Threat actors exploit Microsoft, Google platforms to send malicious emails


Monday, 24 May, 2021

With an increasing number of organisations worldwide adopting cloud collaboration tools, threat actors are using Microsoft and Google’s infrastructure to host and send threats, according to Proofpoint.

Last year, 59,809,708 malicious messages from Microsoft Office 365 targeted thousands of Proofpoint customers. And more than 90 million malicious messages were sent or hosted by Google, with 27% sent through Gmail. In Q1 2021, the company observed seven million malicious messages from Microsoft Office 365 and 45 million malicious messages from Google infrastructure, which far exceeds per-quarter Google-based attacks in 2020.

Malicious messages are being sent across Office 365, Azure, OneDrive, SharePoint, G-Suite and Firebase storage. The volume from these trusted cloud services exceeded that of any botnet in 2020, and the trusted reputation of these domains, including outlook.com and sharepoint.com, increases the difficulty of detection for defenders, Proofpoint said.

Ninety-eight per cent of nearly 3000 monitored organisations across the US, UK and Australia received a threat from a supplier domain over a 7-day window in February 2021, according to Proofpoint’s latest supply chain findings.

Given the level of access that can be granted from a single account, over the last year threat actors targeted 95% of organisations with cloud account compromise attempts, and more than half have experienced at least one compromise. Of those compromised, over 30% experienced post-access activity including file manipulation, email forwarding and OAuth activity. Threat actors can leverage stolen credentials to log into systems as imposters, move laterally across multiple cloud services and hybrid environments, and send convincing emails cloaked as a real employee, orchestrating potential financial and data loss.

Ryan Kalember, Executive Vice President of cybersecurity strategy at Proofpoint, said, “Our research clearly demonstrates that attackers are using both Microsoft and Google infrastructure to disseminate malicious messages and target people as they leverage popular cloud collaboration tools. When coupled with heightened ransomware, supply chain and cloud account compromise, advanced people-centric email protection must remain a top priority for security leaders.”
