Security News

Cybersecurity researchers have disclosed details of security flaws in the Roundcube webmail software that could be exploited to execute malicious JavaScript in a victim's web browser and steal sensitive information from their account under specific circumstances. "When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim's browser," cybersecurity company Sonar said in an analysis published this week.

Researchers say cybercriminals can have fun bypassing one of Microsoft's anti-phishing measures in Outlook with some simple CSS tweaks. William Moody, IT security consultant at Certitude, blogged today about how First Contact Safety Tip - a banner displayed in Outlook when a user receives a message from an address that typically doesn't contact them - can be hidden using CSS style tags.

Two days is all it took for Interpol to recover more than $40 million worth of stolen funds in a recent business email compromise heist, the international cop shop said this week. Interpol was called in after an unidentified Singaporean commodity biz filed a police report on July 23 claiming it had been scammed out of $42.3 million four days earlier.

Two cross-site scripting vulnerabilities affecting Roundcube could be exploited by attackers to steal users' emails and contacts, email password, and send emails from their account. "No user interaction beyond viewing the attacker's email is required to exploit. For CVE-2024-42008, a single click by the victim is needed for the exploit to work, but the attacker can make this interaction unobvious for the user," Sonar vulnerability researcher Oskar Zeino-Mahmalat noted.

Email attacks have surged by 293% in the first half of 2024 compared to the same period in 2023, according to Acronis. Of note, attack vectors including phishing and social engineering, vulnerability exploits, credential compromises and supply chain attacks were highlighted as the most successful techniques used to breach MSPs' cybersecurity defenses.

In this post, we're going to look at some of the ways Material Security's unique approach to email security and data protection can dramatically-and quantifiably-save your security teams hours each week while improving the effectiveness of your security program. Just like your department has a budget that limits how much money you can spend on people and tools, your security teams have a limit to the amount of time they can devote to responding to threats on any given day.

Thousands of email addresses have been compromised after hackers used them to create Google Workspace accounts and bypassed the verification process. One impacted user that shared their experience on a Google Cloud Community forum was notified by Google that someone had created a Workspace account with their email without verification and then used it to log into Dropbox.

A huge phishing campaign exploited a security blind-spot in Proofpoint's email filtering systems to send an average of three million "Perfectly spoofed" messages a day purporting to be from Disney, IBM, Nike, Best Buy, and Coca-Cola - all of which are Proofpoint customers. Guardio dubbed the campaign EchoSpoofing - because the spam was "Echoed" from email relay servers owned and operated by Proofpoint itself.

A massive phishing campaign dubbed "EchoSpoofing" exploited now-fixed, weak permissions in Proofpoint's email protection service to dispatch millions of spoofed emails impersonating big entities like Disney, Nike, IBM, and Coca-Cola, to target Fortune 100 companies. The campaign started in January 2024, disseminating an average of 3 million spoofed emails daily and reaching a peak of 14 million emails in early June.

An unknown threat actor has been linked to a massive scam campaign that exploited an email routing misconfiguration in email security vendor Proofpoint's defenses to send millions of messages spoofing various popular companies like Best Buy, IBM, Nike, and Walt Disney, among others. "These emails echoed from official Proofpoint email relays with authenticated SPF and DKIM signatures, thus bypassing major security protections - all to deceive recipients and steal funds and credit card details," Guardio Labs researcher Nati Tal said in a detailed report shared with The Hacker News.