioral science with risk-adaptive detection provides full protection for your email environment including new third-party apps, changes in permissions, or privilege escalations. If the News Corp attack taught us anything, it’s that it’s time to protect your entire email environment—inboxes and connected apps alike.

Take a deep dive into the data with our latest threat report, Applications Abound: Average Organization Now Integrates 379 Third-Party Applications with Email.

Connected Third-Party Applications Widen Attack Surface Area

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B 07 22 24 MKT624 Images for Paris Olympics Blog
Threat actors are targeting French businesses ahead of the Paris 2024 Olympics. Learn how they're capitalizing on the event and how to protect your organization.
Read More
B Cross Platform ATO
Cross-platform account takeover is an attack where one compromised account is used to access other accounts. Learn about four real-world examples: compromised email passwords, hijacked GitHub accounts, stolen AWS credentials, and leaked Slack logins.
Read More
B Why MFA Alone Will No Longer Suffice
Explore why account takeover attacks pose a major threat to enterprises and why multi-factor authentication (MFA) alone isn't enough to prevent them.
Read More
Learn how Abnormal uses natural language processing or NLP to protect organizations from phishing, account takeovers, and more.
Read More
B DK Compromise 7 11 24
Discover the top five ways hackers compromise accounts, from exploiting leaked API credentials to SIM swapping partnerships, and more. Learn how these techniques enable account takeover (ATO) and pose risks to enterprises.
Read More
B Sans Recap 7 11 24
Discover trends among modern SOC teams, including misaligned budgets, increased automation, unsatisfactory AI tools, staffing issues, and more.
Read More