Just as business users have turned to cloud computing services and online collaboration software to do their jobs, so too have cybercriminals according to new research from Proofpoint.
In recent months, the cybersecurity firm has observed a massive uptick in threat actors abusing Microsoft and Google’s infrastructure to host and send threats across Office 365, Azure, OneDrive, SharePoint, G-Suite and Firebase storage.
In 2020, over 59m malicious messages were sent from Microsoft Office 365 targeting thousands of Proofpoint’s customers while more than 90m were sent or hosted by Google with 27 percent sent through the world’s most popular email service, Gmail. During the first quarter of this year, the cybersecurity firm observed seven million malicious messages sent through Office 365 and 45m from Google’s infrastructure.
To make matters worse, the malicious message volume from these trusted cloud services exceeded that of any botnet last year. This is because the trusted reputation of both Microsoft and Google’s domains increases the likelihood that these messages will be delivered to their targets instead of being detected as malicious.
Compromise and conquer
As email recently became the top vector for ransomware once again, cybercriminals are increasingly leveraging the supply chain and partner ecosystem of organizations to compromise accounts, steal credentials and siphon funds.
According to a recent report from Proofpoint about supply chains, 98 percent of almost 3,000 organizations across the US, UK and Australia received a threat from a supplier domain during a seven-day window back in February of this year.
A singe compromised account can provide cybercriminals with a great deal of access to a company’s network and over the last year, the firm has observed threat actors targeting 95 percent of the organizations it protects with cloud account compromise attempts and more than half have experienced at least one compromise. Of the organizations compromised, over 30 percent reported experiencing post-access activity such as file manipulation, email forwarding and OAuth activity.
With an organization’s credentials in hand, cybercriminals can log into systems as impostors, move laterally across multiple cloud services and hybrid environments and send convincing emails while pretending to be real employees.
EVP of cybersecurity strategy at Proofpoint, Ryan Kalember provided further insight on the firm’s latest findings in a blog post, saying:
“Our research clearly demonstrates that attackers are using both Microsoft and Google infrastructure to disseminate malicious messages and target people as they leverage popular cloud collaboration tools. When coupled with heightened ransomware, supply chain, and cloud account compromise, advanced people-centric email protection must remain a top priority for security leaders.”