Request a Demo of Tessian Today.

Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.

State of Email Security 2022: Every Company’s Riskiest Channel |  Read the Full Report →

Threat Intel
“No Pain No Gain” Impersonation Campaign – Sending Stolen Credentials to Telegram Group
by Catalin Giana Thursday, November 10th, 2022
The Tessian Threat Intel team discovered a new Microsoft impersonation campaign in the wild called “No Pain No Gain.” The campaign utilizes a Telegram API call to harvest credentials to a malicious chat group on the messaging platform – a common tactic that was first identified last year. The threat actors also relied on heavily encoding the malicious attachment.  Read further to see how we reviewed the attachment, and the steps we took to de-obfuscate it. We also show what the harvested credentials look like when received by the Telegram BOT API. The victim receives an email with an HTML attachment called Setup Outlook-mail.html. Upon opening it you are redirected to a page that impersonates Microsoft’s login, with the victim’s email address already embedded in the page.                                  Impersonated Microsoft login page
Although this is not impressive at this point. At face value it appears to be a run-of-the-mill impersonation campaign that has been seen before. Where it gets interesting is that upon inspecting the HTML page it is apparent that great effort was taken to obfuscate the code. Decoding the HTML attachment Obfuscated code
Step 1 The HTML page contains multiple layers of obfuscation that needed to be removed manually in order to reveal the original content. After escaping all the javascript-encoded characters we were left with a more readable script. Code snippet before base64 decoding Step 2 In order to reveal the actual HTML script we had to decode the string found in the data variable which we found out was base64 encoded. After another step of decoding and beautifying, we found the readable HTML code. Decoded data variable Outcome All the magic can be found in the code snippet above. What is unique about this campaign is the fact that instead of using a command and control server to store the stolen data, it is using the Telegram app, via the Telegram API to a malicious chat group on the messaging platform. The stolen information contains usernames and passwords that can be used to compromise Microsoft email accounts. The sent message also has the geolocation of the victim and the User-Agent that was used.
Telegram testing with our own channel We created a Telegram chat group for testing purposes to see exactly how the stolen data i.e. the credentials are harvested and sent out via the Telegram API (see graphic below). Using an impersonated Microsoft login-in page, the threat actors prompt the victim for a password, this triggers a pop-up message indicating that the first password entered is incorrect or too short. The victim is then prompted to submit a second password, which then appears to be a successful log-in.  In addition to harvesting the credentials, other collected data includes the victim’s IP address by using the ip-api.com service. All the stolen data is stored in the malicious Telegram chat group in the format below. Example of harvested credentials message  
When we use the getChat endpoint, we received the response below from the malicious Telegram group chat. We were able to identify the group ID, the group name and determine that the channel is private. Group ID   We were also able to determine that the malicious Telegram group chat has two members. Group Members   After further investigation we were unable to access the contents of the Telegram chat group due to privacy and security settings set by the threat actors. We based this determination on the fact that the value of the parameter “can_read_all_group_messages” is set to “False”. Privacy Settings
Indicators Here is a table of indicators that can be filtered or searched on in your logs for any potential past leaks, or signals for any attempts. Object Indicator Telegram Bot ID 5695672431:AAF0Bzm_wh3g13sO-CDFeWWC-k6kWv7-Emk Telegram Channel ID 5748272550 Email Attachment Filename [T1598.002] Setup Outlook-mail.htm Setup Outlook-mail.html Starting Text <script>var emai\u006c=” Telegram API Exfiltration [T1071.001] https://api[.]telegram[.]org/bot$botid_value/sendMessage?chat_id=$channel&text=$credentials $botid_value = the value that Telegram BotFather provides for the bot 5695672431:AAF0Bzm_wh3g13sO-CDFeWWC-k6kWv7-Emk $channel = the value of the channel at Telegram 5748272550 $credentials = The data that is being sent to Telegram and the fraud channel hosted there  
Conclusions and Recommendations  Don’t open attachments from unknown sources, especially if you weren’t expecting an Invoice/Outlook Setup/Resume etc. If you opened an attachment and you are still unsure please send it to your security team for review. Ensure that your organization utilizes an intelligent email security solution that can prevent and detect advanced impersonation campaigns. If you have security experience, you can open the HTML page in a text editor before running it, if it’s highly obfuscated as in the first screenshot above there is a high possibility that it’s likely to be malicious.  Additionally the US Cybersecurity and Infrastructure Security Agency (CISA) offers useful advice for staying safe as well as a list of free cybersecurity tools: The UK’s National Cyber Security Centre (NCSC) also has offers useful guidance for staying safe:
Read Blog Post
Threat Intel, ATO/BEC
Tessian Threat Intel Roundup: Advanced Phishing Attacks
by John Filitz Monday, October 31st, 2022
On the back of Cybersecurity Awareness Month in October 2022 with key recommendations to protect against phishing attacks, we delve deeper into the latest Phishing-as-a-Service offering known as Caffeine, first identified by Mandiant. We also unpack an impersonation campaign we identified in the wild called Logokit. And in other notable news, a misconfigured Microsoft endpoint storage vulnerability dubbed BlueBleed was exposed by researchers at SOCRadar, potentially exposing sensitive data for thousands of customers. Sign-up for our Threat Intel update to get this monthly update straight to your inbox.     • Phishing-as-a-Service (PhaaS) is now sold alongside Ransomware-as-a-Service (RaaS) on the dark web.  • The commercialization of these PhaaS exploit kits and threat actors’ services are removing the barriers to entry for carrying out attacks, at scale.  • The most recent offering is the so-called Caffeine PhaaS exploit kit that enables anyone to procure the kit and launch phishing attacks against Microsoft 365 targets.  • Tessian Threat Intel recently identified a Business Email Compromise (BEC) campaign in the wild called Logokit. • Logokit uses randomized spoofed pages and brand logos for purposes of harvesting login credentials. In one instance we found that a spoofed version of a Microsoft login page was being used in an attempt to capture credentials. • Researchers from SOCRadar identified six misconfigured Azure buckets which it has dubbed BlueBleed. • The BlueBleed exposure according to SocRadar is among the most significant B2B leaks ever, exposing sensitive data of 65,000 entities across 111 countries.  • Microsoft immediately rectified the privacy settings on the exposed buckets, thanking SOCRadar, however disputing the extent of the exposure.
Phishing remains a persistent threat and security challenge. Threat actors continue having significant success using social engineering attacks to compromise organizations. And there is no silver bullet to protect against social engineering attacks.    Only by adopting a multi-pronged, defense-in-depth security strategy will the risk of a social-engineering-related breach be reduced. Utilizing a best-in-breed solution that has advanced social engineering defense capabilities and that reinforces security culture strengthening like Tessian is increasingly essential to address an ever-evolving threatsc
To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Read Blog Post
Threat Intel
A day in the life of Tessian’s Threat Hunters
by Andrew Webb Thursday, October 13th, 2022
Our head of Threat Intelligence, Paul Laudanski, takes us through a typical threat hunting exercise and takes up the story… Threat hunting is the act of looking for the unknown; for an attack vector we don’t know anything about, for a new campaign, or changes to tactics, techniques and procedures. And there are always new types of attacks to contend with. When I find one type of threat, oftentimes that can snowball into finding other types of threats, so I keep hunting and pivoting and enriching the information that I find. Here’s a recent example…   At Tessian, we’re interested in attacks delivered via email and so I started off with a query looking for URL duplicates that have been sent in emails at least five times during September. I’m specifically targeting the “low and slow” type of attack, where the offenders do not want to alarm security tools and teams. They might be targeting a certain type of function or role for instance. 
Breaking this SQL query down, I search for URLs and the email subjects they are associated with, and how many times they were seen. I don’t want to see singletons but my gut tells me I don’t want to see anything less than 3 hits. Will I search for those as well? Yes, that is another type of search I run in another stream. But for now, my interest is in 5 or more hits. This approach revealed some interesting recurring URL path and filename values. This match, k7OIMyJhEU/page1.php  after the domain, was seen hundreds of times across many domains and their subdomains. Very much a low type of attack because it was spread across different domains. Tools don’t normally pick up on this type of occurrence, and it takes an intel analyst to find such behavior There were several full URLs with that exact pattern, and as I sampled some, Chrome was telling me they were bad. But I couldn’t get the ones I was sampling to actually load anything. So I updated my query to this:
This query now focuses on giving me all the URLs that match that directory pattern, because I want to see what this actually is. Here is a sample, with a subject containing Visa or Mastercard in it. We know from Chrome that some of these that I sampled are malicious.
The subject is detected by Google Translate as Japanese. Taking a sample subject from the above, I’m advised it translates to: “Visa card information on estimated payment amount”. Now I continue to pivot, and take a domain for further analysis: anl7ya[.]icu.   An open source investigation into said domain showed it is heavily involved in phishing and malware activity. Researching Passive DNS data for that domain, there are 191 records. Many of the subdomains were first seen on the 14th of September. None of this is good based on the threat signals around the domain and its activity.   The IP address associated with the domain, searching spam deny listed services reveals UCEPROTECT and Barracuda have it listed as being involved in spam campaigns.
So I started off with JST with an open mind and a theory, hunting and pivoting, trying to see what I could find. I found something for sure, and then started to enrich and dive deeper and go broader. Doing so gave me a lot more information we can use to build our own threat intel. This is called derivative data, and it helps to spot the attacks on a broader scale, otherwise we might miss additional attack vectors   Ultimately, in my open source queries I found a snapshot reported by a Twitter user:  
As a threat intelligence team, we work hard to ensure customers are protected against this and other types of behavior by leaning in and being engaged with the intelligence. We want to focus on what is called the Pyramid of Pain. Here we have indicators we can use to detect and protect against, and we can also move up the pyramid and look at the patterns, in this case, it doesn’t matter what the domain is, so long as we see “k7OIMyJhEU/page1.php”, we can detect it and look to protect against it. Hence our coverage is broad, and we add another query into our playbook that we can automate and spot any changes or new patterns of threats.   This is fun and exciting work, I enjoy working with the unknown and making actionable sense of intelligence. If you’d like to join me, check out our open roles here. 
Read Blog Post
Integrated Cloud Email Security, ATO/BEC
1 in 5 Chief Information Security Officers (CISOs) Work More Than 25 Extra Hours Per Week
by Andrew Webb Tuesday, October 11th, 2022
A career in Infosec can be demanding. And as recent headlines have shown, the stakes have never been higher as Chief Information Security Officers (CISOs) are charged with keeping all facets of their organization protected online. This constant vigilance also results in security pros regularly working extra hours and overtime, and even missing holidays, to keep the company secure.    We recently took an updated look at how overworked and stressed CISOs are in 2022, following our inaugural CISO Lost Hours report last year. This year, we learned that CISOs are working more than ever which is contributing to stress, fatigue and feelings of burnout: 18% of security leaders work 25 extra hours a week, which is double the amount of overtime that they worked in 2021.    Some overtime or extra hours worked can be unavoidable, but the consequences of habitual overwork are real. Our recent study shows that employees are more likely to make mistakes when they’re tired or stressed, which could have serious consequences for security pros. 
Here are the highlights:   CISOs are working overtime and can’t always switch off from work   The demands of the CISO role mean they are putting in significant overtime – about two extra work days per week. The study found that on average, CISOs work 16.5 hours over their contracted weekly hours, an increase of 11 hours from last year. What’s more, many have adopted an “always on” way of working. Three-quarters of security leaders report being unable to always switch off from work, while 16% say they can rarely or never switch off.    Last year, we learned that CISOs were missing out on important personal and social events outside of work like holidays, family vacations and even workouts and doctor appointments due to the nature of their role. Even if security leaders are able to attend these events, the “always on” mindset takes away from being fully present during these moments.
The size of the company makes a difference   The survey also found that security leaders at larger companies are putting in more overtime. CISOs at smaller companies (10-99 employees) report working an average of 12 extra hours a week, whereas those in the same role at a company with 1,000+ employees report working an extra 19 hours.    On the other hand, security leaders at small companies say they have more difficulty creating boundaries between work and home life. Twenty percent of CISOs at these companies say they can always switch off from work, compared to 31% of those at larger companies.
Overworked employees make more security mistakes   Many overworked and burnt-out employees are finding resolve in “quiet-quitting” where employees do the bare minimum of their job requirements. However, CISOs don’t have that luxury. They’re putting in more hours and can’t switch off from work just to keep up with the demands of the job.    Unfortunately, the Great Resignation has impacted the IT industry, with IT employees being the most likely to look for a new job, according to another Tessian data report from earlier this year. We’ve also learned that employees are more likely to make security mistakes when they’re tired or stressed. In fact, 47% of employees cited distraction as the top reason for falling for a phishing scam, and 41% said they accidentally sent an email to the wrong person because they were distracted. While accidentally sending an email to the wrong person might seem small, mistakes like these can lead to serious cybersecurity incidents like data loss or a breach.    While no employee should ever be shamed or punished for making a security mistake at work, it’s mistakes like these that can contribute to the extra time CISOs are putting in at work. According to a separate survey conducted by Forrester and commissioned by Tessian, employee-related security incidents take up a significant amount of CISOs’ time. In fact, the survey found that security teams spend up to 600 hours per month investigating and remediating threats caused by human error – the equivalent of nearly four employees’ full-time workloads.
So what can CISOs do to create a better work / life balance?   Lean on your team: While CISOs are the Head Honcho within IT and security teams, that doesn’t mean they have to do everything. It’s okay to ask for help, prioritize, and then divide and conquer. Beyond their immediate team, CISOs can also work closely with other members of the C-Suite – like the CFO – to adopt new tools that automatically prevent threats and give CISOs some time back in their day. Set boundaries and stick to them: It can be difficult to establish a division between work and life. With mobile access to Slack, email, and Google Docs, “work creep” can seem inevitable. Similarly, if you’re working from home, personal tasks can take up mental space that could compromise your productivity. That’s why you need to define your work space and working hours, and try to create healthy habits that give you a chance to recharge. For some it might be a walk or making time to connect with kids during a lull in active work. These mini breaks can also make a big difference in recharging your battery.    Unplug: This is easier said than done, especially when CISOs are considered the superheroes of any organization. “When duty calls”, right? Yes and no. If you don’t take time for yourself, you won’t be up for the job. You also won’t model the kind of the habits that will help up-and-comers in your organization to see a path to balanced work and life if you don’t figure it out for yourself. Consider mindfulness apps for day-to-day relaxation, and limit the number of people who have access to you while you’re OOO.
Read Blog Post
Integrated Cloud Email Security
Product Update: Advanced Malicious URL Protection
by James Alliband Thursday, October 6th, 2022
The threat caused by malicious, embedded URLs will grow as Business Email Compromise (BEC) attacks increase. Only a behavioral-based approach that involves a thorough examination of the URL content contained within the email body and its attachment allows you to reduce the risk of a URL-based email compromise.   Differentiating from the SEG   While URL link rewriting, also known as time-of-click protection, is offered by legacy email security providers, such as Secure Email Gateways (SEGs), it has major restrictions on the level of security it can provide. The problem is that your protection is only as effective as the rules and policies you create and how up-to-date the threat detection engine of known threats is.   Tessian enhances the protection against known and unknown malicious URLs by ensuring they are detected and retrieved from both the email’s body as well as any attachments that may include them. From here the URLs are analyzed against known and unknown indicators of compromise (IOC).
Cyber Criminals break the rules   The static, rule-based approach to malicious URL detection offered by legacy email security presents an open opportunity for threat actors to circumvent them using a range of obfuscation methods. For example, in a well-documented case of APT 39’s malicious URL campaign, the cyber criminals were able to hide malicious links within attached files and bypassed the rule-based SEGs of numerous victims.   
Five Shortcomings of URL Link Rewriting Protection    Here are five additional reasons why URL Link Rewriting falls short in protecting your organization from malicious URLs:   URL link rewriting is an overly manual security control prone to human error   It requires a significant degree of manual security rule and policy orchestration. The static nature of URL policy and rule orchestration also opens up the probability of human error introducing security risk, by either failing to set the appropriate degree of URL scanning intensity, or failing to include appropriate user groups.      URL link rewriting is ineffective at protecting against zero-day attacks   It only offers protection against known threats and limited protection against zero-day attacks. For example, registering new domains or hijacking existing “trusted” domains are popular methods of evasion by threat actors.      URL link rewriting lacks the intelligence to detect advanced attacks on email   Threat actors are continuously becoming more sophisticated. Hiding malicious URls in an attachment or having a redirected link tricks the victim into thinking they are clicking on a perfectly safe link when in fact they are actually clicking on a malicious link.     Protection starts and stops at the gateway   When utilizing a perimeter solution, such as a SEG, you can only see what is coming into and out of the organization. Lateral phishing attacks are missed as the email doesn’t pass the gateway.     If all you have is a hammer, everything looks like a nail   URL link rewriting offers no protection against cross-site scripting (XSS) attacks. In this type of attack, threat actors will send a benign-looking URL link to a victim, usually from a legitimate but recently compromised website. Here the threat actor is able to capture credentials from the victim, for example on a log-in page of the compromised website. Legacy email security solutions would have determined that the link is “safe” even if the email was received from an unknown or suspicious party.
The need for Intelligent Cloud Email Security    Email-based attacks are still by far the most popular attack vector. The efficiency of legacy email security controls has come into sharp focus as a result of the constantly shifting and developing attack landscape.     Threat actors are continuously becoming more sophisticated and circumventing the rules-based approaches of legacy email security tools. Today URL link rewriting is no longer capable of defending organizations from advanced attacks on email. Only by leveraging intelligent email security solutions that understand behavior and have contextually aware scanning capabilities – detecting the most obfuscated of URLs – can you significantly improve your email security posture against URL-based attacks.   To see how the Tessians Intelligent Cloud Email Security platform prevents ransomware attacks, and protects against data loss, watch a product overview video or book a demo.
For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Read Blog Post
Integrated Cloud Email Security
Video: Tips For Cybersecurity Awareness Month
by Andrew Webb Saturday, October 1st, 2022
October is Cyber Security Awareness Month, The US Cybersecurity and Infrastructure Agency (CISA) and National Cyber Alliance (NCA) call for organizations to focus on the fundamentals of cyber security. So we caught up with Tessian’s Head of Risk and Compliance, Kim Burton, to find out what they are and what they mean for your organization. Watch the video below or read the transcript.  
So one of the things that’s really exciting about starting your security journey is that there are things that are actually very, very easy to do. And these are true for everyone. It doesn’t matter if you’re an employee somewhere. It doesn’t matter if this is what you’re doing at home trying to protect your friends and family. The key core components of where security starts are…   Strong passwords That means long, strong, and unique. You can store those in a password manager, and with that password manager you want to pair that two-factor authentication on every account that you have if possible. Not every account allows for two factor authentication, but everywhere that you can. You want to use multi-factor authentication,   Updates Make sure you’re always keeping your machine updated!   Mindful posting   What I mean by that is, make sure that when you’re posting on social media, you’re being careful about the kinds of information you reveal. And note that you’re also protecting your friends and family, your business when you’re posting online. So you want to just be careful about the kind of privacy implications that that could come about.    Report suspicious emails And then, when you see something uh make sure you talk about it with your coworkers. If something seems a little bit off, send it to your security team. Report fishing emails uh, and remember that you’re in a community, protect each other.  
Hosting a security open day There are all kinds of different activities that you can run for Cybersecurity Awareness Month. Having a security party where you all come together and discuss secure solutions that the company specifically requires and  relying on people at the business to present their expertise to other coworkers like doing brown bag lunches that are focused on security components. You can use your employees to actually do a pretend ‘hack the company’ event where you can encourage them throughout the month to name different security concerns that they see. Maybe someone’s left their laptop unlocked, or maybe they noticed people aren’t badging in consistently. Or maybe you’re trying to encourage them to wipe down whiteboards – a security scavenger if you will. Have a prize at the end of it. You can get people to design security posters. Your employees know what secure behavior looks like, and they actually get very excited to talk about the knowledge that they have. What’s hard is if someone’s coming in and top-down, telling them very aggressively like waving a stick and saying “you will do these things”. A lot of these folks have worked  other places. They know what they need to be doing, they just need to be empowered to do it. So let them show what knowledge they have and encourage them to talk about it with you, so that you can maneuver exactly their knowledge to be exactly what the business needs. You can make it so that they have the opportunity to talk about it, teach their peers, and then encourage them to grow from where they’re at.   You can have other security events like an Osint scavenger hunt. So Osint is Open Source Intelligence Gathering. That would be maybe a couple of employees gather a bunch of different photographs around the Internet and you ask your folks to identify where they are. It’s amazing how quickly people can identify locations from photographs, and they think they’re not going to be good at this and they’re like “I’ve never done this before, there’s no way I’ll be able to tell from this corner of a building where this is located in the world”. But then you give them five minutes to think about it, and they start saying “You know that type of tree doesn’t grow anywhere else”, or “you know the angle of the sun there seems like it could be in this region of the world” It’s amazing how fast people like start to to figure out these things. And that teaches them how attackers think, that teaches them how malicious actors are going to react.    And it’s fun. You’ve changed it into a game, but what they come away with is; “Oh, okay, I was able to do this in  half an hour of activity. What could someone do with a month? I’ve got to be careful. I have a duty to protect myself. I have a duty to protect my friends, and I really need to protect the business”. It helps them  really see the practicality of of the events that they’re doing.
Read Blog Post
Threat Intel
New Impersonation Campaign: Logokit
by Catalin Giana Friday, September 30th, 2022
In August Tessian’s Threat Intel team saw a new Business Email Compromise malware campaign in the wild called Logokit. Logokit is an impersonation attack phishing kit used to propagate Business Email Compromise campaigns to harvest credentials.   How Logokit exploit kits work    Threat actors will impersonate domains of trusted brands, commonly seen impersonating healthcare, financial or legal services providers. The phishing email usually contains a malicious URL or attachment.    The unsuspecting victim will click on the malicious URL which in this case redirects to an impersonated website of Microsoft. There, the threat actors attempt to harvest login credentials.    
The attack chain   1: The law firm is impersonated and a spoofed account is used to send a malicious email to the victim. 2: The victim receives the malicious email and downloads the malicious HTML attachment.  3: Upon execution of the HTML page, the final landing page is Microsoft impersonation page, requesting the victim to enter Microsoft login credentials.  4: The compromised credentials that were inserted by the victim are then harvested by the threat actor.   Threat analysis In the case that Tessian Threat Intel analyzed, a victim of this campaign was targeted by threat actors impersonating a law firm. The impersonated email from the law firm contained the company logo, as well as an obfuscated HTML attachment titled: Letter To Buyer’s Solicitor Enclosing Contract Bundle.htm
Tessian Threat Intel started the investigation in a virtual environment, analyzing the attached HTML file. At first inspection the HTML file appeared benign. We, then, analyzed the HTML file in a non-virtual environment. This initial HTML file then redirects to an impersonated Microsoft login webpage.   Conclusion and recommendations for staying safe   At the initial time of analysis, the Logokit redirect campaign stopped at the Microsoft phishing landing page. There is a high probability that this campaign could be altered in the coming days and weeks, landing on a different page.   In order to not fall victim to similar types of phishing emails we recommend:   Being careful of unsolicited emails, especially those containing attachments or URLs. Before interacting with any suspicious email received, check the source and email header to confirm the organization it originated from is legitimate. If anything seems unusual, do not follow or click on links, or download attachments.  If the suspicious email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative.  Adopt intelligent cloud email security solutions like Tessian that use behavioral intelligence to detect and prevent advanced email attacks, including increasingly sophisticated impersonation emails.
Read Blog Post
Threat Intel
Tessian Threat Intel Roundup: Ransomware Dominates
by John Filitz Wednesday, September 28th, 2022
As we wind down Q3, we see no letting up by threat actors with a series of high profile breaches dominating the headlines in September. Of concern is the increasing activity of Ransomware-as-Service (RaaS) offerings and threat actor activity. It’s little surprise that phishing and email remain significant threat vectors for ransomware actors, either to gain initial access, or to execute ransomware payloads.   Sign-up for our Threat Intel update to get this monthly update straight to your inbox.    Key Takeaways Phishing attacks are in uncharted territory with over 1 million attacks reported for Q2 2022. Financial services and SaaS companies are among the most targeted. Phishing and email remain primary threat vectors for gaining initial access to carry out ransomware attacks. The Ransomware-as-a-Service (RaaS) gang activity continues its steady increase up by 63% in Q1 2022, as RaaS actors continue to diversify services and exploit kits, including mining exposed data to carry out second stage Business Email Compromise (BEC) campaigns. There is significant concern that corrupting of files will become a new modus operandi of Noberus aka BlackCat ransomware actors and affiliates over the usual encrypting of files. LockBit ransomware encryption code has been leaked, sparking concern for an increase in LockBit attacks. Ukraine has proven to be cyber resilient against Russian cyber attacks, largely as a result of recovering from previous significant breaches such as NotPetya, as a result of NATO support. Recent reports of an Iranian cyber campaign against Albania has resulted in the severing of diplomatic ties with Iran. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a record number of advisories for the month, with ransomware and nation-state activity from Iran being front-and-center.
Trending Analysis Phishing attacks continue the upward trajectory according to the latest from APWG’s Q2 Phishing Activity Trends Report – with over 1 million phishing attacks recorded for the 2nd quarter of 2022 – the worst quarter on record. The most targeted industries according to APWG include financial services (28%), followed by webmail and Software-as-Service providers (19%) and retail (15%). Some of the key threat vectors identified by APWG are email delivered impersonation and ransomware attacks. New Zealand’s Computer Emergency Response Team (CERT NZ) agency reports that phishing campaigns are the primary method for threat actors to gain initial access to carry out ransomware attacks. Email according to CERT NZ, is the third most commonly used vector for malware delivery.  Trend Micro reports a 63% rise in Ransomware-as-a-Service (RaaS) groups in the first quarter of 2022.  Accenture reports on a growing trend of threat actors leveraging “sensitive corporate data exposed on the dark web” to carry out sophisticated Business Email Compromise (BEC) campaigns. Findings from a Stairwell study indicate that RaaS Affiliates of Noberus also known as BlackCat/ALPHV, the successor to DarkSide and BlackMatter ransomware gangs, is potentially resorting to corrupting files on local systems instead of encrypting them with the release of a new “Exmatter” tool. BleepingComputer citing research from Symantec on the “Exmatter” tool, shows that the new data extraction tool has been reengineered to more stealthy gain a foothold and exfiltrate data from compromised systems – an essential complement for carrying out double-extortion attacks. Symantec researchers also confirm the ability of Exmatter to “corrupt processed files.” The Record reports that leaked LockBit ransomware code has the ability to enable more widespread use of the ransomware file encryptor.  The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory on Vice Society ransomware actors that are targeting the education sector.  The Los Angeles Unified School District, the second largest school district in the country,  was the latest victim to suffer a Vice Society ransomware attack that resulted in the loss of access to 500GB of data. CISA and MS-ISAC also released a ransomware guide, and CISA issued a RFI for new cybersecurity incident reporting for the proposed Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The proposed cyber compliance requirements will compel companies to report significant cybersecurity incidents within 72 hours, and 24 hours after a ransomware payment has been made.  Turning attention to nation-states, Ukraine has proven to be relatively cyber resilient in the ongoing conflict with Russia in a large part due to recovery from previous cyber attacks such as the infamous NotPetay attack in 2017. The significant support received from NATO is also another decisive factor. It is suspected that Ukranian affiliated cyber actors hacked Russia’s Wagner Group, responsible for mercenary recruitment for the Russian armed forces – compromising the personal data of mercenaries. CISA shows that Iranian nation-state actors gained access to the Government of Albania’s network 14 months prior to launching a devastating ransomware and wiper malware attack on that country in July. Albania has since severed diplomatic relations with Iran as it tries to recover data and restore public service operations.
Concluding Thoughts & Recommended Actions   The data point to an increasing threat of ransomware-related breaches in the short-to-medium term. Key industry verticals receive a disproportionate amount of attacks including financial services, technology, and more recently the education sector. The threat of nation-state-sponsored attacks as witnessed recently in Albania is of growing concern. Increasing geopolitical tension and instability are likely to exacerbate the probability of state-sponsored ransomware campaigns disrupting key public services.   As the ransomware threat grows, adopting a defense-in-depth strategy is essential. One key attribute of hardening your information system against ransomware attacks is leveraging a machine learning, behavioral-based cybersecurity solution like Tessian that can detect anomalous behavior on email as it arises.   
To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo.   For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Read Blog Post
Podcast
U.S. Secret Service’s Andrew Frey on Why Business Email Compromise Works
by Andrew Webb Tuesday, September 27th, 2022
Andrew Frey is a Forensic Financial Analyst for the San Francisco Field Office of the U.S. Secret Service, working in the Cyber Fraud Task Force. As one of the most knowledgeable people in the US Government on the threat of Business Email Compromise (BEC), Andrew works directly with companies and individuals to gather intelligence on cybercriminals behind these attacks and helps recover lost funds when wire fraud has occurred. In a recent episode of the podcast, he spoke to Tim Sadler about attacks he’s investigated, explained how lost funds are recovered and why he believes BEC is on the rise.   Listen to the whole episode, here, or read on for three key Q&As from the interview.
Why are BEC attacks growing more frequent and more effective?   I think that the answer is in the question – BEC attacks are growing in frequency because of their efficacy. BEC is an unprecedented type of cybercrime because of its enduring effectiveness. For most scams, widespread education brings their downfall – think IRS impersonation scams, lottery scams, and the Nigerian prince scam.   Those schemes are all still around but their heyday is over because most people have been made aware of them in one form or another. You also have organizations like banks and gift card retailers pitching in with warning signs or detection systems that help deter those scams with a high degree of effectiveness.   In the case of BECs there is now more education, communication, and detection technology than just about any other scam, and yet they are still very common with no sign of becoming less so. The victim pool is also very broad. It isn’t just senior executives being targeted, we now see everyday people losing down payments to their new homes through BEC, for example.   The victims also aren’t necessarily so-called ‘vulnerable’ or lacking in tech-savvy. Many victims are Fortune 500 companies – companies that most folks know by name and logo, companies with rigorous security and control. So as long as the crime continues to have success it is only going to grow.
What are the typical traits and characteristics of these attacks?   In almost every BEC case that I have worked there were red flags in hindsight. They could be as subtle as a different font or a different representative than who you have always worked with, or even a different salutation. It is very rare that when reviewing the email with hindsight you don’t spot something that probably should have caught your eye.   As for who is targeted most frequently, it is tough to say because each criminal organization probably has a favorite industry – one that they’ve spent time familiarizing themselves with to allow them to talk the talk in a convincing fashion. I am currently working on a case where about a dozen cities and counties were hit with millions of dollars in BECs, and this is a number that is growing by the day. Victims include city police departments and even some school districts, and part of what has made them appealing targets is that so many of their suppliers and the amounts and frequency paid to them are publicly available online.   This takes a lot of the work out of the process for the criminals. In some instances, a cyber intrusion isn’t even necessary because the criminal actor could impersonate the supplier or municipality’s finance director and request payment without intrusion. Cases like this are becoming more and more common.
How do you recover lost funds? What is important to know for people who one day might be victims of these kinds of attacks?   We have a number of tools at our disposal that can help recover funds, including cryptocurrency and funds that have been wire transferred abroad, which is common these days. As a victim, the key is timely notification to law enforcement. I personally receive one to three reports of BEC a week, and the recovery rate is actually a lot better than you would imagine. I think people think BECs aren’t recoverable and that is not accurate, but timing is everything.    When I am notified of a BEC I immediately work with the relevant financial institutions to trace these funds and I won’t stop until there is a definite dead end or the money is recovered. Simultaneously we might be arranging for an exam of the victim’s network by one of our network intrusion responders to gather evidence for a criminal investigation. But really one of the best ways we help is pro-active education. We try to get out there and provide a resource for companies and institutions so that when any kind of cyber incident happens they know who to call.    In terms of more general advice, businesses need to practice good cyber hygiene. That means anti-phishing training, using complex unique passwords, and changing passwords frequently. It is also very important to prep yourself before an attack occurs by having an incident response plan with clearly outlined roles. That way, if something does happen you don’t have a half dozen people trying to figure out who to call and what to do.
For more of Andrew’s anecdotes and further discussion, listen to our Tessian Podcast episode, here. You can also visit the Secret Service website to find out more information.
Read Blog Post
Integrated Cloud Email Security, ATO/BEC
Product Update: Enhanced Security Event Filtering and Reporting
by Swati Aggarwal Thursday, September 22nd, 2022
Our latest product update for our Advanced Email Threat Prevention module, Tessian Defender, improves the efficiency of security event filtering through new and easy-to-navigate event filters. We have also improved malicious email reporting, resulting in improvements to our detection efficacy.
New and enhanced filters for more efficient event filtering The enhanced event filtering interface will improve confidence and control for security admin using Tessian’s portal. It enables security admins to  efficiently filter and find security events, enabling security teams to respond faster.    
Some of the new and enhanced filters include:   Original filter location: Folder location of the email at the time of delivery to the end-user’s mailbox. Attachment filter: Contains attachments or not. Phishing simulation filtering: To exclude/include phishing simulations. Confidence level filtering: To filter on high/medium/low confidence interval events.  
Improved end-user reporting capability   Improvements to malicious email reporting will further improve the ability to recall malicious emails from inboxes, as well as improving detection efficacy. After a security admin reports a malicious email, future emails that share the same characteristics will automatically be quarantined in the portal – reducing cyber risk.  
Why these updates matter: Quicker response time and improved detection efficacy   In a hypothetical example of attempted Account Takeover (ATO), Tessian will flag suspicious emails as potentially malicious. After receiving an alert, security admins using the Tessian Cloud Email Security Platform, analyze all suspicious emails marked with a high degree of confidence and take appropriate action.    The new event filtering capability further speeds up this process, enabling security admins to filter all the security events by event type, confidence level, user response and quarantine status, while also allowing security admins to exclude events classified for example as phishing simulations – improving response times.     The new labeling feature incentivizes customers to report malicious emails. This, in turn, improves the detection efficacy of the platform’s algorithms with each reported email. 
Every minute counts to reducing cyber risk   Time is of the essence in triaging security events on email. Our engineering teams are working relentlessly to cut response times and give time back to security teams. These latest product updates do just that, enabling our customers to reduce the time spent on event triaging while also improving detection efficacy. To see how the Tessian Cloud Email Security platform intelligently prevents ransomware attacks, and protects against data loss, watch a product overview video or book a demo.
For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Read Blog Post
Data Science, Integrated Cloud Email Security, ATO/BEC
Product Update: Improvement to Algorithms Sees 15% Increase in Detection of Advanced Email Threats
by Jhamat Mahbubani Tuesday, September 13th, 2022
Innovations in machine learning have fundamentally changed the email security landscape.    And in order to stay ahead, and to ensure that we are protecting our customers from new and advanced email threats, we need to continually improve our machine learning algorithms. Most recently, Tessian’s data science team updated our platform’s Behavioral Intelligence Modeling algorithms to detect advanced social engineering threats.   The result? A 15% increase in the detection of advanced email threats including impersonation spear phishing and account takeover (ATO) attacks.
The growing threat of advanced social engineering attacks  Social engineering attacks like impersonation and ATO attacks are a growing threat, with ATO attacks witnessing +300% growth over the last three years.    Impersonation and ATO attacks are a notoriously difficult type of advanced email threat to detect and prevent. This is because the threat actors either impersonate a trusted party or, in the case of ATO, the emails originate from a legitimate source, either within the organization from an already compromised account, or from a compromised vendor in the supply chain.    Traditional, rule-based email security solutions, like Secure Email Gateways (SEGs), which enterprises have been reliant on for decades, offer little protection against these types of attack. Why? Because legacy solutions like SEGs and built-in security from cloud providers are unable to detect adaptive and unknown threats with no prior indicators of compromise reported.    This makes the case for why security and risk management teams must move away from a rule-based approach to one that analyzes behavior instead.    This behavioral approach should leverage machine learning, Natural Language Processing (NLP), Behavioral Intelligence and Global Threat Feeds to automatically determine whether an email sent to an end-user at a particular time is an advanced threat.
A machine intelligent approach to email security Encouragingly, an increasing number of security leaders are realizing the need to adopt machine intelligent solutions to tackle the persistent threat of advanced email attacks. In fact, over half of cybersecurity leaders (58%) surveyed in a 2022 Forrester Consulting report said that they are actively looking to displace SEGs for the next generation of email security solutions. These solutions, like Tessian, leverage machine learning to help organizations mitigate risk on email.    The importance of machine learning powered cybersecurity solutions was similarly recognized by IBM’s Cost of Data Breach Report for 2022. IBM reported that the average cost of a data breach was $3.05 million less in organizations that deployed security artificial intelligence (AI) versus those that had not. What’s more, 66% of security leaders from across the world believe that AI and Machine Learning enables faster threat detection on email and 56% say it makes threat detection more accurate.    Continual improvements to our algorithms are important to ensuring we quickly and accurately detect new and unknown threats on email – keeping our customers and their data safe and secure.    Learn more by speaking to our experts and seeing our machine learning algorithms in action. 
Read Blog Post
Integrated Cloud Email Security
Product Update: Enhanced Event Triage to Speed Up Detection and Response to Malicious Emails
by Swati Aggarwal Thursday, September 1st, 2022
Introducing our latest product update, designed to improve security event triaging efficiencies for security admins using the advanced email threat prevention module, Tessian Defender, in the Tessian portal.    The enhanced event triage update not only provides security admins with greater control and confidence in preventing advanced threats coming into corporate inboxes, but it also gives valuable time back to security teams.   How does it work?    When Tessian flags an email as potentially malicious, security admins quickly analyze the email within the Tessian portal. After analyzing the email, they can assess whether the email is malicious or not. If the email is deemed safe, the security admin can release it to all of the end-user’s inboxes with a single click and if it’s malicious, they can delete the email from the end-user’s quarantine as well as delete the released copy from the user’s inbox with a single click. As a result, security teams can significantly reduce the risk of an end-user interacting with a malicious email.    This capability extends to bulk remediation of large scale phishing attacks – a.k.a. burst attacks – that affect multiple end-users.
The update builds on our previous update which improved the visibility for security admins to view the full body of flagged emails and label workflow.
Greater efficiency and control for the Security Operations Center   Triaging security incidents on email is a time intensive task. In fact, research shows security teams that rely on legacy email security software spend as much as 9-12 hours detecting and responding to each email security incident.    With this latest product update in the Tessian portal, our customers are able to cut the time spent on event triaging down to minutes, significantly reducing the risk of an end-user engaging with a malicious email and reducing the administrative burden for security admins
Every one of our product updates are part of our continuous effort to improve the experience we provide our customers and give security teams peace of mind and confidence in their email security solution.  To see how the Tessian Cloud Email Security platform intelligently prevents ransomware attacks, and protects against data loss, watch a product overview video or book a demo.
Read Blog Post