One Article Review

Source Proofpoint
Identifier 8643378
Publication date 2025-01-27 01:19:44 (seen: 2025-01-27 16:08:06)
Title Cybersecurity Stop of the Month: E-Signature Phishing Nearly Sparks Disaster for an Electric Company
Text The Cybersecurity Stop of the Month blog series explores the ever-evolving tactics of today's cybercriminals and how Proofpoint helps organizations better fortify their email defenses to protect people against today's emerging threats.

Phishing remains the No. 1 tactic that cybercriminals use to target your people and steal valuable data and funds. According to Verizon, phishing is the top method that attackers use to gain unauthorized access, and it continues to evolve in both frequency and sophistication. This trend is not just alarming, it is costly. IBM estimates that the average data breach originating with phishing causes $4.88 million in damages.

In this post, we analyze a new and complex e-signature phishing threat in which attackers combine several novel tactics to get around native Microsoft email security.

Background

In an e-signature phishing attack, bad actors spoof a trusted brand and send malicious content through legitimate digital channels. Often, they use advanced methods like adversary-in-the-middle (AitM) to bypass multifactor authentication (MFA) and extend their access. When bad actors combine tactics, such as AitM plus geofencing, they can be extremely successful at evading detection. Let's look at e-signature phishing attacks in more depth.

Impersonating trusted brands

Threat actors leverage the brands of trusted electronic signature services, such as DocuSign or Adobe Sign, to trick recipients into downloading malicious documents or visiting fake websites where they enter their login credentials. Of the billions of phishing emails that Proofpoint sees each year, our 2024 State of the Phish report shows that 3.5M malicious messages abused DocuSign branding.

Bypassing MFA

Attackers who use e-signature phishing lures frequently seek more than credentials. They also aim to intercept MFA codes or steal session cookies.
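The following is an added example, not code from Proofpoint's post, that simulates the three tactics this post describes (brand lure, AitM relay of credentials and MFA codes, geofencing) end to end so the mechanics are concrete. Everything in it is constructed: the IdentityProvider class stands in for the real login portal, AitMPhishSite for the attacker's proxy, and the user exec@example-electric.test, its password, the TOTP seed and the country codes are invented for the walkthrough. The TOTP routine is a plain RFC 6238 implementation so the "real" second factor actually works.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the genuine second factor the victim's app shows."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class IdentityProvider:
    """Simulated legitimate login service (stands in for the real e-signature/Microsoft portal).
    A successful password+TOTP login mints a session cookie, and the cookie alone is later
    enough to act as the user; that cookie is what an AitM proxy is after."""

    def __init__(self, users):
        self.users = users          # username -> (password, TOTP secret); constructed data
        self.sessions = {}          # cookie value -> username

    def login(self, username, password, otp, now):
        pw, secret = self.users.get(username, (None, None))
        if pw is None or password is None or otp is None:
            return None
        if not hmac.compare_digest(pw, password):
            return None
        if not hmac.compare_digest(totp(secret, now), otp):
            return None
        cookie = secrets.token_hex(16)  # value the real site would send in Set-Cookie
        self.sessions[cookie] = username
        return cookie

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class AitMPhishSite:
    """Attacker-controlled proxy behind the spoofed e-signature lure. It never has to break MFA:
    it relays what the victim types to the real IdP in real time and keeps the session cookie
    the IdP hands back. The geofence hides the page from anyone outside the target's region."""

    def __init__(self, idp, target_country):
        self.idp = idp
        self.target_country = target_country
        self.captured = []          # credentials, one-time codes and cookies harvested so far

    def visit(self, client_country, username=None, password=None, otp=None, now=0):
        if client_country != self.target_country:
            # Out-of-region visitors (sandboxes, analysts, URL scanners) get a harmless decoy,
            # so the link looks clean to automated scanning based elsewhere.
            return {"page": "decoy", "cookie": None}
        if username is None:
            return {"page": "fake-login", "cookie": None}
        cookie = self.idp.login(username, password, otp, now)  # forwarded to the real IdP
        if cookie is not None:
            self.captured.append({"user": username, "password": password, "otp": otp, "cookie": cookie})
        return {"page": "document" if cookie else "fake-login", "cookie": cookie}


def run_scenario(now: int = 1_700_000_000):
    """Constructed walkthrough: a foreign scanner, then the victim, then the attacker's replay."""
    secret = b"constructed-totp-seed-not-real"
    idp = IdentityProvider({"exec@example-electric.test": ("hunter2", secret)})
    phish = AitMPhishSite(idp, target_country="US")

    scanner = phish.visit("DE")                       # security scanner outside the target region
    victim_otp = totp(secret, now)                    # victim reads a genuine code from their app
    victim = phish.visit("US", "exec@example-electric.test", "hunter2", victim_otp, now)

    cookie = phish.captured[0]["cookie"]
    attacker_identity = idp.whoami(cookie)            # cookie replay: no password, no MFA prompt

    # The harvested one-time code is useless a couple of time-steps later; the cookie is not.
    otp_replay = idp.login("exec@example-electric.test", "hunter2", victim_otp, now + 60)
    return {
        "scanner_page": scanner["page"],
        "victim_page": victim["page"],
        "attacker_identity": attacker_identity,
        "otp_replay_works": otp_replay is not None,
        "cookie_replay_works": attacker_identity is not None,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two things the simulation makes visible: the victim's MFA challenge is answered with a genuine code, so code-based MFA on its own cannot distinguish the proxied login from a real one, and the asset that actually lets the attacker in afterwards is the session cookie, not the password or the expired code. The decoy branch is why a URL that looks benign from a scanner in another region can still be a live credential-harvesting page for the intended target.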
Adversary-in-the-middle (AitM) tactics use proxy sites to capture login details and MFA codes in real time. This grants attackers access to the victim's account and to any active session cookies, which can in turn unlock other websites.

Figure: Steps in the adversary-in-the-middle threat technique.

Geofencing access

Threat actors use geofencing to limit where their targets can reach phishing sites or malicious content from. By restricting access to specific geographic locations, such as the target's region or country, they reduce the likelihood of detection by IT teams and automated security scanning tools based in other regions.

Deploying just one of these tactics can be enough to convince your people to take action. But what happens when a savvy scammer uses all three?

The scenario

Our recent example shows how combining the methods above enabled a threat actor to target a global electric company. The intended victim supplies power to one of the world's largest cities and employs more than 15K people. In this attack, the offending message was delivered to the mailbox of a C-suite executive. It bypassed Microsoft security tools as well as additional detection meant to stop such multi-stage campaigns. Proofpoint caught the threat and helped secure the company from a possible cyberattack or data breach.

The named threat actor behind this threat was first observed by Proofpoint in 2021. They are known for delivery mechanisms like multistep redirection chains, advanced filtering and highly customized lures. Frequent targets include the manufacturing, technology and energy industries. While they often spoof brands like Microsoft OneDrive and LinkedIn, in this e-signature phishing attack they chose the popular digital transaction management platform DocuSign.

The threat: How did the attack happen?

Here's how the attack unfolded:

1. Setting a lure. The attack started with an email that spoofed DocuSign's brand to appear as a legitimate follow-up notice. It offered the recipient
Rating ★★★★
Sent Yes
Tags Data Breach Malware Tool Threat Prediction Medical Cloud


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.