Redefining Cloud Email Security to Protect Against Emerging Email Platform Attacks

A simple yet powerful quote states, “When one door closes, another opens.” While applicable to numerous technological advancements throughout the last century, it couldn’t be more relevant to the mindset of threat actors when it comes to cyberattacks. Even going back as far as just a decade, we can see the evidence of this mindset as cyberattackers evolve their methods in an attempt to stay one step ahead of the technology put in place to thwart them.

Generic phishing, basic malware, and emails embedded with malicious links and downloads were the predominant method of attack a decade ago. But as secure email gateways (SEGs) designed capabilities to effectively stop these types of attacks, and the door of traditional email attacks closed on the attackers, they found a different one open up for them. This new form, shown most effectively by the massive increase in financial losses due to business email compromise, allowed them to take advantage of human emotion alongside the wide embrace of cloud email across enterprises worldwide.

Attackers recognized that the wide adoption of cloud email by every user—employees, customers, and vendors—on any device from any location had opened new possibilities for them. The ubiquitous availability and reachability of email in the new cloud world had significantly altered the normal behavior of users and the usage patterns of email. The “new normal” consisted of emails that were sent outside of regular business hours, originating from new geolocations as users could be at an airport, a cafe, at home, or anywhere they chose. And the result of people using email for longer durations, at any time of the day, from any location and device? Increased reliance on the assumption of trust. People simply believed that they were communicating with the person they believed they were, and threat actors took advantage.

Additionally, information about relationships, organizational hierarchy, and related attributes became readily available to attackers through professional and personal social media platforms. Knowing real pieces of information like vendor relationships or reporting structure allowed attackers to further exploit the implicit trust assumption of email users. This gave rise to targeted and sophisticated modern email attacks such as business email compromise, executive impersonation, invoice fraud, and more—all of which are wreaking havoc today in the world of cybercrime. According to the FBI, business email compromise alone has contributed to $43B in cybercrime losses since 2016 and is the number one cause of financial losses The fact that traditional SEGs have not evolved to block these modern inbound email attacks has resulted in a huge payday for attackers.

While SEGs didn’t evolve to stop socially-engineered attacks, modern AI-based cloud email security solutions have been extraordinarily effective in blocking these targeted and sophisticated inbound email attacks. Solutions such as Abnormal are uniquely focused on learning the behavior of every identity within and outside of an organization, building enhanced context, and applying the enriched identity and context awareness to effectively evaluate the risk of every event and block the attacks that demonstrate hard-to-detect and abnormal behavior. This new technology has resulted in high efficacy protection against the most dangerous attacks of the past few years.

But as more organizations adopt these modern AI-based cloud email security solutions, the wide-open door of inbound email attacks is starting to close. As a result, attackers are feverishly looking for new ways to infiltrate cloud email—bypassing the front door of inbound email and searching for side channels.

This time, attackers have turned to the open, extensible, and flexible design of cloud email platforms. Having established that inbound email attacks are only one of the ways to infiltrate cloud email platforms, they have discovered that they have multiple new attack avenues at their disposal. Here are two examples:

1. Third-Party Application Abuse: A wide spectrum of third-party applications, from the ones focused on improving user productivity to the ones that introduce personalized emojis, require full read/write consent by the user to their email. Session takeovers occur through stolen session cookies of these third-party apps, have persistent and authenticated sessions into the cloud email platform, and can significantly increase the attack surface area. Additionally, Microsoft has also recently reported the rising popularity of OAuth application abuse through a new tactic known as consent phishing.

2. Cloud Email Account Takeovers: Attackers are now directly attempting to compromise cloud email user accounts, and more specifically privileged accounts, for infiltrating and carrying out egregious attacks. Attack groups such as LAPSUS$ and APT29 are already employing this new tactic as per MITRE.

Simply stated, the redefined cloud email attack surface area is:

Cloud Email Attacks = Inbound Email Attacks + Email Platform Attacks

As security teams prepare to comprehensively protect their business against emerging email platform attacks, they need solutions that are:

1. Identity Aware: The solution learns the behavior of every identity, external and internal to the organization, by ingesting thousands of diverse signals using an API-based architecture. The identity-aware approach provides an in-depth understanding of the normal behavior of every identity and helps quickly detect anomalous behavior.

2. Context Aware: The solution develops enhanced context by organizing and providing direct visibility into the inter-relationships between identities and entities, such as third-party applications. This provides a baseline understanding of configurations, roles, permissions, and more based on an identity-centric approach.

3. Risk Aware: The solution can detect any drift from the baseline state in the configurations, roles, and permissions, and then surface risks or anomalous events. Using this context, they can provide simple workflows to quickly remediate risk based on the combined understanding of the identity and context.

When combined, these three underpinnings create a platform that provides comprehensive coverage across the email platform to ensure that organizations stay protected from all types of attacks.

To provide the most comprehensive protection against targeted inbound email attacks and advanced email platform attacks, we are excited to introduce three new Knowledge Bases as part of the Abnormal platform and the industry’s first Security Posture Management product for cloud email. These new platform capabilities and products allow Abnormal to uniquely:

1. Learn the behavior of every identity by ingesting thousands of signals through an API architecture. Abnormal understands sign-in events, geolocations, organizational roles and hierarchy, and more, across all identities.

2. Organize the vast and diverse amount of information across Knowledge Bases to develop an enhanced context. Our three new Knowledge Bases include:
   1. PeopleBase: Provides a directory of each of the active users in the environment. It uses contextual, behavioral data to build a dynamic user genome. PeopleBase also provides an activity timeline of recent events, including sign-on patterns, suspicious email activity, and more.
   2. TenantBase: Provides a catalog of each of the email tenants Abnormal Security protects, and the relevant permissions governing access to them.
   3. AppBase: Provides a running inventory of all of the third-party applications that have access to data within Microsoft 365, both add-in and enterprise. It offers a summary of important information about application permissions and data access, as well as an activity timeline of recent events.
3. Detect any drifts in configurations through the Security Posture Management add-on product, and provide simple workflows for security teams to remediate risky or anomalous events.

With the launch of these new Knowledge Bases and the Security Posture Management product, Abnormal is the only solution to comprehensively protect against the advanced inbound email attacks and the emerging email platform attacks. As we continue to evolve our platform to better protect our customers, we’re excited to redefine what Cloud Email Security means, and close yet another door for the attackers.

To learn more about our new Security Posture Management add-on product and the new platform Knowledge Bases, read our latest blog post.