CyberheistNews Vol 10 #37 [Heads Up] How to Check Your Email Rules for Maliciousness. Do This Now.



Roger Grimes wrote: "Email rules have been used maliciously for decades. Learn about email rules and what you need to do to defend your organization against their malicious misuse.

Email Rules

Attackers have always been adept at using legitimate automation tools and features against us. The time-worn programmer’s credo, “Why do something manually when you can automate it?” apparently applies to malware writers as well.

Automating maliciousness makes it more effective in terms of both success and lower cost, and it makes the attacker far less likely to be caught. For decades, phishers and other attackers have used email automation functionality, such as rules, scripts, add-ons, templates, and configuration settings, against their victims.

Microsoft Outlook, arguably the most popular and feature-rich email client out there, has long been abused, and Gmail, Mozilla Thunderbird, and other email clients have also been targeted by the bad guys, but to a far lesser extent.

Most of the popular email clients offer rules. In Outlook and many other email clients, they are called rules. In Gmail, they are known as filters and have less functionality, but Gmail also has templates and add-ons that can be every bit as feature-rich as Outlook rules.

Mozilla Thunderbird has add-ons, extensions, and templates. Apple Mail has rules that can be tied to AppleScripts. In general, if there is a popular email client, there is a way to add automated personalized email handling, and there are hackers willing to abuse it.

Depending on the email client and server, these automation features can be enabled locally, follow the email client, or be applied on the server or in the cloud. Where the automation is enabled is important, especially when trying to look for that automation, and when determining which steps users can take to prevent, detect, and eradicate malicious actions.

There are even ways to “hide” rules to make it harder for defenders to detect maliciousness. Many email items, like rules, “travel” with the email client, meaning that even if you change your passwords or get a new device, any malicious modifications may still be there.

Over the years I’ve often gotten calls from people who know they have been exploited by a hacker who has taken over their email account. And they change their passwords, scan their systems, and even have gotten new devices in order to stop the attacker, but the attacker is still persistently abusing their system and email.

They always wonder, how is the hacker doing it? I tell them, check your email rules. Although it can be something else besides rules (i.e., templates, add-ons, etc.). The problem with the malicious misuse of email automation is that most email users and only a small percentage of email administrators and computer defenders know about the problem, and only a small subset of those individuals actually do something to proactively defend against it.

Malicious email automation is almost never detected by anti-malware software and vulnerability scanners. When was the last time your anti-malware program or vulnerability scanner warned you about a potentially malicious email rule, add-in, or template? I think I’m hearing the virtual echoes of silence.
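
As an added example (not from the article or from KnowBe4), here is one way a defender could triage server-side rules that have been exported as JSON. It assumes the export is in the shape of Microsoft Graph `messageRule` objects; the sample rules, `OWN_DOMAINS`, and the four heuristics are assumptions chosen for illustration.

```python
import json

# Constructed sample in the shape of Microsoft Graph messageRule objects
# (field names are Graph's; every value below is made up for this example).
SAMPLE_RULES = json.loads("""
[
  {"displayName": "Newsletters", "isEnabled": true,
   "conditions": {"senderContains": ["news@"]},
   "actions": {"moveToFolder": "constructed-folder-id"}},
  {"displayName": ".", "isEnabled": true,
   "conditions": {"subjectContains": ["invoice", "payment"]},
   "actions": {"forwardTo": [{"emailAddress": {"address": "collector@example.net"}}],
               "delete": true, "stopProcessingRules": true}},
  {"displayName": "Assistant copy", "isEnabled": false,
   "conditions": {},
   "actions": {"redirectTo": [{"emailAddress": {"address": "assistant@example.com"}}]}}
]
""")

OWN_DOMAINS = {"example.com"}  # assumption: the organization's own mail domains
RELAY_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
HIDE_ACTIONS = ("delete", "permanentDelete", "markAsRead")

def external_recipients(actions):
    """Addresses in relay actions whose domain is not one of OWN_DOMAINS."""
    found = []
    for key in RELAY_ACTIONS:
        for rcpt in actions.get(key) or []:
            addr = (rcpt.get("emailAddress") or {}).get("address", "").lower()
            if addr.rpartition("@")[2] not in OWN_DOMAINS:
                found.append(addr)
    return found

def audit_rule(rule):
    """Return review findings for one rule; an empty list means nothing flagged."""
    actions = rule.get("actions") or {}
    relays = any(actions.get(k) for k in RELAY_ACTIONS)
    findings = []
    ext = external_recipients(actions)
    if ext:
        findings.append("relays mail outside the organization: " + ", ".join(ext))
    hides = [k for k in HIDE_ACTIONS if actions.get(k)]
    if relays and hides:
        findings.append("relays, then hides the original: " + ", ".join(hides))
    if relays and not rule.get("conditions"):
        findings.append("relay applies to every message (no conditions)")
    if not rule.get("displayName", "").strip(". "):
        findings.append("blank or punctuation-only rule name")
    return findings

def audit(rules):
    """List of (rule name, findings) for flagged rules; disabled rules are included."""
    return [(r.get("displayName", ""), f) for r in rules if (f := audit_rule(r))]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES):
        print(repr(name), "->", "; ".join(findings))
```

A server-side export like this does not cover client-only rules or the other automation the article mentions, such as templates and add-ons.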

How To Check Your Email Rules for Maliciousness is CONTINUED at the KnowBe4 blog:

[Live Webinar] Think Like a Hacker: Learn How to Use Open Source Intelligence (OSINT) to Defend Your Organization

In today's digital age we are surrounded by massive amounts of data every day. This makes it ridiculously easy to gather shockingly detailed information about anyone… even your organization. Bad actors use open source intelligence (OSINT) techniques to gather this inside knowledge and create attacks your users will click on.

No one knows this better than former CIA Cyber Threat Analyst and Technical Intelligence Officer, Rosa Smothers. But she can show you how to use OSINT to turn the tables on the bad guys and regain the upper hand.

Join us THIS WEEK, Thursday, September 10 @ 2:00 PM (ET) for this live webinar as Rosa, now KnowBe4's SVP of Cyber Operations, shares her insights on how to leverage OSINT to defend your organization and think like a hacker!

Rosa will show you:
  • How to go beyond general OSINT techniques to gather the details you need for effective investigations
  • Apps and analytic techniques that enhance your research and data interpretation
  • Live demonstrations of OSINT gathering techniques you can use before the bad guys do
  • How training your users to understand OSINT and their digital footprint can protect your organization from threat actors
Learn how to use hackers' best techniques against them and earn CPE credit for attending!

Date/Time: THIS WEEK, Thursday, September 10 @ 2:00 PM (ET)

The U.K. Is Under Massive Cyberattack and They Are Nowhere Near Prepared
New insights into the cybersecurity readiness of U.K. organizations show cyberattacks are plentiful and costly, and there aren’t enough cybersecurity pros to help.

I just finished writing about how the U.K. is seeing a massive surge in the number of new cybersecurity firms and the massive shortfall of cybersecurity professionals to fill open jobs. The data from global recruiter Robert Walters and recruitment data provider VacancySoft also highlights just how bad the state of cyberattacks is in the U.K. today.

According to the report, cybercriminals are working at a furious pace and are making substantial profits:

There are 65K attempted cyberattacks on UK small to medium sized businesses (SMBs) each day. The average cost of a data breach in the UK is £2.48 million. Part of the problem appears to be the shift to working remotely, as 48% of executives state that their existing cybersecurity policies are currently not suitable for maintaining a 100% remote working model.

In addition, the bigger problem goes back to the issue of filling those cybersecurity job vacancies – according to the report, only 28% of companies have sufficient cybersecurity staffing in the UK.

So, what’s a UK organization to do? You’re constantly under attack, your current strategies aren’t enough to secure remote workers, and you don’t have enough expert staff to make anything better!

The answer lies in looking at what you need to protect against; according to the report, ransomware was the #1 driver for cybersecurity initiatives, with phishing as the #2 driver. These two threats can be best addressed by looking at the common factor that does not require a cybersecurity professional to fix – the user.

Users are the one part of a phishing attack that is necessary – in the form of engaging with malicious email and web content – to help an attack succeed.

By implementing Security Awareness Training, your organization can improve its state of security by educating users on the need to be vigilant and security-minded while doing their job (whether in the office or working remotely), and on the common tactics and methods used to trick them into becoming the unwitting participant.

The attacks on UK organizations aren’t going to stop anytime soon, but you can do something about it – even while short-staffed.

[NEW PhishER Feature] Remove, Inoculate, and Protect Against Email Threats Faster With PhishRIP

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic can present a new problem!

PhishRIP as part of the PhishER platform is a new email quarantine feature that integrates with Microsoft Office 365 to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.

Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.

Now you can with PhishER, which is the key ingredient of an essential security workstream. PhishER allows your Incident Response team to quickly identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us for a 30-minute demonstration of the PhishER platform. With PhishER you can:
  • NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft Office 365
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s machine-learning module
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, September 16 @ 2:00 PM (ET)

How to Defend Against Phishes Coming from Trusted Partners

One of the most frequent concerns I hear from IT security practitioners and CISOs is the rise of phishing attacks coming from compromised trusted partners and contractors. The attackers use the initial victim’s real email account and existing long-established relationships with years of built-up trust as a way to more easily compromise additional victims.

How do you protect your organization when the phish is coming from someone you trust?

A lot of the traditional anti-phishing advice fails. The common recommendation of “Don’t click on links coming from strange email addresses” doesn’t work. This article will cover how third-party compromises often happen and what you need to do to better protect your organization against trusted third-party attacks.

How Trusted Third-Party Attacks Occur

It all starts with a trusted third party’s email account being compromised. In order for a third party’s email account to be taken over and abused by attackers, the attackers must first gain control. It can happen in a variety of different ways, including:
  • Stolen email credentials
  • Compromised workstation
  • Compromised email server
  • Compromised admin credentials
  • OAuth
By far, the two most common ways out of the list above are compromised email account credentials or a compromised workstation that contains an already working email client. Login credentials, which are often identical to a victim’s email credentials, are all over the Internet. There are literally over 10 billion previously stolen login credentials sitting in a few files on the Internet or dark web waiting for some hacker to attempt to exploit them.

You can do a quick online check using Troy Hunt’s infamous website or for your entire organization at once using KnowBe4’s Password Exposure Test free tool.

It’s even more common for people to lose their current active login credentials to social engineering attacks. In fact, 70% to 90% of all malicious breaches are due to social engineering.

Once a victim’s email login credentials have been obtained, hackers have a variety of methods to manipulate a user’s email and email client remotely. There are a handful of hacker tools, most notably Empire PowerShell Post-Exploitation Toolkit, XRulez, and SensePost Ruler, which allow a hacker to maliciously modify Microsoft Outlook and the Apple Mail app and, using regular scripted command-line options, Mozilla Thunderbird on Linux, so that malicious emails can easily be sent remotely without the hacker ever being present on the computer containing the email client.

Defending Against Trusted Third-Party Phishes
  1. Make Everyone Aware of Trusted Third-Party Phishes
  2. Pay Attention to Action Requests More Than Email Addresses
  3. Make a Call
  4. Look Out for Real Fake Companies
  5. Watch Out for Long Setup Pretexting
  6. Call Law Enforcement
  7. Warn the Original Victim Company
  8. Don’t Become That Compromised Third Party
Each of the above 8 points is explained in great detail here:

[Heads-Up] Re-Check Your Email Attack Surface Now. (We are always adding new breaches)

Your users are your largest attack surface. Data breaches are getting larger and more frequent. Bad guys are getting smarter every year. Add it all up and your organization's risk skyrockets with the amount of your users' credentials that are exposed.

It's time to re-check your email attack surface.

Find out your current email attack surface now with KnowBe4’s Email Exposure Check Pro. EEC Pro identifies your at-risk users by crawling business social media information and now also thousands of breach databases.

EEC Pro now leverages one of the largest and most up-to-date breach data sources to help you find even more of your users’ compromised accounts that have been exposed in the most recent data breaches - fast.


Get your EEC Pro Report in less than 5 minutes. It’s often an eye-opening discovery. You are probably not going to like the results...


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: [ALERT] My name is being used in clumsy criminal identity theft attacks at the moment. Here is the blog post how that's going down:

PPS: Below is a list of our new feature releases and updates on the KnowBe4 Security Awareness Training Platform. Check back frequently to learn about new updates:

Quotes of the Week
"Where all think alike, no one thinks very much."
— Walter Lippmann, American Writer (1889 – 1974)

"The best time to plant a tree was 20 years ago. The second-best time is now."
- Chinese Proverb

Thanks for reading CyberheistNews

Security News
QBot Is Back With New Phishing Tricks and Hijacks Email Threads

Researchers at Check Point warn that the QBot banking Trojan now has the ability to hijack email threads on infected devices and send malicious emails to the victim’s contacts. The malware’s operators began churning out phishing emails earlier this month after a brief hiatus.

“One of Qbot’s new tricks is particularly nasty, as once a machine is infected, it activates a special ‘email collector module’ which extracts all email threads from the victim’s Outlook client, and uploads it to a hardcoded remote server,” the researchers write. “These stolen emails are then utilized for future malspam campaigns, making it easier for users to be tricked into clicking on infected attachments because the spam email appears to continue an existing legitimate email conversation.

Check Point’s researchers have seen examples of targeted, hijacked email threads with subjects related to Covid-19, tax payment reminders, and job recruitments.” Check Point adds that QBot can also spread within a network, potentially gaining access to more email accounts from which it can propagate even farther.

“Once the victim has been infected, their computer is compromised, and they are also a potential threat to other computers in the local network because of Qbot’s lateral movement capabilities,” the researchers write. “The malware then checks whether the victim can also be a potential bot as part of Qbot’s infrastructure.”

This campaign is widespread and indiscriminate, but the most-targeted sectors are government, military, manufacturing, insurance/legal, and healthcare. The researchers conclude that Qbot’s developers can be expected to continue adding improvements to their malware.

“These days QBot is much more dangerous than it was previously – it has [an] active malspam campaign which infects organizations, and it manages to use a ‘3rd party’ infection infrastructure like Emotet’s to spread the threat even further,” they write.

New-school security awareness training can teach your employees to be wary of clicking on links in emails, even if the messages are sent from a trusted account.

Check Point has the story:

Organizations Aren’t Prepared to Recover from Cyberattacks on Active Directory

Cybercriminals are increasingly leveraging Active Directory to spread malware and even hold the organization for ransom. New data suggests you’re nowhere near ready for it.

I don’t need to say it, but your Active Directory (AD) is mission critical. Nearly every part of your on-premises environment – and some of your cloud environment – depends on the active presence of this directory service.

And the bad guys know it.

I’ve brought up the use of AD a few times this year. We’ve seen AD used to spread Ryuk ransomware to remote endpoints by compromising domain controllers and running a logon script via Group Policy. We’ve also seen ransomware specifically target domain controllers to hold AD for ransom.

And anytime you hear about an attack involving lateral movement, it means accounts are compromised, passwords are changed and – if the bad guys can make their way to a privileged account within AD – modifications to AD groups, users, and permissions to establish persistence, stealth, and control.

So, it’s necessary for organizations to be ready both to recover the parts of Active Directory that have been modified during a cyberattack and to recover their domain controllers.

But according to AD-focused cybersecurity vendor Semperis, in their Recovering Active Directory from Cyber Disasters report, it appears IT organizations simply aren’t prepared:
  • 84 percent of orgs feel an AD outage would be “significant, severe, or catastrophic”
  • Only 3 percent of orgs are “extremely confident” about their ability to recover AD to new servers should it be necessary
  • Only 15 percent of organizations have actually tested their AD recovery plan in the last six months
With cyberattacks being so prevalent today, increasing in frequency and sophistication, it’s time for organizations to ensure they have a means to recover themselves to not just a known-functioning state, but a known-secure state back before attackers had access to AD.

The bad guys know AD is the keys to the kingdom. You need to work both to prevent its compromise and to be able to recover it should it be compromised.

What KnowBe4 Customers Say

"Hey guys! I wanted to pass along my thanks and compliments. The Texas certified training is great and our users are giving us a lot of good feedback on it. Along with that, I want to tell you that Tim has been extremely helpful in getting everything working for the big annual training campaign for us!

Everyone at KnowBe4 that I have had contact with has impressed me, from Andrew to Tim to Matt our sales rep. I wish all vendors had your spirit and great customer service!"
- M.A., InfoSec Analyst

The 10 Interesting News Items This Week
    1. Google Play apps promised free shoes, but users got ad fraud malware instead:

    2. Misconfiguration on the Cloud is as Common as it is Costly:

    3. DoJ Aims to Seize 280 Cryptocurrency Accounts Used by Hackers:

    4. Iranian hackers impersonate journalists to set up WhatsApp calls and gain victims' trust:

    5. Slack users unwittingly phished with malicious payloads:

    6. Norwegian Parliament discloses cyber-attack on internal email system:

    7. Deepfake porn is now mainstream. And major sites are cashing in:

    8. Iranian hackers are selling access to compromised companies on an underground forum:

    9. Norwegian Parliament discloses cyber-attack on internal email system:

    10. The most popular brand websites that hackers use for typosquatting campaigns:
Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.
