Attackers exploiting email security delays

🚨 𝗡𝗲𝘄 𝗣𝗵𝗶𝘀𝗵𝗶𝗻𝗴 𝗧𝗲𝗰𝗵𝗻𝗶𝗾𝘂𝗲 𝗔𝗹𝗲𝗿𝘁 A sneaky new attack method is making waves — exploiting 𝗲𝗺𝗮𝗶𝗹 𝘀𝘆𝘀𝘁𝗲𝗺𝘀 by "𝗮𝘁𝗼𝗺𝗶𝘇𝗶𝗻𝗴" 𝗺𝗲𝘀𝘀𝗮𝗴𝗲𝘀 to bypass 𝘁𝗿𝗮𝗱𝗶𝘁𝗶𝗼𝗻𝗮𝗹 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗰𝗵𝗲𝗰𝗸𝘀! 🔍 𝗛𝗼𝘄 𝗜𝘁 𝗪𝗼𝗿𝗸𝘀 : • Attackers split a single 𝗲𝗺𝗮𝗶𝗹 into multiple 𝗳𝗿𝗮𝗴𝗺𝗲𝗻𝘁𝘀 ("𝗮𝘁𝗼𝗺𝘀") before it reaches the inbox. • Each 𝗮𝘁𝗼𝗺 looks harmless alone — no full malicious payload is visible at once. • When the 𝗳𝗿𝗮𝗴𝗺𝗲𝗻𝘁𝘀 𝗮𝗿𝗲 𝗿𝗲𝗮𝘀𝘀𝗲𝗺𝗯𝗹𝗲𝗱 by the 𝗲𝗺𝗮𝗶𝗹 𝗰𝗹𝗶𝗲𝗻𝘁, the full phishing or malicious email is revealed. • This bypasses 𝗦𝗣𝗙, 𝗗𝗞𝗜𝗠, and 𝗗𝗠𝗔𝗥𝗖 𝗽𝗿𝗼𝘁𝗲𝗰𝘁𝗶𝗼𝗻𝘀, making the email appear 𝗹𝗲𝗴𝗶𝘁𝗶𝗺𝗮𝘁𝗲. 🎯 𝗪𝗵𝗼’𝘀 𝗕𝗲𝗶𝗻𝗴 𝗧𝗮𝗿𝗴𝗲𝘁𝗲𝗱? • Enterprises relying on 𝗲𝗺𝗮𝗶𝗹 𝗴𝗮𝘁𝗲𝘄𝗮𝘆𝘀 and 𝘀𝘁𝗮𝗻𝗱𝗮𝗿𝗱 𝗮𝘂𝘁𝗵𝗲𝗻𝘁𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗰𝗵𝗲𝗰𝗸𝘀. • Organizations with 𝘄𝗲𝗮𝗸 𝗲𝗺𝗮𝗶𝗹 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗽𝗼𝗹𝗶𝗰𝗶𝗲𝘀. 🛡️ 𝗛𝗼𝘄 𝘁𝗼 𝗦𝘁𝗮𝘆 𝗦𝗮𝗳𝗲 : • Apply 𝘀𝘁𝗿𝗶𝗰��� 𝗶𝗻𝗯𝗼𝘂𝗻𝗱 𝗲𝗺𝗮𝗶𝗹 𝗽𝗼𝗹𝗶𝗰𝗶𝗲𝘀 — 𝗲𝘀𝗽𝗲𝗰𝗶𝗮𝗹𝗹𝘆 𝗳𝗼𝗿 𝗳𝗿𝗮𝗴𝗺𝗲𝗻𝘁𝗲𝗱 𝗲𝗺𝗮𝗶𝗹𝘀. • Monitor 𝗲𝗺𝗮𝗶𝗹 𝗯𝗲𝗵𝗮𝘃𝗶𝗼𝗿, not just static properties like 𝗵𝗲𝗮𝗱𝗲𝗿𝘀. • Educate teams about spotting suspicious 𝗳𝗿𝗮𝗴𝗺𝗲𝗻𝘁𝗲𝗱 𝗰𝗼𝗺𝗺𝘂𝗻𝗶𝗰𝗮𝘁𝗶𝗼𝗻𝘀. • Strengthen 𝗲𝗺𝗮𝗶𝗹 𝘃𝗮𝗹𝗶𝗱𝗮𝘁𝗶𝗼𝗻 and 𝗮𝗻𝗼𝗺𝗮𝗹𝘆 𝗱𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻 𝘁𝗼𝗼𝗹𝘀. ⚡ This isn’t just bypassing a filter — it’s a whole new way to weaponize the very structure of email itself. - #CyberSecurity #Phishing #EmailSecurity #ThreatIntel #InfoSec #AtomizedAttack #SPF #DMARC

AdvisorDefense: The Silent Persistence of BEC - When Expelling the Attacker Isn’t the End Business Email Compromise (BEC) remains one of the most devastating cyber threats to organizations worldwide. While many assume that kicking a threat actor out of their systems ends the attack, a recent Invictus Incident Response case proves otherwise. Sometimes, attackers persist even after being expelled. The Attack: A Sophisticated Adversary-in-the-Middle Tactic The attack began with a well-crafted phishing email disguised as a Dropbox invoice notification. The recipient, believing it to be legitimate, clicked the ‘View on Dropbox’ button and landed on a fake Dropbox login page. Here’s where the real trouble started: ✅ Credentials Captured – The victim entered their login details. ✅ MFA Compromised – The attacker also captured an MFA code, allowing them to bypass additional security layers. ✅ Persistence Achieved – With access to the email account, the attacker configured eM Client, a third-party email application, enabling them to maintain control even after passwords were reset. ✅ Forwarding Rules Set Up – To further maintain access, they created email forwarding rules, ensuring they could continue monitoring inbox activity unnoticed. The victim eventually caught on. After 3 weeks, IT stepped in to reset passwords, remove forwarding rules, revoke active sessions, and uninstall eM Client. The attacker was expelled, or so they thought! The Attack Didn’t End There… Days later, the attacker leveraged the victim’s email identity in new ways: 🚨 Created a Dropbox account using the victim’s email to send fraudulent invoices to the victim’s contacts. 🚨 Set up a WeTransfer account with the victim’s details to distribute more malicious emails. 🚨 Continued the scam, exploiting the trust associated with the victim’s email. Key Lessons: BEC Attacks Go Beyond the Inbox 1️⃣ MFA Alone Isn’t Enough – Many assume that MFA stops BEC attacks, but attackers are evolving. Adversary-in-the-middle (AiTM) tactics allow them to steal both credentials and MFA codes in real time. 2️⃣ Expelling an Attacker Doesn't Always Mean the End – Even after revoking access, attackers can reuse stolen identities elsewhere to continue fraud. 3️⃣ Continuous Monitoring – Check for newly created accounts using corporate email domains and implement dark web monitoring to detect compromised credentials. How to Protect Your Organization from BEC Attacks 🔒 Adopt phishing-resistant MFA solutions. 🔒 Use Conditional Access & Impossible Travel Policies to detect anomalous login activity. 🔒 Regularly review third-party email applications connected to business accounts to spot unauthorized apps. 🔒 Enable DMARC to prevent domain spoofing. 🔒 Educate employees on phishing techniques. Attackers Are Persistent — Your Defense Should Be Too! #Cybersecurity #BEC #EmailSecurity #ThreatIntelligence #Microsoft365Security https://lnkd.in/eNZcDd4X

🔍 Anatomy of an Modern B2B Business Email Compromise (BEC) Attack A recent Trend Micro™ Managed XDR investigation uncovered a sophisticated B2B Business Email Compromise (BEC) attack, where a threat actor manipulated an ongoing email conversation between three business partners over several days. By compromising an email server and strategically replacing recipients, the attacker successfully redirected funds to their account—all while the victims believed they were communicating with their trusted partners. 🚨 Timeline of the Attack: 📅 Day 1: • T+0:00 – Partner A sends an invoice reminder to Partner B, copying Partner C. • T+4:30 – Threat actor intercepts and sends an email with fraudulent banking details from a compromised third-party email server. • T+11:00 – The attacker resends the email, this time using a compromised Partner C account to reinforce legitimacy. 📅 Days 2-5: • T+15:00 – Partner B, unaware of the compromise, acknowledges the invoice and requests additional details—unknowingly communicating with the attacker instead of the real Partner A. • T+5.02 days – Partner A (still unaware) provides business details, but the email is received by the attacker, not Partner B. • T+5.17 days – Attacker confirms details and reissues fraudulent banking instructions. • T+5.64 days – Partner B deposits the funds into the attacker’s account. • T+5.66 days – Partner B informs ‘Partner A’ (the attacker) that the transfer is complete. By the time Partner A and Partner B realized the fraud (12+ days later), the funds had already been moved. 🔑 Key Insights from the Incident: ✔️ Sophisticated Manipulation: The attacker gradually replaced real recipients in email threads, ensuring the conversation seemed normal. ✔️ Social Engineering & Trust Exploitation: By mimicking writing styles and leveraging auto-complete features, they maintained credibility. ✔️ Weak Email Security Enabled the Attack: A misconfigured third-party email server allowed fraudulent emails to bypass security checks. ✔️ Strategic Patience: The attacker waited 4.5 hours before injecting fraudulent banking details, ensuring it appeared as a legitimate correction. 🛡️ How to Defend Against BEC Attacks: ✅ Strengthen Email Authentication – Implement DMARC, SPF, and DKIM to verify sender legitimacy. ✅ Enable Multi-Factor Authentication (MFA) – Prevent unauthorized access to email accounts. ✅ Monitor for Anomalous Activity – Look for suspicious email forwarding rules and unauthorized logins. ✅ Educate High-Risk Employees – Train finance teams to verify banking details via secure channels before transferring funds. ✅ Establish Out-of-Band Validation – Require phone/video call confirmation for financial transactions to verify sender identity. 💡 BEC attacks are getting more sophisticated, but proactive security measures can significantly reduce the risk. 🔬 Full Research in Comments Section #DeepDive #CyberSecurity #BEC #ThreatIntelligence #EmailSecurity #TrendMicro #SOC

AI is rewriting the rules of business email compromise (BEC). Last year, an Ontario-based company lost millions after attackers used AI to impersonate internal executives and send urgent wire transfer requests. The emails closely matched normal tone, timing, and formatting, close enough that no one questioned them until the money was gone. What’s striking about cases like this is that they often don’t rely on sophisticated malware. They exploit trust and routine. Here’s what actually helps reduce BEC risk: 1️⃣ Multi-factor authentication (MFA) — limits damage even when credentials are compromised. 2️⃣ Clear verification expectations for employees — urgency is a common manipulation tactic. 3️⃣ Dual-approval for high-risk transactions — one extra step can stop a fraudulent transfer. 4️⃣ Modern email security — traditional filters aren’t designed to catch AI-driven impersonation. 5️⃣ Immediate escalation — fast action with banks and authorities is critical once fraud is suspected. AI is making these scams faster and more convincing. Defending against them requires more than tools, it requires process discipline and awareness at every level of the organization. If you’re a founder, now is the time to review how financial requests are approved, before attackers do it for you.

As Incident Responders, we’re seeing an increase in attacks using classic smokescreen tactics, so I thought I’d share a few snippets that hopefully help you stay safe! The initial point of compromise is a phishing email. Nothing particularly sophisticated, just well-timed and well-crafted enough to have a target team member enter their login credentials into a spoofed site and prompt them for their MFA token. If all runs smoothly, for the bad eggs, the attackers are able to successfully proxy the MFA response, intercept the session token, and then bypass the victim’s “super secure” two-factor authentication. They use a real-time phishing kit like Evilginx2, which allows them to ride in on the back of a legitimate login session. So no brute force, no malware dropper, no obvious indicators until it’s too late. Once inside, the attackers monitor for an opportune time to strike, typically when a large payment is to be sent or due. They modify the payment instructions of one of the parties to make payment to a mule account they control. But they didn’t stop there! In order to mask their activity, because multiple users within the authorisation chain are on CC to the payment instruction, they launch a classic smokescreen campaign by flooding every inbox at the firm with hundreds of spam messages at the exact same time the crime is being committed. And this is ongoing and relentless.  The goal is simple: bury the wire transfer confirmation email in noise so it won’t get seen or detected, delaying any potential mitigation action. Effectively, the bad eggs are throwing a digital smokescreen. It worked. And is working across a multitude of cases we’ve seen. The transfer goes through, unnoticed, and the funds are gone before a team even has a chance to react.  Urgently add active monitoring for behavioural anomalies post-authentication, such as impossible travel, sudden privilege escalation, or new device profiles making high-value changes. Otherwise, you’re flying blind. For payment authorisation, MFA is not a panacea, especially for email accounts handling payment instructions. Implement manual processes to double and cross-check payments. Or reach it if you want to hear more about an automated payment protection solution we’ve built that fixes this. Not in full release but we’d love to hear your thoughts as we build it out. Stay sharp out there.

Cybersecurity Alert: Proofpoint Settings Exploited in Massive Phishing Campaign In a concerning development for email security, threat actors have found a way to exploit Proofpoint's email protection service to distribute millions of phishing emails daily. This sophisticated attack takes advantage of misconfigured Proofpoint settings, allowing malicious actors to bypass security measures and deliver potentially harmful content to unsuspecting recipients[1]. The exploit works by abusing the "On-Behalf-Of" (OBO) feature in Proofpoint, which is typically used for legitimate purposes such as allowing executive assistants to send emails on behalf of their managers. However, when improperly configured, this feature can be manipulated to send emails that appear to come from trusted domains[1]. Key points of the attack: - Attackers are sending up to 5 million phishing emails per day - The emails often impersonate well-known brands to increase credibility - Malicious content includes fake login pages and malware-laden attachments - Over 1,000 domains have been observed being abused in this campaign To protect against this threat, organizations using Proofpoint should: 1. Review and tighten their OBO configurations 2. Implement strict authentication policies 3. Regularly audit email security settings 4. Train employees to recognize phishing attempts This incident serves as a stark reminder that even trusted security solutions can become vectors for attack if not properly configured and maintained. As cyber threats continue to evolve, it's crucial for businesses to stay vigilant and regularly assess their security posture[1]. Citations: [1] https://lnkd.in/gQAq-_Bh

I've had a few clients mention the same weird email attack pattern, bounced messages that were never sent by the user. Turns out there's this ever so helpful Exchange behavior where spoofed emails from the attacker impersonating your domain get bounced back to real users - with the original attachments intact. Since these bounces come from the organization's own Exchange server, they often slip right through security controls. It looks like becoming a growing issue and security teams are definitely starting to notice an uptick in this attack pattern. The technical details are pretty straightforward: attackers spoof your domain, send malicious emails to internal users, delivery fails, and Exchange helpfully bounces everything back to your users. The attachments come along for the ride, and your security stack treats it as internal mail. Here's what's been working for the teams I've talked to: 1. Exchange admins can disable attachments in bounce messages entirely (PowerShell is your friend here). On-prem environments have more flexibility than Exchange Online. 2. Most email security vendors have bounce verification features - worth checking if yours is enabled. Some call it "bounce address tag validation" or similar. 3. Transport rules targeting bounce message patterns with attachments can catch a lot of these. Look for "undelivered mail returned" or "mail delivery failed" subjects. Nothing revolutionary, but sometimes the simple attacks are the ones that get through. Has anyone else been seeing more of these lately? Would love to hear what's working in your environments. #cybersecurity #exchange #emailsecurity

Your email can jailbreak your agent. Hidden text in routine emails can hijack AI assistants when you hit "summarize." This isn’t sci-fi. It’s how prompt-injection actually invades the enterprise inbox. Researchers showed Gemini for Workspace can be tricked via invisible text (0-pt font, white-on-white) embedded in an email; when users ask Gemini to summarize, it obeys the hidden instructions and can surface phishing-style messages or trigger risky actions. Google initially framed this as social engineering, not a fix-worthy bug. Similar indirect prompt-injection vectors exist across suites (email, docs, calendar). Microsoft calls this one of the most widely reported AI vulns and documents defense-in-depth for it. What the exploits actually do? • Fake "security alerts" in summaries that drive users to malicious flows, all generated by the assistant from hidden content the human never sees. • Attackers can hide commands using zero-size fonts, white text, or invisible Unicode in emails and files!    Vendors calling this "user-side social engineering" shifts blame to customers while shipping ever-deeper integrations. If an email becomes executable content to an AI, it’s the platform’s job to sandbox it. What smart teams can do now • Neuter invisible markup at the boundary. Strip/normalize HTML (remove zero-font/hidden CSS) before any agent sees it; summarize plain text only by default. • No-tools mode for summaries. Block tool calls, link-following, and data pulls during “summarize email” flows; treat summaries like reading an untrusted file. (This mirrors Microsoft’s layered controls advice.) • Telemetry + policy. Log every summary source, detect invisibility tricks (font size, color contrast), and auto-flag "security alert" phrasing in generated summaries.    If your AI can summarize email, assume it can be prompt-executed by email. Comment if you want are someone who actively uses AI to manage email. #promptinjection #AIAgentSecurity #ProductSecurity

Check Point Software Research detailed #ZipLine, an advanced #socialengineering #phishing campaign that primarily targets U.S. #manufacturing and #supplychain–critical companies. The attackers exploit legitimate-looking business interactions to deliver a custom malware implant stealthily. Successful attacks can result in stolen intellectual property, ransomware extortion, financial fraud through account takeovers or business email compromise, and significant disruptions to critical supply chains. ZipLine demonstrates how patient social engineering can bypass defenses. Attackers invest days or weeks in credible, professional conversations, often requesting that the victim sign a non-disclosure agreement (NDA). They also create fake company websites that, in some cases, mimic legitimate U.S.-registered LLCs. Only after establishing this appearance of legitimacy do they deliver a weaponized ZIP file with an embedded PowerShell execution chain. Unlike typical phishing attacks, attackers reverse the usual flow by first contacting victims through a company’s public ‘Contact Us’ form, tricking them into initiating email correspondence. The attackers then engage in professional, multi-week email exchanges and often request NDAs before sending a malicious ZIP file. The payload, known as #MixShell, is in-memory malware that uses DNS tunneling and HTTP fallback to maintain connectivity and execute attacker commands. A second wave of attacks exploits an AI transformation pretext, disguised as internal AI Impact Assessments.