
Tessian Blog

Beyond the SEG / Microsoft + Tessian, Advanced Email Threats
Tessian in Action: This Attack Got Through a SEG and M365, but Not Tessian.
by Tessian Threat Engineering Group Tuesday, March 28th, 2023
Cyber attacks are getting more sophisticated and more targeted. In this Tessian in Action update we explore how an attack got through legacy security solutions, but not Tessian.
Legacy security solutions just aren’t able to combat advanced threats over email the way that Integrated Cloud Email Solutions can. At Tessian, we’re seeing more and more attacks bypass traditional secure email gateways only to be stopped by our platform. The attack below sailed right through the client’s SEG and their Microsoft 365 defenses, only to be flagged by Tessian. The client, a medical firm, handles highly sensitive data and personally identifiable information (PII). Fines from PII data breaches can be huge. In February 2023 Arizona-based Banner Health was fined $1,250,000 following a 2016 breach.
The target of the attack
The attackers had clearly done their research, as this attack was specifically targeted at the client’s Chief Legal Officer and one other senior member of the legal team. They were both targeted with a malicious URL sent from a lookalike domain. The timing of the attack was 12-1 UTC, which was morning at the client’s location, perhaps in an attempt to catch them early and be at the top of their inbox.
Stopped dead in its tracks
This attack was able to get past the client’s SEG and MS365, but Tessian flagged it as an impersonation attack. Tessian also identified the URL as malicious and the sender as a first-time sender. Tessian’s Behavioral Intelligence models detected additional anomalies, increasing our confidence score to 100/100. Consequently, this email never reached either of the recipients. The security team at the organization are well aware that attacks against their exec team can have devastating consequences. In fact, the security team that highlighted this attack to Tessian are highly active with the Tessian portal, and so quarantined it themselves, but had they not, Tessian Defender would have hard-quarantined this email or displayed a warning message to end users, coaching them and raising their security awareness ‘in the moment’.
It’s situations exactly like this that more and more firms are facing. Tessian was built exactly to stop these kinds of highly targeted attacks that slip by existing and legacy solutions. If you’d like to see how Tessian can better protect your organization, find out more with our Microsoft + Tessian Solutions Guide.
Advanced Email Threats
Tessian in Action: Phishing Attack Sends Credentials to Telegram
by Tessian Threat Engineering Group Monday, March 27th, 2023
Contributors: Catalin Giana & Razvan Olteanu
In this example of Tessian in Action, members of our Threat Intel Team saw this Microsoft credential attack target several of Tessian’s customers. There are four interesting things to note in this attack:
  • There was a zipped set of password instructions attached.
  • Within that was HTML that hid obfuscated JavaScript which forwarded to a credential harvesting site.
  • The attack had a custom sender name for each individual attack.
  • Any successfully captured credentials were forwarded to Telegram.
Here’s how the attack sequence worked. The email came as a Microsoft-impersonating campaign with a zip file attached containing password instructions. Much like a sealed present, the hope was that the user would unpack the zip file to see what was in it, believing it to be legitimate.
The copy in the email backs this up by specifically asking the user to unzip and follow the instructions within. There’s also an implied sense of urgency about the account expiring in the next 24 hours, which is further encouragement for the user to act. It’s worth noting the ‘in the moment’ warning provided by Tessian at the top of the email here. Tessian adds custom warnings like this to Outlook (it looks a little different for Gmail) to provide ‘in-the-moment’ security awareness for end users. Depending on how you have Tessian configured, and what our confidence score for the threat is, we can either hard quarantine (as we did in this case) or add a warning and release to the user. You can see more on how Tessian protects against threats like these here. Upon downloading and unzipping the archive, the team found malicious HTML. When executed, it shows that it loads something from Microsoft SharePoint, which finally redirects to a Microsoft login phishing page.
Entering user credentials causes a script to execute, which then queries ipinfo.io to determine the IP address. It then attempts to pass the response, along with the password entered, directly to a Telegram group using Telegram’s API.
Let’s look now at that HTML in detail.
Original form: The HTML contains multiple chunks of base64-encoded JavaScript that need to be decoded manually and concatenated in order to find the original script. Doing that reveals a new obfuscated JavaScript that is hex-encoded and has some base64 code appended at the end.
After removing the hex code character and adding all the other base64-encoded chunks, the original script looks like this.
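The manual decode-and-concatenate step described above can be scripted for attachment triage. The following is an added example, not code from the original post or from Tessian: it peels base64 literals and `\xNN` hex escapes layer by layer and reports which of the two hosts named in the article appear once decoded. The sample attachment is constructed and inert, and the regexes and layer limit are assumptions.

```python
import base64
import re

# Hosts the article says the script contacts; searched for in decoded layers.
INDICATOR_HOSTS = ("ipinfo.io", "api.telegram.org")

# A quoted run of base64 characters (heuristic: at least 16 characters long).
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")
# JavaScript-style hex escape such as \x2f.
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_b64_chunks(text):
    """Decode every quoted base64 literal and concatenate in document order."""
    parts = []
    for match in B64_LITERAL.finditer(text):
        chunk = match.group(1)
        if len(chunk) % 4:
            continue  # not valid base64 padding, skip
        try:
            parts.append(base64.b64decode(chunk, validate=True).decode("utf-8"))
        except ValueError:  # bad base64 or undecodable bytes
            continue
    return "".join(parts)


def unescape_hex(text):
    """Turn \\xNN escapes back into the characters they stand for."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def triage(html, max_depth=5):
    """Peel encoding layers until nothing more decodes; report hosts found."""
    layers = []
    current = html
    for _ in range(max_depth):
        decoded = unescape_hex(decode_b64_chunks(current))
        if not decoded:
            break
        layers.append(decoded)
        current = decoded
    seen = "\n".join(layers)
    hosts = sorted(h for h in INDICATOR_HOSTS if h in seen)
    return {"depth": len(layers), "hosts": hosts, "layers": layers}


def build_sample():
    """Constructed, inert attachment that mimics the layering described:
    base64 chunks -> hex-escaped text with a further base64 literal appended."""
    inner = "/* constructed placeholder: POST https://api.telegram.org/bot<TOKEN>/sendMessage */"
    tail = base64.b64encode(inner.encode()).decode()
    note = b"/* constructed placeholder: GET https://ipinfo.io/json */"
    hexed = "".join("\\x%02x" % byte for byte in note)
    script = 'var s="%s";var t="%s";' % (hexed, tail)
    half = len(script) // 2
    chunks = [base64.b64encode(p.encode()).decode()
              for p in (script[:half], script[half:])]
    body = "".join('var c%d="%s";' % (i, c) for i, c in enumerate(chunks))
    return "<html><script>" + body + "</script></html>"


if __name__ == "__main__":
    result = triage(build_sample())
    print(result["depth"], result["hosts"])
```

Neither host string is visible in the raw attachment, which is why plain keyword matching on the file misses it while the decoded layers do not.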
Beyond the SEG / Microsoft + Tessian, Threat Stories, Advanced Email Threats
Tessian in Action: Microsoft Credential Scraping Attempt
by Tessian Threat Engineering Group Monday, March 20th, 2023
Recently Tessian’s Threat Engineering Group identified an emerging threat detected by Tessian Defender targeting around 45 of our customers. The campaign was an email credential harvesting attack and was not detected by Microsoft Exchange Online Protection (EOP) when the attack began.
Anatomy of the attack
The attack email was able to bypass legacy security solutions, like secure email gateways, as well as Microsoft 365. Let’s explore some of the reasons why it was able to do that:
  • Firstly, the email was ‘sent’ by Amazon Simple Email Service (SES), which is a common tool leveraged by attackers to send automated attacks. However, the display name impersonated the company being targeted, no doubt attempting to add legitimacy.
  • The display name was actually dynamically generated, taking the first three letters of the recipient address and pretending to be the company name.
  • This is done to avoid basic aggregation and detection methods by secure email gateways and native security controls of email providers.
  • Looking at the subject of the email, it’s fairly innocuous, and again a rule in a SEG to flag the word ‘payment’ would trigger hundreds of false positives.
  • Finally, the body of the email itself is benign, simply stating “Please consider the environment before printing this email”. If anything, the attack attempt is a little too spartan in content, which might have raised suspicions in the user that received it.
Let’s now look at the HTM attachment, which contains encoded JavaScript (below).
And when decoded twice it looks like this. Note that some of the content is still encoded.
All this encoding and obfuscation is attempting to hide the fact that the script redirects the user to a credential harvesting form. The form is hosted on a domain registered one day before the first phishing email was seen on the Tessian network. What’s more, to add legitimacy, the customer’s logo is hosted at the top of the form. Remember, this attack went to several organizations, so the logo must be dynamic. It’s therefore likely that it was scraped by the attacker using automated tooling. The “username” field is already pre-populated with the recipient’s email address, again adding legitimacy and lowering the amount of effort for the recipient to share their password. Finally, when the password is entered, it is posted to a PHP script hosted on the same domain.
How did Tessian Defender detect this threat?
So how did Tessian Defender stop this threat when SEGs and Microsoft 365 didn’t? Well, as well as detecting unusual file characteristics, Tessian’s Behavioural Intelligence models detected additional anomalies, increasing our confidence score to 100/100. They are as follows:
  • The recipient company name was used in the display name.
  • The recipient has no historical relationship with the sender.
  • Multiple emails were sent to each customer in a short period of time, to unconnected employees; this is known as a burst attack.
  • Tessian’s Natural Language Processing (NLP) models classified the email as being payments-related.
Depending on the specific customer configuration, Tessian Defender either hard-quarantined this email or displayed the following warning message to end users, coaching them and raising their security awareness.
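Three of the signals listed above can be checked from message metadata alone. The following is an added example, not Tessian's detection logic or code from the original post: the message fields, the 10-minute window, the three-recipient threshold and the sample data are constructed assumptions, and the NLP classification is not modelled.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed message metadata for illustration (not taken from the article).
MESSAGES = [
    {"ts": "2023-03-14T09:00:05", "from": "notify@bulk-sender.example",
     "display": "Acm", "to": "alice@acme.example"},
    {"ts": "2023-03-14T09:00:40", "from": "notify@bulk-sender.example",
     "display": "Acm", "to": "bob@acme.example"},
    {"ts": "2023-03-14T09:01:10", "from": "notify@bulk-sender.example",
     "display": "Acm", "to": "carol@acme.example"},
    {"ts": "2023-03-14T10:15:00", "from": "ap@vendor.example",
     "display": "Vendor Accounts", "to": "alice@acme.example"},
    {"ts": "2023-03-14T11:00:00", "from": "news@letters.example",
     "display": "Weekly Digest", "to": "bob@acme.example"},
]

# (recipient, sender) pairs with prior correspondence; constructed.
KNOWN_PAIRS = {("alice@acme.example", "ap@vendor.example")}


def display_echoes_recipient(display, to_addr, n=3):
    """True when a word of the display name equals the first n letters of the
    recipient's local part or organisation label, or the full label."""
    local, _, domain = to_addr.lower().partition("@")
    org = domain.split(".")[0]
    needles = {local[:n], org[:n], org}
    tokens = set(re.findall(r"[a-z0-9]+", display.lower()))
    return any(len(needle) >= n and needle in tokens for needle in needles)


def burst_indexes(messages, window=timedelta(minutes=10), min_recipients=3):
    """Indexes of messages where one sender reached at least min_recipients
    distinct recipients within the time window."""
    by_sender = defaultdict(list)
    for i, msg in enumerate(messages):
        by_sender[msg["from"]].append((datetime.fromisoformat(msg["ts"]), i))
    flagged = set()
    for items in by_sender.values():
        items.sort()
        for start, (t0, _) in enumerate(items):
            run = [i for t, i in items[start:] if t - t0 <= window]
            if len({messages[i]["to"] for i in run}) >= min_recipients:
                flagged.update(run)
    return flagged


def score(messages, known_pairs):
    """Return, per message, the list of signals that fired."""
    bursts = burst_indexes(messages)
    results = []
    for i, msg in enumerate(messages):
        signals = []
        if display_echoes_recipient(msg["display"], msg["to"]):
            signals.append("display-name-echoes-recipient")
        if (msg["to"], msg["from"]) not in known_pairs:
            signals.append("first-time-sender")
        if i in bursts:
            signals.append("burst")
        results.append(signals)
    return results


if __name__ == "__main__":
    for msg, signals in zip(MESSAGES, score(MESSAGES, KNOWN_PAIRS)):
        print(msg["from"], "->", msg["to"], signals)
```

A first-time sender on its own is common and weak; it is the combination of all three signals on the same messages that separates the campaign from the newsletter in the sample.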
Indicators of Compromise (IOCs)
Tessian Threat Engineering Group reacted to add the below IOCs to the Tessian Unified Threat Interface. We recommend readers do the same.
Sender Address: jorgezamora@powderiverdev[.]com
Credential Harvesting Site Domain: https://emdghouseltd4[.]pro
Contributors: Ed Bishop and Catalin Giana.
Beyond the SEG / Microsoft + Tessian
Tessian Recognized as a Representative Vendor in the 2023 Gartner® Market Guide for Email Security
by James Alliband Monday, March 20th, 2023
Tessian is honored that Gartner has recognized us as a Representative Vendor for Integrated Cloud Email Security (ICES) in the 2023 Market Guide for Email Security. Within the report, Gartner recommends that security and risk management leaders should: “Supplement the native capabilities of your existing cloud email solutions with third-party security solutions to provide phishing protection for collaboration tools and to address both mobile- and BEC-type phishing scenarios.” According to the report, “The migration to cloud email platforms continues along with a significant increase in the number of phishing attacks.” Further in the report Gartner states, “Impersonation and account takeover attacks via business email compromise (BEC) are increasing and causing direct financial loss, as users place too much in the identities associated with email, which is inherently vulnerable to deception and social engineering.” The report informs its readers, “email continues to be a significant attack vector for malware and credential theft through phishing. An estimated 40% of ransomware attacks start through email. Cloud adoption continues, with an estimated 70% using cloud email solutions.  
Gartner recommends that security and risk management leaders responsible for email security should:
  • Supplement the native capabilities of your existing cloud email solutions with third-party security solutions, to provide phishing protection for collaboration tools and to address both mobile- and BEC-type phishing scenarios.
  • Use email security solutions that include anti-phishing technology for targeted BEC protection that use AI to detect communication patterns and conversation-style anomalies, as well as computer vision for inspecting suspect URLs. Select products that can provide strong supply chain and AI-driven contact chain analysis for deeper inspection and can detect socially engineered, impersonated, or BEC attacks.
  • Prioritize integration of email security solution APIs to enable integration of email events into a broader XDR or security information and event management (SIEM)/security orchestration, analytics and reporting (SOAR) strategy.
Email security has come a long way since its inception around 2000, when the greatest external threats facing on-premise mail servers were bulk unsolicited mail and spam. But today, the world has changed. As Gartner refers to in the report, now an estimated 70% of organizations are using cloud email solutions. This rapid shift to the cloud has opened up a new threat landscape. Security and risk management leaders must uncover and learn how to protect themselves from it. Regarding email, the effectiveness of safeguarding this unsolicited domain has been in the crosshairs for quite some time. Today email is the entry point responsible for over 90% of cyber attacks.
But why is this the case?
The rapid shift in moving to the cloud allowed cyber criminals a huge opportunity; an opportunity grabbed with both hands. Email security, while being in the crosshairs, has been largely untouched for many years. Organizations holding significant investments in their Secure Email Gateway (SEG) protect their internal network from the outside world. Still, it isn’t as though these solutions deteriorated overnight, but the world around them did. Secure Email Gateways were built to address security concerns in a bygone, cloud-averse world. They were once the gold standard in email security. But the rapid shift to the cloud and ever-changing threat landscape left this once sturdy and reliable email defense vulnerable and ineffective in safeguarding users and data from advanced threats and insider risks. Further to this, Microsoft and Google have put pressure on this space, now offering capabilities that overlap with those of a Secure Email Gateway (SEG) solution within their cloud productivity platforms, allowing organizations to streamline their email security approach, simplify their security stack and reduce cost and complexity. But while this is a positive for security and risk management leaders, Gartner states in the report that “threat actors are also getting more sophisticated, often targeting the end users using fake login pages as a way of harvesting credentials. Sophisticated email threats include compromised websites and weaponized documents used to deploy malware. Many ransomware-as-a-service gangs use email as the initial entry point. Beyond malware, business email compromise and account takeover threats continue to rise, with significant financial losses as a result”.
Combatting this new wave of attacks
Now it is recommended to consolidate overlapping gateway capabilities into Microsoft 365 to help CISOs reduce cost and complexity, while cautioning that CISOs should carefully evaluate the native capabilities offered by cloud email systems and ensure that they are adequate to prevent a sophisticated attack. An argument can be made that “complexity” remains at the heart of Microsoft’s licensing model. Microsoft has numerous packaging options, bundles, and add-ons. Knowing where they differ and overlap is vital to understanding what you have access to today and effectively leveraging native security capabilities to secure your email environment.
At Tessian we believe that organizations need to go beyond their SEG and that a Microsoft + ICES email security stack is the future of email security. Gartner recommends that to combat this new wave of attacks, email security solutions need to use a variety of more-advanced detection techniques, including, but not limited to, Natural Language Processing, Natural Language Understanding, and Social Graph Analysis. Gartner states, “ICES solutions go beyond simply blocking email by adding context-aware banners warning users. This means that the threshold for false positives can be higher and can also reinforce security awareness training. Often, a mechanism for reporting phishing is included, either as part of the email client or as another banner inserted into the email body.”
Microsoft + Tessian = Comprehensive security
This is where an intelligent cybersecurity solution like Tessian Cloud Email Security Platform comes into play, providing advanced email threat protection and insider risk protection on email. With Tessian, no mail exchange (MX) records need to be changed. Tessian can construct a historical user email pattern map of all email behavior in the organization. The algorithm can then detect and prevent threats that Microsoft or SEGs have failed to detect.
This dynamic protection improves with each threat that is prevented. Unlike the in-line static nature of SEGs, it ensures 24/7 real-time protection against all attack vectors, including insider threats. That is why the leading enterprises opt to displace their legacy SEG and augment Microsoft’s native security capabilities with Tessian. Gartner, Market Guide for Email Security, Ravisha Chugh, Peter Firstbrook, Franz Hinner, 13 February 2023 GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Attack Types, Threat Stories, Advanced Email Threats
Dozens of SVB and HSBC-themed URLs Registered
by Tessian Threat Engineering Group Wednesday, March 15th, 2023
As we explored 48 hours ago, the recent turbulence in the banking sector provided a potential opportunity for threat actors to launch attacks. So it comes as no surprise that we’re starting to see domains spun up for just such purposes. Tessian’s Threat Intel Team have been monitoring the situation as it unfolds, and found that multiple domains featuring both SVB and HSBC were registered. Malicious domains are being added to Tessian’s Unified Threat Feed to proactively protect our customers from future phishing attacks. What is interesting about this is that some are for legitimate, if a little unorthodox, activities like driving traffic, marketing and selling merchandise. It’s in this ‘fog of war’ that bad actors like to hide, and clearly some have been registered with attacks in mind. So let’s look at those first. Siiiconvalleybank[.]com and siliconvalleybonk[.]com have clearly been set up to launch impersonation attacks, hoping people don’t notice those typos in the URLs. Other examples include myaccount-hsbc[.]com and thesiliconvalleybank[.]com. Meanwhile Svb-usdc[.]com and svb-usdc[.]net are both already set up to launch phishing attacks.
Google is already blocking these and alerts any visitors to that effect. Exploring beyond that warning reveals a ‘lookalike’ site offering a reward program and clicking ‘claim’ opens a QR code.
Fake URLs to drive traffic
Some of the newly registered URLs are also being used to drive traffic. hsbcinvestdirect.co[.]in uses the HSBC brand in order to gain more traffic for an Indian-based website with adult content. Meanwhile SVBlogin[.]com loads up the All Day Capital Partners website, offering to ‘help’ SVB customers. Many of the others are cybersquatting, no doubt hoping to sell on, while others are registered but don’t contain any content or redirect, as if waiting to see how things pan out. Perhaps one of the oddest is svbbankrun2023[.]com, which hosts a merchandise shop selling SVB-themed items.
Tessian Recommends: The following list should be used as a blocklist at your own risk, but we advise adding the newly registered domains on a watchlist for monitoring purposes. Here’s a full list of SVB and HSBC URLs we’ve documented so far.
Attack Types, Threat Stories, Advanced Email Threats
The Current SVB Banking Crisis Will Increase Cyberattacks, Here’s How to Prepare
by Tessian Threat Engineering Group Monday, March 13th, 2023
The recent banking turmoil involving Silicon Valley Bank and Signature Bank sent shockwaves through technology firms globally as they scrambled to transfer their capital, secure payroll, and pay their bills. However, this mass changeover in banking details is exactly the situation that breeds targeted cyberattacks. Although the swift intervention of The Federal Reserve, The Bank of England, HSBC and others helped calm the liquidity crisis, a cyber threat crisis is likely now brewing as threat actors spin up a host of impersonation attacks and campaigns. The Tessian Threat Intel Team has already seen dozens of SVB and HSBC-themed URLs registered, some of which are used to launch phishing campaigns. 
Money, distraction, urgency
Bad actors are driven by money. And there is a lot of money at play with this crisis. The streaming firm Roku indicated it has about $487 million in deposits at SVB. They are likely making changes now to diversify where they deposit this money and, accordingly, updating wiring instructions to reflect these new banking relationships. In their Q4 Risk Insights index, Corvus Insurance indicated 28% of all claims in Q4 2022 were due to fraudulent funds transfers. Threat actors relish the confusion and rapid changes that come with a crisis like this. The sheer number of updates to wiring instructions increases the chances that standard operating procedures around changing wiring instructions are ignored. Common operating procedures around changing wiring instructions might include (a) verifying the authenticity of each request by calling the person (using a known, existing phone number, not one provided in a new email), (b) implementing a call-back verification system for each vendor when any wiring instructions are changed, and (c) implementing dual control and multiple “eyes” on every wire change request. Tessian is already seeing genuine email traffic related to changing wiring instructions and expects to see advanced attacks leveraging this crisis soon. Finally, the scale of this crisis is huge and information about it is widespread. There are a large number of affected entities – Reuters published a list detailing not only the firms affected but their financial exposure – ensuring a target rich environment for the bad guys.
Fraudulent (and genuine) wire transfers The top 2 common attack vectors with fraudulent funds transfers are (1) impersonation attacks and (2) targeted phishing attacks. In an impersonation attack, the bad actor impersonates someone or some company that is known to the organization. They will typically do this by registering a new domain name that is largely similar to the targeted company’s domain. Tessian stopping a lookalike threat
In this example, the attacker registered a new domain name (salesciricle-receivables.com) which looks similar to salescircle.com. They are reaching out to the finance department at Acme to request a change in bank accounts for future payments. Sophisticated attackers will conduct research using publicly available information (10-K annual reports, LinkedIn blog posts, LinkedIn connections to the CFO or Accounts payable personnel, and any website mentions) to build a convincing approach.

A targeted phishing attack would use similar impersonation methods while attempting to gain access – either electronically with a username and password or via a socially engineered approach – to implement a fraudulent funds transfer. In the example below, the attacker is impersonating a known, trusted domain and attempting to gain access to an accounts payable employee.

[Image: Tessian stopping a potential phishing email]
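The lookalike registration described above (salesciricle-receivables.com against salescircle.com) can be caught with a simple sender-domain check. The following is an added example, not Tessian's detection logic: the vendor list, the affix word list, the thresholds and all function names are assumptions made for illustration.

```python
# Added example: flag sender domains that imitate a known vendor domain.
# KNOWN_VENDOR_DOMAINS and AFFIX_TOKENS are constructed; replace with local data.
KNOWN_VENDOR_DOMAINS = {"salescircle.com", "acme.example"}
AFFIX_TOKENS = {"receivables", "payments", "billing", "invoice", "invoices",
                "accounts", "finance", "remit", "ar", "ap"}


def registrable_label(domain):
    """Label left of the TLD ('salescircle' for 'mail.salescircle.com').
    Simplification: the last label is treated as the TLD (no public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def brand_candidates(label):
    """Strings inside the label that may carry the imitated brand: the whole
    label, and the label with finance-flavoured affix tokens stripped."""
    tokens = [t for t in label.split("-") if t]
    core = [t for t in tokens if t not in AFFIX_TOKENS]
    candidates = {label, "".join(tokens)}
    candidates.update(core)
    if core:
        candidates.add("-".join(core))
    return candidates


def classify_sender(sender_domain, known=KNOWN_VENDOR_DOMAINS, max_distance=2):
    """Return (verdict, matched_vendor_domain, distance)."""
    domain = sender_domain.lower().rstrip(".")
    for vendor in known:
        if domain == vendor or domain.endswith("." + vendor):
            return ("known", vendor, 0)
    label = registrable_label(domain)
    best = None
    for vendor in sorted(known):
        vendor_label = registrable_label(vendor)
        # Short brand names get a tighter threshold to limit false positives.
        limit = 1 if len(vendor_label) < 8 else max_distance
        for candidate in brand_candidates(label):
            dist = osa_distance(candidate, vendor_label)
            if dist <= limit and (best is None or dist < best[2]):
                best = ("lookalike", vendor, dist)
    return best or ("unknown", None, None)


if __name__ == "__main__":
    for sender in ("salescircle.com", "salesciricle-receivables.com",
                   "salescircle-payments.net", "example.org"):
        print(sender, classify_sender(sender))
```

A distance of 0 on a domain that is not on the vendor list (the brand reused under a new suffix or TLD) is reported as a lookalike too, since it is the same trick with a different disguise.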
Recommended next steps

Tessian’s Threat Engineering teams are monitoring our datasets closely for emergent threat signals and updating Tessian’s Global Threat Library and Behavioral Intelligence Model in response. Our existing Defender customers will automatically benefit from this protection. In addition, we are recommending the following steps to further protect our existing customers:

  • Deployment hygiene: review your deployment coverage to ensure Defender’s protection is configured to apply to all mailboxes on all devices. Schedule a deployment health-check.
  • Enable warnings for money requests: for additional protection, Defender Customers can leverage Defender’s Custom Protection to detect and warn users when an email “requests money”.
  • Reinforce approval processes: work with your finance teams to revise and review your payment approval workflows, and consider adding an additional internal verification layer to account for the increased risk.
How Tessian stops wire fraud attacks

Built ready: The SVB crisis and other events like this are exactly the sort of thing Tessian was built to handle. Tessian covers fraudulent fund transfer attacks and other scenarios that are difficult to detect and that are often missed by legacy email security tools. Tessian is built to detect and prevent any variations of wire fraud attacks.

[Image: Tessian stops wire fraud attacks]
Spotting imposters: Tessian catches thread hijacking attempts by looking for subtle indications of domain spoofing and small changes in behavior that suggest the sender isn’t who they say they are.

Custom protection: All Tessian customers have access to an additional layer of protection that allows them to educate users at the point of receiving a suspicious email, including those involving fraudulent funds transfers. Defender’s Custom Protection gives organizations an additional layer of security by alerting users when an email triggers specified conditions. This provides further fine tuning around threats specific to your organization or specific groups within your organization.

[Image: How to configure Defender]
Proactive defense: As this situation evolves, Tessian’s Threat Engineering Team are closely monitoring incoming emails for new phishing tactics and upward trends in existing ones, continuously improving the breadth and accuracy of the protection we provide to our customers. Our threat intelligence team can also respond to new phishing campaigns in a matter of minutes by updating our global threat library, ensuring that all of our customers are protected against malicious sender domains and URLs.

Guidance: While we may see more basic attacks leveraging the SVB crisis initially, threat actors will quickly evolve in sophistication to take advantage of the sheer volume of wire changes occurring to better target organizations. Legacy email security tools that use rules and policies are more likely to miss these attacks or report large numbers of false positives. Tessian’s guidance to our customers and anyone else is to expect a significant uptick in volume and in quality (more convincing) attacks on your employees over the coming weeks and months.

See Defender in action (video) or request a free trial of Tessian to start detecting wire fraud attacks today.
Beyond the SEG / Microsoft + Tessian, Advanced Email Threats
Why You Should Download the Microsoft 365 + Tessian Guide
by Bob Boyle Thursday, March 9th, 2023
With Business Email Compromise (BEC) attacks remaining the number one cybercrime in 2022, and 82% of data breaches involving humans – email continues to be the largest threat vector for any organization. The effectiveness of legacy gateway solutions like Proofpoint, Ironport, and Mimecast has come under scrutiny as organizations look to solve new security concerns in a cloud-first world. Organizations that have already begun adopting cloud-hosted productivity suites, like Microsoft 365, are finding an overlap in their native-security capabilities, which legacy email security solutions have traditionally addressed.

Microsoft has made significant strides in improving the native-security features built into their different licensing models. This allows security leaders to reduce cost and complexity within their security stack, as the email security capabilities offered by Microsoft 365 mirror those of a Secure Email Gateway (SEG):

  • Traditional Email Security
  • URL & Attachment Protection
  • Manual Investigation & Response
  • Rule-Based DLP Policies

These overlapping capabilities have given security leaders a good enough option to move beyond legacy SEGs, but understanding what is included within each Microsoft licensing model is key to effectively securing an organization’s email environment. Microsoft offers various packaging bundles and add-ons, allowing flexibility for security leaders to maintain the same level of protection offered by their legacy gateway solutions.
[Image: Microsoft 365 Tessian Guide]

Is good enough really good enough?

The global shift to a remote workforce has also opened up new threat vectors and emerging attack types that security leaders are still struggling to prevent. Round-the-clock access to sensitive data has increased the human risk of malicious, negligent, and accidental data loss. Attackers are leveraging social engineering to trick end-users by abusing trusted relationships. Relying solely on traditional detection methods to defend against advanced attacks and rule-based policies to protect against insider risk is leaving organizations more vulnerable than ever before.

A more intelligent approach is needed. Organizations can continue to rely on traditional detection methods to filter out bulk phishing and spam, but simply put, scanning for malicious signatures based on known threat intelligence doesn’t stop the advanced threats that security leaders face today.
There is, however, a solution. The advanced detection capabilities of an Integrated Cloud Email Security (ICES) solution close the gaps where legacy, rule-based detection or current Microsoft tools fall short. ICES solutions employ advanced machine learning to map an organization’s typical email behavior and detect unusual communication patterns, providing a more accurate defence against BEC attacks. In addition, ICES solutions can warn end-users of potential misdirected emails or instances of sensitive data loss.
In this Solution Guide, we discuss the decline of legacy gateway solutions, how to reduce cost & complexity by migrating to Microsoft 365, and what email security capabilities are available in each Microsoft licensing package. In the end, readers will understand how Tessian + Microsoft 365 enables the most complete Integrated Cloud Email Security platform.
Insider Risks
Taking a Modern Approach to Insider Risk Protection on Email
by Seema Shah Thursday, March 9th, 2023
Businesses have found themselves in a world where data is a form of currency. Their biggest successes rely on leveraging and exchanging vast volumes of data such as company IP, customer PII data, payment information, or confidential business intel. In nearly every case, this is sensitive data. While businesses would not thrive without data, they would also not run without their people. People and data working in harmony, enabled by technology, and driven by processes are the key ingredients for what powers a business.

The increasingly interconnected nature of the global business network demands a universally accepted and standardized method of communication. Unsurprisingly, this is email by default, making it the most utilized channel for sending and receiving sensitive data, with nearly 350 billion emails sent daily.

But as Spiderman’s Aunt May said, with great power comes great responsibility. As much as data can serve as a competitive advantage, it can also be the cause of the downfall of a business. The average cost of a data breach in 2022 stands at $4.35 million according to IBM Security’s “The Cost of a Data Breach Report”.

Rules don’t work

Preventing breaches is paramount, but it’s only possible to truly secure the data by understanding the people. And it isn’t possible to understand people with static, stagnant rules and a one-size-fits-all, rigid approach because everyone is different. People work in many roles and functions, interacting with varying types of sensitive data in their own way. Subsequently, the rise of remote working and migration to the cloud has allowed people to work “in their own way” more than ever before.

Everyone has a unique behavior on email, from the way different individuals address their recipients to the distinct set of initiatives they are working on and the typical associated stakeholders and data of each of those.
So it follows that today, one of the biggest challenges of protecting data on email is insider risk, whereby an employee accidentally, negligently, or maliciously leaks sensitive data.

Why we’ve published this guide

With current DLP solutions, you would have to configure endless rules to account for the countless different email behaviors unique to each employee to address the majority of data loss events arising from insider risks such as misdirected emails, mis-attached files, and data exfiltration.

The issue of insider risk and data loss on email requires a tailored approach to every employee’s unique, risky behaviors on email, driven by a deep understanding of their normal behavior to identify anomalies, mistakes, and malicious actions effectively.

Insider risk can cause real harm to your business. What’s more, many security leaders are unaware how many incidents actually happen, as many are unreported. Tessian has created a guide for addressing the problem of insider risk on email, covering what you need to know about today’s threats and what it takes to solve the problem. Download our guide to find out how.
Engineering Blog, Life at Tessian
Our VP of Engineering on Tessian’s Mission and His First 90 Days in the Role
by Gün Akkor Wednesday, March 8th, 2023
After many years working to secure the networks, computers, applications and connected devices that power our world, I joined Tessian a little over 90 days ago to help them in their journey to eliminate human-influenced cyber attacks, accidents, and insider threats from the enterprise.

So why Tessian and why now?

Targeted email attacks such as business email compromise (BEC), spear phishing, account takeover, and ransomware continue to be the number one and most damaging human-influenced cyber threats to businesses.

As businesses move to cloud-based email services like Microsoft 365 and Google Workspace, they are looking for email security solutions that can be combined with the capabilities of these platforms. A new market space – Integrated Cloud Email Security (ICES) – is emerging to fill this need.
I believe the evolution of ICES will follow a pattern similar to that of the emergence of Endpoint Detection and Response (EDR) in endpoint protection space, and Cyber Asset Attack Surface Management (CAASM) in asset management space: legacy solutions pivoting into the new market and forward-thinking new companies looking to disrupt the status quo.

Tessian has the forward thinking necessary to become one of the visionaries in this space. I am excited to join Tessian to help accelerate their execution to become the leader. The journey is just starting to be interesting! Moreover, Tessian is not playing a “finite game” (good news for you Simon Sinek fans!). Our vision is to secure the human layer. This vision is beyond just email security, and one that I can get behind.

Just like physical security, cybersecurity has been taking an adversarial approach to protecting the networks and computers humans engage in the course of doing day-to-day business. Over the past several decades we have built solutions that protect network perimeters and detect and respond to anomalies in machines running applications and software.

Today, employees in an organization use multiple interfaces (email, messaging, shared drives, and documents) to access and work with (sensitive) data. Many solutions put rules and boundaries around such interactions without learning from and adapting to the changing nature of them; they are not only insufficient but also restrictive.

Tessian aspires to protect every business’ mission while empowering their people to do their best work. This is not an end goal but a shared purpose. Lastly, no company aspiring to secure the human layer could be true to itself if it wasn’t human-first and customer-centric. These are part of Tessian’s core values, and I look forward to building a company that exemplifies these values every day and learns from the industry experts, our partners, and of course our customers. It has been a whirlwind 90 days so far!
If you are interested in knowing more about Tessian, or would like to work with us, or you are an expert with an idea to pitch, reach out to me. I would be happy to hear from you, and our open roles are here.
Compliance, Advanced Email Threats
Will Australia’s Tougher Cyber Regulation Force Firms to Upgrade Their Security?
by Andrew Webb Friday, March 3rd, 2023
2023 saw several shifts around the world in data privacy laws. But by far the biggest is the news that the Australian authorities have increased penalties for data breaches following a spate of major cyberattacks.

Australian firms are facing a hacking ‘pile on’ as threat actors find relatively few sophisticated defenses and an undersized and overstretched cybersecurity workforce to stop them. The Australian cybersecurity minister, Clare O’Neil, has warned of a new world “under relentless cyber-attack” as Australia’s security agencies scramble to stop the latest ransomware attacks.

This is exacerbated by a country-wide lack of skilled security professionals across all disciplines which, according to the latest research, is nearing crisis levels. Finally, Australia isn’t immune to global pressures like the post-pandemic shift to remote working which has only increased the attack surface.
Previous attempts to address the issue

It’s not like the Australian Government has been sitting on its thumbs over the issue. In 2016, the government released its first Cyber Security Strategy, which included investments in cybersecurity research and development, increased collaboration between government and industry, and the establishment of the Australian Cyber Security Centre (ACSC).

The ACSC is a key element of Australia’s cybersecurity infrastructure and provides a range of services to government agencies and businesses, including threat intelligence, incident response, and advice on cybersecurity best practices. The ACSC also works with international partners to share information and collaborate on cybersecurity initiatives.

The Australian government has also introduced legislation aimed at improving cybersecurity. The Security of Critical Infrastructure Act 2018 requires owners and operators of critical infrastructure to report cyber incidents to the government, while the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 provides law enforcement agencies with greater powers to access encrypted communications.
Australian privacy breach fines just got a whole lot bigger

The new bill aims to increase fines from a current maximum of AU$ 2.22 million (USD$ 1.4m) to whichever of the following is greater: AU$50 million (USD$ 34m), three times the value of any benefit obtained through the misuse of information, or 30% of a company’s adjusted turnover in the relevant period.

That’s a significant increase on the old fine and dwarfs IBM’s average total cost of a data breach which stood at USD$4.35 million in 2022. It is even bigger than the estimated $25m and $35m fallout costs of the attack on Australian healthcare provider, Medibank. Further damage was done as Medibank’s value fell by AU$1.6 billion in just a single week after the breach.
Australia’s cyber future

Another key trend that will shape the future of cybersecurity in Australia is the increasing use of cloud computing. Many businesses are moving their data and applications to the cloud, which can provide cost savings and greater flexibility. However, cloud computing also introduces new cybersecurity challenges, such as the need to secure data stored in multiple locations and the risk of third-party data breaches.

As mentioned above, the shortage of skilled cybersecurity professionals is also likely to remain a challenge in the future. The Australian Cyber Security Centre’s 2020 Cyber Security Survey found that 88% of surveyed businesses had difficulty recruiting cybersecurity professionals. To address this shortage, the Government and industry need to work together to provide training and education opportunities for cybersecurity professionals.

Looking further ahead, the Government recently launched the 2023-2030 Australian Cyber Security Strategy Discussion Paper, seeking the views and opinions of interested parties and experts (the option to contribute closes April 15 2023). The aim is to assemble an offensive cyber team to become the world’s “most cyber-secure country” by the end of the decade. That’s going to take a while.

In the meantime, Australian firms, or global enterprises that have data there, are left with the threat of large, potentially ‘business ending’ fines. Interestingly, the ‘breach turnover period’ stands at 12 months or the duration of the contravention, whichever is longer. For longer-term systemic breaches by larger organizations, this framework could lead to maximum penalties significantly higher than the A$50 million figure. Indeed some commentators are asking if 2023 will see the first AU$1 billion data privacy fine. All this raises the question about the effectiveness of state sanctions on companies who fall foul of cyber regulations.
But will, as the Australian authorities hope, bigger fines lead to companies upgrading their security stance and ultimately fewer breaches? We’ll have to wait and see. But with email the biggest attack vector, Australia-based organizations should give serious thought to adopting an Integrated Cloud Email Security solution, and quickly. 
Life at Tessian
A decade in the making, but the best is yet to come.
by Tim Sadler Tuesday, February 28th, 2023
January 2023 was a special month for us here at Tessian. We celebrated our 10th birthday and we also brought together over 200 Tessians in person for the first time ever for our company kick-off (CKO) in London. It was a humbling moment and a great reminder of how far we’ve come from the days of building Tessian v1 in our first HQ (which was also our living room) and cold emailing thousands of people a week trying to get anyone to take a meeting with us.

With a more distributed team than we’ve ever had before, we thought it was really important to get everyone together in person to celebrate the wins of the past year and set the course for our ambitious 2023 plans. You can see a video reel of the event above, but I wanted to share three of my highlights.

  • Sharing the journey with an incredible team. It’s said so often that it’s almost cliche but when building a startup, you live and die by the strength of your team. Having everyone all together for the first time since 2019 was a reminder of the incredible passion, talent and shared sense of mission that we all have at Tessian.
  • Appreciating the scale of what you’ve built. When you’ve been building for 10 years, it’s easy to lose track of the progress you’ve made over time. This hit home when we reflected on preventing hundreds of thousands of data breaches and security threats and, on our busiest days, processing more than 1,400 transactions per second for our customers.
  • Hearing your customers tell you the impact you’re having for them. We invited several Tessian customers from the US and UK to share their stories and experiences with our team. Maurice Tunney (Director of Technology & Innovation at Keystone Law) became a Tessian customer just over a year ago and in that time Tessian has stopped 33 account takeover attacks, any one of which, in Maurice’s words, “could have shut the business down”.
Having customers who care so much about your product that they take time out of their schedule to join your company kick-off and share why you’re such a critical part of their security technology stack is an incredible reminder of the impact our technology is having and the importance of our mission. Tessian may be a decade in the making, but the best is yet to come and we have an exhilarating year ahead. If you’re interested in joining our mission and being there for next year’s CKO, please check out our open roles here.
Beyond the SEG / Microsoft + Tessian, Advanced Email Threats
Tessian in Action: Account Takeover & SharePoint File Share Attack
by Tessian Threat Engineering Group Wednesday, February 22nd, 2023
Recently, Tessian Defender detected and prevented an emergent threat across a large number of our legal and financial customers. Here’s how it happened…

This external Account Take Over (ATO) campaign contained over 500 malicious emails that evaded Microsoft’s and customers’ secure email gateway (SEG) controls. Subsequently, it went on to reach 20 of our customers’ inboxes.

An ATO often occurs when a user accidentally shares their credentials with a threat actor allowing them full access to their email account. Because a legitimate account was compromised, this ATO attack was sent from a trusted email address, with the correct domain, meaning it would have been almost impossible for an end user to identify it as malicious.

What’s more, the email content was a legitimate Microsoft SharePoint file sharing email pointing to a OneNote file in SharePoint. The hosted file pointed to a malicious website used to harvest user credentials.

Here’s a screenshot of the SharePoint email (the name, file and entities have been anonymized).
Why did the SEGs not detect this threat?

There are two main reasons why a traditional SEG didn’t stop this attack.

Firstly, external ATOs are extremely difficult to detect because the phishing email is sent from a legitimate account; it’s just a bad actor operating the account. This means all email authentication methods such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) will pass.

Secondly, the email pointed to a legitimate SharePoint URL which, at the time of delivery, was not present on URL Threat Feeds. SEG detection relies heavily on signature-based threat intelligence feeds. But for new and emerging threats, when the URL has not been seen before, there is no signature to detect, so the only option they have is to deliver the email.
How did Tessian Defender detect this threat?

Tessian Defender’s behavioral intelligence models identified two clear anomalous signals to predict this ATO attack.

Firstly, Unusual Sender Behavior. A large number of emails (~500) were sent from the compromised account, to many disconnected users on the Tessian network, in a short period of time. Successfully compromising an account is a rare event for an attacker, therefore the attacker will likely send many emails from the compromised account to trusted contacts in the account’s address book, as quickly as possible, before being discovered and before the credentials are changed.

Secondly, Unusual File Sharing Service Used. As mentioned above, Microsoft SharePoint was leveraged in this attack. There is nothing unusual or suspicious about SharePoint, however because Tessian Defender’s behavioral models have a deep understanding of every relationship in our customer’s accounts, they were able to identify that the sender of this email had never used the SharePoint service in previous interactions.

Depending on the specific customer configuration, Tessian Defender either hard-quarantined this email or displayed the following warning message to end users:
This email was confirmed to be malicious by end users and security analysts across our customer base – reinforcing and strengthening the Tessian Global Threat Network, and nullifying this emergent threat.

Account takeover attacks are becoming an increasingly common category of threat – driven by their ability to evade existing Microsoft and secure email gateway controls. Consequently, there is a strong likelihood of an end user being tricked into trusting the legitimacy of the email. Once inside, a threat actor can deploy ransomware, instigate fraudulent fund attacks, and continue to move laterally through a customer by compromising higher target accounts.
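The two signals named above (a burst of mail from one account to many unrelated recipients, and a file sharing service that sender has never used before) can be expressed over ordinary mail-flow logs. This is an added example, not Tessian Defender's model: the log tuples are constructed, and the 10-minute window, the fan-out threshold of 5 recipient domains and the use of distinct recipient domains as a stand-in for "disconnected users" are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Host suffix -> service name (assumed short list; extend for your environment).
FILE_SHARE_SUFFIXES = {"sharepoint.com": "sharepoint",
                       "dropbox.com": "dropbox",
                       "drive.google.com": "gdrive"}

# Constructed sample logs: (ISO timestamp, sender, recipient, link host or None).
HISTORY = [
    ("2023-02-01T09:00:00", "alice@lawfirm.example", "bob@client-a.example", "www.dropbox.com"),
    ("2023-02-03T14:00:00", "carol@vendor.example", "erin@client-b.example", "vendor.sharepoint.com"),
]
LIVE = (
    # alice's account suddenly mails six unrelated organisations a SharePoint link
    [(f"2023-02-20T10:0{i}:00", "alice@lawfirm.example", f"user@org{i}.example",
      "tenant.sharepoint.com") for i in range(6)]
    # carol shares via SharePoint as she always has
    + [("2023-02-20T10:01:30", "carol@vendor.example", "erin@client-b.example",
        "vendor.sharepoint.com")]
    # a bulk sender with high fan-out but no file sharing link
    + [(f"2023-02-20T11:0{i}:00", "news@retailer.example", f"user@org{i}.example", None)
       for i in range(6)]
)


def share_service(host):
    """Map a link host to a file sharing service name, or None."""
    if not host:
        return None
    host = host.lower()
    for suffix, name in FILE_SHARE_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def build_baseline(history):
    """Per sender, the set of file sharing services seen in past mail."""
    services = defaultdict(set)
    for _ts, sender, _rcpt, host in history:
        svc = share_service(host)
        if svc:
            services[sender].add(svc)
    return services


def detect_ato(history, live, window=timedelta(minutes=10), fanout=5):
    """Return (timestamp, sender, recipient) for messages where both signals fire."""
    services = build_baseline(history)
    recent = defaultdict(deque)          # sender -> (time, recipient domain) in window
    alerts = []
    for ts, sender, rcpt, host in sorted(live, key=lambda e: e[0]):
        now = datetime.fromisoformat(ts)
        queue = recent[sender]
        queue.append((now, rcpt.rsplit("@", 1)[-1].lower()))
        while queue and now - queue[0][0] > window:
            queue.popleft()
        signals = set()
        if len({domain for _, domain in queue}) >= fanout:
            signals.add("unusual_sender_behavior")
        svc = share_service(host)
        if svc and svc not in services[sender]:
            signals.add("unusual_file_sharing_service")
        if len(signals) == 2:
            alerts.append((ts, sender, rcpt))
    return alerts


if __name__ == "__main__":
    for alert in detect_ato(HISTORY, LIVE):
        print("possible ATO:", alert)
```

The first four messages of the burst are delivered before the fan-out threshold trips, so a real deployment would also pull back earlier messages from the same sender inside the window once an alert fires.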