Archive for Armorblox

New Study Shows 38% Of Respondents Believe Email As Communication Channel Most Vulnerable To Attacks

Posted in Commentary with tags on May 18, 2023 by itnerd

Leading research firm Enterprise Strategy Group (ESG) and email security company Armorblox released the results of a research survey of 490 IT and security professionals with a focus on the challenges organizations face in securing the abundance of communication and collaboration tools used today. 

Results of the study showed that the majority of organizations use six or more communication tools, across channels, with email remaining the channel seen as the most vulnerable to attacks (38%).

Even though email has advanced over time, it still has significant security weaknesses. 38% of survey respondents consider email the channel most vulnerable to threat actors. This underscores the substantial risk associated with email communication and the persistent vulnerability of outdated security tools to advanced threats.

Key findings of the survey:

  • 39% of respondents stated spam/malware and 34% of respondents stated phishing/spear phishing/malicious links evaded security controls
  • 27% of respondents stated misaddressed emails slipped past native security layers
  • 26% of respondents indicated threats that penetrated security controls included wire transfer fraud, payroll fraud, payment fraud, and other BEC attacks
  • 23% of respondents stated internal account compromise/takeover was the result of threats bypassing legacy layers
  • 23% of respondents indicated threats resulted in unintentional sensitive data leakage

For the full analysis of the challenges organizations face in securing communication channels, download the ESG report here.

Hackers Impersonate Execs to Execute Financial Fraud Scams in Two-Way Attack: Armorblox

Posted in Commentary with tags on May 16, 2023 by itnerd

Armorblox has released its latest research diving deep into a new two-way attack dubbed VIP Invoice Authentication Fraud, which helps bad actors execute financial fraud, specifically payment fraud, against target organizations. In this attack, bad actors put a new twist on executive impersonation and executive email domain spoofing tactics – by seemingly including the victim’s boss – to further exploit victims’ trust, sense of urgency, and quick execution of the request: payment of a fake invoice.

How it works: In the first part of this attack, the bad actor sends an email to both the victim and their “boss” (via a spoofed email address), pretending to be a legitimate company or individual and asking end users to pay an invoice. In the second part of the attack, the bad actor replies to the email thread, using the spoofed domain account to impersonate the victim’s boss and instruct them to pay the invoice as soon as possible.

You can read the research here.

Armorblox Launches Graymail and Recon Attack Protection

Posted in Commentary with tags on April 20, 2023 by itnerd

Armorblox today announced its newest product, Graymail and Recon Attack Protection, developed to decrease the time security teams spend managing graymail and to mitigate the security risks from malicious recon email. This is in addition to the announcement of new capabilities across two main products of the Armorblox cloud-delivered email security and data loss prevention platform: Advanced Data Loss Prevention and Abuse Mailbox. The new capabilities are designed to enhance overall productivity across security teams by providing custom, automated workflows across user-reported threats, improved graymail detection and classification, and enhancements to data protection features.

The new features build on the platform’s existing capabilities, which provide comprehensive email protection for automatically detecting and protecting against emerging language-based cyber threats, preventing accidental or malicious data leakage and compliance violations across all communication channels, and saving security teams time from having to manually sort through graymail and respond across individual user-reported threats.

According to the company’s latest threat report released last week, security teams can find themselves spending almost 30 hours a week manually sorting and deleting graymail across user mailboxes. Armorblox Graymail and Recon Attack Protection uses advanced machine learning algorithms and large language models to detect and classify graymail and to reduce the risk of malicious recon email being mistaken for genuine communications.

New Armorblox capabilities include:

  • Improved Graymail Detection and Protection against Recon Threats: Armorblox Graymail and Recon Attack Protection uses advanced machine learning algorithms and large language models to enable the precise detection and classification of graymail, such as newsletters and marketing emails, and unwanted solicitation from a legitimate source – all while reducing the risk of malicious reconnaissance threats, emails disguised as genuine graymail communications with the intention of eliciting a response prior to exfiltrating sensitive data. Automatic remediation removes the need for manual review, saving security teams up to 30 hours each week, and end-user preferences (based on movement of graymail) are automatically monitored and applied for all future incoming graymail communications.
  • Abuse Mailbox Custom Workflows for End-User Reported Phishing Threats: Security teams can now automate the feedback loop back to end users for user-reported phishing incidents submitted to Armorblox Abuse Mailbox. This keeps end users informed of the status of user-reported threats and engaged in the security process. Preconfigured templates allow security teams to automate the response back to end users based on incident type, while custom templates allow for pre-authorized workflows to be quickly and efficiently identified as exceptions for a reduction in false positives.
  • Custom DLP Workflows: Armorblox Advanced Data Loss Prevention provides powerful data protection capabilities, including automatic classification, protection, and encryption of sensitive information (PII/PCI/PHI, source codes, tabular data, across languages). The latest enhancements bring investigation, management, and response to sensitive emails that have been blocked together into a streamlined workflow. Insightful DLP analysis per incident allows admins to quickly remediate (delete or request alterations) or release the email to be sent.

Armorblox is committed to providing security teams with the most advanced, comprehensive email security and data protection solutions on the market, so that organizations can stay ahead of emerging threats, protect organization-specific sensitive data, and ensure compliance across industry regulations.

Armorblox Large Language Models (LLM) and Artificial Intelligence capabilities include:

  1. GPT Large Language Models & AI – Analyzes the content and context of email communications: text in email body and attachments for tone (like urgency) and intent (unusual requests) often seen in social engineering tactics, and provides in-depth email analysis to protect against sender impersonation, ransomware/extortion, account compromise attacks and graymail.
  2. Computer Vision – Follows URLs to their final destination and inspects them in real time to protect against fake landing pages used in malicious credential phishing campaigns. Minute visual deviations, such as in images and layouts, often go unnoticed by the human eye; Armorblox analyzes these pages and safely redirects end users away from the malicious ones.
  3. Malware & File Attachment Inspection – Provides static and dynamic analysis of attachments, malware, and advanced persistent threat analysis, while ensuring there are no delays in end users gaining access to critical emails and no disruption to email-based business workflows.
  4. Contextual Analysis & Attacks Overview – Creates both user-specific and organization models for custom behavior baselines, so that how and with whom one communicates is continuously monitored and anomalous communications and conversations are automatically flagged.

Learn More

Armorblox experts will be hosting demos at RSA Conference 2023, San Francisco, April 24-27, Booth #5304, Moscone, North Expo.

Armorblox 2022 Email Security Report Reveals Dramatic Increase of BEC Attacks by 72% Year-Over-Year

Posted in Commentary with tags on April 11, 2023 by itnerd

Armorblox has released its second annual 2023 Email Security Threat Report, documenting the significant increase in targeted attacks and trends across a broad range of attacks, and highlighting the use of language to bypass existing email security controls.

The report, based on data gathered from analyzing over 4 billion emails and stopping 800,000 threats every month, tracks email attacks across threat types such as vendor compromise, business email compromise (BEC), financial fraud, phishing attacks, impersonation attacks, account compromise, and graymail. Findings revealed that in 2022, BEC attacks increased dramatically, by 72% compared to 2021.

Key Highlights in the report also included:

  • 58% of account compromise attacks targeted SMBs
  • Vendor fraud and supply chain attacks are on the rise – and 53% of these targeted technology organizations
  • Security teams can find themselves spending upwards of 27 person hours a week manually sorting and deleting graymail across inboxes
  • Education was the leading industry targeted by BEC attacks in 2022, with over 40,000 attacks

You can read the report here.

New Vishing Attack Targets 160,000 End Users: Armorblox

Posted in Commentary with tags on March 16, 2023 by itnerd

As tax season approaches, cybercriminals are getting more creative in their attempts to steal sensitive information. Armorblox has released its newest research on the latest attack that impersonated one of the most trusted government entities in the US, the Social Security Administration, in an attempt to prey on the trust and uncertainty that many end-users experience during tax season.

These emails, targeting over 160,000 end users of a large educational institution, bypassed native email security.

How it works: In this attack, end users were presented with an email, from what appeared to be the Social Security Administration, notifying them of suspicious activity that required immediate action. Recipients who opened the attachment were greeted with a blunt account suspension letter on what looks like official SSA letterhead. The end goal of this targeted vishing email attack was to get victims to open the email attachment, call the customer support number included, and hand over personal information.

You can read the research here.

New Malware Phishing Attack Targeting 15,000 Inboxes Disguised as a Microsoft OneNote File to Extract Sensitive Info

Posted in Commentary with tags on February 28, 2023 by itnerd

Armorblox has released its latest research analyzing a malware attack campaign that has been making waves, spreading its infection through a seemingly innocuous attachment disguised as a Microsoft OneNote note-taking app file. 

How it works: Victims are presented with an email coming from what appears to be a trusted vendor or service provider. The email uses financial-based language to talk about the completion of a sale and prompts recipients to open the attached OneNote file, where the billing expenses can supposedly be found. The OneNote file contains a Windows Command Script (.cmd) which, when opened, runs an encoded PowerShell command that downloads the Qakbot payload onto the victim’s device to steal sensitive information.

You can read the research here.

New Account Compromise Attack Offers Fake Jobs to Students in Exchange for Sensitive Information

Posted in Commentary with tags on February 23, 2023 by itnerd

Today, Armorblox released its latest blog post on a recent account compromise attack that targeted a large university.

These emails, sent from this compromised account at a trusted university to over 160,000 end users as well as a much larger number of outside organizations, bypassed native Microsoft 365 Email Security (receiving an SCL score of -1) to land in victims’ inboxes.

How it worked: The attackers used a compromised account to send malicious emails to university students about a (fake) job that was open for applications. Clicking the Apply Here button directed victims to a Google Form that included a summary of the position and asked for sensitive information such as address, phone number, bank name, full name, age, etc.

The blog post can be found here.

New Credential Phishing Attack Targeting 10,000 Inboxes Disguised As DocuSign To Exfiltrate Personal Credentials

Posted in Commentary with tags on January 31, 2023 by itnerd

Armorblox has released its latest research analyzing a credential phishing attack that impersonated the well-known brand, DocuSign, intending to exfiltrate sensitive login credentials.

These emails targeted more than 10,000 end users across multiple organizations and various industries, counting on the trust and legitimacy people associate with the company.

How it works: In this attack, victims receive an email that appears to be from DocuSign.

Attackers instilled a sense of urgency within the body of the email to encourage victims to open the new document for review and approval. Upon clicking, victims were taken to a fake landing page designed to impersonate a Proofpoint Storage application login.

You can read the research here.

You’ve Got Mail: New Phishing Attack Impersonates DHL for User Credentials

Posted in Commentary with tags on January 17, 2023 by itnerd

Armorblox has released its latest research that dives into the details of a credential phishing attack that spoofed the international shipping, courier services and transportation company, DHL. 

These emails, targeting more than 10,000 mailboxes of a private institution within the education industry, bypassed both native Microsoft Office 365 Email security and Exchange Online Protection (EOP) email security layers.

How it works: In this attack, end users were presented with an email that resembled a notification from DHL, notifying recipients about a parcel sent by a customer that needed to be rerouted to the correct delivery address. Users were encouraged to view the attached document and confirm the destination address of the parcel shipment by providing Microsoft login credentials. Unbeknownst to the users, the sensitive information entered on the fake login page was sent straight to the attackers.

You can read the research here.

New Research: Hackers Spoof Directors of National Education Institutions; 100,000 Mailboxes Targeted in Phishing Campaign

Posted in Commentary with tags on December 20, 2022 by itnerd

Armorblox has released its latest blog post, diving deep into a targeted impersonation email attack campaign that included two similar, but different, emails sent to employees across the organization, impersonating staff who held Director titles.

These emails, targeting 100,000 mailboxes of a large, national institution within the education industry, bypassed Microsoft Office 365 Email security using language as the main attack vector.

How it works: The emails, coming from what appeared to be Directors of the institution, included the individual’s name as the sender, spoofing the employee’s email address, as well as a signature that included the individual’s full name, credentials, and title at the organization. The attackers claimed that a confidential task needed to be completed and that a response from the recipient was warranted, with the aim of exfiltrating sensitive information such as confidential business data, user login credentials, bank account credentials, and gift cards.

You can read the report here.