Why phishing isn’t going away…
Jersey Cyber Security Centre
Jersey Cyber Security Centre (JCSC) works to prepare, protect and defend the island against cyber threats.
We mentioned a few weeks ago that there’s actually quite a lot you can do about phishing emails – you may remember the terms DKIM, SPF, DMARC and MTA-STS (and if you missed it, the post is here). The technology isn’t particularly user-friendly, but it’s a start in slowing down people pretending to be something they aren’t.
Unfortunately…
…well, the malicious actors have discovered that businesses have long since started to use other communications channels aside from email. They use SMS… and WhatsApp... and QR codes… and Teams...
Users have, to a greater or lesser extent, understood that care is needed with email. They are less familiar with the idea that there is a threat from other systems. Part of this stems from the fact that email is a tool that allows people to communicate with the outside world ("isn't Teams just for work colleagues?"); part stems from not understanding how the other technologies can be abused. And part of it is nothing to do with the users: it’s that the security industry simply doesn’t provide the same level of anti-phishing support for non-email systems.
We’re going to have something to say about the way that QR codes can be misused in a future post, but for this morning let’s talk about Microsoft Teams. Everyone assumes Teams is an internal system, so where’s the danger going to come from? Well… it’s not actually quite like that. If Teams isn’t locked down, accounts belonging to other organisations (in this case, compromised Microsoft 365 accounts) can send messages straight into your tenant’s Teams chats. There’s currently a campaign ongoing where people are lured into downloading a ZIP file containing what looks like a PDF with details of changes to the holiday schedule. Opening it actually runs a script which fetches and installs a malware downloader.
The group behind this are pitching to the exclusive end of the market. They provide the malware as a service, priced at $333 per day, and they say they limit access to no more than ten customers at a time. But they are not the only people targeting Teams: the Russian foreign-intelligence-backed group generally known as APT29 is in this game as well, alongside at least one other criminal gang. And it’s not just Teams: the same Russian intelligence team has been targeting Slack as well.
SMS is interesting. As we found out a month or two ago, it’s very difficult to make an SMS look official, so people who are legitimately careful may think a message is fake when it’s actually genuine. But at the same time, many (we’d probably suggest the majority) would not stop to think about where the link in the SMS was taking them. The other issue with SMS (and WhatsApp and similar tools) is that it’s an instant message: something that’s looking for a quick response by design. One of the drums we keep banging with email phishing is about slowing down and thinking about what the email is asking; doing this with messaging or QR (it stands for quick response) codes is just that much harder.
There are two aspects to dealing with the problem. Yes, of course, organisations need to train staff to understand that phishing isn’t just an email thing. But realistically, people are the last line of defence, and there need to be better fortifications in front of them.
Microsoft are waking up to the issue with using Teams for phishing. There are configuration changes that can be made to make it harder for outsiders to get in: businesses need to sit down with their security teams or supporters and get them implemented.
The first of these is to put a structure in place to manage who can create groups and teams. The second is to understand the difference between guest access (designed around individual users invited into your tenant) and external access (designed to let whole domains chat and call across tenant boundaries). By default, external access is allowed to every domain: thought needs to be given to which domains should be allowed external access and which should not. Guest access is also quite relaxed about permissions: basic rules, like stopping guests from editing or deleting sent messages, deleting chats, making private calls and using “Meet now”, should be applied. And thirdly, Teams and 365 generate logs: these really need to be checked for anomalies, such as guests being added to teams by people who have no business doing so.
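Below is an added example, not part of the original JCSC post, of what those three steps look like when done from PowerShell rather than the Teams admin centre. It uses the MicrosoftTeams, Microsoft.Graph.Beta and ExchangeOnlineManagement modules. The partner domain names, the “Teams Creators” security group and the seven-day window are placeholders we have assumed for illustration; the `Members`, `TeamName` and `UserId` fields read out of the audit record, and the `#EXT#` marker used to spot guest accounts, reflect how Teams audit events are commonly structured but should be checked against your own tenant’s output before you rely on them.

```powershell
# Added example (not from the JCSC post): tightening Teams against external phishing
# and then checking the audit log for guest additions. Domain names, group name and
# time window are placeholders - substitute your own.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# --- Step 2a. External access: the default is open federation with every domain. ---
# Replace that with an allow-list of the partner domains you actually work with,
# and stop unmanaged consumer Teams / Skype users from starting conversations.
# (-AllowedDomainsAsAList needs a recent MicrosoftTeams module; older modules
#  build the list with New-CsEdgeDomainPattern / New-CsEdgeAllowList instead.)
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @("partner-one.example", "partner-two.example") `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

# --- Step 2b. Guest access: limit what an invited guest can do once inside. ---
# Guests should not be able to rewrite or erase what they have sent (that is your
# evidence if a guest account turns out to be compromised), nor start ad-hoc calls
# or "Meet now" meetings that bypass the normal invitation path.
Set-CsTeamsGuestMessagingConfiguration `
    -AllowUserEditMessage $false `
    -AllowUserDeleteMessage $false `
    -AllowUserDeleteChat $false
Set-CsTeamsGuestCallingConfiguration -AllowPrivateCalling $false
Set-CsTeamsGuestMeetingConfiguration -AllowMeetNow $false

# --- Step 1. Who can create groups and teams (Entra ID "Group.Unified" setting). ---
# Every Team sits on a Microsoft 365 Group, so restricting group creation to one
# security group restricts team creation as well.
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Groups
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"
$creatorsGroupId = (Get-MgBetaGroup -Filter "displayName eq 'Teams Creators'").Id   # assumed group
$params = @{
    templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"   # Group.Unified settings template
    values     = @(
        @{ name = "EnableGroupCreation";         value = "false" }
        @{ name = "GroupCreationAllowedGroupId"; value = $creatorsGroupId }
    )
}
$setting = Get-MgBetaDirectorySetting | Where-Object DisplayName -eq "Group.Unified"
if ($setting) { Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id -BodyParameter $params }
else          { New-MgBetaDirectorySetting -BodyParameter $params | Out-Null }

# --- Step 3. Logs: who added guests to which teams in the last seven days? ---
# Reads the unified audit log via Exchange Online. Guest UPNs carry the "#EXT#"
# marker; anyone outside the team-owner population showing up here is an anomaly.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType MicrosoftTeams -Operations MemberAdded -ResultSize 5000
foreach ($e in $events) {
    $d      = $e.AuditData | ConvertFrom-Json
    $guests = $d.Members | Where-Object { $_.UPN -like "*#EXT#*" }
    if ($guests) {
        "{0}  {1} added guest(s) to '{2}': {3}" -f $d.CreationTime, $d.UserId, $d.TeamName, ($guests.UPN -join ", ")
    }
}
```

Run the configuration section once (it is idempotent) and the audit-log section on a schedule; a second query on `Operations TeamsTenantSettingChanged` would catch anyone quietly loosening the federation settings again.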
If it’s something other than Teams and your security supporters can’t locate any hardening guidance, ask them to push the supplier for it. It’s the only way some companies will be persuaded that security features matter.
And finally: maybe some thought needs to go into whether an SMS or an instant message is the right answer, or if a response can wait for just a few more minutes.