dcontesti
Community Champion

American Airlines learned it was breached from phishing targets

American Airlines says its Cyber Security Response Team found out about a recently disclosed data breach from the targets of a phishing campaign that was using an employee's hacked Microsoft 365 account.

 

https://www.bleepingcomputer.com/news/security/american-airlines-learned-it-was-breached-from-phishi...

 

Thoughts?

 

d

 

5 Replies
JoePete
Advocate I

From the linked article:

"American has no reason to believe that syncing the contents of the mailboxes was the purpose of the access. Based on the fact, it appears the unauthorized actor was using IMAP protocol as a means to access the mailboxes and send phishing emails."

 

Seems a contradictory or at least convoluted response. Syncing contents wasn't the purpose; purpose was just to "access" mailboxes and send phishing emails. I'm not sure what they are getting at. Big picture: Phishing can be greatly diminished by banning HTML email - or at least having the awareness not to read in HTML. But we've actually gone backward on this topic in the past 20 years. There is no good reason to use HTML email. Don't send it, don't read it.

denbesten
Community Champion


@JoePete wrote:

There is no good reason to use HTML email.


That stance is untenable with many people, including executives and techies alike. HTML has significant benefits -- highlighting important bits, embedded screenshots, automatic reflow so that messages take maximum benefit of both small and large screens, etc. Banning HTML-Email risks creating entirely new risks -- that the execs will exert their influence and that techies will subvert the controls.

 

Phishing defenses need to be much more nuanced. Specifically, executable content (most notably JavaScript) should be blocked, external content should not automatically load and hyperlinks need to be very transparent (show us the d*mn url).
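The three defenses listed in this reply, as an added Python example (not from the thread, and not any mail product's own filter): one pass over an HTML mail body that drops executable tags and inline event handlers, stops external images from auto-loading, and prints each link's real target beside its text, recording what it changed. The sample lure is constructed; the set of tags treated as executable is a minimal illustration, not a complete list.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse
EXECUTABLE = {"script", "iframe", "object", "embed", "form"}  # dropped together with their body

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.findings, self._skip, self._href = [], [], 0, None
    def handle_starttag(self, tag, attrs):
        if tag in EXECUTABLE:                 # 1. executable content: drop the tag and its body
            self.findings.append(f"removed <{tag}>")
            self._skip += 1
        if self._skip:
            return
        kept = {}
        for name, val in attrs:
            v = (val or "").strip()
            if name.startswith("on") or v.lower().startswith("javascript:"):
                self.findings.append(f"dropped {name} on <{tag}>")
            elif tag == "img" and name == "src" and urlparse(v).scheme in ("http", "https"):
                self.findings.append(f"blocked external image {urlparse(v).netloc}")
                kept["alt"] = f"[external image blocked: {urlparse(v).netloc}]"  # 2. no auto-load
            else:
                kept[name] = v
        self._href = kept.get("href", "") if tag == "a" else self._href
        self.out.append("<%s%s>" % (tag, "".join(f' {n}="{escape(v)}"' for n, v in kept.items())))
    def handle_endtag(self, tag):
        if tag in EXECUTABLE:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            if tag == "a" and self._href:     # 3. show the real target beside the link text
                self.out.append(escape(f" [{self._href}]"))
                self._href = None
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if self._skip:
            return
        shown, real = urlparse(data.strip()).netloc, urlparse(self._href or "").netloc
        if self._href and shown and shown != real:   # link text is itself a URL to another host
            self.findings.append(f"link text shows {shown} but targets {real}")
        self.out.append(escape(data))

def sanitize(html_body):
    p = MailSanitizer()
    p.feed(html_body); p.close()
    return "".join(p.out), p.findings   # (sanitized html, list of findings)
SAMPLE = (  # constructed sample lure: inline script, tracking pixel, disguised link with a handler
    '<script>top.location="http://evil.example/x"</script><img src="http://tracker.example/p.gif">'
    '<a href="http://evil.example/login" onclick="go()">https://mail.example.com/login</a>')
```

The findings list is the part worth feeding into detection: a link whose visible text names one host while pointing at another is exactly the obfuscation the thread goes on to describe.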

 

 

JoePete
Advocate I


@denbesten wrote:
HTML has significant benefits --  highlighting important bits, embedded screenshots, automatic reflow so that messages take maximum benefit of both small and large screens, etc.  Banning HTML-Email risks creating entirely new risks -- that the execs will exert their influence and that techies will subvert the controls.

While I agree the execs think HTML is great, it has both limits and risks. The variability in email clients - both in how they write and render HTML - makes it difficult to reliably use HTML email (especially when you get into areas of accessibility). If you are dealing with a fairly uniform organization, then maybe you can achieve the desired result. However, that only encourages bad habits when crafting external email, putting all this effort into a pretty appearance when in fact the result may be the opposite - an email that looks awful or even empty to an external recipient. Then you get into the issue of phishing, where HTML allows for the easy obfuscation of URLs, form elements, and even scripting.

 

I do realize that I'm trying to talk back the tide here, but I cannot see the benefits of HTML email offsetting the risks posed by it.

tmekelburg1
Community Champion

HTML emails aside, I see this as more of a misconfiguration within O365 and not having 2FA set up. Global policies can be applied within O365 to place unauthorized devices into quarantine, conditional access requirements with MDM, yada, yada, yada.

 

Things we can't control: Determining the business requirements for HTML email

Things we can control: Configuring our systems in a secure way

 

JoePete
Advocate I


@tmekelburg1 wrote:

HTML emails aside, I see this as more of a misconfiguration within O365 and not having 2FA set up. Global policies can be applied within O365 to place unauthorized devices into quarantine, conditional access requirements with MDM, yada, yada, yada.


But if the tail of using HTML email is wagging the email dog, then likely "ease of use" is also wagging the authentication dog. That said, we have seen cases where phishing defeats authentication schemes that use more than a password. Example: The attacker contacts the target and asks for them to provide the code they just sent as proof of identity.