The CrowdStrike global IT outage was an unfortunate event for millions worldwide ranging from IT services downtimes to airport delays and serious healthcare disruptions.

Threat actors swiftly exploit real-world events, launching targeted phishing attacks that capitalize on recent disruptions in emails. By leveraging the context of these incidents, they establish credibility and prey on employees’ fear and stress. The Security Lab at Hornetsecurity recently detected several new targeted phishing campaigns exploiting the CrowdStrike IT outage, using sophisticated social engineering tactics and harvesting Microsoft credentials.

In this blog, we will share real-world examples of the phishing attacks that we’ve intercepted in the past week, providing you with the knowledge to identify and avoid them, thereby safeguarding your business during these vulnerable times.

In the phishing attempts listed below, we discuss key characteristics that reveal their malicious intent. As attackers persist in exploiting the CrowdStrike bug, they will likely adapt and use variations of these tactics.

The emails claim to be from “Department Internal” and use urgent subject lines about a “Global Outage” and “IT-Ticket” issues.

• They create a sense of urgency by mentioning a “GLOBAL IT OUTAGE REPORT” in all caps.
• The phishing emails falsely claim that a global IT outage occurred, blaming it on Microsoft and Windows updates.
• They state that general services have been disabled as a precaution, adding legitimacy to the fake scenario.
• The emails mention potential impacts on banks, airlines, and media outlets to increase concern.

A “RE-FIX ALL ISSUES” button is prominently displayed, likely leading to a malicious link.

• The HTML attachment names include terms like “sys_update” to appear legitimate.
• When opened, the HTML attachment shows a nearly identical message to the email body.

• The link in the HTML attachment leads to a suspicious external site (share-eu1.hsforms.com), abusing HubSpot forms.
• This page shows a generic “Click here if you’re not automatically redirected” message.
• The final destination appears to be a fake Microsoft login page aiming at harvesting legitimate users credentials.
• It displays a Windows logo and email icon to mimic a legitimate Microsoft site.
• A CAPTCHA is present, likely to give a false sense of security to the targeted user and to evade automated detection systems.
• When the user passes the CAPTCHA, a fake M365 login page is displayed.

As we’ve demonstrated in this article, threat actors are constantly looking to exploit real-world events that would be known by the average end-user. Here are practical measures your organization can implement to enhance your defenses and ensure your business remains secure against these sophisticated and opportunistic threats.

Train your employees

Security awareness training will train your staff to be wary of emails from unknown or unexpected sources, be cautious of emails that create a sense of urgency, avoid clicking on links, and avoid downloading attachments from suspicious emails.

Implement Advanced Threat Protection

Hornetsecurity is pioneering the threat intelligence capability to actively track and analyze the impact of significant world events on the cybersecurity landscape in real-time. Our proactive approach allows us to adapt our protection measures quickly, keeping you one step ahead of emerging threats and ensuring your organization stays secure.

Advanced Threat Protection (ATP), available within 365 Total Protection is specifically designed to neutralize these risks before they reach your inbox. Start your free trial today.

Email delivered threats such as phishing, malware attachments and Business Email Compromise (BEC) are still the number one favorite attack vector for cyber criminals. And they’re not letting up, with new flavors of attacks being tested every day. It just takes one legitimate looking email to sneak through into a user’s mailbox, and an unsuspecting user to click a link or open an attachment to open a door into your business for the bad guys.

In this article we’ll explain and provide a comparative analysis of the two main approaches to email security. We’ll then look at a few fictitious companies that suit one approach over the other and finally demonstrate how a hybrid approach, such as the one deployed by Hornetsecurity 365 Total Protection, offers the best of both worlds.

Email security isn’t a new problem. Even a decade ago when most businesses were still running their own email servers, they either had to install software on their edge servers to filter out the dross or subscribe to a hosted service to filter the incoming email feed before it reached said servers.

Today most organizations rely on hosted email, with Microsoft 365 and Google Workspaces being the most popular options. This provides the foundation for the two different approaches: Secure Email Gateway is the single point cloud service where all the incoming emails to your organization are filtered, and clean emails are delivered to your mailboxes.

The other approach is using Application Programming Interfaces (APIs) in the email cloud service to detect and respond to email threats, often called Integrated Cloud Email Security (a term coined by Gartner in 2021). This isn’t an either / or proposition either, you can combine both techniques, something called Hybrid Cloud Email Security.

This is the older of these two methods, having its roots in the appliances or hosted services that businesses used a decade or two ago. They filter incoming and (often) outgoing emails, removing spam, malware, and other threats, sometimes also providing data loss prevention by identifying sensitive data in outgoing emails. They can also encrypt outgoing emails with standard TLS (formerly SSL) encryption, as well as other approaches such as DNS-based Authentication of Named Entities (DANE), Mail Transfer Agent-Strict Transport Security (MTA-STS) and venerable encryption protocols such as S/MIME and PGP.

Secure Email Gateway

An in-depth exploration of DANE and MTA-STS are beyond the scope of this article but suffice to say that they make sure that traffic between mail servers on the internet are always protected with TLS encryption, and not susceptible to attackers changing IP addresses in the DNS infrastructure.

Not all Secure Email Gateway servers are created equally, and their defense mechanisms vary. Often, they apply advanced threat protection features such as opening attachments in sandbox environments to identify signs of malicious activity or use Machine Learning (ML) to identify potentially misleading or dangerous language in the text of a phishing email.

Once an email has been deemed safe and delivered to user’s inboxes, these gateways have no way to remediate threats if it’s later discovered that the message was malicious.

A big benefit of Secure Email Gateways is that all external email pass through them (if used for outgoing filtering as well), enabling easy archiving and journaling opportunities, to fulfil compliance regulatory requirements, as well as enabling e-discovery. These gateways also employ current technologies for identifying spam, phishing and spoofing and protecting organizations email reputation such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).

They can also apply corporate template signatures to all outgoing emails, and because they’re a separate service they can provide continuity if Exchange Online or Google Workspaces is having an outage, providing webmail access, and queuing of emails until service is resumed. Depending on the service, there may limited integration with other security tools and services – if for example a user’s workstation becomes infected with malware, it’d be nice to easily know if they received any suspicious emails in the last few hours.

Finally, as a central service, they can provide excellent reporting and statistics on traffic volumes, threats detected, and actions taken.

They require some setup, and they’re not easy to “try out” in a proof of concept, because you must redirect your organization’s email domains (company.com) to the Secure Email Gateway service by changing the Mail eXchanger (MX) DNS entry. This will tell every email server on the planet where to send any emails for your domain, so you can’t do a test setup with just a few users for example.

The rise of large scale, cloud hosted email services such as Microsoft 365 and Google Workspaces have also spawned new integration points that weren’t available in the old on-premises world. The lifeblood of cloud services are APIs and the ease with which they facilitate integration between different services, and email is no exception.

These cloud services can easily integrate AI and ML for threat detection into user’s mailboxes (temporarily blocking access to delivered emails until scanning is complete), and unlike a gateway, they have continuous access to the entire platform, so that if an email is later identified as malicious, they can reach into mailboxes and delete or quarantine them “after the fact”.

Their ability to provide archiving is controlled by the APIs that the cloud provider offers, in fact, all their flexibility is entirely dependent on what the provider chooses to expose. They generally offer email authentication standards configuration (SPF, DKIM, DMARC) but this again depends on the underlying APIs.

Because they’re dependent on the cloud platform, they can only offer limited support for continuity in the case of an outage, and they don’t manage email encryption with PGP or S/MIME. Integrated Cloud Email Security services also don’t manage routing of emails, instead relying on the cloud platform for handling this. Reporting is likewise dependent on the APIs offered, but integration with other security tools is often excellent (as long as those tools are also cloud services). Being integrated “into the mailbox itself” means they can provide excellent data loss prevention services. If you have a large tenant, your provider must take into account API throttling limits as you can’t overwhelm the capacity of the platform with too many simultaneous requests.

Their real strength shines when it comes to setup – because no infrastructure or MX records need to change, they often only take a few minutes to deploy, and they can be scoped to a set of test users easily.

API – Approach default – (most common)

API – Approach – (safe mode)

In many scenarios, a combination of these technologies, like the hybrid model developed by Hornetsecurity, provides the best protection against email borne threats. The Secure Email Gateway will block most low-level threats, whereas the Integrated Cloud Email Security can deeply analyze the text of emails and attachments, using advanced AI and ML models to identify risks. Deployment is seamless, with easy integration into Microsoft 365 and Google Workspaces.

And the strength of each gives a better experience overall, if an email isn’t identified as malicious initially, but then received by other users later and this time blocked / quarantined (perhaps due to updated signatures), the gateway can tell the integrated service to delete the already delivered emails straight away.

During outages you get the benefits of continuing email access, reporting is even more comprehensive as not only incoming and outgoing emails are included, but also internal emails between employees which do not pass through the Secure Email Gateway. Data loss prevention is more comprehensive, with deep analysis of emails by the Integrated Cloud Email Security service, and the option to instruct the gateway to encrypt particularly sensitive emails based on the results.

Finally, because of the API driven nature of the Integrated Cloud Email Security they can extend beyond emails and mailboxes, such as managing permissions for attachments saved to OneDrive for Business from Outlook for example.

Hybrid (MX+API) – Approach – (safe mode)

Hornetsecurity’s hybrid technology enables it to leverage gateway technology to provide solutions such as its Spam & Malware Protection, Signature & Disclaimers, Email Encryption, Archiving, and Continuity Service in addition to featured powered by integrated cloud technology such as Advanced Threat Protection, AI Recipient Validation, and 365 Extended Email Protection.

As always in IT, the right solution depends on the specific needs and existing environment of an organization. We’ll look at four different fictitious companies, and their situation and recommend an email hygiene solution to suit.

GlobalTech Inc. is a large multinational corporation that has diverse email services across different countries, including on-premises, Google Workspace and Microsoft 365. In this mixed, complex environment, a single, cloud based Secure Email Gateway service, integrating the different email domains will provide comprehensive control and reporting.

They’ll need to meet varying regulatory requirements in different regions, so enabling data loss prevention and email encryption through the gateway will be crucial. If there are email system outages, they’ll rely on the gateway’s continuance services to minimize business impact. Depending on IT needs, they may also add Integrated Cloud Email Security to their Microsoft 365 and / or Google Workspace tenants.

GlobalTech email system

FinSecure Corp on the other hand relies on secure email communications with their clients. They’ve used S/MIME for many years to ensure end to end protection and non-repudiation of emails (proving that the sender of an email hasn’t been spoofed) and rely on DANE to mitigate the risk of criminals performing attacker-in-the-middle attacks against their email infrastructure. They will rely on a Secure Email Gateway service to enforce email encryption policies, and to demonstrate compliance with stringent regulations that are common for financial services firms.

FinSecure Corp

Our third example is CloudInnovate, a tech startup in Silicon Valley, relying exclusively on SaaS cloud services for collaboration and email. They’re growing rapidly and require an easy to integrate service for their cloud-first strategy. They’ll use an Integrated Cloud Email Security service for Microsoft 365 for easy scaling and providing advanced AI and ML protection against emerging threats.

CloudInnovate

Finally, TechGen Robotics, a leading robotics research and development company, operates at the forefront of innovation in autonomous systems and AI technologies. They have a lot of sensitive intellectual property, and are financially successful, making them targets for BEC attacks as well as industrial espionage. They’ll use both technologies together to ensure encryption of all sensitive emails (and attached documents), along with deep data loss prevention inspection to protect their IP.

They’ll need the advanced protection in their Integrated Cloud Email Security to identify and stop sophisticated attacks, and use the encryption provided by the gateway to protect communications end-to-end. They need the email continuity provided by the gateway in case of a service provider outage, whilst relying on the advanced protection of the API solution to inspect emails and attachments, including when those are saved in cloud storage.

TechGen Robotics

Hornetsecurity’s cutting edge email security solutions relies on providing both a Secure Email Gateway and Integrated Cloud Email Security for complete protection. As you have seen, both approaches have their strengths and weaknesses and by combining them, you truly get the best of both worlds, and the cleanest possible email feed.