Beyond the Inbox: Protecting Against Collaboration Apps as an Emerging Attack Vector
Published 05/01/2023
Originally published by Abnormal Security.
Written by Mike Britton.
Email has always been a lucrative attack vector for cybercriminals. Even today, it continues to be their most common path into an organization, and enterprises are undoubtedly feeling the impact. Losses due to business email compromise (BEC) jumped from $2.4B in 2021, to over $2.7B in 2022—a nearly 15% increase—with no signs of slowing down.
As these attacks continue to become even more targeted and sophisticated, security leaders are increasingly investing in security tools to protect their email environment. And while this is certainly a step in the right direction, we have to remember that cybercriminals are clever and highly adaptable, constantly shifting their tactics to bypass defenses.
When one door closes, they look for another to open, and now, they’re increasingly eyeing collaboration applications.
The Attack Surface is Expanding Beyond the Inbox
Email is no longer the sole communication channel for most organizations. As businesses everywhere shifted to distributed and remote working models, the use of collaboration apps has exploded. There are now hundreds of millions of daily active users across Slack, Zoom, and Microsoft Teams—to say nothing of the dozens of other collaboration applications that are available.
These apps are attractive to bad actors for a few reasons:
- They’re frequently used to share sensitive company information—a prime motivation for criminals looking for a way in, as well as malicious insiders looking for data to exfiltrate out.
- They have inherent security vulnerabilities, and because they’re relatively newer technologies, cybercriminals are jumping at early opportunities to take advantage of them.
- Like email, collaboration apps have become tools that employees are very comfortable with—even dangerously so—to the extent that many people have their guard down when using them, oblivious to socially-engineered messages.
- Because many collaboration apps are integrated with cloud email platforms, they’re keys to the kingdom. A compromised Teams tenant may be a link in the attack chain that eventually leads to a compromised Microsoft 365 environment, for example.
Beyond the risk of external threat actors and malicious insiders, there is the added risk of unintentional insider threats, where expansive permissions and limited oversight across collaboration apps lead to users unwittingly gaining access to sensitive data or conversations that they shouldn’t be able to see.
A Look Into a Collaboration App Attack
Certain high-profile attacks, including the notorious Electronic Arts (EA) breach, are raising alarms around the growing risk of collaboration app-based threats. Hackers compromised EA’s Slack channels to steal a whopping 780GB of data, including the source code for some of their most popular games, before attempting to sell it on underground markets.
The criminals’ scheme was shockingly simple. They started by buying stolen cookies online for just $10 each and used those to access one of EA’s corporate Slack channels. From there, they took a page out of the classic BEC playbook, using social engineering to write a seemingly realistic email to EA’s IT support team, pretending they were a user who had lost their phone and requesting a multi-factor authentication token.
That was all they needed to access the corporate network and its trove of company data. And while this is one recent example, there are multitudes of organizations that have also been impacted in similar ways.
Visibility is Fragmented and Costly
So why is solving this problem so hard? While most security leaders recognize the risk presented by these collaboration apps, visibility tends to be a major blindspot—and one that’s costly to fix.
The legacy email security solutions that many organizations have in place today simply aren’t designed to detect collaboration app threats, which typically leaves security teams with two options:
- Installing additional point solutions that can flag collaboration app attacks
- Conducting time-consuming manual audits of each collaboration app.
Neither is ideal, and with reductions in both budget and headcount, these two options are increasingly unrealistic.
The problem is even worse for smaller organizations that don’t have the budget or staffing to maintain a string of point solutions. For these organizations, it’s less an issue of fragmented visibility into collaboration apps and more an issue of lacking visibility entirely.
Protecting the Communication Ecosystem Requires a Comprehensive Approach
With how quickly today’s threat landscape is changing, enterprises shouldn’t have to bear the responsibility of integrating new point solutions for each emerging attack vector. The onus is on vendors to broaden the scope of their platforms, providing security across the entire communications ecosystem, with the ability to scale to new attack points in the future.
For security leaders and practitioners, consolidating visibility across all their communications tools will significantly improve their ability to detect suspicious and malicious activity—no matter where attacks originate. To achieve the highest levels of comprehensive security, they should also consider:
- A tool that can highlight misconfiguration risks across the cloud environment and flag when changes occur. Knowing when a new collaboration application is installed or when a user receives elevated privileges helps expose vulnerabilities so you can make informed security decisions.
- Continued security awareness training. Your employees need to understand social engineering risks across all platforms to remain diligent, but remember that humans are distracted and susceptible to mistakes. The best way to ensure they do not become the victim of an attack is to prevent malicious attacks from landing in their inboxes or apps in the first place.
- Password management tools and multi-factor authentication. Even the best security solutions and awareness training are unlikely to stop every single attack, including brute force attacks or credential stuffing, which can provide access to email inboxes or workplace apps. In case attackers do gain access, security leaders should be prepared with tools that can highlight potentially compromised accounts and immediately take remediation actions like logging users out of accounts and forcing a password reset.
Securing Every Entry Point with Holistic Security Solutions
As organizations diversify their communication and collaboration tools beyond email, attackers will follow suit, diversifying their attacks in kind. We have to accept that email is no longer the exclusive default for communication in business.
Sure, it’s the most popular, and still the most widely attacked, but it’s just one piece of a growing communication and collaboration technology ecosystem that needs to be protected more holistically. It’s time to break from the confines of traditional email security and be more intentional about protecting the entire communications landscape.
Related Articles:
A Vulnerability Management Crisis: The Issues with CVE
Published: 11/21/2024
Establishing an Always-Ready State with Continuous Controls Monitoring
Published: 11/21/2024
AI-Powered Cybersecurity: Safeguarding the Media Industry
Published: 11/20/2024
Why Application-Specific Passwords are a Security Risk in Google Workspace
Published: 11/19/2024