In-depth analyses from Hornetsecurity’s Security Lab

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on industry items from the month of September, while discussing hard data points from our own services for Q3 of 2024.

As a reminder, some months ago we shifted from discussing the data points mentioned here on a monthly basis, to instead discussing them quarterly. We felt that this would more easily show the shifts in attack trends as opposed to the micro changes we had been seeing on a monthly basis outside of major incidents (which often warrant their own article).

Executive Summary

• There was a higher percentage of threats delivered by email in Q3 when compared with Q2.
• The amount of low-effort (and ultimately rejected) email attacks increased during the months of July, August, and Sept by a small amount.
• PDFs, archive files, and HTML files were the most popular malicious email file types during the data period for this report.
• Mining, entertainment, and Manufacturing are the most targeted verticals during the data period.
• There was a noted increase in the threat index for nearly every single industry vertical during Q3.
• DHL and DocuSign were the 2 most impersonated brands during Q3.
• We observed a marked increase in American Express brand impersonations during Q3, likely driven by the summer travel season.
• Microsoft recently held a Windows Security Summit to discuss the fallout from the CrowdStrike incident and are now beginning to discuss some long term plans to prevent the issue from happening again.
• A high severity CUPS vulnerability allow remote code execution has admins double-checking their Linux systems

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for Q2 (Apr-Jun) 2024 compared to Q3 (Jul-Sep) 2024.

Our data shows that more email threats were levied at businesses during Q3 than Q2. This is a fairly consistent trend from year to year as it’s common to see the amount of threats decrease during summer months. Threat actors know that fewer people are in the office during this time frame and as such less traffic during Q2 is normal. This trend frequently blends into Q3 somewhat as well as July and August are also heavy travel months. We suspect the amount of threatening email to increase now throughout the remainder of the year.

Worth noting for Q3 specifically, we saw an increase in the amount of rejected email threats. These are threats tend to be low-effort email attacks that cast a wide net instead their spear phishing counterparts. Regardless, the email security threat level remains high overall.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

Other categories in the image are described in the table below:

File Types Used in Email Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.

Malicious PDFs, archive files, and HTML files continue to be the most popular amongst threat-actors for the delivery of malicious payloads. This is consistent with what we’ve observed for some time now reaching into last year. More interestingly is the increase in the amount of malicious Microsoft Word and Excel documents. Microsoft has made office macros disabled by default for some time now and despite this, threat-actors have found effective methods around the restrictions, such as instructing the user to re-enable macros..etc..etc.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Mining, entertainment, and manufacturing were the most targeted industries in Q3 which continues a trend that we’ve been seeing for some time. That is, these industries commonly being at or near the top of our impersonation list. These targeted organizations are typically large enough to have sufficient resources to pay ransoms but also may not fall into a heavily regulated industry, meaning less security infrastructure to deal with by threat-actors. Hence, it’s common to see them near or at the top of the list.

Also worth noting for this particular data point is we’ve seen an increase in the threat index for nearly every industry vertical across the board, which is consistent with our data (shown above) showing the number of clean emails going down vs. the number of malicious emails during the data period.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

DHL and Docusign are the two most impersonated brands during Q3. On top of that, we’ve noticed a marked increase in the amount of American Express brand impersonations as well indicating a potential targeted threat-actor campaign using that brand specifically. DHL is one of the largest shipping brands in the world and it’s common to see it near the top of the list. As for the more financial-oriented brands – we observe ebbs and flows in DocuSign throughout the year. As for American Express, this can most likely be explained due to the fact that we just wrapped up the summer travel months, and American Express was likely used more widely during these months than others. Threat actors know this, and as usual, will adjust their TTPs (Tactics, Techniques, and Procedures) accordingly.

Major Incidents and Industry Events

Microsoft Making Changes Due to CrowdStrike

The CrowdStrike incident from this summer is still clearly etched in the minds of IT pros and travelers alike. We wrote about the issue in our August 2024 edition of the monthly threat report if you’d like to know more about the incident. One of the key criticisms of the incident is the fact that had CrowdStrike not had the level of access to kernel mode in Windows that they did, the impact of the issue would not have been as widespread. This begs the question: “how much access should a third party vendor have in kernel mode?”.

It seems this is a question that Microsoft is indeed asking themselves, and thankfully, they aren’t asking it in a vacuum. In fact, Microsoft recently held a Windows Security Summit with key community members and security software vendors. Amongst talk of the security ecosystem, one of the key items discussed was the very question mentioned above, centered around kernel access.

As a result of the summit, Microsoft has indicated that they are working to build capabilities outside of kernel mode that will provide security vendors with the deep level of access needed in order to perform their core functions. In quoting Microsoft’s official blog post that followed the summit:

In addition, our summit dialogue looked at longer-term steps serving resilience and security goals. Here, our conversation explored new platform capabilities Microsoft plans to make available in Windows, building on the security investments we have made in Windows 11. Windows 11’s improved security posture and security defaults enable the platform to provide more security capabilities to solution providers outside of kernel mode.

Both our customers and ecosystem partners have called on Microsoft to provide additional security capabilities outside of kernel mode which, along with SDP, can be used to create highly available security solutions. At the summit, Microsoft and partners discussed the requirements and key challenges in creating a new platform which can meet the needs of security vendors.

What type of access this translates to for security vendors remains to be seen. We will continue to monitor this situation in the coming weeks and months.

New NIST Guidelines for Passwords

NIST has updated their password guidlines for identity providers and general use. A summary of guideline changes is as follows:

• New minimum password length guidance – 8 characters at an ABSOLUTE minimum, but 15 characters or more is recommended.
• NIST recommends that password composition rules be removed. Ex: the requirement that your password contain a number and a special character.
• A change from “recommendation” to “shall not” require periodic password rotations UNLESS there is evidence of breach.
• Allow the use of ASCII and Unicode characters in passwords

This is by no means a comprehensive list. The full document can be found via the name NIST-800-63b

Additionally, we discussed this topic extensively on a recent episode of The Security Swarm Podcast

CUPS Remote Code Execution Vulnerability

One other big security news item making headlines over the last month is the news or a new severe vulnerability in the Linux CUPS printing system. CUPS stands for Common UNIX Printing System, and is generally not in a running state on most Linux systems. That said, if the service is running it will listen on UDP port 631 and will allow connections from any device on the network for the purposes of creating a new printer.

This state could potentially allow a remote code execution via a number of different tracked CVEs listed below:

Effective mitigations includes disabling the running service, or blocking and/or tightly controlling access to UDP port 631.

Predictions for the Coming Months

• Email threats are likely to continue the upward trend for the remainder of the year due to the coming Christmas holiday shopping season
• due to the nature of threat finding, it’s possible we’ll see additionally discovered vulnerabilities in popular and common open source systems and libraries.

Monthly Recommendations

• Prepare your end users for the upcoming increases in email threats by leveraging a trusted security awareness training vendor to get them up to speed.
• If you’ve got any Linux systems in-house, make sure to check them for risks associated with the current CUPS vulnerabilities. Mainly check access to UDP port 631.

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 120 countries through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 75,000 customers.