Email Security

The Future Of Phishing: How To Protect Your Collaboration Apps Against Social Engineering 

David Habusha, Senior Vice President of Product Management at IRONSCALES, discusses how organizations can protect their end users against social engineering via email and collaboration platforms such as Microsoft Teams.

Expert Insights Interview With David Habusha Of IRONSCALES

Social engineering—such as phishing and account takeover—is one of the most prevalent threats that modern workplaces are currently facing. Last year, one in five companies that suffered a malicious data breach was compromised using lost or stolen credentials—and the consequences of such a breach can be devastating, not only in terms of financial loss but also reputational damage, data loss, and concerns for the security of company employees and stakeholders.

Traditionally, social engineering attempts are delivered via email. A threat actor emails an employee impersonating a trusted contact and manipulates them into divulging sensitive information such as login credentials. With those credentials, the attacker can take over their victim’s account and use it to send more phishing emails throughout the company, accessing more areas of the corporate environment and stealing more data as they go.

However, as the modern workplace embraces a hybrid “work from anywhere” culture, threat actors are beginning to turn their attention to new platforms from which to launch their attacks: collaboration apps. Once they’ve stolen a user’s login credentials, an attacker can then log into their victim’s Teams or Slack accounts and message their contacts. And because these apps tend to be used mainly for internal communications, we usually trust that the messages we receive are genuine—making the attack much more likely to succeed.

To find out how organizations can protect their end users against social engineering—not only via email but also via collaboration platforms such as Microsoft Teams—we spoke to David Habusha, Senior Vice President of Product Management at IRONSCALES. Habusha has been in the cybersecurity space for almost 15 years. During that time, he co-founded MyPermissions, a security company that helps users manage their privacy permissions across various website and applications, before moving to run the product team of an app vulnerability remediation company. Habusha joined IRONSCALES in 2021, where he now leads the product team and drives the development of new functionality within the IRONSCALES platform.

Who are your typical customer base, and what are the main challenges you’re helping them solve today?

Our customers are any businesses, small or large, that are subject to attacks such as business email compromise, vendor account compromise, financial fraud, and identity theft. There are a lot of different attack methods out there that even small businesses are subject to. And they all need the level of defense that we provide—whether it’s directly from us, or through managed service providers that work with the small and medium businesses.

Another challenge they’re facing is saving the resources of their data and SOC analyst teams. So, we give them the ability to navigate more easily through incidents that are being detected by the platform, by automatically classifying incidents and resolving them.

The final challenge is protecting the users wherever they are. How do you educate users? How do you make sure that they’re aware of risks, and know how to respond when an illegitimate message comes through?

Why does email remain one of the most prevalent attack vectors in the modern workplace, despite the increasing popularity of other communications mediums, such as instant messaging and video conferencing apps?

First of all, I think that it takes time even for bad actors to move to new platforms. Instant messaging, SMS, voice messages, and now Teams and Slack and other collaboration platforms are starting to be targets for attacks. So, we’re starting to see them, but it takes time to shift gears and create a new breed of attacks targeted towards these platforms.

Also, email is still the number-one tool for businesses to communicate with other businesses, while we see people using Teams, Slack and Google for internal messaging. More messages are being sent over these platforms than by email; we’re sending probably tens of thousands of messages a day, while there are only hundreds being sent by email. But the ones that are more important for the business—the collaborations with accounting firms, the vendors that we work with, digital signing, transferring documents—are still happening via email. And that’s the reason that email is still the number one attack vector.

How does the IRONSCALES platform combine technical and human protection to help prevent email threats?

Part of our vision is that we help organizations become safer together.

When we say “together”, we first of all mean together across different organizations, because we take data from any decisions that a SOC analyst somewhere in the world is making in terms of classifying an incoming email, and we feed that data into the machine, so it influences our other customers and stops them falling victim to that same threat.

But we also mean the combination of the human and machine factors in threat detection, because we look at the human factor as important for decision making. If 90% of classification efforts are automated, there’s still the 10% human factor that complements those 90%. Even if your processes are 99% automated, there will be that 1% that requires the human factor.

The human factor is firstly end users who are aware of the risk and know what to do when they detect signs of compromise or malicious intent in an email. They report any threats to the organization using the platform, and that ignites an automated test on the email, where we scan it for malicious activity and feed the results back into our community. So, end users influence the way the platform makes decisions on emails.

And human factor is also the SOC analyst who is exposed to the decisions other SOC analysts have made in other businesses. The machine takes into consideration the decisions of these more experienced and knowledgeable persons, who know how to look at incoming attacks and classify them. And using this data to inform the machine makes the machine itself better.

So, we always use the human plus machine factors. And that’s what differentiates us when you’re looking at other solutions and other vendors.

What plans do you have to expand the IRONSCALES platform to further support your customers?

We’ve recently launched protection for Microsoft Teams. A lot of our customers use Microsoft 365; most of them use Microsoft Teams to collaborate internally, and many of them also externally. And we’ve seen attacks being sent within Teams—mostly involving malicious URLs and malicious attachments.

So, there are the attacks that come from external parties because, in Teams, every time you collaborate with other vendors, a chat is opened and you can exchange information.

But the main threat we’re seeing is the lateral movement when an internal account has been compromised. One of the ways to try to hijack more accounts or to steal more sensitive information is actually not by using email, because it may be tracked, but by trying to log in to Teams or Slack via the same credentials used to log into the main account.

Slack is also something that we’ve started working on, as a lot of enterprises are using Slack as well. Slack has an app ecosystem—Teams also has one, but Slack is a bit more advanced in that regard—and every application you install on Slack requires some permissions to be filled out so they may discover your users and understand who those users are. So, if somebody hacks into one of these apps and obtains the permissions to access some of your accounts, just think about the types of social engineering, they could carry out. They could read a user’s messages, or even write messages on their behalf.

So, we’re looking towards the future. We see the proliferation of attacks on these platforms and, although email is still the number one threat vector, we believe that in the next two to five years, there’s going to be an imminent threat to these platforms that organizations will need to start understanding and defending against.

And that’s why we’ve positioned the solution to be able to protect organizations against these new types of threats.

You mentioned that these attacks spread laterally when an internal account is compromised. How does that work?

Once an account has been compromised, bad actors will try to extract information in different ways—not just over email, because a lot of DLP solutions will probably flag it when they see that sensitive information is going to the wrong person. So, they try to do that using different means—it could be using Teams, or by downloading sensitive information to their laptop or mobile, then sending it from those devices. So, if, for example, suddenly you see a user that doesn’t usually do mass downloads, downloading a lot of materials to their personal computer, it may indicate something suspicious that you should be aware of. And then you can find out whether there was any bad intent behind the action.

This is also relevant to a lot of the supply chain attacks that we see today. Bad actors are trying to steal information in regard to how software is being built, and are getting into your system using Teams. We saw an organization in which somebody hijacked an account using Teams, then collaborated with one of that organization’s developers, asking them, “What are your credentials to GitHub? I can’t log into mine and have to work on my code!” And the guy co-operated with that, thinking, “Sure, you’re my friend, I want to help you.”

That attacker could have stolen the source code, or changed it so that the next version of the software to be deployed to other companies was malicious.

That’s why we have to protect these environments as well.

Are social engineering attacks more successful on communication apps such as Teams?

I think so, yes. Because it’s new, everybody believes that it’s internal only, and that it’s protected by Microsoft. But a collaboration platform is intended to send and receive data. At the end of a meeting on Teams, people send their presentation data and, if you need some more information, they can send you links that may be malicious. You just never know.

The proliferation of users across these platforms will also bring in bad actors, so you have to have protection in place to stop these attacks.

What would your final piece of advice be to organizations struggling to secure themselves against today’s email threats?

We need to understand that the human or the end user is the new endpoint. Everybody talks about endpoint security; there are a lot of tools out there, and we think they’re all very important and you should keep them. But the real threat is users communicating—receiving data and sending data out of the organization on different platforms. This is where the risk lies as well.

This is the modern world; people work from home. So, keep these channels open and allow your users to collaborate, but understand that there’s a threat associated with it.

We need to protect any information coming into the organization and being sent out of the organization by end users. And the way to do it is to look not only at the content of the message—like whether there’s a malicious attachment or link—but also to look at the intent of the message; the actual meaning of it.

Social engineering is all about luring users into doing things they’re not supposed to do, just by writing simple text and spoofing someone else’s account so that it looks normal, but it’s actually not the person that the user thinks they’re talking to. So, you need to understand each user’s normal behavior so you can identify and deviation from the norm, whether it’s incoming messages and emails, or Teams or Slack, or even outgoing messages.

Most often, this behavior is unintentional. For example, I want to send you a summary of this call, but I have another Caitlin in my contacts and my autofill adds the wrong one. I might not notice that, so could send the message to the wrong person.

But malicious or unintentional, you need to be able to track that and protect against it.

This is what we’re trying to bring to the market at IRONSCALES. This is the type of solution we’re trying to provide our customers.

Thank you to David Habusha for taking part in this interview. You can find out more about the IRONSCALES platform via their website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.