Serviceteam IT Security News

Researchers at GreatHorn have identified what they are calling a widespread attack in which attackers spoofed both the Microsoft brand in the display name and the Barracuda Networks brand in the return path and received headers, with the goal of stealing credentials.

The attack is notable in that the return path spoofs a noreply.barracudanetworks.com address. “The attackers crafted the received headers so that it appears to have gone through multiple ‘Barracuda’ hops prior to sending the email via a server designed to look like a Barracuda server. Microsoft has then automatically appended legitimate received header details to the spoofed headers, making it appear that much more legitimate,” researchers wrote.

According to today’s blog post, attackers leveraged a known security flaw in Microsoft’s handling of authentication frameworks. Rather than honoring a sending domain’s directives for how domain-based message authentication, reporting, and conformance (DMARC) failures and exceptions are to be handled, “Microsoft Office 365 typically ignores those directives and, at best, treats them as spam or junk instead of quarantining or rejecting them, making it more likely for the user to interact with such spoofs.”
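A header triage check for the pattern described above, added here as an example (it is not GreatHorn's or Microsoft's code): it flags a brand in the display name that does not match the From domain, a Return-Path domain unrelated to the From domain, and a DMARC fail recorded by the receiving gateway. The sample message, the `TRUSTED_AUTHSERV` value and the `BRANDS` map are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id stamped by your own gateway
BRANDS = {"microsoft": ("microsoft.com", "office365.com")}  # assumption: brand -> sender domains

# Constructed sample shaped like the message described above; not a captured email.
SAMPLE = """\
Return-Path: <bounce@noreply.barracudanetworks.com>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=noreply.barracudanetworks.com; dmarc=fail header.from=example.org
Authentication-Results: forged.example.org; dmarc=pass header.from=example.org
From: "Microsoft Office 365" <alerts@example.org>
To: user@example.net
Subject: Action required

Body
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a From or Return-Path header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def under(child, parent):
    """True when child equals parent or is a subdomain of it."""
    return bool(child) and (child == parent or child.endswith("." + parent))

def dmarc_result(msg):
    """DMARC verdict from the trusted gateway's header only; sender-supplied ones are ignored."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        match = re.search(r"\bdmarc=(\w+)", results)
        if authserv.strip().lower() == TRUSTED_AUTHSERV and match:
            return match.group(1).lower()
    return None

def triage(raw):
    msg = message_from_string(raw)
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_dom, rp_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    findings = []
    for brand, domains in BRANDS.items():
        if brand in display and not any(under(from_dom, d) for d in domains):
            findings.append("display-name-brand-mismatch")
    # Approximates relaxed alignment by suffix match, not a public-suffix lookup.
    if rp_dom and not (under(rp_dom, from_dom) or under(from_dom, rp_dom)):
        findings.append("return-path-misaligned")
    if dmarc_result(msg) == "fail":
        findings.append("dmarc-fail")
    return findings
```

Because the spoofed message carries attacker-written headers, only the `Authentication-Results` line bearing your own gateway's authserv-id is read; a `dmarc=pass` stamped by any other host is ignored.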

That a major tech company has not embraced DMARC is in line with the findings of a recent report, Tech Companies Make Progress in Anti-Phishing Protection, published by ValiMail. The report found that 90% of large tech companies are vulnerable to spoofing, yet only 49% of global technology companies are already enforcing DMARC anti-phishing technology.

“This is a good example of how attackers are adapting to user awareness and preventative technology,” said Terence Jackson, chief information security officer at Thycotic. “User education and email protection technology is needed, but we have to make sure that user training is continuous and the technology we put into place is not static but dynamic and utilizes a degree of machine learning to analyze these types of new attacks.

“Attackers are going to great lengths to obtain user credentials to access sensitive data. Hopefully GreatHorn’s customers had multifactor authentication enabled, which should have limited the scope of this attack. But as we’ve seen before, users tend to reuse passwords on multiple sites, which again highlights the need for the use of password managers and better personal cyber hygiene.”

Source: Infosecurity Magazine
