Tessian Blog

Integrated Cloud Email Security
Video: Tips For Cybersecurity Awareness Month
By Andrew Webb
Friday, September 30th, 2022
October is Cybersecurity Awareness Month, and the US Cybersecurity and Infrastructure Security Agency (CISA) and National Cyber Alliance (NCA) are calling for organizations to focus on the fundamentals of cyber security. So we caught up with Tessian’s Head of Risk and Compliance, Kim Burton, to find out what those fundamentals are and what they mean for your organization. Watch the video below or read the transcript.
So one of the things that’s really exciting about starting your security journey is that there are things that are actually very, very easy to do. And these are true for everyone. It doesn’t matter if you’re an employee somewhere. It doesn’t matter if this is what you’re doing at home trying to protect your friends and family. The key core components of where security starts are:

Strong passwords
That means long, strong, and unique. You can store those in a password manager, and with that password manager you want to pair two-factor authentication on every account that you have, if possible. Not every account allows for two-factor authentication, but everywhere that you can, you want to use multi-factor authentication.

Updates
Make sure you’re always keeping your machine updated!

Mindful posting
What I mean by that is, make sure that when you’re posting on social media, you’re being careful about the kinds of information you reveal. And note that you’re also protecting your friends and family, and your business, when you’re posting online. So you want to just be careful about the kind of privacy implications that could come about.

Report suspicious emails
And then, when you see something, make sure you talk about it with your coworkers. If something seems a little bit off, send it to your security team. Report phishing emails, and remember that you’re in a community: protect each other.
Hosting a security open day
There are all kinds of different activities that you can run for Cybersecurity Awareness Month: having a security party where you all come together and discuss secure solutions that the company specifically requires, and relying on people at the business to present their expertise to other coworkers, like doing brown bag lunches that are focused on security components. You can use your employees to actually do a pretend ‘hack the company’ event, where you encourage them throughout the month to name different security concerns that they see. Maybe someone’s left their laptop unlocked, or maybe they noticed people aren’t badging in consistently. Or maybe you’re trying to encourage them to wipe down whiteboards – a security scavenger hunt, if you will. Have a prize at the end of it. You can get people to design security posters. Your employees know what secure behavior looks like, and they actually get very excited to talk about the knowledge that they have. What’s hard is if someone’s coming in top-down, telling them very aggressively, like waving a stick and saying “you will do these things”. A lot of these folks have worked other places. They know what they need to be doing; they just need to be empowered to do it. So let them show what knowledge they have and encourage them to talk about it with you, so that you can maneuver their knowledge to be exactly what the business needs. You can make it so that they have the opportunity to talk about it, teach their peers, and then encourage them to grow from where they’re at.

You can have other security events like an OSINT scavenger hunt. OSINT is Open Source Intelligence gathering. That would be maybe a couple of employees gather a bunch of different photographs from around the Internet and you ask your folks to identify where they are.
It’s amazing how quickly people can identify locations from photographs. They think they’re not going to be good at this, and they’re like, “I’ve never done this before, there’s no way I’ll be able to tell from this corner of a building where this is located in the world”. But then you give them five minutes to think about it, and they start saying “You know, that type of tree doesn’t grow anywhere else”, or “You know, the angle of the sun there seems like it could be in this region of the world”. It’s amazing how fast people start to figure out these things. And that teaches them how attackers think; that teaches them how malicious actors are going to react.

And it’s fun. You’ve changed it into a game, but what they come away with is: “Oh, okay, I was able to do this in half an hour of activity. What could someone do with a month? I’ve got to be careful. I have a duty to protect myself. I have a duty to protect my friends, and I really need to protect the business”. It helps them really see the practicality of the events that they’re doing.
Threat Intel
New Impersonation Campaign: Logokit
By Catalin Giana
Friday, September 30th, 2022
In August, Tessian’s Threat Intel team saw a new Business Email Compromise malware campaign in the wild called Logokit. Logokit is an impersonation phishing kit used to propagate Business Email Compromise campaigns that harvest credentials.

How Logokit exploit kits work
Threat actors impersonate the domains of trusted brands, most commonly healthcare, financial or legal services providers. The phishing email usually contains a malicious URL or attachment. The unsuspecting victim clicks on the malicious URL, which in this case redirects to an impersonated Microsoft website, where the threat actors attempt to harvest login credentials.

The attack chain
1: The law firm is impersonated and a spoofed account is used to send a malicious email to the victim.
2: The victim receives the malicious email and downloads the malicious HTML attachment.
3: When the HTML page is opened, the final landing page is a Microsoft impersonation page requesting that the victim enter Microsoft login credentials.
4: The credentials entered by the victim are then harvested by the threat actor.

Threat analysis
In the case that Tessian Threat Intel analyzed, a victim of this campaign was targeted by threat actors impersonating a law firm. The impersonated email from the law firm contained the company logo, as well as an obfuscated HTML attachment titled: Letter To Buyer’s Solicitor Enclosing Contract Bundle.htm
Tessian Threat Intel started the investigation in a virtual environment, analyzing the attached HTML file. On first inspection the HTML file appeared benign. We then analyzed the HTML file in a non-virtual environment, where the initial HTML file redirects to an impersonated Microsoft login webpage.

Conclusion and recommendations for staying safe
At the time of analysis, the Logokit redirect campaign stopped at the Microsoft phishing landing page. There is a high probability that this campaign will be altered in the coming days and weeks to land on a different page.

To avoid falling victim to similar phishing emails, we recommend:
- Being careful of unsolicited emails, especially those containing attachments or URLs. Before interacting with any suspicious email, check the source and the email headers to confirm that the organization it claims to come from is legitimate. If anything seems unusual, do not follow or click on links, or download attachments.
- If the suspicious email appears to come from someone you know and trust, like a colleague, reaching out to the individual directly by phone, Slack, or a separate email thread. It’s better to confirm and proceed confidently than the alternative.
- Adopting intelligent cloud email security solutions like Tessian that use behavioral intelligence to detect and prevent advanced email attacks, including increasingly sophisticated impersonation emails.
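The two checks recommended above (look at the headers to confirm where the email really came from, and treat HTML attachments with suspicion) can be scripted for a mail-security or SOC triage queue. The following is an added example written for this page, not Tessian’s code or the Logokit kit’s code. It assumes that the Authentication-Results header was stamped by your own inbound MX, and it uses constructed sample messages with placeholder domains (law-firm.example, bulk-mailer.example, login.phish.example) and a constructed attachment name; the list of redirect markers is an assumption you would tune to what you see in your own environment.

```python
"""Defensive triage of a suspicious email: authentication-header checks,
visible-From vs envelope-sender comparison, and HTML-attachment inspection.
Added example; not Tessian's code."""
import email
import email.policy
import re
from email.utils import parseaddr

# Strings that HTML "redirector" attachments typically contain to send the
# browser on to a remote page. Assumed indicators; extend for your environment.
REDIRECT_MARKERS = (
    'http-equiv="refresh"',
    "window.location",
    "location.href",
    "location.replace(",
    "document.write(",
    "atob(",
    "unescape(",
)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results[mech.lower()] = verdict.lower()
    return results


def sender_domains(msg):
    """Return (visible From domain, envelope Return-Path domain), lower-cased."""
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    return from_dom, rp_dom


def html_attachment_findings(msg):
    """Flag every HTML attachment, noting any redirect/obfuscation markers inside it."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() != "text/html" and not name.endswith((".htm", ".html")):
            continue
        body = part.get_content()
        if isinstance(body, bytes):
            body = body.decode("utf-8", "replace")
        hits = [m for m in REDIRECT_MARKERS if m in body]
        if hits:
            findings.append(f"HTML attachment '{name}' with redirect markers: {hits}")
        else:
            findings.append(f"HTML attachment '{name}'")
    return findings


def triage(raw_message):
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    findings = []
    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech} did not pass ({auth.get(mech, 'missing')})")
    from_dom, rp_dom = sender_domains(msg)
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    findings.extend(html_attachment_findings(msg))
    return findings


# Constructed sample: a lookalike law-firm sender, failing DMARC, whose only
# payload is an HTML attachment that immediately refreshes to a remote page.
SAMPLE_EML = """\
Return-Path: <bounce@bulk-mailer.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=bulk-mailer.example; dkim=none; dmarc=fail header.from=law-firm.example
From: "Conveyancing Team" <contracts@law-firm.example>
To: buyer@victim.example
Subject: Contract bundle
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please find the contract bundle attached.

--b1
Content-Type: text/html; charset="us-ascii"; name="contract-bundle.htm"
Content-Disposition: attachment; filename="contract-bundle.htm"

<html><head><meta http-equiv="refresh" content="0;url=https://login.phish.example/"></head></html>

--b1--
"""

# Constructed sample: aligned sender, all checks passing, no attachment.
CLEAN_EML = """\
Return-Path: <contracts@law-firm.example>
Authentication-Results: mx.example; spf=pass; dkim=pass; dmarc=pass
From: contracts@law-firm.example
To: buyer@victim.example
Subject: Hello
Content-Type: text/plain; charset="us-ascii"

Nothing unusual here.
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_EML):
        print("SUSPICIOUS:", line)
    print("clean message findings:", triage(CLEAN_EML))
```

The header checks are only meaningful when your own receiving MX writes the Authentication-Results header (a sender can forge one further up the chain), so in production you would key on the authserv-id of your own gateway. The attachment check is deliberately crude: it treats any HTML attachment as worth a look, because a "benign-looking" HTML file that only misbehaves outside a sandbox, as described in the analysis above, is exactly what a marker scan will miss, and the analyst's attention, not the script, is the control.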
Threat Intel
Tessian Threat Intel Roundup: Ransomware Dominates
By John Filitz
Wednesday, September 28th, 2022
As we wind down Q3, we see no let-up by threat actors, with a series of high-profile breaches dominating the headlines in September. Of concern is the increasing activity of Ransomware-as-a-Service (RaaS) offerings and threat actors. It’s little surprise that phishing and email remain significant threat vectors for ransomware actors, either to gain initial access or to execute ransomware payloads.

Sign up for our Threat Intel update to get this monthly update straight to your inbox.

Key Takeaways
- Phishing attacks are in uncharted territory, with over 1 million attacks reported for Q2 2022. Financial services and SaaS companies are among the most targeted.
- Phishing and email remain primary threat vectors for gaining initial access to carry out ransomware attacks.
- Ransomware-as-a-Service (RaaS) gang activity continues its steady increase, up 63% in Q1 2022, as RaaS actors continue to diversify services and exploit kits, including mining exposed data to carry out second-stage Business Email Compromise (BEC) campaigns.
- There is significant concern that corrupting files, rather than the usual encrypting of files, will become a new modus operandi of Noberus (aka BlackCat) ransomware actors and affiliates.
- LockBit ransomware encryption code has been leaked, sparking concern about an increase in LockBit attacks.
- Ukraine has proven to be cyber resilient against Russian cyber attacks, largely as a result of recovering from previous significant breaches such as NotPetya, and as a result of NATO support.
- Recent reports of an Iranian cyber campaign against Albania have resulted in Albania severing diplomatic ties with Iran.
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a record number of advisories for the month, with ransomware and nation-state activity from Iran front and center.
Trending Analysis
- Phishing attacks continue their upward trajectory according to the latest APWG Q2 Phishing Activity Trends Report, with over 1 million phishing attacks recorded for the 2nd quarter of 2022 – the worst quarter on record. The most targeted industries according to APWG are financial services (28%), followed by webmail and Software-as-a-Service providers (19%) and retail (15%). Some of the key threat vectors identified by APWG are email-delivered impersonation and ransomware attacks.
- New Zealand’s Computer Emergency Response Team (CERT NZ) reports that phishing campaigns are the primary method for threat actors to gain initial access to carry out ransomware attacks. Email, according to CERT NZ, is the third most commonly used vector for malware delivery.
- Trend Micro reports a 63% rise in Ransomware-as-a-Service (RaaS) groups in the first quarter of 2022.
- Accenture reports on a growing trend of threat actors leveraging “sensitive corporate data exposed on the dark web” to carry out sophisticated Business Email Compromise (BEC) campaigns.
- Findings from a Stairwell study indicate that RaaS affiliates of Noberus, also known as BlackCat/ALPHV, the successor to the DarkSide and BlackMatter ransomware gangs, are potentially resorting to corrupting files on local systems instead of encrypting them, with the release of a new “Exmatter” tool. BleepingComputer, citing research from Symantec on the “Exmatter” tool, reports that the new data extraction tool has been re-engineered to more stealthily gain a foothold and exfiltrate data from compromised systems – an essential complement for carrying out double-extortion attacks. Symantec researchers also confirm the ability of Exmatter to “corrupt processed files.”
- The Record reports that the leaked LockBit ransomware code could enable more widespread use of the ransomware file encryptor.
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory on Vice Society ransomware actors targeting the education sector. The Los Angeles Unified School District, the second largest school district in the country, was the latest victim of a Vice Society ransomware attack, which resulted in the loss of access to 500GB of data.
- CISA and MS-ISAC also released a ransomware guide, and CISA issued an RFI on new cybersecurity incident reporting under the proposed Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The proposed compliance requirements would compel companies to report significant cybersecurity incidents within 72 hours, and ransomware payments within 24 hours of the payment being made.
- Turning to nation-states, Ukraine has proven to be relatively cyber resilient in the ongoing conflict with Russia, in large part due to recovery from previous cyber attacks such as the infamous NotPetya attack in 2017. The significant support received from NATO is another decisive factor. It is suspected that Ukrainian-affiliated cyber actors hacked Russia’s Wagner Group, responsible for mercenary recruitment for the Russian armed forces, compromising the personal data of mercenaries.
- CISA reports that Iranian nation-state actors gained access to the Government of Albania’s network 14 months before launching a devastating ransomware and wiper malware attack on that country in July. Albania has since severed diplomatic relations with Iran as it tries to recover data and restore public service operations.
Concluding Thoughts & Recommended Actions
The data point to an increasing threat of ransomware-related breaches in the short-to-medium term. Key industry verticals receive a disproportionate share of attacks, including financial services, technology, and more recently the education sector. The threat of nation-state-sponsored attacks, as witnessed recently in Albania, is of growing concern. Increasing geopolitical tension and instability are likely to raise the probability of state-sponsored ransomware campaigns disrupting key public services.

As the ransomware threat grows, adopting a defense-in-depth strategy is essential. One key attribute of hardening your information systems against ransomware attacks is leveraging a machine learning, behavioral-based cybersecurity solution like Tessian that can detect anomalous behavior on email as it arises.
To see how Tessian prevents ransomware attacks and provides data loss prevention (DLP), watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.
Podcast
U.S. Secret Service’s Andrew Frey on Why Business Email Compromise Works
By Andrew Webb
Tuesday, September 27th, 2022
Andrew Frey is a Forensic Financial Analyst for the San Francisco Field Office of the U.S. Secret Service, working in the Cyber Fraud Task Force. As one of the most knowledgeable people in the US Government on the threat of Business Email Compromise (BEC), Andrew works directly with companies and individuals to gather intelligence on the cybercriminals behind these attacks and helps recover lost funds when wire fraud has occurred. In a recent episode of the podcast, he spoke to Tim Sadler about attacks he’s investigated, explained how lost funds are recovered, and said why he believes BEC is on the rise. Listen to the whole episode here, or read on for three key Q&As from the interview.
Why are BEC attacks growing more frequent and more effective?
I think that the answer is in the question – BEC attacks are growing in frequency because of their efficacy. BEC is an unprecedented type of cybercrime because of its enduring effectiveness. For most scams, widespread education brings their downfall – think IRS impersonation scams, lottery scams, and the Nigerian prince scam. Those schemes are all still around, but their heyday is over because most people have been made aware of them in one form or another. You also have organizations like banks and gift card retailers pitching in with warning signs or detection systems that help deter those scams with a high degree of effectiveness.

In the case of BECs there is now more education, communication, and detection technology than for just about any other scam, and yet they are still very common with no sign of becoming less so. The victim pool is also very broad. It isn’t just senior executives being targeted; we now see everyday people losing down payments on their new homes through BEC, for example. The victims also aren’t necessarily so-called ‘vulnerable’ or lacking in tech-savvy. Many victims are Fortune 500 companies – companies that most folks know by name and logo, companies with rigorous security and controls. So as long as the crime continues to have success, it is only going to grow.

What are the typical traits and characteristics of these attacks?
In almost every BEC case that I have worked there were red flags in hindsight. They could be as subtle as a different font, a different representative than the one you have always worked with, or even a different salutation. It is very rare that, when reviewing the email with hindsight, you don’t spot something that probably should have caught your eye.

As for who is targeted most frequently, it is tough to say, because each criminal organization probably has a favorite industry – one that they’ve spent time familiarizing themselves with to allow them to talk the talk in a convincing fashion. I am currently working on a case where about a dozen cities and counties were hit with millions of dollars in BECs, and this is a number that is growing by the day. Victims include city police departments and even some school districts, and part of what has made them appealing targets is that so many of their suppliers, and the amounts and frequency paid to them, are publicly available online. This takes a lot of the work out of the process for the criminals. In some instances a cyber intrusion isn’t even necessary, because the criminal actor could impersonate the supplier or the municipality’s finance director and request payment without any intrusion. Cases like this are becoming more and more common.

How do you recover lost funds? What is important to know for people who one day might be victims of these kinds of attacks?
We have a number of tools at our disposal that can help recover funds, including cryptocurrency and funds that have been wire transferred abroad, which is common these days. As a victim, the key is timely notification to law enforcement. I personally receive one to three reports of BEC a week, and the recovery rate is actually a lot better than you would imagine. I think people think BECs aren’t recoverable, and that is not accurate, but timing is everything.

When I am notified of a BEC I immediately work with the relevant financial institutions to trace the funds, and I won’t stop until there is a definite dead end or the money is recovered. Simultaneously, we might be arranging for an exam of the victim’s network by one of our network intrusion responders to gather evidence for a criminal investigation. But really, one of the best ways we help is proactive education. We try to get out there and provide a resource for companies and institutions so that when any kind of cyber incident happens, they know who to call.

In terms of more general advice, businesses need to practice good cyber hygiene. That means anti-phishing training, using complex unique passwords, and changing passwords frequently. It is also very important to prep yourself before an attack occurs by having an incident response plan with clearly outlined roles. That way, if something does happen, you don’t have a half dozen people trying to figure out who to call and what to do.
For more of Andrew’s anecdotes and further discussion, listen to our Tessian Podcast episode here. You can also visit the Secret Service website for more information.
Remote Working, ATO/BEC, Data Exfiltration
Cybersecurity Awareness Month 2022: 12+ Free Resources
By Andrew Webb
Sunday, September 25th, 2022
October is Cyber Awareness Month, and this year’s theme is “See Yourself in Cyber.”

Fun fact: Cyber Awareness Month started back in 2004, the same year a former AOL software engineer stole 92 million screen names and email addresses and sold them to spammers. Sadly, that’s peanuts compared to more recent breaches. Incidents involving insider threats are at an all-time high, phishing incidents are doubling and even tripling in frequency year-on-year, and the cost of a breach is now over $4 million. This is all to say that cybersecurity is more important than ever. And at Tessian, we live by the motto that cybersecurity is a team sport. So, to help you educate and empower your employees, we’ve put together a toolkit with over a dozen resources, including:
You can download them all for free, no email address or other information required. But that’s far from the only content we have to share…

CEO’s Guide to Data Protection and Compliance
By 2024, CEOs will be personally responsible for data breaches. So it’s essential they (and other execs) understand the importance of privacy, data protection and cybersecurity best practices. To help you out, we’ve published an eBook which breaks down:
- How different regulations have changed how businesses operate
- How cybersecurity and compliance can be leveraged as a business enabler
- The financial and operational costs of data breaches

OOO Templates
OOO emails can contain everything a hacker needs to know to craft a targeted spear phishing attack:
- Where you are
- How long you’ll be gone
- Who to get in touch with while you’re away
- Your personal phone number
Use these templates as a guide to make sure you don’t give too much away.

Human Layer Security Knowledge Hub
Cyber Awareness Month is all about raising awareness and sharing best practices, and we know the #1 source of trusted information and advice for CISOs is… other CISOs. That’s why we’ve created a hub filled with dozens of fireside chats and panel discussions about enterprise security, spear phishing, data loss prevention, leadership, and the human element. Sign up for free and hear from some of the biggest names in the industry.

You Sent an Email to the Wrong Person. Now What?
Did you know that at least 800 emails are sent to the wrong person every year in organizations with 1,000 employees? While it’s easy to shrug something like this off as a simple mistake, the consequences can be far-reaching and long-term. Learn more, including how to prevent mistakes like this.

6 Best Cybersecurity Podcasts
While we’re partial to our own podcast – RE: Human Layer Security – we’ve learned from the best in the business. To get our fix of cybersecurity breaking news, threat intel, and inspiring interviews, we regularly tune into these podcasts:
- The CyberWire Daily
- The Many Hats Club
- WIRED Security
Get the full breakdown here.

How to Get Buy-In For Security Solutions
As a security or IT leader, researching and vetting security solutions is step one. Step two involves convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost. This is easier said than done… So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives? We talked to security leaders from some of the world’s most trusted and innovative organizations to find out what they do to get buy-in from CxOs. Here’s a summary of their tips.

Ultimate Guide to Staying Secure While Working Remotely
While most of us have been working remotely or in a hybrid environment for well over a year, we know that more than half of IT leaders believe employees have picked up bad cybersecurity behaviors since working remotely. This eBook offers plenty of helpful reminders, including:
- The risk involved in sending work emails “home”
- Why using public Wi-Fi and/or your personal device as a hotspot aren’t good ideas
- Best practice around using cloud storage to share documents
- How to physically protect your devices
- Top tips for businesses setting up remote-working policies

What Does a Spear Phishing Email Look Like?
We know you’re working hard to train employees to spot advanced impersonation attacks… but every email looks different. A hacker could be impersonating your CEO or a client. They could be asking for a wire transfer or a spreadsheet. And malware can be distributed via a link or an attachment. But it’s not all bad news. While – yes – each email is different, there are four commonalities in virtually all spear phishing emails. Download the infographic now to help your employees spot the phish.

The Risks of Sending Data to Your Personal Email Accounts
Whether it’s done to work from home (or outside of the office), to print something, or to get a second opinion from a friend or partner, most of us have sent “work stuff” to our personal email accounts. And, while we might think it’s harmless… it’s not. In this article, we explore the reasons why employees might send emails to personal accounts, why sending these emails can be problematic, and how security leaders can solve the problem.

Looking for more helpful content? Sign up to our weekly newsletter, or follow us on LinkedIn and Twitter (or do all three!).
ATO/BEC, Integrated Cloud Email Security
Product Update: Enhanced Security Event Filtering and Reporting
By Swati Aggarwal
Thursday, September 22nd, 2022
Our latest product update for our Advanced Email Threat Prevention module, Tessian Defender, improves the efficiency of security event filtering through new and easy-to-navigate event filters. We have also improved malicious email reporting, resulting in improvements to our detection efficacy.
New and enhanced filters for more efficient event filtering
The enhanced event filtering interface improves confidence and control for security admins using Tessian’s portal. It enables security admins to efficiently filter and find security events, so that security teams can respond faster.

Some of the new and enhanced filters include:
- Original filter location: the folder location of the email at the time of delivery to the end-user’s mailbox.
- Attachment filter: whether the email contains attachments or not.
- Phishing simulation filtering: to exclude or include phishing simulations.
- Confidence level filtering: to filter on high/medium/low confidence level events.
Improved end-user reporting capability
Improvements to malicious email reporting further improve the ability to recall malicious emails from inboxes, as well as improving detection efficacy. After a security admin reports a malicious email, future emails that share the same characteristics are automatically quarantined in the portal – reducing cyber risk.

Why these updates matter: quicker response time and improved detection efficacy
In a hypothetical example of attempted Account Takeover (ATO), Tessian flags suspicious emails as potentially malicious. After receiving an alert, security admins using the Tessian Cloud Email Security Platform analyze all suspicious emails marked with a high degree of confidence and take appropriate action. The new event filtering capability further speeds up this process, enabling security admins to filter all security events by event type, confidence level, user response and quarantine status, while also allowing them to exclude events classified, for example, as phishing simulations – improving response times. The new labeling feature incentivizes customers to report malicious emails. This, in turn, improves the detection efficacy of the platform’s algorithms with each reported email.

Every minute counts in reducing cyber risk
Time is of the essence in triaging security events on email. Our engineering teams are working relentlessly to cut response times and give time back to security teams. These latest product updates do just that, enabling our customers to reduce the time spent on event triage while also improving detection efficacy. To see how the Tessian Cloud Email Security platform intelligently prevents ransomware attacks and protects against data loss, watch a product overview video or book a demo.
For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.
ATO/BEC
The Three Biggest Problems Facing Law Firm Security Leaders Right Now
By Andrew Webb
Thursday, September 22nd, 2022
Law firms handle some of the most sensitive and confidential information in any sector. Not only that, there are huge pressures on employees to ensure the right verdict for the firm’s clients. Add to this the large sums of money at stake in any court case and you can see why they represent nice juicy targets for bad actors/ . We spent the summer talking to law firm security leaders and technologists at various conferences. Here’s the problems they detailed and how they mitigate them.    Free as in domains   Law firms are public facing, customers can and do come in all shapes and sizes. Consequently many individual clients will use freemail email addresses. Increasingly many small businesses are also turning to services like Gmail for their email needs. Consequently, blanket banning freemail domains doesn’t work, and having to maintain and update a whitelist of individuals is a drag. What’s more, by banning freemail domains, you could potentially be costing the business money in the form of lost clients. This is where Tessian comes in. It looks beyond the domain to deeper within the content – and context –  of an email to understand the sender’s intent.
Partners going rogue Partners run the firm – it’s literally their names on the wall in reception – consequently they tend to act in a manner that they see fit, emailing case notes to their personal addresses to read later on that commute or vacation. You can’t stop them doing that – they’re the bosses, but with Tessian, you can track high profile users to understand what is being sent where and by who.   It’s not just the partners that can present problems. Lawyers are incredibly busy people juggling lots of information via email and trying to build a case around it. Statistically, that means that someone’s gonna hit the reply all rather than the reply button. Tessian’s in the moment notifications catch these human errors and alert the user to any potential dangers. It happens more times than you think.   The result depending on your jurisdiction could be serious compliance violation fines. Indeed, nearly half (48%) of the top 150 law firms in the UK have reported data breaches since the GDPR came into force in May 2018. And, of those breaches, 41% were a result of emailing the wrong person.
Forwarding exhibit A   Many law firms didn’t adopt email until the 1990s. In 1996 the UK’s leading legal technology expert, Richard Susskind, was almost banned from speaking and labelled ‘dangerous’ for predicting that lawyers would use email as their main communication method in the future, and was accused of “…bringing the profession into disrepute!” That was over 30 years ago, but technology is now everywhere. Indeed some of the biggest vendors at ILTACon were offering smart screens and projects that can access digital content from emails and shared company drives. As more case notes and legal content goes digital, the potential for email as a means of mis-distributing and mis-sharing this information grows exponentially.
Of course, these three issues sit on top of all the regular ones security leaders in any sector face: rising threats, more advanced attacks and the cost of a breach rising exponentially. Tessian is trusted by over 150 of the world’s leading law firms. They rely on Tessian to protect their organizations from advanced email threats, data exfiltration and accidental data loss. Get in touch today and see how we can help your firm.
Data Science, ATO/BEC, Integrated Cloud Email Security
Product Update: Improvement to Algorithms Sees 15% Increase in Detection of Advanced Email Threats
By Jhamat Mahbubani
Tuesday, September 13th, 2022
Innovations in machine learning have fundamentally changed the email security landscape. To stay ahead, and to ensure that we are protecting our customers from new and advanced email threats, we need to continually improve our machine learning algorithms. Most recently, Tessian’s data science team updated our platform’s Behavioral Intelligence Modeling algorithms to detect advanced social engineering threats.
The result? A 15% increase in the detection of advanced email threats, including impersonation spear phishing and account takeover (ATO) attacks.
The growing threat of advanced social engineering attacks
Social engineering attacks like impersonation and ATO attacks are a growing threat, with ATO attacks witnessing +300% growth over the last three years.
Impersonation and ATO attacks are a notoriously difficult type of advanced email threat to detect and prevent. This is because the threat actors either impersonate a trusted party or, in the case of ATO, send the emails from a legitimate source: either an already compromised account within the organization, or a compromised vendor in the supply chain.
Traditional, rule-based email security solutions, like Secure Email Gateways (SEGs), which enterprises have relied on for decades, offer little protection against these types of attack. Why? Because legacy solutions like SEGs and the built-in security from cloud providers are unable to detect adaptive and unknown threats for which no prior indicators of compromise have been reported.
This makes the case for why security and risk management teams must move away from a rule-based approach to one that analyzes behavior instead.
This behavioral approach should leverage machine learning, Natural Language Processing (NLP), Behavioral Intelligence and Global Threat Feeds to automatically determine whether an email sent to an end-user at a particular time is an advanced threat.
A machine intelligent approach to email security
Encouragingly, an increasing number of security leaders are realizing the need to adopt machine intelligent solutions to tackle the persistent threat of advanced email attacks. In fact, over half of cybersecurity leaders (58%) surveyed in a 2022 Forrester Consulting report said that they are actively looking to displace SEGs with the next generation of email security solutions. These solutions, like Tessian, leverage machine learning to help organizations mitigate risk on email.
The importance of machine learning powered cybersecurity solutions was similarly recognized by IBM’s Cost of a Data Breach Report for 2022. IBM reported that the average cost of a data breach was $3.05 million less in organizations that had deployed security artificial intelligence (AI) than in those that had not. What’s more, 66% of security leaders from across the world believe that AI and machine learning enable faster threat detection on email, and 56% say they make threat detection more accurate.
Continual improvements to our algorithms are important to ensuring we quickly and accurately detect new and unknown threats on email, keeping our customers and their data safe and secure.
Learn more by speaking to our experts and seeing our machine learning algorithms in action.
ATO/BEC
When a Breach is More Than Just a Breach
By KC O'Carroll
Monday, September 12th, 2022
Sometimes, what looks like a harmless third-party breach notification can lead on to other, more targeted attacks. In this article, Tessian’s Head of Security Engineering & Operations explains how.
There is a deluge of breach notifications for defenders to track, monitor, and respond to. When triaging a breach notification for a third-party service, the first instinct is to review the exfiltrated data and evaluate the impact to users.
When that data comes back as non-sensitive, defenders will oftentimes stop analysis there and breathe a sigh of relief. Unfortunately, as some recent breaches make clear, evaluating risk and impact isn’t that simple.
Two confirmed identity points
Take Twitter’s July breach as an example. In the notification, Twitter confirmed the exposure of 5.4 million emails as well as associated phone numbers that had been used for two-factor authentication (the problem with using phones for 2FA is a topic for another time). No passwords were exposed, so it’s simply a minor irritation for the impacted users, right?
Well, not always. Things get more complicated when we consider what an attacker might be able to pivot to with two confirmed identity traces like an email address and a mobile number.
Smishing attacks
At the low end of the sophistication scale, the phone numbers (which, remember, have been confirmed as active to the attacker by virtue of their use as an auth factor) can be targeted with waves of SMS-based phishing attacks. Anecdotally, Tessian has received reports of an increase in these attacks for users who had a number tied to their Twitter accounts.
Moving up in complexity, a SIM swap attack paired with a compromised password can yield access to other accounts using the same email address. Credential pair reuse across multiple sites can make a single breach keep yielding dividends to the attacker for months.
Secondary attack vectors
These are well-known post-breach secondary attack vectors that have had a lot of visibility over the years. Less well known is the gray market for end-user data used to enable scams and sales of questionable products and services, popularly known as crapware.
Quite a few people have heard of tech support scams, where an overseas scammer will call an elderly person and pretend to have valuable security services to offer. Less well known is how these scammers get access to phone numbers in the first place.
As we can see here, third-party data brokers offer resales of “warm leads” for tech support scams targeting English-speaking countries to call centers around the world. It’s easy enough to buy or otherwise acquire breach data for this purpose, though it’s important to note that data brokers don’t always stop at legal means of targeting users.
This particular data broker kindly offers pop-up campaigns, better known as fake blue screens in the browser that force the user to call an 800 number to unlock. So while buying gray market data can be lucrative for brokers, they certainly aren’t limited to it.
How to protect against attacks
So how do we protect against the impact of a secondary attack vector like this? First, end users should be encouraged and enabled to use software authenticators or hardware tokens. SMS-based attacks are widespread and tough to mitigate.
Secondly, security tooling that identifies a departure from normal email traffic can be more effective than relying on end-user reporting. Tessian’s own deployment of our product alerts us to unusual trends in email traffic, which we in turn use for campaign tracking and for prioritizing SecOps team resources. An eye on what’s normal and what isn’t serves as our first line of defense against malicious activity. Stay vigilant and stay secure.
To see how Tessian prevents ATO attacks and protects against data loss, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.
ATO/BEC
52% of U.S. Healthcare Insurance Providers At Risk of Email Impersonation During Open Enrollment
By John Filitz
Monday, September 5th, 2022
Over half of the top 25 U.S. healthcare insurance providers are at risk of having their domain spoofed by threat actors looking to target individuals via advanced phishing and email impersonation attacks as open enrollment begins on 1 November 2022.
In our analysis, we found that 52% of the top healthcare insurance providers in the U.S. either do not have DMARC (Domain-based Message Authentication, Reporting & Conformance) policies set to the strictest setting, or do not have DMARC set up at all to prevent abuse of their domain on email.
Why is DMARC important in preventing impersonation on email?
Nearly all cyberattacks in enterprises start with a successful spear phishing attack. This often involves a threat actor directly impersonating the email domain of a recognizable, trusted or well-known organization.
There are a number of policies and protocols that prevent direct impersonation of an organization’s domain on email. In their simplest form, SPF and DKIM are email authentication records that allow receiving mail systems to validate the sending domain of an inbound email. DMARC enables organizations to specify how receivers should respond to emails that fail these SPF or DKIM checks: generally reject, quarantine, or take no action.
In the absence of authentication records, bad actors could easily create legitimate-looking emails that appear to come from the organization’s domain, while the recipient of the malicious emails would have no way to validate the sender’s authenticity.
In the case of the insurance providers that do not have DMARC records in place, or do not have the DMARC policy set to ‘reject’, there is a very real opportunity for threat actors to impersonate the provider’s domain in spear phishing campaigns, convincing their targets that they are opening a legitimate email from their healthcare insurance provider.
What risk does this pose to individuals?
Open enrollment, the yearly period in which people in the U.S. can enroll in a health insurance plan for the next calendar year, begins on 1 November 2022.
As open enrollment becomes available for employees and people seeking healthcare options, threat actors will likely take advantage of this time to target unsuspecting people, using the timely hook as a lure in their scams. We’ve noted in previous blogs how cybercriminals take advantage of timely or trending moments to make their phishing attacks more convincing.
By impersonating a trusted insurance provider, cybercriminals could trick people into sharing personally identifiable information, including social security numbers, financial information, or even confidential medical details, which, if it got into the wrong hands, could be used to perpetrate identity fraud.
Advisory to healthcare insurance companies and the public
As open enrollment begins, healthcare insurance providers must ensure they are taking every measure to protect their domain from misuse over email.
Equally, it’s important that employees signing up for new benefits, as well as HR personnel, are made aware of the potential scams that could land in their inbox during this period. Advise people that if they receive an email from their provider asking for urgent action or financial information, they must take the time to check it and question the legitimacy of any request. If they’re ever unsure, they should contact the insurance company directly to verify, or only read correspondence in the insurance provider’s portal.
A more intelligent approach to email impersonation attacks
While DMARC is certainly a necessary first step to prevent domain impersonation over email, it’s not without its shortcomings, and cybercriminals can find ways around it.
For example, DMARC won’t stop lookalike domains: there’s nothing stopping threat actors from registering a lookalike domain and betting on the fact that victims may not notice the slight change. Furthermore, DMARC records are inherently public, and an attacker can use this information to select which domains they can directly impersonate, along with their targets and attack methods, simply by identifying providers that do not have DMARC policies configured to the strictest settings.
In addition to ensuring DMARC records are set to the strictest standard, security teams at healthcare insurance providers should also question whether they are equipped to safeguard against email scams. They should consider whether a more intelligent approach to email security is needed to stop staff and customers falling victim to advanced email impersonation attacks.
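The DMARC policy check described above and the lookalike-domain caveat, as an added example that is not part of the original post: it parses DMARC TXT records, sorts them into the article’s buckets (no record, not strict, strict), and works out what a receiver would do with a spoofed message under each policy. All domains and records are constructed placeholders, and nothing is looked up in DNS.

```python
"""Added example, not from the Tessian post. Parses DMARC records, classifies
them as the article does, and models a receiver's disposition, including the
caveat that a lookalike domain with its own DMARC record still passes DMARC.
All domains and records are constructed placeholders; no DNS is queried."""

# Constructed sample records, keyed by the domain whose _dmarc TXT they would be.
SAMPLE_RECORDS = {
    "insurer-strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@insurer-strict.example",
    "insurer-quarantine.example": "v=DMARC1; p=quarantine; pct=100",
    "insurer-monitor.example": "v=DMARC1; p=none; rua=mailto:reports@insurer-monitor.example",
    "insurer-missing.example": None,          # no _dmarc TXT record published at all
}
# Placeholder lookalike domain an attacker could register, with its own valid record.
LOOKALIKE_DOMAIN = "insurer-str1ct.example"
LOOKALIKE_RECORD = "v=DMARC1; p=reject"

def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record, or None if absent or invalid."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None
    return tags

def classify_policy(record):
    """Map a record onto the article's buckets: missing, not-strict, or strict."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"
    return "strict" if tags["p"].lower() == "reject" else "not-strict"

def audit(records):
    """Count domains per bucket, as in the article's survey of providers."""
    counts = {"missing": 0, "not-strict": 0, "strict": 0}
    for record in records.values():
        counts[classify_policy(record)] += 1
    return counts

def dmarc_disposition(record, header_from, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """Simplified receiver decision: DMARC passes if SPF or DKIM passed AND that
    mechanism's domain equals the RFC5322.From domain (strict alignment; the pct
    and sp tags are ignored). Otherwise the published p= value applies."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"              # receiver has nothing to enforce
    spf_aligned = spf_pass and spf_domain == header_from
    dkim_aligned = dkim_pass and dkim_domain == header_from
    if spf_aligned or dkim_aligned:
        return "pass"
    return tags["p"].lower()            # none, quarantine or reject

if __name__ == "__main__":
    print(audit(SAMPLE_RECORDS))
    # A spoofed From: header with no aligned authentication, under each policy.
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, dmarc_disposition(record, domain, "attacker.example", True, None, False))
    # The lookalike sends from its own domain, so its own record passes.
    print(LOOKALIKE_DOMAIN, dmarc_disposition(LOOKALIKE_RECORD, LOOKALIKE_DOMAIN,
                                              LOOKALIKE_DOMAIN, True, None, False))
```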
To see how the Tessian Cloud Email Security platform intelligently prevents advanced email threats and impersonation attacks, watch a product overview video or book a demo with us today.
Integrated Cloud Email Security
Product Update: Enhanced Event Triage to Speed Up Detection and Response to Malicious Emails
By Swati Aggarwal
Thursday, September 1st, 2022
Introducing our latest product update, designed to improve security event triaging efficiency for security admins using the advanced email threat prevention module, Tessian Defender, in the Tessian portal.
The enhanced event triage update not only gives security admins greater control and confidence in preventing advanced threats from reaching corporate inboxes, it also gives valuable time back to security teams.
How does it work?
When Tessian flags an email as potentially malicious, security admins can quickly analyze it within the Tessian portal and assess whether or not it is malicious. If the email is deemed safe, the security admin can release it to every affected end-user’s inbox with a single click; if it is malicious, they can delete it from the end-users’ quarantine, and delete any released copy from the users’ inboxes, with a single click. As a result, security teams can significantly reduce the risk of an end-user interacting with a malicious email.
This capability extends to bulk remediation of large-scale phishing attacks, a.k.a. burst attacks, that affect multiple end-users.
This update builds on our previous update, which gave security admins visibility of the full body of flagged emails and improved the labeling workflow.
Greater efficiency and control for the Security Operations Center
Triaging security incidents on email is a time-intensive task. In fact, research shows that security teams relying on legacy email security software spend as much as 9-12 hours detecting and responding to each email security incident.
With this latest product update in the Tessian portal, our customers are able to cut the time spent on event triaging down to minutes, significantly reducing the risk of an end-user engaging with a malicious email and reducing the administrative burden on security admins.
Every one of our product updates is part of our continuous effort to improve the experience we provide our customers and to give security teams peace of mind and confidence in their email security solution. To see how the Tessian Cloud Email Security platform intelligently prevents ransomware attacks and protects against data loss, watch a product overview video or book a demo.
Threat Intel
Tessian Threat Intel
By John Filitz
Tuesday, August 30th, 2022
A growing incidence of multi-factor authentication (MFA) compromises is dominating the threatscape.
The recent breaches at Cisco and Twilio were part of a large phishing campaign that resulted in close to 10,000 credentials at 130 organizations being compromised. Another noteworthy MFA attack was the recent adversary-in-the-middle (AiTM) compromise at Microsoft, impacting over 10,000 organizations. We’re also tracking the persistent and growing challenges posed by ransomware and nation-state campaigns.
Sign up for our Threat Intel update to get this monthly update straight to your inbox.
The use of MFA is an essential security control but has been over-hyped as providing fail-safe protection.
Social engineering using phishing for credential theft is central to recent MFA compromises.
Phishing attacks are escalating month over month to record highs.
MFA bypass attacks targeting organizations that use Microsoft 365 are on the rise.
ATO attacks are increasing and disproportionately targeting the financial sector.
Ransomware attacks are increasing and are targeting the industrial sector.
The threat posed by nation-state cyber campaigns is expected to persist and increase as geopolitical tensions escalate.
The cost of a data breach is now $4.35m per incident. For healthcare that figure rises to $10.1m.
Phishing attacks are the costliest form of breach, coming in at $4.91m.
ATO attacks have increased by 307% in the last 2 years, with ATO-related losses increasing by 90% in 2021 alone.
Phishing attacks escalated to over 1 million attacks in Q1 2022, a new record.
The credential theft campaigns that resulted in the Cisco and Twilio breaches are part of a phishing campaign that made use of what has been dubbed the “0ktapus” phishing kit. This phishing campaign netted the Okta login credentials of almost 10k users at 130 organizations, mostly located in the US. Victims were targeted with an SMS phishing campaign linking to a malicious site that captured Okta login credentials and 2FA codes. The credentials were then used to gain access to the corporate networks of the affected companies via VPNs and remote devices.
The recent Microsoft 365 MFA-related compromises were, according to Microsoft, attributed to the theft of a significant number of login credentials through a large-scale phishing campaign. Using the compromised credentials, threat actors were able to hijack users’ already authenticated sign-in sessions. The threat actors were then able to access victims’ mailboxes and carry out business email compromise campaigns against other targets.
According to Mitiga, a vulnerability inherent in Microsoft’s MFA implementation is at the heart of the compromise. In particular, the lack of regular re-authentication prompts for a user’s session, even when the user is provisioning applications of a sensitive security nature, such as registering a second authenticator application in their Microsoft profile, played a big role in enabling escalation of the compromise.
This weakness is further demonstrated in the Privileged Identity Management (PIM) feature of Microsoft’s MFA, which lets admin users request admin privileges only when needed. However, Microsoft does not prompt users to re-authenticate for this privilege escalation, on the basis that their existing session has already been authenticated. Compounding these vulnerabilities is the fact that there is no way for Microsoft 365 customers to override the native MFA behaviour and request additional re-authentication prompts.
According to NCC Group, ransomware attacks are up 47% compared to a month earlier, with the top 3 targeted industry verticals being industrials (32%), consumer cyclicals (17%) and technology (14%).
LockBit 3.0, Hiveleaks and BlackBasta are the top 3 trending ransomware groups, with Lazarus Group activity also increasing.
The threat of nation-state cyber campaigns is growing according to CSIS, with 86% of organizations indicating that they have recently been targeted on behalf of a nation-state.
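The missing re-authentication prompt described above is a detection opportunity for defenders even where the identity provider will not enforce it. The following is an added example, not code from the original post or from any vendor: it scans a stream of sign-in and activity events and flags security-sensitive actions (registering an authenticator, activating a privileged role) performed on a session that never completed MFA, whose MFA is older than a chosen window, or that is now driven from a different client than the one that completed MFA, which is the session-replay pattern of an AiTM attack. The event schema, field names and sample events are all constructed for this example.

```python
"""Added example, not from the Tessian post. Flags sensitive account actions
that happen without a fresh, same-client MFA on the same session.
Event format and sample data are constructed; this is not a vendor log schema."""
from datetime import datetime, timedelta

# Actions treated as sensitive; names are our own, not any identity provider's.
SENSITIVE_ACTIONS = {"register_authenticator", "activate_privileged_role"}

# Constructed sample events: each is one sign-in ("auth") or one "action".
SAMPLE_EVENTS = [
    {"ts": "2022-08-30T09:00:00", "user": "alice", "session": "s1", "client": "10.0.0.4",
     "type": "auth", "mfa": True},
    {"ts": "2022-08-30T09:05:00", "user": "alice", "session": "s1", "client": "10.0.0.4",
     "type": "action", "action": "register_authenticator"},      # fresh MFA, same client: fine
    {"ts": "2022-08-30T09:06:00", "user": "alice", "session": "s1", "client": "10.0.0.4",
     "type": "action", "action": "read_mail"},                   # not a sensitive action
    {"ts": "2022-08-30T09:10:00", "user": "bob", "session": "s2", "client": "10.0.0.5",
     "type": "auth", "mfa": True},
    {"ts": "2022-08-30T09:12:00", "user": "bob", "session": "s2", "client": "203.0.113.9",
     "type": "action", "action": "register_authenticator"},      # same session, other client
    {"ts": "2022-08-30T10:00:00", "user": "dave", "session": "s4", "client": "10.0.0.7",
     "type": "action", "action": "activate_privileged_role"},    # no MFA seen on session
    {"ts": "2022-08-30T08:00:00", "user": "carol", "session": "s3", "client": "10.0.0.6",
     "type": "auth", "mfa": True},
    {"ts": "2022-08-30T12:00:00", "user": "carol", "session": "s3", "client": "10.0.0.6",
     "type": "action", "action": "activate_privileged_role"},    # MFA is four hours old
]

def find_risky_sensitive_actions(events, max_age=timedelta(minutes=15)):
    """Return one finding per sensitive action lacking a recent, same-client MFA
    on its (user, session) pair. Events are processed in timestamp order."""
    last_mfa = {}   # (user, session) -> (time, client) of the latest MFA sign-in
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["session"])
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "auth" and ev.get("mfa"):
            last_mfa[key] = (ts, ev["client"])
            continue
        if ev["type"] != "action" or ev["action"] not in SENSITIVE_ACTIONS:
            continue
        seen = last_mfa.get(key)
        if seen is None:
            reason = "no-mfa"               # session never completed MFA in our view
        elif seen[1] != ev["client"]:
            reason = "client-mismatch"      # session token now used from elsewhere
        elif ts - seen[0] > max_age:
            reason = "stale-mfa"            # no re-authentication before sensitive step
        else:
            continue
        findings.append({"ts": ev["ts"], "user": ev["user"], "session": ev["session"],
                         "action": ev["action"], "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in find_risky_sensitive_actions(SAMPLE_EVENTS):
        print(finding)
```

The window in max_age is the re-authentication interval a team would want the provider to enforce; tightening it turns more of the "already authenticated" cases into findings worth reviewing.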
The recent MFA compromise breaches indicate the limitations of this single security control, and are resulting in an increasing number of successful ATO attacks.
As threat actors become more sophisticated, adopting a defense-in-depth strategy is essential. One key attribute of hardening your information systems against ATO attacks is leveraging machine learning powered, behavior-based cybersecurity like Tessian that is able to detect anomalous behavior as it arises, including after an attacker has effectively bypassed security controls such as MFA.
To see how Tessian prevents ATO attacks and protects against data loss, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.