We warn users not to click on suspicious emails and not to open emails from untrusted senders to prevent users from being phished. Sender identity is one of the filtering mechanisms in email security solutions. But what happens when a trusted sender’s email account is compromised and an attacker uses that access to send emails as if they are that trusted sender?
That’s exactly what happened in the most recent round of attacks attributed to the Nobelium hacking group, according to Microsoft. Researchers at Microsoft and Volexity found that Nobelium gained access to a user account on Constant Contact, an email marketing software vendor, and used it to send phishing attacks to over 7,000 recipients.
The account the intruders obtained was a legitimate employee account for USAID, a US government agency dedicated to humanitarian efforts worldwide. The attackers sent emails that included URLs disguised by a legitimate feature of the Constant Contact platform, which then redirected to malicious content served from additional attacker infrastructure.
Market Share, Brand, And Trust Used To Enhance Attacks
For the second time in six months, we’re seeing a threat actor weaponize the market penetration, brand, reputation, and perception of a firm to increase the possibility of other subsequent breaches. In the case of Nobelium with USAID, the agency’s legitimacy lends authenticity and credibility to the email messages, increasing the likelihood someone opens the message.
Constant Contact is a trusted email sender for numerous well-known brands, and the email originated from a USAID account, which increased the likelihood the messages would be opened by recipients. As with many attacks, it was the group’s ambition that undercut its campaign. Because the group sent hundreds of messages simultaneously in its most recent campaign, email security controls did prevent delivery of many of the messages, but the attacker had months to experiment prior to that.
With increased focus on earning and retaining the trust of customers as a competitive differentiator, it’s important to realize that trust can be weaponized by attackers to make campaigns more successful.
Our Trust Relationship With Email Has To Change
The biggest problems with email are its ubiquity and our willingness to trust it. Every person has an email account, often more than one, making this medium a perennially ripe target for attackers. When a person gets an email from a trusted sender, they’re inclined to open it. Since these malicious emails may come from a sending domain and IP that’s trusted by our email security tools, they’ll likely end up in users’ inboxes unless attackers make a mistake or get greedy, as seen in this case. While that’s often something we can rely on, it’s far too reactive an approach.
What we must come to terms with is that we’re not just looking for known malicious actors. If our standard for blocking an email or making the links within it unusable is that the sender must be a known bad actor, we’re making ourselves vulnerable to an attack that preys on our trust.
No amount of well-intentioned antiphishing training and external email banners can prepare someone to recognize every malicious email they receive. Even seasoned security pros can miss a phishing email. So instead of trusting an external email that reaches the inbox, security pros should limit how employees can interact with it by blocking unknown domains or using browser isolation technology to open the URL in a virtual environment for especially risky employees or environments. At the least, organizations need to follow antiphishing best practices to protect against malicious emails.
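The sender-agnostic approach argued for above, as an added illustration that is not part of the original post: instead of allowing links because the sending domain is trusted, the check follows each tracking-style redirect to its final destination and allows only destinations on an organization-maintained allowlist. The redirect map, hostnames, allowlist and message body are all constructed placeholders, not data from the campaign.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for a marketing platform's link-tracking service:
# tracking URL -> where it forwards. Hostnames are hypothetical.
REDIRECTS = {
    "https://r.mailer.example/t/abc123": "https://cdn.attacker-infra.example/doc.iso",
    "https://r.mailer.example/t/def456": "https://www.agency.example/newsletter",
}

# Final destinations the organization has decided to accept in external mail.
# Deliberately does NOT include the tracking host: an unresolvable tracking
# link is treated as unknown and blocked rather than trusted by association.
ALLOWED_FINAL_DOMAINS = {"agency.example"}

# Sender domains an old-style reputation filter would trust (constructed).
TRUSTED_SENDER_DOMAINS = {"mailer.example"}

# Constructed sample message body containing one benign and one hostile link.
SAMPLE_BODY = (
    "Please review the attached update: https://r.mailer.example/t/abc123\n"
    "Our monthly newsletter is here: https://r.mailer.example/t/def456\n"
)


def resolve_chain(url, redirects=REDIRECTS, max_hops=5):
    """Follow the redirect chain offline via the constructed map; cap hops so a
    redirect loop cannot hang the check. Returns every hop, first to last."""
    chain = [url]
    for _ in range(max_hops):
        nxt = redirects.get(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def registered_domain(url):
    """Reduce a URL to its last two labels (good enough for the example)."""
    host = urlparse(url).hostname or ""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def sender_based_verdict(sender_domain):
    """The reactive model the post criticizes: trust the sender, allow the mail."""
    return "allow" if sender_domain in TRUSTED_SENDER_DOMAINS else "block"


def triage_links(body):
    """Sender trust is ignored here; only the resolved destination decides."""
    results = []
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        final = resolve_chain(url.rstrip(".,);"))[-1]
        verdict = "allow" if registered_domain(final) in ALLOWED_FINAL_DOMAINS else "block"
        results.append((url, final, verdict))
    return results
```

Running triage_links(SAMPLE_BODY) flags the first link even though a reputation filter would have allowed the whole message on the strength of the sending domain.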
It’s also paramount that organizations evolve their security capabilities to go beyond just using traditional antivirus and email security technologies. They must also get rid of implicit trust. Security pros need to apply the principles of Zero Trust to email to quickly detect and contain the inevitable breach. That way, we are not just relying on siloed pieces, whether it be the human or technology elements of our security programs. Organizations should modernize their security approach by moving to the Zero Trust model, where trust is contextual and layered, using risk-based context to continually verify that all users and their associated devices, applications, networks, and workloads are secure.
Third-Party Email Senders Must Secure What They Sell
The more trust a brand earns, the more likely it becomes a target, especially in spearphishing campaigns. Given that it’s tough to stop breaches when an organization is merely a target of opportunity, being a priority target raises the stakes considerably.
For companies looking to make a business case for product security efforts, the last six months in the B2B world should pretty much seal the deal. Brand damage alone based on association is often enough. Consider that during the SolarWinds breach, two major security vendors mentioned getting popped and nine federal agencies in the US were victims. Yet the attack is forever branded as the “SolarWinds” intrusion because that was the method of entry.
Securing your revenue-generating products and services is not only the right thing to do, it’s also one way to avoid search engine results listing out details of the breach and its impact when someone runs a query about your company or becoming the logo on the second slide of every cybersecurity vendor’s pitch deck for the next few years as the parable of what to avoid.
While Constant Contact wasn’t breached, and the intruders merely posed as a legitimate user sending legitimate emails, those messages included links to materials that would exploit the recipient. Email marketing vendors need to understand that securing the messages they send and not distributing malicious content via their platforms is part of product security. People absolutely will blame the messenger.
Security And Risk Pros Must Get Better At Assessing Third-Party Risk Of Nontraditional Third Parties
Third-party risk is an imbalanced equation. Organizations have limited or no control over how third-party partners secure their infrastructure, applications, or data but are fully responsible for the fines, penalties, and barrage of bad press that follow because of a third-party cyberattack.
The recent media attention on third-party cyberattacks is highlighting a well-known secret: Most firms are bad at third-party risk management (TPRM). TPRM programs are failing to adapt to the new risks. These efforts are failing because: 1) TPRM efforts are struggling to keep up with the growing third-party ecosystem; 2) spend is used as a proxy for criticality; and 3) third-party risk assessment is considered “one and done” and doesn’t continuously reassess risk.
CISOs And Marketers: Brand Stewardship Is A Joint Responsibility
Security teams have dreaded combing through the questionnaires they receive from vendors across all categories. And marketers would prefer simply to choose the third-party partner that best suits their needs and move forward. Brand resilience, however, is a shared mission, and both parties have a stake in and are affected by a high-profile incident.
With that in mind and before the TPRM questionnaires start flying, chief information security officers (CISOs) and their teams must work directly with marketers to understand the workflows and data movement involved in the development, refinement, and launch of campaigns. This includes the ecosystem of third and fourth parties involved and the expected customer interactions in response. After all, marketing uses sensitive customer information for personalization and contextual marketing to customers. This data, like the email accounts, must be protected.
Security and marketing should work together to jointly create a campaign data journey map. Those flows should be thoroughly assessed for potential security and privacy gaps. From there, the organization can ask more targeted questions and demand specific controls and associated attestations from their third-party marketing providers, including senders. CISOs and marketers can also use this journey map to apply least-privilege access and additional, contextual activity monitoring to third-party marketing resources at all stages of the lifecycle.