Most users know not to open an encrypted .zip, Excel, or Word attachment when the password is sent in the same email. The bad guys used this technique to keep antivirus programs from catching malicious attachments. They kept doing it when sending phishing emails when email filters started to look for known phishing sites and those that were likely compromised.
Fortunately, most targets don't fall for that scam anymore, so what's a bad guy to do?
Last summer, we notified our clients about new attacks that were exploiting vulnerable and unmonitored Sharepoint, Dropbox, and Google Drive sites. These attacks typically abused reused passwords and unmonitored cloud services. In our phishing training simulations, about 75% of our clients fell for them the first time they were exposed to this sort of attack. They were successful because they came from known contacts using trusted services like Microsoft 365. However, they are a lot of work for the attackers, who have to break into a system, monitor for useful messages, and then imitate them. On top of all of this work, some comapanies wised up and started to secure their Microsoft 365 and Google Workspace accounts to prevent these altogether. Our managed security clients were protected from this sort of attack because they had location-based access restrictions, trusted computer restrictions, Multi-Factor Authentication, password management, active monitoring, and other controls in place.
This brings us to the next evolution in this sort of attack: encrypted email services.
Security requirements around the world, such as PIPA in Alberta and BC, PIPEDA in the rest of Canada, GDPR in Europe, and various health information standards have increased the popularity of encrypted email services. These allow businesses to include some sensitive information in emails without worrying about them being intercepted -- although we generally don't encourage them except when required for regulatory reasons because of their overall lack of true security when passwords aren't communicated through a separate method (such as on a piece of paper at a dentist's office or text message) or using encryption certificates that are difficult to deploy.
Despite their limited benefits to legitimate users, these services are great for the bad guys! Just like the old-fashioned encrypted emails, bad guys can now send links to phishing websites and ransomware through these services without firewalls or antivirus products catching them! For this reason, it's important to be especially cautious when receiving messages from encrypted email services. Make sure to mouseover any links and double-check with the sender through chat, phone, or SMS before clicking any links in the "encrypted" message.
In the video above, Tyson gives some examples of such encrypted email attacks and how to protect yourself.
CTO, Tilia Inc. (Financial Technology and Online Payments)
" ThreeShield has employed a dynamic, risk-based approach to information security that is specific to our business needs but also provides comfort to our external stakeholders. I recommend their services. "
IT Architect, Financial Technology and Online Retail
" Collaborating with ThreeShield to ensure data security was an exciting and educational experience. As we exploded in growth, it was clear that we needed to rapidly mature on all fronts, and ThreeShield was integral to building our confidence with information, software, and infrastructure security. "
IT Security Director, Linden Lab (Virtual Reality)
" ThreeShield helped us focus our efforts, enhancing our security posture and verifying PCI compliance.
All of this was achieved with minimal disruption to the engineering organization as a whole.
The approach was smart. In a short time, we accomplished what much larger companies still struggle to achieve. "
Senior Director of Systems and Build Engineering
" ThreeShield very much values active and respectful collaboration, and went out of their way to get feedback on policies to make sure proposals balanced business needs while not making employees feel like they were dealing with unreasonable overhead. By doing so ThreeShield really helped change the culture around security mindfulness is positive ways. "
29 January 2024
13 February 2023
2 February 2023
16 January 2023
26 March 2021