What's new around internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
ProofPoint.webp 2024-07-29 01:00:00 Scammer Abuses Microsoft 365 Tenants, Relaying Through Proofpoint Servers to Deliver Spam Campaigns
(direct link)
Key Findings

- In March, Proofpoint researchers identified spam campaigns being relayed through a small number of Proofpoint customers' email infrastructure by sending spam from Microsoft 365 tenants.
- All analyses indicate this activity was conducted by one spam actor, whose activity we do not attribute to a known entity.
- The root cause is a modifiable email routing configuration feature on Proofpoint servers to allow relay of organizations' outbound messages from Microsoft 365 tenants, but without specifying which M365 tenants to allow.
- To resolve the issue, Proofpoint implemented a streamlined administrative interface for customers to specify which M365 tenants are allowed to relay, with all other M365 tenants denied by default.
- Any email infrastructure that offers this email routing configuration feature can be abused by spammers.
- Proofpoint Essentials customers are not affected, as configuration settings are already set that prevent unauthorized relay abuse.
- This issue did not expose any Proofpoint customer data, and no customer experienced any data loss as a result.
- We are sharing what we know about these campaigns to help others mitigate this issue and prevent further unauthorized abuse, as it is not unique to Proofpoint.

Abusing an Outbound Email Relay Configuration to Conduct Spam Campaigns

In March 2024, Proofpoint observed spam campaigns being relayed from Microsoft 365 tenants through several Proofpoint enterprise customers' email infrastructures, targeting users of free email providers such as Yahoo, Gmail, and GMX. The commonality shared between all the customers whose email infrastructures were being abused was a modifiable configuration setting that allowed outbound messages to be relayed from Microsoft 365. Spammers can therefore abuse any email infrastructure that allows messages to be relayed from email hosting services through their infrastructure.
This specific email routing configuration abused by the spammer allowed outbound messages to be sent from a customer's Microsoft 365 tenant for relay through their infrastructure, but it did not limit the Microsoft tenants allowed to relay. The spammer, whose activity we do not attribute to a known entity, controlled Microsoft 365 tenants that used random strings of letters and numbers, such as 23gdfs56gsd.onmicrosoft.com, for some of the spam messages. Some of the spam made no attempt to disguise the sender address and used the oddly named Microsoft tenant names as the sending domain. Some of the spam used the onmicrosoft.com tenant names in the “from” field, and other spam messages spoofed the sender email, not all of which were successfully delivered. Interestingly, while the spammer tried this against several Proofpoint infrastructures, some accepted the messages for relay while others rejected the messages. The spammer spoofed the RFC822 “from” header but could not spoof the RFC821 envelope sender address.

The spammer used a rotating series of leased virtual private servers (VPS) from several providers, using many different IP addresses to initiate quick bursts of thousands of messages at a time from their SMTP servers, sent to Microsoft 365 to be relayed to Proofpoint-hosted customer servers. Microsoft 365 accepted these spoofed messages and sent them to these customers' email infrastructures to be relayed. When customer domains were spoofed while relaying through the matching customer's email infrastructure, DKIM signing was also applied as the messages transited through the Proofpoint infrastructure, making the spam messages more deliverable. As many of the tenants being abused by the spammer are still active as of writing, we have implemented several measures to prevent unauthorized relay through Proofpoint servers to keep our customers protected.
Taking Action to Notify and Protect Our Customers

Proofpoint quickly mobilized a cross-functional task force to identify and contact all customers that had an at-risk configuration to help them change their configuration settings, prioritizing those whose infrastructures we

Tags: Spam Threat Technical Yahoo
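The fix the article describes is a per-customer allow list of Microsoft 365 tenants with everything else denied by default, keyed on the RFC 821 envelope sender that the spammer could not spoof. The following is an added example, not Proofpoint's code, that models that decision and places the weak legacy setting (relay from any tenant) beside the corrected one; the customer name, policy values and sample message are constructed, and the tenant name reuses the one quoted in the article.

```python
"""Default-deny relay authorization for mail arriving from Microsoft 365.

Added example, not Proofpoint's code. The decision keys on the RFC 5321
(RFC 821) envelope sender, MAIL FROM, which the article says the spammer
could not spoof, and only then checks that the RFC 5322 (RFC 822) header
From, which they could spoof, belongs to the customer. Policy values and
sample addresses are constructed for the example.
"""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class RelayPolicy:
    customer: str
    # None models the legacy "relay from any Microsoft 365 tenant" setting;
    # a frozenset models the corrected per-tenant allow list.
    allowed_tenants: Optional[FrozenSet[str]]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of a mailbox, or "" if malformed."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def relay_decision(policy: RelayPolicy, envelope_from: str,
                   header_from: str) -> Tuple[str, str]:
    """Decide whether to relay a message; returns (action, reason)."""
    env_domain = domain_of(envelope_from)
    hdr_domain = domain_of(header_from)
    if not env_domain:
        # An empty MAIL FROM is a bounce, not outbound customer mail; do not relay it.
        return ("reject", "empty or malformed envelope sender")
    if policy.allowed_tenants is None:
        # Legacy behaviour the spammer abused: any Microsoft 365 tenant is relayed.
        return ("accept", "legacy policy relays any Microsoft 365 tenant")
    if env_domain not in policy.allowed_tenants:
        return ("reject", f"tenant {env_domain} is not allow-listed for {policy.customer}")
    if hdr_domain not in policy.allowed_tenants:
        # Header From is spoofable; do not relay (and DKIM-sign) mail whose visible
        # sender is not one of the customer's own domains. Exact match is a
        # simplification of this example; subdomain handling is left out.
        return ("reject", f"header From domain {hdr_domain} does not belong to {policy.customer}")
    return ("accept", f"envelope sender {env_domain} is allow-listed and header From aligns")


# Constructed policies: the weak legacy setting beside the corrected one.
LEGACY_POLICY = RelayPolicy("acme", allowed_tenants=None)
FIXED_POLICY = RelayPolicy("acme", allowed_tenants=frozenset({"acme.com", "acme.onmicrosoft.com"}))

# Constructed sample message: random-looking tenant in the envelope, customer brand in the header.
SPAM_ENVELOPE = "bulk@23gdfs56gsd.onmicrosoft.com"
SPAM_HEADER_FROM = "Acme Billing <billing@acme.com>"

if __name__ == "__main__":
    for policy in (LEGACY_POLICY, FIXED_POLICY):
        print(policy.allowed_tenants, relay_decision(policy, SPAM_ENVELOPE, SPAM_HEADER_FROM))
```

Run as a script it prints the two decisions side by side: the legacy policy accepts the spoofed sample, the allow-list policy rejects it before any DKIM signature is applied. The same function can be run over SMTP transaction logs to find relayed messages whose envelope tenant was never allow-listed.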
ProofPoint.webp 2024-06-27 12:12:56 DMARC: Why It's Moving from a Best Practice to a Must-Have
(direct link)
It is widely understood that email is the number one threat vector for cyberattacks. This stems from the fact that email was not designed with security in mind, and cybercriminals do not need highly technical skills to exploit it.

In this blog, we'll look at how threat actors exploit human vulnerabilities by impersonating people and brands, why DMARC is becoming mandatory, and how Proofpoint can help.

Are you for real? Looking legitimate to gain trust

Most cyberattacks today are initiated via email. As a result, many users have started to block or delete emails from unknown sources as a precautionary measure.

Cybercriminals realize this and have learned that their best chance is to fool the receiver into believing that they are dealing with a known source, ideally a trusted source. And this is where sender impersonation comes into play.

Spoofing is a common form of sender impersonation. There are two main types:

- Domain spoofing. This is when a bad actor forges a sender's domain in an email to make it appear as if the email is from a trusted source.
- Header spoofing. In this case, an attacker manipulates the email's header information, including fields such as “From,” “To,” “Reply-To” and others, so that it looks like the email is from a different source than its true source (the attacker).

Both tactics are designed to make recipients believe that they are interacting with a trusted source and can appear very legitimate. If someone believes they are communicating with a trusted person, they are more likely to divulge sensitive information or perform actions that compromise their security, such as handing over their credentials.

If an attacker is spoofing your company to target your partners or customers, it can cause significant damage to your brand's reputation. To prevent this type of brand abuse, some companies have implemented email authentication technology as a “best practice.” But this trend is not as widespread as you might expect.
An overview of email authentication technology

To combat domain spoofing, Sender Policy Framework (SPF) was introduced, followed by DomainKeys Identified Mail (DKIM), with the goal of validating that email is coming from an approved sending IP address and that the message hasn't been tampered with en route.

A company can create an SPF record that contains a list of all the “approved” IP addresses that can send email on the organization's behalf. This allows a system receiving an email to do a quick check to determine if the email is coming from an authorized server. If the sending IP address isn't on the SPF list, it fails authentication.

DKIM goes a step further by using public and private keys, allowing a receiving system to check the signature in the email against the sender's published public key to confirm that it came from who it says it did and that nothing in the email was changed after it was sent.

Someone sending a domain-spoofed email would fail both SPF and DKIM authentication.

Email authentication is becoming mandatory

Email authentication tools have been available for years, so you would think that all companies would have implemented them by now. However, some businesses have been slow to act for various reasons, including:

- Resource limitations
- Budget limitations
- Concerns about legitimate email being blocked

Whatever the cause for the lag in implementing these tools, the delay has allowed cybercriminals to continue to exploit the lack of security to initiate their attacks.

Major email providers are making moves to force companies to catch up and use email authentication. Some highly publicized examples include the October 2023 announcements from Google, Yahoo and Apple around mandatory email authentication requirements (including DMARC) for bulk senders sending email to Gmail, Yahoo and iCloud accounts. This should significantly reduce spam and fraudulent emails hitting their customers' inboxes.

Tags: Spam Tool Vulnerability Threat Prediction Technical Yahoo ★★★
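To make the SPF, DKIM and DMARC checks above concrete, here is an added example (not Proofpoint's code) that evaluates an SPF record against a sending IP, represents a verified DKIM signature by its signing domain, and applies DMARC identifier alignment and the published policy to a spoofed message. The DNS records, domain names and IP addresses are constructed; the "a", "mx" and "exists" SPF mechanisms are omitted, and the organizational domain is approximated as the last two labels rather than consulting the Public Suffix List.

```python
"""SPF evaluation and DMARC alignment over constructed DNS records.

Added example, not Proofpoint's code. DNS_TXT stands in for live DNS; the
zone data, domains and addresses are constructed. SPF "a", "mx" and "exists"
mechanisms are omitted, and org_domain() approximates the organizational
domain instead of using the Public Suffix List.
"""
import ipaddress
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

DNS_TXT: Dict[str, List[str]] = {  # constructed zone data
    "acme.example": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:mailhost.example -all"],
    "bounce.acme.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "mailhost.example": ["v=spf1 ip4:198.51.100.10 -all"],
    "_dmarc.acme.example": ["v=DMARC1; p=reject; adkim=s; aspf=r"],
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def domain_of(address: str) -> str:
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def spf_check(domain: str, ip: str, depth: int = 0) -> str:
    """Evaluate the domain's SPF record against the connecting IP (RFC 7208 subset)."""
    records = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1 or depth > 10:
        return "permerror"  # multiple SPF records, or include chain too deep
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER[qual]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIER[qual]
        elif term.startswith("include:"):
            if spf_check(term[len("include:"):], ip, depth + 1) == "pass":
                return QUALIFIER[qual]
    return "neutral"  # nothing matched and no explicit "all" term


def org_domain(domain: str) -> str:
    """Approximation of the organizational domain (no Public Suffix List)."""
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain: str, header_domain: str, mode: str) -> bool:
    """DMARC alignment: strict ("s") needs an exact match, relaxed ("r") the same org domain."""
    if mode == "s":
        return auth_domain == header_domain
    return org_domain(auth_domain) == org_domain(header_domain)


def dmarc_evaluate(header_from: str, envelope_from: str, source_ip: str,
                   dkim_domain: Optional[str] = None) -> Tuple[str, str]:
    """Return (dmarc_result, disposition); dkim_domain is the d= of an already-verified signature."""
    hdr = domain_of(header_from)
    tags: Dict[str, str] = {}
    for rec in DNS_TXT.get("_dmarc." + hdr, []):
        for item in rec.split(";"):
            if "=" in item:
                key, value = item.strip().split("=", 1)
                tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ("none", "deliver")  # no DMARC policy published for the header From domain
    env_domain = domain_of(envelope_from)
    spf_ok = spf_check(env_domain, source_ip) == "pass" and aligned(env_domain, hdr, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(dkim_domain.lower(), hdr, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    return ("fail", {"reject": "reject", "quarantine": "quarantine"}.get(tags.get("p", "none"), "deliver"))


if __name__ == "__main__":
    # Constructed spoof: header From claims acme.example, envelope and IP belong to someone else.
    print(dmarc_evaluate("Acme CEO <ceo@acme.example>", "x@attacker.example", "192.0.2.1"))
```

The last call shows the point of the section: the forged message passes neither SPF nor DKIM alignment for acme.example, so the p=reject policy applies. Swapping the policy tag to p=none in the record makes the same message deliverable, which is why monitoring-only DMARC deployments still let brand spoofing through.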
Last update at: 2024-07-29 19:19:05