![]() MORE FROM FORBES SubdoMailing Threat To New Gmail Security Rules By Davey Winder Free SquareX Browser Extension Updated To Help Mitigate Email Attachments ThreatĬoncerned that the vulnerabilities found during the research amounted to a cybersecurity loophole posing a threat to millions of email users, SquareX has updated its browser extension in a bid to help mitigate the malicious attachment risk. I also reached out to Apple, Google, and Yahoo! but had not heard back from any of them ahead of publication. I am led to understand that Microsoft has no record of the SquareX report having been submitted to its response teams. I contacted Microsoft which did not want to provide a statement, but it did point me to a support document regarding email protection in Microsoft 365 which users can refer to. “To ensure that people can understand and validate our findings,” the SquareX spokesperson said, “the report includes all details of the files we used and video recordings of sending these files to the different mail providers showcasing how they tackle these malicious documents.” SquareX has assured me that it would be sending another support request to all the vendors 24 hours before my report published today. “We were unable to get a proper response via their online channels, which are primarily feedback forms that largely go unresponded to.” “One of the major challenges with almost all these email providers is the lack of an easy way to reach their technical support,” a SquareX spokesperson told me. I asked SquareX if it had approached the email vendors with its findings during the research process. ![]() He warns, however, that “this is akin to asking the free Wi-Fi at a Starbucks why are they not blocking more or all cyber attacks.” It’s tough balancing free and secure in the same sentence, Thornton-Trump told me, adding that anyone making an “assumption that security comes without cost is dangerous for any consumer.” From the commercial realities point of view, Thornton-Trump argues that so-called ‘advanced’ email security “can be deeply problematic with false positives which may involve the use of technical support resources to help or fix - that expense across millions of users on a free platform may be commercially untenable.” And that’s before you take the processing power required for any more advanced malware detection capabilities into account. Ian Thornton-Trump, CISO with threat intelligence experts Cyjax, says that he thinks there is an opportunity to do better when it comes to consumers using free webmail services such as these. Metadata changes are simple to conduct but should not then pass virus checks as this could very easily be abused by threat actors.” “Purporting to be a PDF sounds like an attack vector used by a cybercriminal of the 1990s,” Moore says, “so it is rather shocking that this is being found in modern-day threats. I spoke to Jake Moore, the global cybersecurity advisor at ESET, who told me that he thought it was worrying that such well-known technology giants have allowed malicious files to pass security tests, especially when millions of users rely on these checks to remain protected. ![]() Vivek Ramachandran, founder and CEO of SquareX, told me that while billions of internet users blindly trust public webmail providers to scan document attachments for security risks, “we recommend that webmail providers transparently publish details of their scanning technology's limitations and explicitly warn users about these caveats.” Doing this, Ramachandran says, would ensure “users understand the risks and the need to use additional security products.” Security Experts Have Their Say On Email Attachment Risk No email provider passed the SquareX test with flying colors SquareX On the other hand, if an email was delivered, it means that the user was able to interact with the malicious document, leaving them vulnerable to attack. If an email was undelivered, it means that the email server detected malware while processing the email. The table below displays the results of the research, indicating whether the emails were delivered or undelivered. MORE FROM FORBES New Gmail & M365 Warning As 2FA Security Bypass Hack Confirmed By Davey Winder However, renaming the code fragment to a PDF that warning vanished. In fairness, at least Gmail presented users with a warning whereas none of the others did. Just when you think things couldn’t have gotten much worse, the researchers discovered that all the email providers delivered a Microsoft Excel document with a macro containing well-known malware code. In this case, a relatively simple tweaking of the file metadata resulted in Apple iCloud Mail, Google Gmail and Microsoft Outlook all also letting the file through. Yahoo! Mail and AOL both failed to block another malicious file claiming to be a Microsoft Excel document, this time one that had failed to fool 35 virus scanners.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |