Top Tips for MSPs to Protect Customers from Phishing and Ransomware

Unlike a couple of years ago, small and medium-sized businesses now deal with cyberthreats on a daily basis. Cybercriminals no longer overlook SMEs; instead, they see them as valid targets and much easier prey than larger organizations. The fact that many small and medium businesses moved to working from home last year and started using collaboration tools like O365, OneDrive, Teams and Zoom makes the opportunity for bad actors even bigger. In fact, 43% of cyber attacks target small businesses. Ransomware and phishing attacks turned into significant threats for SMEs in 2020, with 66% of SMEs reporting that they are concerned or extremely concerned about cybersecurity risk.

How can you as an MSP help SMEs stay protected from these threats?

Many SMEs use external managed IT services and therefore want to trust their MSP to handle their cybersecurity too. There are some simple actions you can take in order to check your customers’ current security vulnerabilities, and then bridge these gaps. In this blog post, we will focus on what to consider when securing the customer’s email and the other collaboration platforms used to exchange content internally and externally, such as OneDrive, SharePoint, Google Drive, Teams, Zoom and more.

Assess the current security posture

Cyberthreats evolve constantly (daily or even hourly) in order to bypass security solutions. With email being the main attack vector for such threats, it’s important to test your customers’ email security and understand their current gaps. It’s recommended to do this regularly to accurately assess what’s going on, and it’s even more crucial to do it before making any decision related to securing the customer.

The good news is that there are free vulnerability assessment tools that are easy to use. In less than an hour you can know your customer’s real exposure to cyberthreats. You can start by trying BitDam’s Breach & Attack Simulation (BAS) and BitDam BAS2.0 – Lucky Meter, or search for similar tools online.

Protect all collaboration platforms

The most pressing need for most SMEs is protecting their email. We believe all organizations should use an Advanced Threat Protection solution for email (as a side note, Microsoft Defender/Office ATP doesn’t perform well when it comes to advanced threats). In addition to email, the risk of cyberthreats being delivered and spread via other collaboration tools is constantly growing. Ideally, you want to use a security solution that protects different channels but is managed from one place. This will ensure your SME is protected, while reducing overhead and costs on your end.

Considering that many SMEs use Office 365 or G Suite for all their collaboration needs, or might be using additional tools such as Zoom, Slack or Dropbox, it’s relatively easy to find ONE security solution that covers ALL these tools. This will allow your team to manage the security of all customers and all their collaboration channels from one dashboard in a frictionless manner.

Minimize your team’s overhead 

Providing your customers with effective cybersecurity doesn’t have to involve additional overhead. Just as you should select a security solution that helps you secure various collaboration tools at once, you should also choose a solution that makes it easier to manage many customers from one place. Selecting the right product allows you to quickly gather insights and easily take action across the different customers you manage; it can save your team many hours, increase productivity, and make your business more competitive.

Being mindful of your team’s time, you should also check the ease of deployment and the required maintenance before committing to a specific solution. Assuming that you’re planning to deploy the same security solution across many of your customers, you want to make sure the process is quick and doesn’t require any configuration or changes. It’s best to avoid products that require periodic maintenance or updates; there is just no reason to waste your team’s time on such activities.

Try before you buy

Effective protection does not necessarily mean heavy commitment. In the world of cloud solutions, you can try several products before you engage with one. There are plenty of security tools that offer free trials, so you can explore all options to ensure a good fit and only then make a commitment. For Office 365 clients, the Azure Marketplace is a good place to start. You can search for Email Protection, OneDrive Protection, Teams Protection and so on, and get a variety of solutions that are ready to install, many of which offer free trials!

Used by dozens of MSPs worldwide, BitDam Advanced Threat Protection (ATP) brings enterprise-grade security to small and medium-sized businesses, securing their email, cloud drives, chat and video conferencing from malware, phishing and more. You’re welcome to sign up for a free 30-day trial or read more about how we partner with MSPs.

Learn more about our MSP Console by watching this short demo video below:

Alert: Microsoft’s email security lets fake Zoom emails in

There is a new phishing email in the neighborhood, and even though it leads to a fake Office 365 login page, Microsoft struggles to detect it. For days now, it has kept bypassing not just the basic Microsoft email security, but also the premium security, Microsoft Defender for Office 365 (also known as Office ATP).

This phishing campaign, which BitDam detected on first encounter last week, started small and within 24 hours was sprayed all over. BitDam ATP first detected this phishing email in the UK on December 2nd. While I’m writing this blog post it has already spread to the US and other countries, targeting organizations of all sizes and from a variety of industries.

The Attack

Like many other phishing attacks aiming to harvest Microsoft users’ credentials, this attack is sent via email. The email looks like an invitation to a Zoom meeting and contains a link to the video conference. The email messages are all identical and look like this:

[Image: the phishing email, styled as a "Join Zoom Meeting" invitation]

While the message might not look identical to the normal Zoom meeting email invitation (the real one typically includes a ‘Passcode’ rather than a ‘PIN’ and doesn’t include the dial-in numbers), it may trick the user. Moreover, even if the user is suspicious, he or she is very likely to go on and click the link once they see that the URL looks perfectly real.

Clicking the link leads to a fake Microsoft Outlook login page. In all the attacks we’ve identified, this page was hosted on various Google services that allow hosting, such as googleusercontent.com or the Google Storage API. The phishing page looks like this:

[Image: the fake Outlook login page]

We saw different URLs and hosting websites used in this campaign, but all of them led to web pages that look almost the same, trying to phish for Microsoft credentials.

Not surprisingly, the attackers use various URLs and keep changing them, probably in order to evade the reputation-based engines used by Microsoft and other security controls, which may identify a link after it has been in use for a while or has been reported as malicious. Unfortunately, in this campaign, some of the URLs were live for 24 hours or more (we didn’t check all of them, but the ones we did check were kept live for way too long).

Why is this attack interesting?

It may be hard to believe, but we see phishing scams that bypass Office ATP every day. We even see a lot of phishing emails that lead to fake Microsoft webpages and go undetected by Microsoft itself. Unfortunately, this isn’t new either.

So what’s so interesting about this specific campaign? First, its volume. We saw it spreading quickly among our customers worldwide that use Microsoft email security, and Microsoft kept missing it again and again. Secondly, there is a new social engineering angle here: the attackers could have used a clickable button instead of writing out the entire URL. They decided to include the URL in the email body to reduce suspicion, as some users wouldn’t click buttons or hyperlinks in unexpected emails. Once the attackers have gained the user’s trust early in the ‘journey’, the user is more likely to keep believing and enter the credentials when requested.

Why does Microsoft’s Office ATP miss this attack?

We suspect that Microsoft doesn’t identify this phishing email campaign because Microsoft’s email defenses are based on statistical models and reputation. As long as the attack is new and not yet widely spread, Microsoft will not detect it. In addition, the constant changes to the specific URLs used in this campaign make it difficult to track when detection is based on reputation. Hosting on legitimate Google websites makes it even harder.

BitDam, on the other hand, doesn’t base its detection on knowledge about past attacks, which allows BitDam ATP to detect and stop new threats when they’re seen for the first time.  

How to avoid such attacks? 

The easiest way is to augment the security you get from Microsoft with a dedicated, more advanced email security layer that uses a different technological approach and detects such phishing attacks and other threats that Microsoft tends not to identify while they’re still new.

If you don’t have such a solution in place, it’s recommended to hover the mouse over the link and verify that it goes to the Zoom website. Many organizations use URL rewriting (e.g. Safe Links or urldefense), which prevents users from actually seeing the domain the URL points to. In that case, it is OK to click the link, but never enter your Office 365 credentials. If you think about it, why would Zoom need your Office 365 authentication?
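Hover-checking each link by hand does not scale, and URL rewriting hides the real destination from the user anyway. The Python below is an added example (not BitDam's code, and none of the URLs are real campaign indicators) that unwraps Safe Links and Proofpoint urldefense v2 wrappers and then flags a "Join Zoom Meeting" link whose real destination is not zoom.us or sits on the Google hosting services named above; the wrapper formats are assumptions and every sample host is a constructed placeholder.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Assumed wrapper shapes (not BitDam code): Microsoft Safe Links carries the
# original URL in the "url=" query parameter; Proofpoint urldefense v2 carries
# it in "u=" with "/" written as "_" and other special characters as "-XX" (hex).
def unwrap_rewritten_url(url: str, max_depth: int = 5) -> str:
    """Peel Safe Links / urldefense v2 wrappers until a plain URL remains."""
    for _ in range(max_depth):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        query = parse_qs(parsed.query)
        if host.endswith("safelinks.protection.outlook.com") and "url" in query:
            url = unquote(query["url"][0])
        elif host == "urldefense.proofpoint.com" and parsed.path.startswith("/v2/url") and "u" in query:
            encoded = query["u"][0].replace("_", "/")
            url = re.sub(r"-([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), encoded)
        else:
            break
    return url

def host_matches(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

# Google hosting services the campaign above used for the fake Outlook page.
ABUSED_HOSTING = ("googleusercontent.com", "storage.googleapis.com")

def check_invite_link(link_text: str, href: str) -> str:
    """Verdict for a meeting-invite link: 'ok', 'mismatch' or 'abused-hosting'."""
    host = (urlparse(unwrap_rewritten_url(href)).hostname or "").lower()
    if any(host_matches(host, d) for d in ABUSED_HOSTING):
        return "abused-hosting"          # lands on free hosting, never a Zoom meeting
    if "zoom" in link_text.lower() and not host_matches(host, "zoom.us"):
        return "mismatch"                # text claims Zoom, destination is elsewhere
    return "ok"

# Constructed samples with placeholder hosts; none are real campaign indicators.
SAMPLES = {
    "plain_legit": ("https://zoom.us/j/123456789", "https://zoom.us/j/123456789"),
    "safelinks_legit": ("Join Zoom Meeting",
        "https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fzoom.us%2Fj%2F123456789&data=x"),
    "spoofed_bucket": ("https://zoom.us/j/123456789",
        "https://EXAMPLE-BUCKET.storage.googleapis.com/outlook.html"),
    "urldefense_spoofed": ("https://zoom.us/j/123456789",
        "https://urldefense.proofpoint.com/v2/url?u=https-3A__example.googleusercontent.com_fake-2Dlogin&d=x"),
}
```

Running `check_invite_link(*SAMPLES["urldefense_spoofed"])` returns `abused-hosting` because the wrapper is peeled before the host is judged, which is exactly what a hovering user cannot do.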

And last but not least, if you aren’t sure about a link, you can always scan it using the BitDam online URL scanner and you’ll know whether it’s a phishing scam in seconds.

Alert: The new phishing combo trick that bypasses Office ATP

A few weeks ago, BitDam ATP detected an outstanding attack that was sent over email to one of our European customers and easily bypassed Office ATP. We analyzed it and, since it was super-targeted, we assumed it was a one-time thing and moved on.

Surprisingly, since then we have detected a few other attacks that use the same tactic. That’s when I thought it was worthwhile to tell you guys about it!

Legitimate Sender and Email Address 

It all starts with an email that is sent from a real, legitimate email account. It seems the hacker gained control over the mailbox of a real person. Moreover, in all the instances we detected, the sender was from an organization that is in constant contact with the targeted organization. Obviously, the attacker did some research prior to launching the attack: he or she picked a specific organization and searched for vulnerabilities in the organizations surrounding that target, such as vendors, clients or service providers. Once such an opening was found, the attacker used it to take over a real email account and send messages on behalf of a real user. Since this is a very targeted scam, it is likely that the owner of the compromised mailbox didn’t even notice that an email he had not intended to send went out from his mailbox.

Hiding Phishing in a Multiple-hop Journey

The next step is luring the receiver into clicking something. In one of these cases, the receiver was sent a “document” that he was asked to sign using DocuSign. Clicking the DocuSign button took him to a fake DocuSign page hosted on SharePoint, with a button saying “Please proceed here”. Clicking that transferred the user to a phishing webpage that looks exactly like a Microsoft login page, asking for the victim’s Microsoft credentials.

In another case, the excuse was “SENDER shared a file with you” using the sender’s real name.

Clicking the ‘open file’ button leads to what looks like a OneDrive webpage, which requires another link to access the document. This link is the phishing URL, taking the victim to a fake OneDrive login page that asks for a username and password.

The first hop in all these attacks was hosted on SharePoint, which makes them more credible and helps them evade both email security and suspicious users.

Why are these attacks so dangerous? 

These targeted attacks are extremely dangerous for two main reasons:

  1. Office ATP misses them. Even though BitDam ATP stopped them, they are proven to bypass Office ATP as well as other email security solutions. Why? First, since these attacks are very targeted and unique, they fly below the radar of statistics-based security solutions. Secondly, the phishing link is hidden behind several steps (a few clicks are required before reaching the phishing URL), and most security solutions fail to follow all these steps when scanning emails.
  2. They look very real! Sent from the mailbox of a real person the victim is in touch with, going through several web pages that all look legit, and asking to log in in order to access a file: all of that looks like a normal, legitimate journey to access a file that someone you work with sent you. None of it is out of context, so there is no reason for the receiver to be suspicious.

The main thing that makes these attacks so unique and successful is the trick they use to evade anti-phishing solutions. Combining multiple hops while counting on the user’s behavior to move from one hop to the next makes it almost impossible for email security solutions to identify that there is a phishing URL hiding there.
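As an added example (not BitDam's scanner or any vendor's code), the Python below shows why hop depth matters to a link scanner: a breadth-first crawler that follows links from the first page and reports a credential form only when it is hosted outside an assumed allowlist of Microsoft sign-in hosts. The three-hop chain it walks mirrors the DocuSign/SharePoint lure above and is constructed with placeholder hosts; `fetch` is a caller-supplied function so the example runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _PageLinks(HTMLParser):
    """Collect outgoing hrefs and note whether the page contains a password field."""
    def __init__(self):
        super().__init__()
        self.links = []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True

# Hosts where a Microsoft sign-in form is legitimately expected (assumption for this example).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

def find_credential_form(start_url, fetch, max_hops=3):
    """Follow links breadth-first for up to max_hops and return the first URL that
    asks for a password on a host outside TRUSTED_LOGIN_HOSTS, or None.
    fetch(url) returns the page HTML or None; in practice this is an HTTP client."""
    frontier, seen = [(start_url, 0)], set()
    while frontier:
        url, depth = frontier.pop(0)
        if url in seen or depth > max_hops:
            continue
        seen.add(url)
        html = fetch(url)
        if html is None:
            continue
        page = _PageLinks()
        page.feed(html)
        if page.has_password_field and urlparse(url).hostname not in TRUSTED_LOGIN_HOSTS:
            return url
        frontier.extend((urljoin(url, href), depth + 1) for href in page.links)
    return None

# Constructed three-hop chain: fake DocuSign page -> fake OneDrive page -> login form.
# All hosts are placeholders, not indicators from the real attack.
PAGES = {
    "https://example-tenant.sharepoint.com/sites/docs/docusign.html":
        '<h1>DocuSign</h1><a href="https://files.example.net/onedrive.html">Please proceed here</a>',
    "https://files.example.net/onedrive.html":
        '<p>OneDrive</p><a href="https://login.example.net/auth">Open file</a>',
    "https://login.example.net/auth":
        '<form><input name="user"><input type="password" name="pass"></form>',
}
START = "https://example-tenant.sharepoint.com/sites/docs/docusign.html"
```

With `max_hops=1` the scan stops at the fake OneDrive page and returns nothing, which is the blind spot described above; with `max_hops=3` it reaches the login form on the untrusted host.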

This, combined with the fact that these attacks are used rarely and are very targeted, makes them undetectable by security solutions that base their verdict on statistical and machine learning models, such as Office ATP and Proofpoint TAP. Using a different scanning approach that is 100% attack-agnostic and doesn’t rely on knowledge of other threats, BitDam detects these attacks.

The Benefits of Targeted Attacks

In our video series ‘Get into The Phisher’s Mind’ which covers the decisions hackers have to make when they plan a phishing scam, we discussed spraying vs. cherry-picking. As you can easily tell, the attackers in these cases chose to go cherry-picking and tailored the attack to their specific target. 

The cost for the attackers of creating such a focused scam is clear: a higher investment per attack. So why would they do that? The reason is that with such a targeted method, these attacks fly below the radar of reputation- and statistics-based detection engines, which dramatically reduces their chances of being caught. Since many organizations these days still count on Office ATP as their main email protection, it’s safe to assume that the attack will reach the victim’s mailbox and he or she will be tricked.

The bottom line is that no matter how educated the receiver of these attacks is about phishing, the chances of realizing that this is a phishing scam are very low. In addition, the commonly used anti-phishing solutions struggle to detect these multiple-hop phishing attacks, especially if they are rare or targeted, so the risk is high.

What Can Be Done?

To finish this post on a positive note, I would encourage you to test your email security against the newest and most sophisticated threats out there, and would suggest protecting your email and other collaboration tools using an advanced solution like BitDam’s. You can register for a free trial and see how effective it is for yourself.

 
