Here’s a security scenario that’s all too common: a company suffers a cyberattack, responds to it promptly and alerts its customers, warning them to change their passwords. But the company remains vulnerable through the very channel it uses to alert those customers: email. Attackers can exploit that weakness by sending email that pretends to be a security warning from the company, targeting customers and wreaking even more damage.
For example, on May 31, popular cloud-based password manager OneLogin announced that it had suffered a serious security breach, and it updated its report the next day with a few more details.
The company communicated with its customers and the public promptly. OneLogin said the breach involved a hacker obtaining a set of Amazon Web Service keys and using them to gain access to OneLogin’s servers on AWS and create several new instances, which they then used to do reconnaissance. According to a customer email reported by TechCrunch, “All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data.” To its credit, OneLogin responded quickly, shutting down the hackers’ access within hours and alerting its community the same day.
One detail OneLogin has not shared yet is exactly how the attackers gained access to its AWS keys, so at this point, we can only speculate. We can say, however, that if this attack is like 91 percent of cybersecurity intrusions, the initial attack vector was a phishing email.
For instance, a hacker could have posed as a member of the OneLogin security team and sent another team member an email that looked, for all intents and purposes, like a legitimate OneLogin message, with the aim of obtaining more information to assist with the breach or of getting an employee to click on malware.
We know OneLogin is vulnerable to these impersonation attacks because, while OneLogin has set up a DMARC record to authenticate its email, that DMARC record is not set to enforcement mode. That means receiving mail servers can check whether inbound messages that appear to come from OneLogin.com pass DMARC authentication, but they are not instructed to treat messages that fail the check any differently: the record’s policy is monitoring-only. The record itself, shown in the article’s image, makes this plain.
The fact that OneLogin has a DMARC record configured shows that the company is aware of the importance of email authentication. We commend them for doing the right thing here. But, like 70 percent of companies that attempt DMARC authentication, they haven’t completed its configuration yet. The result is that they remain vulnerable to phishing attacks.
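To make the distinction concrete, here is an added example (not code from the article or from OneLogin) that parses a DMARC TXT record and reports whether it actually enforces anything. It classifies a record as monitor-only (p=none), partially enforced (a quarantine or reject policy applied to only pct percent of failing mail), fully enforced, or invalid. The domains and records below are constructed for illustration; a real check would read the TXT record at `_dmarc.<domain>`.

```python
# Added example: classify a DMARC record's enforcement level.
# The sample records and domain names below are constructed, not real DNS data.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:reports@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10; rua=mailto:reports@partial.example",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:reports@enforced.example",
    "malformed.example": "p=reject",  # missing the mandatory leading v=DMARC1 tag
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag/value dict.

    Returns None if the text is not a well-formed DMARC record: RFC 7489 requires
    the record to begin with v=DMARC1 and to carry a p= (policy) tag.
    """
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").upper() != "V=DMARC1":
        return None
    tags = {}
    for part in parts:
        if "=" not in part:
            continue  # tolerate junk; receivers ignore unknown/malformed tags
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if "p" not in tags:
        return None
    return tags


def assess(txt):
    """Return 'monitor', 'partial', 'enforced' or 'invalid' for a DMARC record."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor"  # failures are reported, but the mail is still delivered
    if policy not in ("quarantine", "reject"):
        return "invalid"  # unknown policy value
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 100  # an unparseable pct is treated as 100 by receivers
    return "partial" if 0 <= pct < 100 else "enforced"


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:24s} {assess(record)}")
```

A record that comes back as "monitor" is exactly the situation the article describes: present, but doing nothing to stop spoofed mail.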
Even if a phishing attack wasn’t the root cause of this week’s hack, the lack of authentication creates a secondary vulnerability, which is now a clear and present danger. That is, it’s now possible for malicious actors to create fraudulent messages from OneLogin.
It’s a time-tested strategy for malicious actors: strike with phishing attacks while a company and its clients are dealing with the aftermath of a hack. A classic tactic is to send customers an email that appears to be a message from the CEO, warning people to change their passwords because of the recent attack, but which contains a password-reset link leading to a website controlled by the hacker. Perhaps that’s the same hacker who invaded the company’s systems earlier this week, or it could be a new, unrelated actor who is simply taking advantage of the situation.
Unfortunately, until its DMARC authentication setup is complete, there’s no reliable way for OneLogin customers, partners or employees to be certain that email coming from the company really does originate with the company.
It’s notable that DocuSign, which also suffered a devastating security breach recently, is in a similar position. It is also not protected by email authentication.
No question, DMARC configuration is difficult to do, and OneLogin is certainly not alone in leaving it unfinished. In fact, that’s what businesses like ours are based on: automating the process, because this stuff is genuinely hard!
But what’s especially dangerous is when a company thinks it’s protected because it has a DMARC record, yet actually remains vulnerable because the DMARC policy tells receivers to do nothing different with messages that fail authentication. That can make cybersecurity crises like these even worse. In the aftermath of a cyberattack, that is the last thing a CIO needs to worry about.
Properly configured email authentication is crucial for all companies to protect against current and future phishing attacks.
This article is published as part of the IDG Contributor Network.