That innocent PDF is now a Trojan Horse for Gmail attacks

Personal email use increases enterprise risk

Employees are increasingly accessing personal email accounts from corporate machines; it is commonplace in hybrid and remote work environments. But considering that hackers have access to easily usable tools like MatrixPDF, experts advise enterprises to be more vigilant.

CISOs and CIOs should consider opportunities to either restrict access to personal webmail when on corporate infrastructure, or identify where it is legitimately needed, said Info-Tech’s Avakian. Personal email simply doesn’t have the same safeguards as corporate email security services.

PDFs don’t raise the same red flags as other attachment files such as .exe or .zip, he noted. “The bad guys know this and prey upon this type of psychological norm,” said Avakian. When successful, they can gain access to a network and move laterally, further escalate privileges, and plant more malware.

This new email attack vector is a “dangerous evolution of social engineering,” noted Ensar Seker, CISO at threat intel company SOCRadar.

“[It turns] the endpoint into the weakest link in the kill chain,” he said. “Once compromised, a single device can become a pivot point for lateral movement, credential theft, or initial access for ransomware deployment.”

How enterprises can arm themselves

The good(ish) news, however, according to Beauceron’s Shipley, is that of the various types of phishes, from link-based, to attachment-based, to QR-code scanning, attachments tend to have a lower success rate. This is because they require additional cognitive effort and steps performed by the user, versus just clicking on a link in an e-mail.

Organizations should balance investment in email filters with security awareness training that’s done “frequently and effectively,” he noted. Ultimately, employees have to be motivated to remain vigilant.

CISOs must go beyond technical defenses and establish clear guardrails, advised SOCRadar’s Seker. This means blocking known-bad file types, deploying robust attachment sandboxing, and using endpoint detection to monitor suspicious file behavior post-delivery.

Enterprises should also enforce policies that prohibit employees from accessing personal email on corporate devices, he said. Educating employees on how these attacks work is especially important in an era where “[even] a benign-looking PDF can be the tip of a spear phishing campaign.”

Seker added: “Ultimately, layered defense must include not just zero trust for users, but zero assumption for file safety.”

Info-Tech’s Avakian agreed, saying the MatrixPDF type of attack provides a “fantastic opportunity,” particularly during Cybersecurity Awareness Month, to bake in awareness measures and training with simple visualizations and real-world “What-If” scenarios. Enterprises should also support a “Think Before You Click” culture and make it easy for employees, the first line of defense, to report suspicious emails.

Just as importantly, he advised organizations to make a point of “catching people doing this right.”

“Recognition goes a long way,” said Avakian. “By recognizing employees who spot and report phishing attempts, security leaders can incrementally improve awareness and enable a security-minded culture.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4066707/that-innocent-pdf-is-now-a-trojan-horse-for-gmail-attacks.html
