Cybersecurity News – Malicious OAuth Hijack, University Email Update, American Airlines Breach

Email is the most common entry point for cybercriminals looking to infiltrate an organization’s network and obtain valuable data. As attacks grow more sophisticated, standard email security controls alone are no longer sufficient. Read about the latest email security news and see why you need to invest in better email security practices.

Microsoft: Hackers Use Malicious OAuth Apps and Take Over Email Servers

Microsoft warned of a spam campaign aimed at consumers in which attackers deployed rogue OAuth applications inside compromised cloud tenants. Their main aim was to take control of the tenants’ Exchange servers and use them to send spam.

According to the Microsoft 365 Defender Research Team, the attackers ran credential-stuffing campaigns against high-risk accounts that lacked multi-factor authentication (MFA). Administrator accounts without MFA served as the initial access points.

  • Unauthorized access to the cloud tenant let the adversary register malicious OAuth applications and grant them elevated permissions.
  • Using the application, the attacker then modified the tenant’s Exchange settings so that inbound email from a specific IP address was accepted and routed through the compromised email server.
  • With those Exchange changes in place, the threat actors achieved their primary goal: sending spam. The spam took the form of deceptive sweepstakes schemes designed to trick recipients into signing up for recurring paid subscriptions.
  • The emails asked victims to click a link to receive a prize. The link led to a landing page that asked for credit card details to pay a small shipping fee for the reward.

The threat actor also took steps to evade detection and keep operating for extended periods: the malicious OAuth applications were reused weeks and months after they were set up, and the Exchange settings changes were deleted after every spam campaign, leaving the application itself in place for the next one.
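The chain above (an application granted Exchange-level rights, then new inbound connectors and transport rules, then those changes removed) leaves a trail in the Microsoft 365 audit log. The following is an added example written for this article, not Microsoft’s code or anything from the reported campaign: it correlates constructed audit records by the application that received the grant and reports how long the app waited before acting and whether it cleaned up. The flattened record shape, the account and application names, and the IP addresses are assumptions; the operation names are the ones the Unified Audit Log uses.

```python
"""Hunt for the rogue OAuth app -> Exchange mail-flow change chain described above.

Added example for this article; not code from Microsoft or from the campaign.
Records are constructed, and their shape (time, actor, operation, target, detail)
is an assumed flattening of Microsoft 365 Unified Audit Log entries.
"""
from datetime import datetime

# Operation names as the Unified Audit Log records them.
GRANT_OPS = {"Add app role assignment to service principal.", "Add member to role."}
MAIL_FLOW_OPS = {"New-InboundConnector", "Set-InboundConnector", "New-TransportRule"}
CLEANUP_OPS = {"Remove-InboundConnector", "Remove-TransportRule"}
# Grants that let an application administer Exchange Online with no signed-in user.
HIGH_RISK_GRANTS = {"Exchange.ManageAsApp", "Global Administrator", "Exchange Administrator"}

SAMPLE_LOG = [  # constructed records: (time, actor, operation, target, detail)
    ("2022-09-01T02:10:00Z", "admin@contoso.example", "Add service principal.", "app-1", ""),
    ("2022-09-01T02:11:00Z", "admin@contoso.example",
     "Add app role assignment to service principal.", "app-1", "Exchange.ManageAsApp"),
    ("2022-09-02T10:00:00Z", "it@contoso.example", "Add service principal.", "app-2", ""),
    ("2022-09-02T10:01:00Z", "it@contoso.example",
     "Add app role assignment to service principal.", "app-2", "User.Read"),
    ("2022-09-03T09:30:00Z", "it@contoso.example", "New-InboundConnector", "Partner-MX",
     "SenderIPAddresses=203.0.113.10"),
    # Two weeks later the app itself, not a person, opens a relay and disables filtering.
    ("2022-09-15T23:02:00Z", "app-1", "New-InboundConnector", "Inbound-Relay",
     "SenderIPAddresses=198.51.100.7"),
    ("2022-09-15T23:03:00Z", "app-1", "New-TransportRule", "Allow-Relay", "SetSCL=-1"),
    # ... and removes the evidence once the spam run is over.
    ("2022-09-16T06:40:00Z", "app-1", "Remove-InboundConnector", "Inbound-Relay", ""),
    ("2022-09-16T06:41:00Z", "app-1", "Remove-TransportRule", "Allow-Relay", ""),
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def hunt(records):
    """Return one finding per application that received a high-risk grant and
    then itself changed Exchange mail flow, noting whether it cleaned up after."""
    grants = {}  # app -> (granted_at, granted_by, grant); keep the earliest grant
    for stamp, actor, op, target, detail in sorted(records, key=lambda r: r[0]):
        if op in GRANT_OPS and detail in HIGH_RISK_GRANTS and target not in grants:
            grants[target] = (parse_time(stamp), actor, detail)

    findings = []
    for app, (granted_at, granted_by, grant) in grants.items():
        changes = [(parse_time(s), op, target, detail)
                   for s, actor, op, target, detail in records
                   if actor == app and op in MAIL_FLOW_OPS and parse_time(s) >= granted_at]
        if not changes:
            continue
        removed = {target for _, actor, op, target, _ in records
                   if actor == app and op in CLEANUP_OPS}
        changed = {target for _, _, target, _ in changes}
        first_change = min(t for t, _, _, _ in changes)
        findings.append({
            "app": app,
            "granted_by": granted_by,
            "grant": grant,
            "dwell_days": (first_change - granted_at).days,
            "mail_flow_changes": [f"{op} {target} {detail}".strip()
                                  for _, op, target, detail in sorted(changes)],
            "cleaned_up": changed <= removed,  # every change later removed by the app
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Only app-1 is reported: app-2 received a low-risk grant, and the Partner-MX connector was created by a human administrator, which this hunt deliberately ignores. The dwell time of two weeks and the cleanup flag are the two signals worth alerting on, since they are exactly the evasion behaviour described above.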

University Mail Exchange Systems Hosted On Microsoft: Update Your Authentication Method If Your Email Application Uses Only Basic Authentication

As part of its continuing efforts to reduce the risk of cybercrime, Microsoft began blocking applications that use only Basic Authentication from connecting to the University’s Exchange Online mail system on Saturday, October 1. The affected applications include:

  • Versions of Outlook for Mac and Windows older than Outlook 2016.
  • Older versions of mail applications on iOS and Android devices.
  • Services and applications that connect to Exchange Web Services (EWS) with Basic Authentication.

Why did Microsoft decide to block applications that only use basic authentication methods?

An application using Basic Authentication stores your username and password on the device and resends them, encoded but not encrypted inside each request, every time it connects to Microsoft Exchange Online. Because the password itself travels with every request, anyone who captures or guesses it can reuse it, and multi-factor authentication cannot be enforced on the connection. According to Microsoft, this storage, reuse, and resending of credentials leaves organizations more exposed to cybercrime than modern authentication methods do.

Applications that support modern authentication (OAuth 2.0 based) provide stronger security by letting organizations apply a layered approach that includes multi-factor authentication methods such as one-time passcodes, and by presenting short-lived tokens to the mail service instead of the password itself.
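Before a block like this lands, an administrator wants to know which accounts still sign in with Basic Authentication. The script below is an added example for this article, not Microsoft’s or the University’s tooling. It summarizes constructed Azure AD sign-in records by user and legacy protocol, counting failed attempts as well as successes because a forgotten service account spraying a stale password is still a Basic Authentication client. The record fields and the legacy client-app values are assumptions modelled on the sign-in log and Microsoft’s legacy-authentication filter and should be checked against a real export.

```python
"""Inventory sign-ins that still rely on Basic Authentication before the block lands.

Added example for this article, not code from Microsoft or the University.  The
records are constructed; their fields mirror the Azure AD sign-in log
(userPrincipalName, clientAppUsed, appDisplayName, createdDateTime,
status.errorCode), which is an assumption to verify against a real export.
"""

# "Client app" values the Azure AD sign-in log uses for legacy (Basic Auth)
# protocols.  Subset shown; extend it from Microsoft's legacy-authentication list.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Exchange Web Services", "IMAP4", "POP3",
    "Authenticated SMTP", "Outlook Anywhere (RPC over HTTP)", "Other clients",
}

SAMPLE_SIGNINS = [  # constructed records
    {"userPrincipalName": "alice@uni.example", "clientAppUsed": "IMAP4",
     "appDisplayName": "Office 365 Exchange Online",
     "createdDateTime": "2022-09-20T08:12:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@uni.example", "clientAppUsed": "Browser",
     "appDisplayName": "Outlook Web App",
     "createdDateTime": "2022-09-21T09:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@uni.example", "clientAppUsed": "Exchange ActiveSync",
     "appDisplayName": "Office 365 Exchange Online",
     "createdDateTime": "2022-09-22T07:45:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@uni.example", "clientAppUsed": "Mobile Apps and Desktop clients",
     "appDisplayName": "Microsoft Outlook",
     "createdDateTime": "2022-09-22T12:30:00Z", "status": {"errorCode": 0}},
    # A scanner relaying mail over SMTP AUTH with a stale password: the attempt
    # fails, but it is still a Basic Authentication client that needs fixing.
    {"userPrincipalName": "svc-scanner@uni.example", "clientAppUsed": "Authenticated SMTP",
     "appDisplayName": "Office 365 Exchange Online",
     "createdDateTime": "2022-09-23T03:05:00Z", "status": {"errorCode": 50126}},
]


def legacy_auth_inventory(signins):
    """Map each user who used a legacy protocol to the protocols seen, the
    number of attempts and successes, and the most recent attempt."""
    report = {}
    for s in signins:
        if s["clientAppUsed"] not in LEGACY_CLIENT_APPS:
            continue  # modern-auth sign-ins (Browser, Mobile Apps and Desktop clients) are fine
        entry = report.setdefault(s["userPrincipalName"], {
            "protocols": set(), "attempts": 0, "successes": 0, "last_seen": ""})
        entry["protocols"].add(s["clientAppUsed"])
        entry["attempts"] += 1
        if s["status"]["errorCode"] == 0:
            entry["successes"] += 1
        # Same-format ISO 8601 timestamps sort correctly as strings.
        entry["last_seen"] = max(entry["last_seen"], s["createdDateTime"])
    for entry in report.values():
        entry["protocols"] = sorted(entry["protocols"])
    return report


if __name__ == "__main__":
    for user, entry in sorted(legacy_auth_inventory(SAMPLE_SIGNINS).items()):
        print(f"{user}: {', '.join(entry['protocols'])} "
              f"({entry['successes']}/{entry['attempts']} succeeded, last {entry['last_seen']})")
```

Alice appears because of her IMAP client even though she also uses the web app; Carol, who only uses a modern-auth Outlook, does not. Each user in the report is someone to contact, or a service account to re-point, before October 1.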

American Airlines Suffers a Breach, Customer and Staff Information Exposed

American Airlines became the latest big-name brand to announce a data breach in recent days, after a malicious actor compromised employee inboxes.

The airline confirmed that a phishing attack was the source of the incident, which “led to an unauthorized access of few team-member mailboxes.” It added that the compromised mailboxes held the personal information of only a small number of employees and customers, and its statement gives no indication that the attackers moved beyond those mailboxes into corporate data stores.

The breach notification American Airlines sent to customers noted that the incident occurred in July this year. Security teams immediately secured the affected email accounts after discovering the incident and engaged a third-party cybersecurity forensics firm to investigate its nature and scope. The investigation determined that the accounts contained personal information of employees and customers; after a full eDiscovery exercise, the team confirmed that the accessed emails held personal information for a small number of customers.

However, American Airlines says there is no evidence that the attackers misused any personal information. The notification also describes the incident in detail and lists the protective measures customers can take. The information that may have been accessed includes names, mailing and email addresses, dates of birth, phone numbers, medical information, driver’s license numbers, and passport numbers.

The airline offered affected customers two years of identity theft protection from Experian. It is not the first time American Airlines has been put on the back foot by threat actors.

Fall 2022: Expect BIMI in All Apple Inboxes

Apple recently joined the growing list of email providers implementing BIMI (Brand Indicators for Message Identification), an industry effort that lets inboxes such as Apple Mail display brand logos next to authenticated email in a secure, standardized way and at scale.

BIMI offers a secure, uniform framework that lets email inboxes worldwide show sender-designated logos beside authenticated messages, and it includes protections that prevent cybercriminals from fraudulently impersonating senders. For instance, a bank can use BIMI to display its logo beside authenticated messages sent from its domain, giving it control over which image appears across multiple email clients and providing both brand exposure and protection against spoofing.

When it comes to desktop client market share, Apple takes a large slice of the pie. At 58.4%, an estimated 850 million Apple email users will get an enhanced email experience from Apple’s commitment to BIMI. Apple Mail will display a BIMI logo only if both the email and the logo pass authentication. Specifically, the message must be authenticated under DMARC (Domain-based Message Authentication, Reporting and Conformance) with the domain’s policy set to enforcement (reject or quarantine), and the logo must be validated through a VMC (Verified Mark Certificate) that proves its authenticity and the sending domain’s right to use it.
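A sender can check those two requirements against its own DNS before expecting a logo to appear. Below is an added example for this article, not Apple’s or any BIMI vendor’s code: it parses constructed DMARC and BIMI TXT records and lists the reasons a receiver would withhold the logo. The record locations (_dmarc.<domain> and default._bimi.<domain>), the requirement that a quarantine policy apply at pct=100 and that the subdomain policy also be enforcement, and the SVG file-extension check come from BIMI publishers’ guidance rather than from the article, and the domain names are made up.

```python
"""Check whether a domain's DNS records meet the BIMI bar described above.

Added example for this article; not Apple's or any BIMI vendor's code.  The
records are constructed strings; a real check would read the TXT records at
_dmarc.<domain> and default._bimi.<domain> (selector "default" is an assumption).
"""


def parse_tags(record):
    """Parse a 'tag=value; tag=value' DNS TXT record into a dict (tag names lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def bimi_problems(dmarc_txt, bimi_txt):
    """Return the reasons a receiver such as Apple Mail would not show the logo.
    An empty list means the domain passes every check made here."""
    problems = []
    d = parse_tags(dmarc_txt)
    if d.get("v") != "DMARC1":
        problems.append("no valid DMARC record")
        return problems
    policy = d.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"DMARC policy p={policy} is not enforcement (quarantine or reject)")
    # BIMI publishers' guidance beyond what the article states: quarantine only
    # counts when it applies to all mail, and subdomains must be enforced too.
    if policy == "quarantine" and d.get("pct", "100") != "100":
        problems.append(f"DMARC quarantine applies to only pct={d['pct']}% of mail")
    if d.get("sp", policy).lower() == "none":
        problems.append("DMARC subdomain policy sp=none leaves subdomains spoofable")

    b = parse_tags(bimi_txt)
    if b.get("v") != "BIMI1":
        problems.append("no valid BIMI record")
        return problems
    logo = b.get("l", "")
    if not logo.startswith("https://") or not logo.lower().endswith(".svg"):
        problems.append("BIMI l= must be an https URL to an SVG logo")
    if not b.get("a", "").startswith("https://"):
        problems.append("no VMC (a= tag); Apple Mail requires one")
    return problems


# Constructed cases: the bank from the example above, done right and done wrong.
CASES = {
    "ready": ("v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
              "v=BIMI1; l=https://bank.example/brand/logo.svg; a=https://bank.example/brand/vmc.pem"),
    "monitor-only": ("v=DMARC1; p=none; rua=mailto:dmarc@bank.example",
                     "v=BIMI1; l=https://bank.example/brand/logo.svg; a=https://bank.example/brand/vmc.pem"),
    "partial-quarantine": ("v=DMARC1; p=quarantine; pct=50",
                           "v=BIMI1; l=https://bank.example/brand/logo.svg; a=https://bank.example/brand/vmc.pem"),
    "no-vmc": ("v=DMARC1; p=reject", "v=BIMI1; l=https://bank.example/brand/logo.svg"),
}

if __name__ == "__main__":
    for name, (dmarc, bimi) in CASES.items():
        print(name, "->", bimi_problems(dmarc, bimi) or "logo eligible")
```

The monitor-only case is the one most organizations are in when they first add a BIMI record: the logo record is fine, but a p=none policy means the domain is not at enforcement, so no logo appears until the policy is tightened.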

Final Words

Email security is not just a matter of installing a security application and expecting it to stop every attack automatically. It demands a comprehensive strategy that adapts to the organization’s situation and needs. Ultimately, protecting the enterprise from email-based threats is a collaboration across all levels, from the CEO to the rank and file. For IT security professionals, it is crucial that security solutions are updated regularly and configured properly.
