SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Collaboration tools are now at the frontline in the battle against phishing

Mon, 13th May 2024

Boards and senior executives have been awake to the dangers posed by phishing and Business Email Compromise (BEC) for some time. That has seen them invest in sound email security tools, controls and user training to prevent employees - and the organisations they work for - falling victim to these kinds of threats.

As a result, most organisations now have mature email security capabilities and practices in place. 

The challenge for these organisations, however, is that email is no longer the only way that employees collaborate and communicate. Communication is now split between email and collaboration tools such as Microsoft Teams.

That is leading to a new threat vector - Business Communications Compromise (BCC) - that requires attention. The way to address it is by extending existing protections around email to cover SaaS-based collaboration applications as well.

Collaboration platforms win over users

In the past year, organisations have become more mature and comfortable in the way they use collaboration tools. When collaboration tools first took root in organisations several years ago, their usage was often fairly limited. People were accustomed to using email for many project management-like tasks, and that continued.

It has taken a while for people to get used to collaboration tools and get across their breadth of capabilities. But the growing comfort level with these tools translates into a greater proportion of work-related interactions being run on them. Collaboration environments have become sizable repositories of sensitive corporate data and intelligence as a result. 

A challenge for security teams is that employees have a tendency to treat collaboration as an inherently more trusted medium than email. It's been fairly well-drilled into employees that email is not a good medium through which to share sensitive information; in the event an email account is breached, that information can - and frequently does - end up in the wrong hands. 

But users often don't feel as encumbered in how they utilise chat-based services. Perhaps due to a perception that whatever happens inside of chat stays within that collaboration ecosystem, employees are sharing a lot more sensitive data over these tools, seeing them as safer by design.

Opening the door to phishers

This level of user comfort around the security of collaboration tools is misplaced. 

There's a big assumption with chat tools, such as the highly leveraged Microsoft Teams, that there's considerable native protection built in. Depending on the licensing level, there is some protection there, but it's not configured by default.

This was demonstrated, in the case of Teams, by an update that opened the possibility of starting chats with people external to an organisation, and sending them files. The intent was noble - to help collaborate with "external customers and partners". However, the implementation opened a door for threat actors to initiate chats with any organisation that didn't specifically whitelist its customers' and partners' domains.

Threat actors saw they could take advantage of this confluence of factors - the widespread use of Teams and other collaboration tools, coupled with relaxed attitudes among users towards sharing sensitive data over these platforms and a newfound ability to initiate chats with people on any other Teams instance - to phish for information.

The effectiveness of launching phishing attacks via Teams was quickly apparent. Case in point: in July last year, the modus operandi of threat actor Storm-0324 evolved from using "email-based initial infection vectors" to gain initial access to a corporate account, compromising it before handing it off to ransomware groups, to "sending phishing lures through Microsoft Teams chats." In another report, a recently discovered vulnerability in Microsoft Teams opened the door for non-employees to effortlessly send harmful files to employees without undergoing any scanning process, according to researchers at JUMPSEC. They revealed that threat actors could essentially bypass any client-side security controls that prevent external tenants from sending files.

With that, the world of Business Communications Compromise (BCC) was born, making collaboration platforms the new attack vector for hackers.

Taking cues from email protection 

The approach taken to securing collaboration environments against phishing is likely to be multifaceted but starts with enforcing multi-factor authentication (MFA) on everything - the M365 account and devices used to access it. While not 100% foolproof, MFA's presence should dissuade the majority of opportunistic attackers from proceeding.

Also important is to lock down the ability of external parties to start chats and send files. While this could annoy some users - such as salespeople who want to be able to start external chats easily - there needs to be an internal policy and approval process such that the people who can access a Teams environment and send files or links are known and auditable.
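
One way to apply this lockdown in Microsoft Teams, as an added example that is not part of the original article: it reviews the tenant's external access settings and restricts federated chat to an approved domain list. It assumes the MicrosoftTeams PowerShell module and a Teams administrator role; the two domains are constructed placeholders.

```powershell
# Added example, not from the original article.
# Assumes: MicrosoftTeams module installed, signed in with a Teams admin role.
Connect-MicrosoftTeams

# 1. Record the current posture before changing anything, so the change is auditable.
#    An open configuration reports AllowedDomains as AllowAllKnownDomains,
#    meaning any external Teams tenant can start a chat with your users.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound |
    Format-List

# 2. Build the approved list from the output of your internal approval process.
#    These domains are constructed placeholders.
$approved = New-Object 'System.Collections.Generic.List[string]'
@('partner-one.example', 'customer-two.example') | ForEach-Object { $approved.Add($_) }

# 3. Keep federation on, but only for the approved domains, and stop
#    unmanaged (consumer) Teams accounts from chatting with users.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $approved `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# 4. Confirm the result and keep the output with the change record.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound |
    Format-List
```

Users who need a new external contact then request the domain through the approval process, and the list is the auditable record of who can reach the tenant.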

A third capability is being able to monitor and stop user behaviour anomalies. There are ways to do this using conditional access policies inside of Microsoft, but additional (third-party) layers of protection are possible. These include running any attachments uploaded to Teams through a sandbox environment to check first whether they are malicious, and a similar capability to check URLs and QR codes as well. There should also be protections around monitoring the types of data being shared in the Teams instance and having visibility of account compromises.

Many of these are already effective strategies for protecting email-based communications against phishing attempts. By extending them to collaboration suites as well, organisations can be best-placed to deal with these tools being vectors for phishing threats.
