3 Types of Email Platform Attacks Targeting Organizations Today
Nearly half of all data breaches in 2022 occurred in the cloud, and as cloud adoption continues to accelerate, we can expect that these cloud breaches will as well. With cyber threats continually evolving, organizations must equip themselves with the latest cybersecurity knowledge, especially as they deal with a new, growing threat category across the cloud threat landscape: cloud email platform attacks.
Now, the phrase “email platform attack” may conjure up the image of sophisticated social engineering or spearphishing campaigns. And while those tactics certainly factor into many of the documented cases of email platform compromise, they fall into the more “traditional” bucket of business email compromise (BEC) or more broadly, inbound email attacks.
Email platform attacks, as we are defining them here at Abnormal, are threats to the cloud email platform itself. So, when we talk about “email platform attacks,” we are talking about attacks that exploit lax security configurations, such as misconfigured conditional access, or the assumption that default security policies are enough. The issue is compounded by increasingly complex cloud platforms and by the limited posture visibility security teams have across their organization’s cloud email users, integrated applications, permissions, and connected mail tenants.
With that understanding in mind, let’s dig in further to three of the common tactics and attack types targeting cloud email platforms today.
1. Privileged User Account Compromise and Privilege Escalation
Hey you, get off my cloud! We all have users who need extra privileges to complete their work, but how much trouble can privileged accounts cause? According to the 2022 Anti-Phishing Working Group (APWG) Report, 36% of organizations indicated that inadequately managed privileges have resulted in a breach.
It is worth noting that a major concern of respondents to this report was malicious insiders—employees or contractors within the organization attempting to escalate account privileges or use existing privileges to access and exploit sensitive data—showing that privileged account compromise is as much an insider issue as it is an external one. In recent cases, insiders and external threat actors have overlapped significantly.
For example, you’ve probably heard of LAPSUS$. While a prolific threat group, they’re also well-known on Telegram as something of a toxic influencer, garnering 50,000 subscribers. Some of those subscribers were insiders at major organizations that sold their credentials directly to the threat group. LAPSUS$ then used those credentials to access and escalate the privileges of the compromised accounts. These types of user role changes went unnoticed by many organizations, allowing LAPSUS$ to infiltrate further, eventually resulting in a string of high-profile breaches.
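The role changes described above are visible in tenant audit data if someone is looking for them. The following is an added example (not Abnormal's code or product) of the kind of check a security team could run over exported Microsoft 365 audit records: it flags grants of privileged directory roles, and notes when the grant was a self-grant, came from an actor who is not on the approved admin list, or happened outside business hours. The records are constructed and use a simplified layout modelled on Unified Audit Log "Add member to role." entries; the field names, the privileged-role list and the sample accounts are assumptions to adapt to your own tenant.

```python
"""Flag privileged-role grants in Microsoft 365 style audit records.

Added example (not Abnormal's code). Records are constructed JSON lines with a
simplified layout modelled on Unified Audit Log entries; field names and the
role list below are assumptions to tune for your tenant.
"""
import json

# Directory roles treated as privileged (assumption: adjust to your tenant)
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Exchange Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
}

# Constructed sample records (not real tenant data)
SAMPLE_AUDIT_LOG = """
{"CreationTime": "2023-03-01T08:12:03", "Operation": "Add member to role.", "UserId": "admin@example.com", "ObjectId": "alice@example.com", "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Helpdesk Administrator"}]}
{"CreationTime": "2023-03-01T23:41:19", "Operation": "Add member to role.", "UserId": "bob@example.com", "ObjectId": "bob@example.com", "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator"}]}
{"CreationTime": "2023-03-02T02:05:44", "Operation": "Add member to role.", "UserId": "svc-sync@example.com", "ObjectId": "contractor1@example.com", "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Exchange Administrator"}]}
{"CreationTime": "2023-03-02T09:00:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ObjectId": "Unknown", "ModifiedProperties": []}
"""


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def role_name(record):
    """Return the role granted by an 'Add member to role.' record, if any."""
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.DisplayName":
            return prop.get("NewValue")
    return None


def find_privileged_grants(records, allowed_actors=frozenset(),
                           business_hours=(6, 20)):
    """Return one finding per privileged-role grant with the reasons it stands out.

    Every privileged grant is reported (they should be rare enough to review);
    the reasons list explains why a grant deserves faster attention.
    """
    findings = []
    for r in records:
        if r.get("Operation") != "Add member to role.":
            continue
        role = role_name(r)
        if role not in PRIVILEGED_ROLES:
            continue
        actor, target = r["UserId"], r["ObjectId"]
        reasons = []
        if actor == target:
            reasons.append("self-grant")
        if actor not in allowed_actors:
            reasons.append("actor not on approved admin list")
        hour = int(r["CreationTime"][11:13])  # hour from ISO-8601 timestamp
        if hour < business_hours[0] or hour >= business_hours[1]:
            reasons.append("outside business hours")
        findings.append({"time": r["CreationTime"], "actor": actor,
                         "target": target, "role": role, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_privileged_grants(parse_records(SAMPLE_AUDIT_LOG),
                                    allowed_actors={"admin@example.com"}):
        print(f"{f['time']} {f['actor']} -> {f['target']} [{f['role']}]: "
              + ", ".join(f["reasons"]))
```

On the constructed data the helpdesk grant is ignored (not a privileged role), while the late-night self-grant of Global Administrator and the Exchange Administrator grant performed by a sync service account are both surfaced with their reasons. In practice the approved-actor list would come from your change process, and the time window from the tenant's working hours.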
2. Third-Party App Attacks
You’ve got mail(icious applications)! In September 2022, Microsoft published findings pertaining to a malicious spam campaign perpetrated by nation-state actors that targeted consumers. The attack took advantage of lax or non-existent multi-factor authentication (MFA) policies, allowing the threat actors to execute credential-stuffing attacks against unsecured Exchange accounts. These included admin accounts, which were then used to access Exchange Online mail tenants.
Once inside these tenants, the threat actors deployed malicious OAuth applications, which added inbound connectors to the mail server. From there, spam email blasts were launched, masquerading as sweepstakes invitations from trusted consumer brands and asking recipients to register to win the grand prize. In actuality, victims were registering for paid subscriptions to nothing.
While this is a recent example, malicious or compromised applications are fairly standard and established attack methods that hold major utility as entry points into cloud email platforms. With SaaS applications continuing to multiply, and misconfigured API integrations vulnerable to abuse, security teams that lack visibility into app installations and permission changes risk missing the signs of an attack in progress.
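Both steps of the campaign above, an OAuth application being granted mail permissions and an inbound connector being added to the tenant, leave audit records. As an added example (not Abnormal's or Microsoft's code), the following check scans constructed audit records for application consents that grant mail-reading, mail-sending or directory-writing permissions and for inbound connector creation, and ties a connector change back to a risky consent by the same actor shortly before it. The record layout is a simplified assumption modelled on Unified Audit Log "Consent to application." entries and Exchange admin audit entries for New-InboundConnector; the risky-scope list is a starting point, not a definitive catalogue.

```python
"""Flag risky OAuth app consents and new inbound connectors in audit records.

Added example (not Abnormal's or Microsoft's code). Records are constructed
JSON lines with a simplified layout modelled on Unified Audit Log entries; the
field names, scope list and sample app/connector names are assumptions.
"""
import json
from datetime import datetime

# Permissions that let an app read or send mail or change the directory;
# treat grants of these as high risk (assumption: extend for your environment)
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "full_access_as_app",
                "EWS.AccessAsUser.All", "Directory.ReadWrite.All"}

# Exchange cmdlets that create or change inbound mail connectors
CONNECTOR_OPS = {"New-InboundConnector", "Set-InboundConnector"}

# Constructed sample records (not real tenant data)
SAMPLE_AUDIT_LOG = """
{"CreationTime": "2023-03-10T03:12:00", "Workload": "AzureActiveDirectory", "Operation": "Consent to application.", "UserId": "admin2@example.com", "ObjectId": "Sweepstakes Mailer", "ModifiedProperties": [{"Name": "ConsentAction.Permissions", "NewValue": "[[Scope: Mail.ReadWrite Mail.Send User.Read]]"}, {"Name": "ConsentContext.IsAdminConsent", "NewValue": "True"}]}
{"CreationTime": "2023-03-10T03:20:00", "Workload": "Exchange", "Operation": "New-InboundConnector", "UserId": "admin2@example.com", "ObjectId": "", "Parameters": [{"Name": "Name", "Value": "Relay-01"}, {"Name": "ConnectorType", "Value": "OnPremises"}, {"Name": "SenderIPAddresses", "Value": "203.0.113.0/24"}]}
{"CreationTime": "2023-03-11T14:00:00", "Workload": "AzureActiveDirectory", "Operation": "Consent to application.", "UserId": "frank@example.com", "ObjectId": "Calendar Widget", "ModifiedProperties": [{"Name": "ConsentAction.Permissions", "NewValue": "[[Scope: User.Read Calendars.Read]]"}, {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"}]}
"""


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def granted_scopes(record):
    """Extract the permission names from a consent record's permission string."""
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "ConsentAction.Permissions":
            text = prop.get("NewValue", "")
            for junk in ("[", "]", "Scope:"):
                text = text.replace(junk, " ")
            return set(text.split())
    return set()


def is_admin_consent(record):
    return any(p.get("Name") == "ConsentContext.IsAdminConsent"
               and p.get("NewValue") == "True"
               for p in record.get("ModifiedProperties", []))


def param(record, name):
    """Look up a cmdlet parameter value in an Exchange admin audit record."""
    for p in record.get("Parameters", []):
        if p.get("Name") == name:
            return p.get("Value")
    return None


def analyze(records, correlate_hours=2):
    """Return findings for risky consents and connector changes, correlated by actor."""
    findings = []
    for r in records:
        op = r.get("Operation")
        if op == "Consent to application.":
            risky = granted_scopes(r) & RISKY_SCOPES
            if risky:
                findings.append({"kind": "risky_consent", "time": r["CreationTime"],
                                 "actor": r["UserId"], "app": r["ObjectId"],
                                 "scopes": sorted(risky),
                                 "admin_consent": is_admin_consent(r)})
        elif op in CONNECTOR_OPS:
            findings.append({"kind": "inbound_connector", "time": r["CreationTime"],
                             "actor": r["UserId"], "operation": op,
                             "name": param(r, "Name"),
                             "sender_ips": param(r, "SenderIPAddresses")})
    # A connector change soon after a risky consent by the same actor is the
    # pattern described in the campaign; mark it explicitly.
    consents = [f for f in findings if f["kind"] == "risky_consent"]
    for c in findings:
        if c["kind"] != "inbound_connector":
            continue
        for a in consents:
            gap = (ts(c["time"]) - ts(a["time"])).total_seconds()
            if a["actor"] == c["actor"] and 0 <= gap <= correlate_hours * 3600:
                c["follows_consent_of"] = a["app"]
    return findings


if __name__ == "__main__":
    for f in analyze(parse_records(SAMPLE_AUDIT_LOG)):
        print(f)
```

The low-privilege calendar app consent is ignored, while the admin consent granting Mail.ReadWrite and Mail.Send is reported, and the connector created eight minutes later by the same admin account is annotated with the app it follows. A team with this kind of visibility into app installations and permission changes has a concrete event to review rather than waiting for complaints about outbound spam.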
3. The Looming Threat of MFA Exploits
Find the imposter! The stat 99.9% seems to be thrown around a lot when discussing the efficacy of multi-factor authentication (MFA). Short of a SIM swap attack, MFA seems fairly impenetrable. And yet…
According to the 2022 Cyberthreat Defense Report, nearly 50% of surveyed organizations do not use MFA. That, in itself, is a misconfiguration—those organizations might as well be holding the door open for even semi-motivated attackers.
But surely, those who have configured MFA have nothing to worry about, right? In most scenarios, with the appropriate attention to detail, the answer is “yes.” But with security teams facing a lack of resources and a significant cybersecurity skills gap, details can be missed.
For example, in its default configuration, when an organization enables MFA in Azure Active Directory, users are prompted to enroll a device during that user’s next login. But that could take weeks! Threat group APT29 used this opening to its advantage, launching password-guessing attacks to access accounts and enroll an MFA device first, effectively hijacking the account. An organization lacking visibility into conditional access policies and configurations on their mail tenant—or again, lacking visibility into privilege changes on compromised accounts—could miss the opportunity to plug this hole proactively.
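The gap described above has two observable sides: accounts that are required to use MFA but have not yet registered a method, and registration events that look wrong for the account they belong to. The following is an added example (not Abnormal's or Microsoft's code) of both checks over constructed data: it lists unenrolled-but-required accounts, and it flags a security-info registration that is preceded by a burst of failed sign-ins, or that comes from an address never seen in the account's established sign-in history. The tuple layouts for sign-ins and registrations are simplified assumptions loosely modelled on Azure AD sign-in logs and the "User registered security info." audit activity; the thresholds and accounts are constructed.

```python
"""Spot the pre-enrollment MFA window and suspicious enrollments.

Added example (not Abnormal's or Microsoft's code). Data layouts are
simplified assumptions loosely modelled on Azure AD sign-in logs and
security-info registration audit events; all records are constructed.
"""
from datetime import datetime, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed sign-in log: (time, user, result, source IP)
SIGN_INS = [
    ("2023-02-20T09:00:00", "carol@example.com", "success", "192.0.2.50"),
    ("2023-02-25T09:00:00", "dave@example.com", "success", "198.51.100.20"),
    ("2023-03-05T01:02:00", "carol@example.com", "failure", "203.0.113.9"),
    ("2023-03-05T01:04:00", "carol@example.com", "failure", "203.0.113.9"),
    ("2023-03-05T01:06:00", "carol@example.com", "failure", "203.0.113.9"),
    ("2023-03-05T01:08:00", "carol@example.com", "failure", "203.0.113.9"),
    ("2023-03-05T01:10:00", "carol@example.com", "failure", "203.0.113.9"),
    ("2023-03-05T01:15:00", "carol@example.com", "success", "203.0.113.9"),
    ("2023-03-06T09:58:00", "dave@example.com", "success", "198.51.100.20"),
]

# Constructed security-info registration events: (time, user, source IP)
REGISTRATIONS = [
    ("2023-03-05T01:40:00", "carol@example.com", "203.0.113.9"),
    ("2023-03-06T10:00:00", "dave@example.com", "198.51.100.20"),
]

# Constructed snapshot: who must use MFA, and how many methods each has registered
MFA_REQUIRED = {"carol@example.com", "dave@example.com", "erin@example.com"}
REGISTERED_METHODS = {"carol@example.com": 1, "dave@example.com": 1,
                      "erin@example.com": 0}


def unenrolled_users(required, methods):
    """Accounts required to use MFA that still have no registered method.

    These are the accounts sitting in the window the text describes: whoever
    authenticates first with the password gets to choose the MFA device.
    """
    return sorted(u for u in required if methods.get(u, 0) == 0)


def suspicious_registrations(sign_ins, registrations,
                             fail_threshold=5, window_hours=24):
    """Flag registrations preceded by failed sign-ins or from an unfamiliar IP."""
    findings = []
    for reg_time, user, reg_ip in registrations:
        reg_at = ts(reg_time)
        window_start = reg_at - timedelta(hours=window_hours)
        failures = 0
        baseline_ips = set()  # IPs from successes before the window opened
        for t, u, result, ip in sign_ins:
            if u != user:
                continue
            at = ts(t)
            if result == "failure" and window_start <= at <= reg_at:
                failures += 1
            elif result == "success" and at < window_start:
                baseline_ips.add(ip)
        reasons = []
        if failures >= fail_threshold:
            reasons.append(f"{failures} failed sign-ins in the "
                           f"{window_hours}h before enrollment")
        if baseline_ips and reg_ip not in baseline_ips:
            reasons.append(f"enrollment from {reg_ip}, not seen in the "
                           "account's established sign-in history")
        if reasons:
            findings.append({"user": user, "time": reg_time, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("still unenrolled:", unenrolled_users(MFA_REQUIRED, REGISTERED_METHODS))
    for f in suspicious_registrations(SIGN_INS, REGISTRATIONS):
        print(f["time"], f["user"], "; ".join(f["reasons"]))
```

On the constructed data, erin is reported as still unenrolled, and carol's registration is flagged on both counts: five failures in the preceding hour and an enrolling address that never appeared in her history before the window. dave's registration from his usual address with no failures is left alone. Note that an account with no prior successful sign-ins at all has no baseline, so for brand-new accounts the failed-sign-in rule is the one that matters; closing the window itself (registration required at provisioning, or restricted to trusted locations via conditional access) removes the exposure rather than just detecting it.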
Preventing Email Platform Attacks
So, what can be done? As mentioned, cloud complexity, misconfigured security policies, and a lack of visibility into configuration changes are the common root of many of these attacks. To go a step further, we often hear in conversations with our own customers that posture management is primarily an IT responsibility, and even in organizations where the security team shares some of that burden, security practitioners lack insight into app permissions as they change, along with other crucial blind spots.
To combat this, Abnormal Security has reimagined how insight into security posture should be handled, integrating our new Security Posture Management product directly with our Inbound Email Security platform to provide deep insight into changes across your people, vendors, applications, and tenants.
Abnormal first arms you with information in our Knowledge Bases, such as event streams detailing occurrences and changes across applications via AppBase, mail tenants in TenantBase, and internal and external corporate users with PeopleBase. Security Posture Management then distills email platform event data into posture-specific configuration changes and provides real-time insight to administrators. These changes can be quickly acknowledged through an automated workflow so teams can stay aware of changes and mitigate risks when necessary.
There is little denying that threat actors work hard. But threat prevention, when done right, works harder. We’re excited to partner with you on this journey as we work together to prevent the email platform attacks of today—and of the future.
Want to learn more about how to protect your organization from email platform attacks? Check out the product demo today or request your personalized demo here.