Brand protection and BEC attacks of 2021

The year started like 2020 did not end. Living in lockdown has proven to be fairly difficult for all of us and the cybercriminals are out there making it even worse. They are busy taking advantage of organizations trying to configure their journey to digital transformation, cloud adoption and remote working.

By combining the fast adoption of SaaS applications and the potential misconfiguration errors that inevitably arise, together with unknown vulnerabilities from third-party suppliers, we have a recipe for disaster for the good guys.

Recent cyberattacks

Let’s start by taking a look at the recently reported spoof attack against microsoft.com that reached over 200 million users. The Business Email Compromise (BEC) phish lured users to check for quarantined emails from a link within the email. Since the email came from a legitimate Microsoft domain, users assumed it was a legitimate message. The cybercriminals were then able to steal their O365 credentials when they accessed and inserted their credentials in a mirror page of the application. 

Attacks like this are not unique. If we look back 12 months earlier, Check Point Software reported that the Florentine Banker Attack started from an impersonation, this time from a look-alike domain to Microsoft. The adversaries were able to compromise O365 credentials and launch a man in the middle attack against two Financial Services organizations in the United Kingdom, eventually financially defrauding them of £1 million. 

Those attacks are becoming more prevalent, and I believe we will be seeing a lot more coming along. Verizon disclosed in its 2020 Data Breach Investigations Report that the top 3 sources of breaches were Phishing, Use of Stolen Credentials, and Misconfiguration. This is showing us a pattern of leveraging social engineering through advanced Business Email Compromise to steal credentials to cloud applications where businesses store or exchange sensitive information and data. 

In 2021, organizations must prioritize the protection of their domains against direct impersonation attacks and identifying then removing look-alike domains.

DMARC can combat spoofing

DMARC (Domain-based Message Authentication, Reporting & Conformance) uses two previously defined protocols, SPF and DKIM, to allow domain owners to explicitly tell the receiving email server what to do with an email that fails authentication. The enforcement of DMARC should be done both in the DNS and email gateway. When configuring a gateway with DMARC, you will be instructing your gateway to honour the policy of the sender’s domain, meaning it will ensure you are protecting your users against inbound impersonations of other domains. However, by enforcing DMARC on your DNS you will also be protecting your domains against direct spoofing attacks, thereby protecting your clients, business partners, internal users and wider supply chain. 

Check email DMARC setup

Gartner recently identified DMARC as a “Top 10 Security Projects for 2020-2021”. They determined that “organizations use email as the single source of verification, and users struggle to determine real messages from fakes.” The advice on the report is that organizations should look to implement and enforce use of the DMARC protocol to add an additional layer of trust and verification with the sender’s domain.

The implementation and enforcement of the protocol are crucial to closing the gap currently exploited by cybercriminals, however, it is only as part of a layered solution. With better targeted, well planned attacks and emails looking more similar to legitimate ones than ever before, it is highly important to empower internal users to identify malicious emails. Leveraging machine learning and behavioural analytics to highlight the potential threats within an user’s inbox is clearly the direction the industry is heading in to offer better protection against these types of threats.

It is also important to ensure that organizations use tools that complement one another and allow for a holistic view of its email attack surface. By gaining 360° visibility, the security operations team can have a more dynamic operating model that allows for faster detection and response, and ultimately, faster recovery from security incidents.

Attacks through supply chains, like SolarWinds are not far from what can happen through the impersonation of legitimate domains, and advanced Business Email Compromise. If you wish to discuss how Red Sift can help your organization protect its brand and domains against impersonation as well as its internal users against advanced Business Email Compromise, get in touch below.

PUBLISHED BY

Leo Do Carmo

16 Feb. 2021

SHARE ARTICLE:

Categories

BEC

Recent Posts

VIEW ALL
Email

The best tools to protect yourself from SubdoMailing

Francesca Rünger-Field

In late February 2024, ‘SubdoMailing’ became a trending search term overnight. Research by Guardio Labs uncovered a massive-scale phishing campaign that had been going on since at least 2022. At the time of reporting, the campaign had sent 5 million emails a day from more than 8,000 compromised domains and 13,000 subdomains with several…

Read more
Product Release

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more
Email

Navigating the “SubdoMailing” attack: How Red Sift proactively identified and remediated a…

Rebecca Warren

In the world of cybersecurity, a new threat has emerged. Known as “SubdoMailing,” this new attack cunningly bypasses some of the safeguards that DMARC sets up to protect email integrity.  In this blog we will focus on how the strategic investments we have made at Red Sift allowed us to discover and protect against…

Read more
Email

Where are we now? One month of Google and Yahoo’s new requirements…

Rebecca Warren

As of March 1, 2024, we are one month into Google and Yahoo’s new requirements for bulk senders. Before these requirements went live, we used Red Sift’s BIMI Radar to understand global readiness, and the picture wasn’t pretty.  At the end of January 2024, one-third of global enterprises were bound to fail the new…

Read more