The recent Microsoft Midnight Blizzard breach in January 2024 has raised concerns about targeted social engineering and credential theft. Midnight Blizzard, also known as APT29, is a Russian state-affiliated hacking group that has been identified as the source behind a surge in credential theft attacks. Microsoft has disclosed that the group employs a range of techniques, including password spraying, brute force, token theft, and session replay, to gain unauthorized access to cloud resources. The impact of these attacks is far-reaching, with governments, IT service providers, non-governmental organizations (NGOs), as well as defense and critical manufacturing industries being targeted[3]. In a recent development, Microsoft revealed that executive emails were hacked by this Russian intelligence group, also known as Midnight Blizzard. The group has been using sophisticated, highly targeted social engineering attacks, such as credential theft phishing lures distributed via Microsoft Teams chats. To enhance credibility, the actor employs security-themed or product name-themed keywords in crafting new subdomains. Midnight Blizzard frequently employs token theft techniques as part of their initial access strategy and has been using previously compromised Microsoft 365 tenants owned by small businesses to conduct these attacks[4][5]. The breach highlights the ongoing threat posed by sophisticated state-affiliated hacking groups and the importance of robust cybersecurity measures to protect against such attacks. Organizations and individuals are urged to remain vigilant and implement best practices to safeguard their systems and data. Citations: [1] https://lnkd.in/gmDcGWis [2] https://lnkd.in/g9KhVJ44 [3] https://lnkd.in/gcWbUZYK [4] https://lnkd.in/gGn5xbMS [5] https://lnkd.in/gV6KrMFR
Rising threats in cloud-based email
Summary
Rising threats in cloud-based email refer to the increasing risks and attacks targeting email systems that are hosted in the cloud, such as Microsoft 365, Google Workspace, or AWS. These attacks often include sophisticated phishing, business email compromise (BEC), and credential theft using advanced tactics, making it harder for traditional defenses to spot and stop them.
- Strengthen user awareness: Regularly educate your team about new phishing scams, especially those that appear highly convincing or use official cloud service branding.
- Upgrade security tools: Consider deploying multi-factor authentication and advanced email filtering to add extra layers of protection against credential theft and fake messages.
- Monitor for unusual activity: Keep an eye out for suspicious login attempts or unexpected cloud account changes, and act quickly if anything looks out of the ordinary.
-
Reports coming in on a new phishing campaign leveraging Azure Monitor!👀 We're currently seeing a rapidly accelerating phishing campaign where attackers are using compromised Azure tenants to send "official" emails through Azure Monitor. These mails are posing as receipts or invoices for products like "Windows Defender" and urge users to call a phone number. It's highly likely that these numbers are then connected to a call center that's trying to scam victim organizations or individuals out of money💰 The problem with attacks like this is that they bypass almost all email filters due to using a legitimate Azure service, making detecting and hunting for malicious emails difficult 🤔 We've seen these "Living off the cloud" techniques become more and more prevalent over the past couple of years ☁️ You can still use Advanced Hunting in Defender XDR to hunt for these mails with the following KQL query to see if there is a rapid influx of emails: EmailEvents | where SenderMailFromAddress =~ "noreply-azure@microsoft.com" | where Subject has "Azure Monitor" Stay safe out there! 🛡️ #MicrosoftSecurity #Phishing #Cybersecurity
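The KQL hunt in the post above, re-implemented in Python over a few constructed EmailEvents-style rows so the matching rules (`=~` is case-insensitive equality, `has` is a whole-term match) and the "rapid influx" signal can be tried offline. This is an added example, not code from the post's author; the sample rows and the per-hour threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed EmailEvents-style rows (Defender XDR column names); not real telemetry.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-05-02T09:01:00", "SenderMailFromAddress": "noreply-azure@microsoft.com",
     "Subject": "Azure Monitor: receipt for Windows Defender", "RecipientEmailAddress": "a@corp.example"},
    {"Timestamp": "2024-05-02T09:04:00", "SenderMailFromAddress": "NoReply-Azure@microsoft.com",
     "Subject": "[Azure Monitor] Invoice 48213 - call to dispute", "RecipientEmailAddress": "b@corp.example"},
    {"Timestamp": "2024-05-02T09:40:00", "SenderMailFromAddress": "noreply-azure@microsoft.com",
     "Subject": "Azure Monitor alert fired", "RecipientEmailAddress": "c@corp.example"},
    {"Timestamp": "2024-05-02T11:15:00", "SenderMailFromAddress": "noreply-azure@microsoft.com",
     "Subject": "Azure Monitor alert: CPU high", "RecipientEmailAddress": "ops@corp.example"},
    {"Timestamp": "2024-05-02T09:10:00", "SenderMailFromAddress": "billing@attacker.example",
     "Subject": "Azure Monitor invoice", "RecipientEmailAddress": "d@corp.example"},
    {"Timestamp": "2024-05-02T09:12:00", "SenderMailFromAddress": "noreply-azure@microsoft.com",
     "Subject": "Azure Monitoring summary", "RecipientEmailAddress": "e@corp.example"},
]

HUNT_SENDER = "noreply-azure@microsoft.com"   # sender quoted in the post's KQL
HUNT_PHRASE = "azure monitor"                 # Subject has "Azure Monitor"

def matches_hunt(event):
    """Mirror the two KQL predicates: '=~' is case-insensitive equality; 'has' matches
    whole terms, so a subject like 'Azure Monitoring summary' must NOT match."""
    if event["SenderMailFromAddress"].lower() != HUNT_SENDER:
        return False
    terms = " ".join(re.findall(r"[a-z0-9]+", event["Subject"].lower()))
    return f" {HUNT_PHRASE} " in f" {terms} "

def hourly_counts(events):
    """Bucket matching messages per hour; a sudden spike is the influx the post hunts for."""
    counts = Counter()
    for ev in events:
        if matches_hunt(ev):
            hour = datetime.fromisoformat(ev["Timestamp"]).strftime("%Y-%m-%dT%H:00")
            counts[hour] += 1
    return dict(counts)

def influx_hours(events, threshold=3):
    """Hours whose matching-message count reaches the threshold (assumed tuning value).
    Legitimate Azure Monitor alerts also match the query, so this is a triage lead, not a verdict."""
    return sorted(h for h, n in hourly_counts(events).items() if n >= threshold)

if __name__ == "__main__":
    print(hourly_counts(SAMPLE_EVENTS))
    print("influx hours:", influx_hours(SAMPLE_EVENTS))
```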
-
The inbox is still where most breaches begin. But the threats hiding inside it are developing. The CSA Cyber Landscape 2024/25 report states that phishing is up 49%, and nearly 1 in 8 phishing emails now use AI-generated content. It’s no longer just little 'tricks' such as spelling errors or fake logos that we have to look for; it’s precision-engineered social engineering, crafted by models that learn just as fast as we patch. And, yes, it’s not just email. New technologies — AI, IoT, and cloud services — are expanding the attack surface more quickly than most security teams are able to adapt. AI has become the ultimate double-edged sword: it writes phishing scripts in seconds and debugs malicious code at scale, even as defenders use it to predict and block the next breach. Add to that: Cloud outages at giants like Alibaba, Microsoft Azure, and Salesforce — proving even the strongest aren’t immune. IoT devices multiplying across workplaces, often unsecured, running on outdated firmware. Hypervisor attacks slipping under the radar, creating hidden virtual machines to stay undetected for months. Every one of these vectors leads back to the same question: If the attack starts with a click, how do you make sure that click is safe? Singapore's strategic response, including regulation, OT, Cloud and AI security, educating the population, strengthening the Cybersecurity Ecosystem and talent, while addressing Supply Chain Risks is admirable. But we at ViewQwest are trying to do our part too. We built our SecureMail Gateway — not just to see, but to stop: blocking phishing and spoofing before they hit inboxes; data loss prevention; detecting AI-generated threats in real time; aligning with CSA’s recommended frameworks for resilience. Because resilience starts with your inbox — and it ends with the people who can trust it.
-
The FBI Internet Crime Complaint Center released a PSA this week identifying nearly $55B in exposed losses due to #BEC—up from $50B in 2023, $43B in 2022, and more than double the estimated $26B that the FBI announced in 2019. Despite years of ongoing awareness campaigns and companies investing heavily in email security technology, BEC attacks are continuing to rise year over year and it’s because they’re becoming increasingly advanced. There’s been a shift away from classic phishing attacks—characterized by misspellings, poor grammar, and irrelevant context—to attacks that closely mimic legitimate communications. Generative AI tools like ChatGPT have catalyzed the social engineering threat, giving criminals a tool to scale their BEC attacks in both volume and sophistication, ultimately improving their attacks’ success rates. Until organizations find a radically different approach to detect these advanced social engineering attacks, I expect that BEC losses will continue to tick upwards. Unfortunately, as cybercriminals see less success with one tactic, they will switch to another. Security leaders should continue to focus on protecting their organizations from this threat, while also working with vendors and partners that are stopping the threats of tomorrow. https://bit.ly/3XrsENm
-
Imagine clicking a “Launch Stack” button in an email that looks like it’s from AWS Support. Seems harmless, right? Unfortunately, it’s the start of a sophisticated AWS account takeover attempt. I’ve published a new blog post discussing how attackers are using CloudFormation StackSets in phishing campaigns to target AWS environments. In the blog, I provide actionable advice, including: - Details about this sophisticated threat. - Detecting attacks with CSPM platforms or open-source tools. - Countermeasures to slow down or stop attackers, such as analyzing phishing domains and disrupting their API endpoints. Cloud security threats evolve fast — stay informed, stay sharp, and secure your environment!
-
Impersonation scams are up 148% and every CISO has seen it, on everything: email, text, messaging apps, phone calls. Whether it’s fake CEO emails/texts, vendor fraud, or BEC-enabled theft, the rise is sharp and real. Key threats: * BEC 2.0 — Generative AI makes executive impersonation far more convincing * Retail risk — Fake purchase orders, refund fraud, and supplier cons are on the rise * CEO impersonation — Used to push urgent transfers, influence M&A, or mislead staff A few things to do as we get smarter about this evolving threat: - Lock down email: SPF, DKIM, DMARC - Confirm financial instructions out-of-band (make this part of procedure!) - Teach employees to pause, question, and escalate (tough to do!) - Use behavioral AI, if you can, to detect anomalies - Have a BEC-ready incident plan, including your law enforcement contact info (probably should be the #1). For the US, report impersonation scams: https://www.ic3.gov
-
‼️ Insikt Group has reported that threat actors are increasingly taking over company cloud accounts and using built-in tools to steal data, disrupt operations, and demand payment. ✏️ Key points: Misconfigured internet-facing services and stolen credentials are giving attackers a path to seize powerful cloud roles, often gaining broad control with a single account. They then use legitimate cloud features to copy data, erase backups, and alter systems in ways that look like normal activity. For executives, this means a breach can spread faster, last longer, and cause greater financial and reputational damage before it is even detected. 💡 Key takeaway: The wider strategic shift this represents is a move toward exploiting cloud identity and built-in trust rather than relying on obvious malware. As more core systems, suppliers, and artificial intelligence services run in shared cloud environments, one compromised account or partner can create enterprise-wide consequences. Cloud exposure is now directly tied to business continuity and board-level risk. ❓ Resilience question: Ask your teams: if a top-level cloud account were hijacked, how fast could we detect it and stop damage to data and backups? 📜 Read the report: https://lnkd.in/edPkjY9Z
-
Beware of an active integrated credential phishing and cloud Account Takeover (ATO) campaign. It was originally detected by Proofpoint researchers in late November 2023. This campaign uses individualized phishing lures within shared documents, including embedded links to 'view document' that lead to a malicious phishing webpage. The targets of this attack are often senior positions, including sales directors, account managers, and finance managers. Even individuals holding executive positions such as 'vice president, operations,' 'chief financial officer & treasurer,' and 'president & CEO' were among those targeted, according to the researchers. During the access phase of the attack, the attackers use a specific Linux user-agent for accessing the OfficeHome sign-in application and gain access to a range of native Microsoft 365 apps. Defenders can use this information as an indicator of compromise (IOC), as the user-agent reads: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36". Once the initial access succeeds, the attackers manipulate multi-factor authentication (MFA) to maintain persistence. This can include registering a fake phone number for SMS authentication or adding a separate authenticator with notification and code. Subsequent activity is likely to include data exfiltration, internal and external phishing, financial fraud, and compromise obfuscation through new mailbox rules to cover tracks and remove evidence of malicious activity from the victims’ mailboxes. Stay vigilant, and be cautious when clicking on shared documents or links, especially if they are individualized and come from an unverified source.
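A detection sketch for the chain described in the post above: an OfficeHome sign-in carrying the quoted IOC user-agent, followed within a time window by the MFA-registration or inbox-rule activity the post names as the persistence and cover-up steps. This is an added example, not code from the post's author or from Proofpoint; the sample records, field names, activity labels and 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

# User-agent quoted in the post as the IOC for the OfficeHome sign-in phase.
IOC_USER_AGENT = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
# Follow-on activities the post describes; these labels are assumed, not a product's exact event names.
PERSISTENCE_ACTIVITIES = {"User registered security info", "New inbox rule created"}

# Constructed sign-in and audit records (not real logs). The phone number is a placeholder.
SIGNINS = [
    {"user": "cfo@corp.example", "time": "2023-11-28T14:02:00", "app": "OfficeHome", "userAgent": IOC_USER_AGENT},
    {"user": "cfo@corp.example", "time": "2023-11-27T09:00:00", "app": "OfficeHome",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120.0"},
    {"user": "dev@corp.example", "time": "2023-11-28T15:00:00", "app": "Azure Portal", "userAgent": IOC_USER_AGENT},
]
AUDITS = [
    {"user": "cfo@corp.example", "time": "2023-11-28T14:20:00", "activity": "User registered security info",
     "detail": "SMS method added: +1-555-0100"},
    {"user": "cfo@corp.example", "time": "2023-11-28T16:05:00", "activity": "New inbox rule created",
     "detail": "Move mail from finance@ to RSS Feeds, mark as read"},
    {"user": "cfo@corp.example", "time": "2023-11-30T10:00:00", "activity": "New inbox rule created",
     "detail": "outside the correlation window"},
    {"user": "dev@corp.example", "time": "2023-11-28T15:10:00", "activity": "User registered security info",
     "detail": "no OfficeHome IOC sign-in for this user"},
]

def ioc_signins(signins):
    """Stage 1: OfficeHome sign-ins whose user-agent equals the quoted IOC string."""
    return [s for s in signins if s["app"] == "OfficeHome" and s["userAgent"] == IOC_USER_AGENT]

def ato_chains(signins, audits, window_hours=24):
    """Stage 2: for each IOC sign-in, gather MFA-registration / inbox-rule events by the same
    user inside the window; one finding per sign-in that has at least one follow-on event."""
    findings = []
    for s in ioc_signins(signins):
        start = datetime.fromisoformat(s["time"])
        end = start + timedelta(hours=window_hours)
        follow = [a for a in audits
                  if a["user"] == s["user"] and a["activity"] in PERSISTENCE_ACTIVITIES
                  and start <= datetime.fromisoformat(a["time"]) <= end]
        if follow:
            findings.append({"user": s["user"], "signin": s["time"],
                             "followup": [a["activity"] for a in follow]})
    return findings

if __name__ == "__main__":
    for f in ato_chains(SIGNINS, AUDITS):
        print(f"{f['user']}: IOC sign-in at {f['signin']}, then {', '.join(f['followup'])}")
```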
-
Office of the Comptroller of the Currency (OCC) suffered a recent cloud email breach that highlighted critical vulnerabilities in email security and access management, with broader implications for all federally regulated institutions.
Summary of the OCC Breach
An attacker gained unauthorized access to a privileged administrative email account within the Microsoft environment. The breach went undetected for 8 months, during which sensitive government communications were silently exfiltrated. More than 150K email messages were compromised, affecting around 100 officials. The incident exposed critical shortcomings in access control enforcement, monitoring, and response protocols.
Key Failures Identified
1. Overprivileged Access – An administrative account with wide mailbox visibility was compromised, facilitating prolonged data exfiltration.
2. Delayed Detection – Anomalous behavior went unnoticed for months, raising concerns about the efficacy of real-time monitoring and alerting.
3. Stale and Unlocked Service Accounts – There were no policies in place for password rotation, inactivity lockout, or login attempt lockout for service accounts, making them vulnerable to brute-force or credential stuffing attacks.
4. Unaddressed Internal Warnings – Known risks flagged in prior audits related to email and access security had not been remediated in time.
5. Insufficient Conditional Access Policy Enforcement – The compromised account, linked to Azure, bypassed MFA and geo restrictions due to a poorly enforced conditional access framework. VPN usage further masked malicious activity.
Lessons learned:
1. Enforce Microsoft Conditional Access Policies – Ensure all accounts, including service accounts, are subject to robust Conditional Access, MFA, and geo-restrictions.
2. Tighten Access Control – Limit and monitor privileges of administrative and service accounts; apply just-in-time access models.
3. Audit and Harden Service Accounts – Eliminate hardcoded credentials, enforce regular password rotation, enable account lockouts after failed login attempts, and set inactivity thresholds.
4. Strengthen Detection – Invest in behavioral analytics, adaptive authentication, and cloud-native threat detection tools.
5. Review and Limit Privileges – Conduct a review of privileged accounts and implement RBAC and JIT access where possible.
6. Ensure compliance with secure baseline configurations like those in DHS CISA BOD 25-01 - Secure Cloud Baseline [SCuBA] (stated in OCC response).
The OCC breach is a cautionary tale—reactive controls alone are insufficient in today’s environment. Proactive hardening of identity, access, and cloud email infrastructure must be a top priority. https://lnkd.in/ef_4DQ3V
-
Headline: Google Warns 1.8 Billion Users of New AI-Powered Cyber Threat
Introduction: Google has issued an urgent cybersecurity alert to all 1.8 billion Gmail users, warning of a rising danger fueled by generative AI—indirect prompt injections. Unlike traditional hacking methods, these attacks target the AI systems themselves, embedding hidden malicious commands in everyday content like emails and documents.
Key Points:
• Nature of the Threat:
  • Indirect prompt injections differ from direct ones by hiding harmful instructions in external data sources.
  • These can be embedded in emails, documents, calendar invites, or other shared files.
  • When an AI tool processes this content, it may be tricked into leaking sensitive data or executing unauthorized actions.
• Why It’s Emerging Now:
  • The rapid adoption of generative AI in daily workflows has created new vulnerabilities.
  • Attackers exploit AI’s trust in incoming data, bypassing traditional security filters.
• Potential Impact:
  • Risks extend beyond individuals to businesses and governments, as AI assistants become embedded in operations.
  • Could enable large-scale phishing, corporate espionage, or data exfiltration without the user realizing.
• Google’s Advice:
  • Be cautious when granting AI tools access to emails, calendars, or cloud files.
  • Keep AI integrations updated with the latest security patches.
  • Limit AI’s ability to automatically act on unverified external inputs.
Why This Matters: As AI becomes a core part of productivity tools, attackers are shifting from targeting humans to targeting the AI systems that humans trust. Indirect prompt injections represent a new frontier in cyber threats, requiring both users and organizations to rethink how they secure AI-powered workflows.
I share daily insights with 22,000+ followers and 8,000+ professional contacts across defense, tech, and policy. If this topic resonates, I invite you to connect and continue the conversation. Keith King https://lnkd.in/gHPvUttw