Blog

Eメール

セキュアEメールゲートウェイの先を見据えたDarktrace/Emailの最新イノベーション

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
07
Apr 2024
07
Apr 2024
2024年、サイバー攻撃者はますますAIを活用し、組織のコミュニケーションのあらゆる側面に侵入するマルチベクトル技術を採用するようになり、Eメールセキュリティの課題はインバウンド攻撃をはるかに超えて進化しています。Darktrace/Emailの過去最大規模のアップデートでは、現代のEメールの脅威の性質に対処するために設計された新たなイノベーションが導入されています。

組織はEメールセキュリティにもっと多くを求めるべき

より複雑化する脅威の状況に対応するため、企業は従来のセキュアメールゲートウェイ(SEG)で受信トレイだけを防御するのではなく、Eメールセキュリティを深層防御戦略の重要な要素として捉える必要があります。組織は、従来のゲートウェイ(ネイティブのセキュリティベンダーが提供する機能を置き換えるのではなく、倍増させるもの)以上のものを必要としており、受信、送信、横方向のEメール、さらにTeams上のメッセージなど、すべてのメッセージングを同じようにきめ細かく分析する必要があるのです。  

Darktrace/Emailは、自己学習型AIを搭載した業界最先端のクラウドEメールセキュリティです。AI技術を組み合わせて、主要なセキュリティソリューションの精度と効率性を凌駕し、ネイティブのEメールセキュリティを重複させるのではなく、向上させるために構築された唯一のセキュリティツールです。  

過去最大のアップデートとなるDarktrace/Email では、以下のイノベーションが導入され、ついにセキュリティチームは自律的なAI技術によって安全なEメールゲートウェイを超越することができるようになりました:

  • AIを駆使するデータ損失防止機能で、送信メールのあらゆる脅威を阻止
  • AIでDMARCを素早く導入する簡単な方法
  • SOCのワークフローを合理化し、巧妙なフィッシングリンクの検知率を高めるための大幅な機能強化
  • 横方向のEメール、アカウント侵害、Microsoft Teamsに業界屈指のDarktraceのAIによる予防策を拡大

Darktrace/Emailの最新機能

データ損失防止  

ネイティブEメールのタグを基にした高度なデータ損失防止機能により、送信メールのあらゆる脅威をブロックし、未知のデータ損失、偶発的なデータ損失、悪意のあるデータ損失を阻止します。

Darktrace はユーザーの異常な行動や動的なコンテンツの変更を検知する多数の実績を擁するAIにより、個人ユーザー、グループ、組織レベルで正常を理解します。この理解をもとに、Darktrace/Emailは、未知の、偶発的な、悪意のあるデータ損失を阻止するために、送信メールに対してアクションを実行します。  

従来のDLPソリューションでは、分類されたデータしか考慮しないため、各データのラベル付けを手作業で入力したり、特定の種類のデータが組織から出るのを阻止しようとするパターンマッチをキャッチするルールを作成したりする必要がありました。しかし、データが絶えず変化する今日の世界では、正規表現やフィンガープリンティングによる検知ではもはや十分ではありません。

  • ヒューマンエラー- Darktrace/Emailは、すべてのユーザーの正常な動作を理解しているため、Eメールの誤送信のケースを認識することができます。たとえデータが正しくラベル付けされていても、あるいは無感覚であっても、Darktrace は送信されるコンテキストがデータ損失のケースである可能性を認識し、ユーザーに警告します。  
  • 未分類データ- 従来のDLPソリューションが分類されたデータに対してのみアクションを起こすことができるのに対し、DarktraceはすべてのEメールのコンテンツとコンテキストを理解することにより、ラベル付けが保留されている、または一般的な機能ではラベル付けできないデータの範囲を分析します。  
  • 内部脅威- 悪意のあるアクターがアカウントを侵害した場合でも、暗号化されたデータ、知的財産、またはその他の形式のラベル付けされていないデータに対して、検知を回避するためにデータ流出が試みられる可能性があります。Darktraceはユーザーの行動を分析し、個々のアカウントからの異常なデータ流出のケースを捕捉します。

これまでに組織が分類にかけてきた労力は無駄にはなりません。Darktrace/Emailは、MicrosoftのPurviewポリシーと機密ラベルを拡張し、セキュリティチームのワークフローが重複しないようにして、双方のアプローチの長所を組み合わせることで、組織がデータの管理と可視性を維持できるようにします。

エンドユーザーとセキュリティのワークフロー

エンドユーザーによるフィッシング報告および巧妙で悪質なウェブリンクの検知の質を60%以上改善1

Darktrace/Email は、セキュリティチームのリソースを節約するために、エンドユーザーレポートをゼロから改善します。従業員は常にEメールセキュリティの最前線にいます。他のソリューションでは、エンドユーザーからのレポーティングは自動的に質の低いものになると考えられていますが、Darktrace では、ユーザーのセキュリティ意識の向上を優先し、初日からエンドユーザーからのレポーティングの質を向上させます。  

ユーザーは、文脈に沿ったバナーや、Cyber AI Analystが生成した潜在的に疑わしいEメールのナレーションを使用して、疑わしい活動を評価し報告する権限を与えられ、その結果、報告された良性の電子メールが60%減少しました。  

最終的に報告される質の高いEメールのうち、次のステップはSOCに到達するメールの量を減らすことです。Darktrace/Emailのメールボックス・セキュリティ・アシスタントは、従来よりも20倍多いメトリクスを使用した追加的な行動シグナルと高度なリンク分析を組み合わせた二次分析により、トリアージを自動化し、70%以上のより巧妙な悪意のあるフィッシング・リンクを検出します

SOC が受信するEメールについては、Darktrace/Email を使用して自動化し、インシデントごとの調査に費やす時間を短縮します。受信トレイのライブビューにより、セキュリティチームは、直感的な検索機能、Cyber AI Analystレポート、モバイルアプリケーションアクセスを組み合わせた一元化されたプラットフォームにアクセスできます。アナリストは、Darktrace/Email 内から修正アクションを実行できるため、コンソールのホッピングが不要になり、インシデントレスポンスが加速します。

Darktrace は、セキュアメールゲートウェイの攻撃中心のルールとシグネチャのアプローチとは対照的に、ユーザー中心、ビジネス中心のEメールセキュリティのアプローチを取ります

Microsoft Teams

アカウント漏えい、フィッシング、マルウェア、データ損失など、Teams環境内の脅威を検知します。

Fortune 500を構成する企業の約83%がMicrosoft Office製品およびサービス、特にTeamsとSharePointを利用しています。3

Darktrace がユーザーの行動を自己学習するAI技術を365やTeamsを利用するMicrosoftの顧客向けに活用することにより、組織はソーシャルエンジニアリング、マルウェア、データ損失など、Teams環境内の脅威やアカウント侵害のシグナルを早期に検知することができます。  

Microsoft Teams保護の主な用途は、潜在的な侵入経路ベクトルとしてのものです。メッセージングは従来、社内でのみ使用されてきましたが、組織がオープン化するにつれて、Eメールと同レベルの注意が必要な侵入経路になりつつあるためです。そのため私たちは、メッセージの背後にいるユーザーを理解する、実績のあるAIのアプローチをMicrosoft Teamsに導入しているのです。  

異常なメッセージング行動もまた、ユーザーが侵害されているかどうかの非常に関連性の高い指標です。ペイロードに焦点を当てたMicrosoft Teamsのコンテンツを分析する他のソリューションとは異なり、Darktraceは基本的なリンクとサンドボックス分析を超えて、コンテンツとコンテキストの双方の観点から実際のユーザーの行動を調査します。この言語的理解は、シグネチャを悪意のあるペイロードに一致させるという要件に縛られることなく、むしろメッセージが配信されたコンテキストに注目します。この分析から、Darktraceはペイロードが配信される前に、初期段階のソーシャルエンジニアリングなどのアカウント侵害の初期症状を発見することができます。

横方向のEメール分析

アカウント乗っ取り、ラテラルフィッシング、データ漏えいを防ぐため、多層構造のAIで内部メールフローを検知し、対処します。

業界で最も堅牢なアカウント乗っ取り防止機能により、横方向のEメールアカウント侵害を防止できるようになりました。Darktrace は、インバウンドとアウトバウンドの意思決定に情報を提供するために、常に内部Eメールを見てきましたが、インバウンド、アウトバウンド、およびチーム分析のための同じAI技術を使用して、疑わしい横方向のEメールの動作を昇格させるようになりました。

Darktrace はEメールフロー全体と通信パターンのシグナルを統合し、横方向のEメールフローも含め、アカウント侵害の兆候を判断します。

ペイロードのみを分析する他のソリューションとは異なり、Darktrace は、ペイロードが配信される前に横方向の動きをキャッチするために、あらゆるシグナルを分析します。各ユーザーのAI行動プロファイルにさらに別のレイヤーを追加することで、セキュリティチームは横方向のEメールからのシグナルを利用して、アカウント乗っ取りの初期症状を発見し、さらなる侵害を防ぐために自律的な行動を取ることができるようになりました。

DMARC

業界初となるAIアシスト型DMARCにより、お客様のドメインを使用するサードパーティの詳細な可視化と制御を実現します。

Darktrace は、新しいDarktrace/DMARCにより、ブランド保護とコンプライアンスへの最も簡単な道を作りました。この新機能は、企業ドメインからのなりすましやフィッシングを継続的に阻止するとともに、Eメールのセキュリティを自動的に強化し、攻撃対象領域を縮小します。

Darktrace/DMARCは、ステップバイステップのガイダンスと自動化された記録提案を提供することにより、企業のスキルアップを支援し、施行への明確で効率的な道を提供します。DMARCは、GoogleやYahooなどの要求事項に迅速に対応し、Eメールが確実にメールボックスに届くようにします。  

一方、Darktrace/DMARCは、認証されていないDMARCソースから自分のドメインからのEメールが送信された場合、受信者に通知する一方で、組織のブランドを代表して送信するシャドーITやサードパーティベンダーの可視性を提供することにより、全体的な攻撃面を減らすのに役立ちます。

Darktrace/DMARCは、Darktrace の製品プラットフォームと統合され、Eメール攻撃経路とアタックサーフェス管理に関する洞察を共有することで、お客様のビジネスの安全性を高めます。

結論

Darktrace/Email の新機軸の詳細については、こちらからソリューション概要をダウンロードしてください。

Darktrace/Emailのすべての新しいアップデートは、新しいDarktrace ActiveAI Security Platformに含まれており、Eメールセキュリティとその他のデジタルエステート間のフィードバックループを作成し、より良い保護を実現します。 Darktrace ActiveAI Security Platformの詳細や、重要インフラ向けに構築された最も包括的な防御、検知、対処ソリューションである Darktrace/OTの最新イノベーションについてはこちらをクリックしてください。  

サイバーとAIの交差点について学ぶには、「AIサイバーセキュリティの現状2024」レポートをダウンロードし、驚くような世界的な調査結果や、セキュリティリーダーからの洞察、今日の最重要課題に対処するための推奨事項をご覧ください。

参考文献

[1] Internal Darktrace Research

[2] Internal Darktrace Research

[3] Essential Microsoft Office Statistics in 2024

INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Carlos Gray
Product Manager

Carlos Gonzalez Gray is a Product Marketing Manager at Darktrace. Based in the Madrid Office, Carlos engages with the global product team to ensure each product supports the company’s overall strategy and goals throughout their entire lifecycle. Previous to his position in the product team, Carlos worked as a Cyber Technology Specialist where he specialized in the OT sector protecting critical infrastructure.  His background as a consultant in Spain to IBEX 35 companies led him to become well versed in matters of compliance, auditing and data privacy as well. Carlos holds an Honors BA in Political Science and a Masters in Cybersecurity from IE University.

Book a 1-1 meeting with one of our experts
この記事を共有
USE CASES
該当する項目はありません。
PRODUCT SPOTLIGHT
該当する項目はありません。
COre coverage

More in this series

該当する項目はありません。

Blog

Inside the SOC

Stemming the Citrix Bleed Vulnerability with Darktrace’s ActiveAI Platform

Default blog imageDefault blog image
28
May 2024

What is Citrix Bleed?

Since August 2023, cyber threat actors have been actively exploiting one of the most significant critical vulnerabilities disclosed in recent years: Citrix Bleed. Citrix Bleed, also known as CVE-2023-4966, remained undiscovered and even unpatched for several months, resulting in a wide range of security incidents across business and government sectors [1].

How does Citrix Bleed vulnerability work?

The vulnerability, which impacts the Citrix Netscaler Gateway and Netscaler ADC products, allows for outside parties to hijack legitimate user sessions, thereby bypassing password and multifactor authentication (MFA) requirements.

When used as a means of initial network access, the vulnerability has resulted in the exfiltration of sensitive data, as in the case of Xfinity, and even the deployment of ransomware variants including Lockbit [2]. Although Citrix has released a patch to address the vulnerability, slow patching procedures and the widespread use of these products has resulted in the continuing exploitation of Citrix Bleed into 2024 [3].

How Does Darktrace Handle Citrix Bleed?

Darktrace has demonstrated its proficiency in handling the exploitation of Citrix Bleed since it was disclosed back in 2023; its anomaly-based approach allows it to efficiently identify and inhibit post-exploitation activity as soon as it surfaces.  Rather than relying upon traditional rules and signatures, Darktrace’s Self-Learning AI enables it to understand the subtle deviations in a device’s behavior that would indicate an emerging compromise, thus allowing it to detect anomalous activity related to the exploitation of Citrix Bleed.

In late 2023, Darktrace identified an instance of Citrix Bleed exploitation on a customer network. As this customer had subscribed to the Proactive Threat Notification (PTN) service, the suspicious network activity surrounding the compromise was escalated to Darktrace’s Security Operation Center (SOC) for triage and investigation by Darktrace Analysts, who then alerted the customer’s security team to the incident.

Darktrace’s Coverage

Initial Access and Beaconing of Citrix Bleed

Darktrace’s initial detection of indicators of compromise (IoCs) associated with the exploitation of Citrix Bleed actually came a few days prior to the SOC alert, with unusual external connectivity observed from a critical server. The suspicious connection in question, a SSH connection to the rare external IP 168.100.9[.]137, lasted several hours and utilized the Windows PuTTY client. Darktrace also identified an additional suspicious IP, namely 45.134.26[.]2, attempting to contact the server. Both rare endpoints had been linked with the exploitation of the Citrix Bleed vulnerability by multiple open-source intelligence (OSINT) vendors [4] [5].

Darktrace model alert highlighting an affected device making an unusual SSH connection to 168.100.9[.]137 via port 22.
Figure 1: Darktrace model alert highlighting an affected device making an unusual SSH connection to 168.100.9[.]137 via port 22.

As Darktrace is designed to identify network-level anomalies, rather than monitor edge infrastructure, the initial exploitation via the typical HTTP buffer overflow associated with this vulnerability fell outside the scope of Darktrace’s visibility. However, the aforementioned suspicious connectivity likely constituted initial access and beaconing activity following the successful exploitation of Citrix Bleed.

Command and Control (C2) and Payload Download

Around the same time, Darktrace also detected other devices on the customer’s network conducting external connectivity to various endpoints associated with remote management and IT services, including Action1, ScreenConnect and Fixme IT. Additionally, Darktrace observed devices downloading suspicious executable files, including “tniwinagent.exe”, which is associated with the tool Total Network Inventory. While this tool is typically used for auditing and inventory management purposes, it could also be leveraged by attackers for the purpose of lateral movement.

防衛回避

In the days surrounding this compromise, Darktrace observed multiple devices engaging in potential defense evasion tactics using the ScreenConnect and Fixme IT services. Although ScreenConnect is a legitimate remote management tool, it has also been used by threat actors to carry out C2 communication [6]. ScreenConnect itself was the subject of a separate critical vulnerability which Darktrace investigated in early 2024. Meanwhile, CISA observed that domains associated with Fixme It (“fixme[.]it”) have been used by threat actors attempting to exploit the Citrix Bleed vulnerability [7].

Reconnaissance and Lateral Movement

A few days after the detection of the initial beaconing communication, Darktrace identified several devices on the customer’s network carrying out reconnaissance and lateral movement activity. This included SMB writes of “PSEXESVC.exe”, network scanning, DCE-RPC binds of numerous internal devices to IPC$ shares and the transfer of compromise-related tools. It was at this point that Darktrace’s Self-Learning AI deemed the activity to be likely indicative of an ongoing compromise and several Enhanced Monitoring models alerted, triggering the aforementioned PTNs and investigation by Darktrace’s SOC.

Darktrace observed a server on the network initiating a wide range of connections to more than 600 internal IPs across several critical ports, suggesting port scanning, as well as conducting unexpected DCE-RPC service control (svcctl) activity on multiple internal devices, amongst them domain controllers. Additionally, several binds to server service (srvsvc) and security account manager (samr) endpoints via IPC$ shares on destination devices were detected, indicating further reconnaissance activity. The querying of these endpoints was also observed through RPC commands to enumerate services running on the device, as well as Security Account Manager (SAM) accounts.  

Darktrace also identified devices performing SMB writes of the WinRAR data compression tool, in what likely represented preparation for the compression of data prior to data exfiltration. Further SMB file writes were observed around this time including PSEXESVC.exe, which was ultimately used by attackers to conduct remote code execution, and one device was observed making widespread failed NTLM authentication attempts on the network, indicating NTLM brute-forcing. Darktrace observed several devices using administrative credentials to carry out the above activity.

In addition to the transfer of tools and executables via SMB, Darktrace also identified numerous devices deleting files through SMB around this time. In one example, an MSI file associated with the patch management and remediation service, Action1, was deleted by an attacker. This legitimate security tool, if leveraged by attackers, could be used to uncover additional vulnerabilities on target networks.

A server on the customer’s network was also observed writing the file “m.exe” to multiple internal devices. OSINT investigation into the executable indicated that it could be a malicious tool used to prevent antivirus programs from launching or running on a network [8].

Impact and Data Exfiltration

Following the initial steps of the breach chain, Darktrace observed numerous devices on the customer’s network engaging in data exfiltration and impact events, resulting in additional PTN alerts and a SOC investigation into data egress. Specifically, two servers on the network proceeded to read and download large volumes of data via SMB from multiple internal devices over the course of a few hours. These hosts sent large outbound volumes of data to MEGA file storage sites using TLS/SSL over port 443. Darktrace also identified the use of additional file storage services during this exfiltration event, including 4sync, file[.]io, and easyupload[.]io. In total the threat actor exfiltrated over 8.5 GB of data from the customer’s network.

Darktrace Cyber AI Analyst investigation highlighting the details of a data exfiltration attempt.
Figure 2: Darktrace Cyber AI Analyst investigation highlighting the details of a data exfiltration attempt.

Finally, Darktrace detected a user account within the customer’s Software-as-a-Service (SaaS) environment conducting several suspicious Office365 and AzureAD actions from a rare IP for the network, including uncommon file reads, creations and the deletion of a large number of files.

Unfortunately for the customer in this case, Darktrace RESPOND™ was not enabled on the network and the post-exploitation activity was able to progress until the customer was made aware of the attack by Darktrace’s SOC team. Had RESPOND been active and configured in autonomous response mode at the time of the attack, it would have been able to promptly contain the post-exploitation activity by blocking external connections, shutting down any C2 activity and preventing the download of suspicious files, blocking incoming traffic, and enforcing a learned ‘pattern of life’ on offending devices.

結論

Given the widespread use of Netscaler Gateway and Netscaler ADC, Citrix Bleed remains an impactful and potentially disruptive vulnerability that will likely continue to affect organizations who fail to address affected assets. In this instance, Darktrace demonstrated its ability to track and inhibit malicious activity stemming from Citrix Bleed exploitation, enabling the customer to identify affected devices and enact their own remediation.

Darktrace’s anomaly-based approach to threat detection allows it to identify such post-exploitation activity resulting from the exploitation of a vulnerability, regardless of whether it is a known CVE or a zero-day threat. Unlike traditional security tools that rely on existing threat intelligence and rules and signatures, Darktrace’s ability to identify the subtle deviations in a compromised device’s behavior gives it a unique advantage when it comes to identifying emerging threats.

Credit to Vivek Rajan, Cyber Analyst, Adam Potter, Cyber Analyst

付録

Darktrace モデルカバレッジ

Device / Suspicious SMB Scanning Activity

Device / ICMP Address Scan

Device / Possible SMB/NTLM Reconnaissance

Device / Network Scan

Device / SMB Lateral Movement

Device / Possible SMB/NTLM Brute Force

Device / Suspicious Network Scan Activity

User / New Admin Credentials on Server

Anomalous File / Internal::Unusual Internal EXE File Transfer

Compliance / SMB Drive Write

Device / New or Unusual Remote Command Execution

Anomalous Connection / New or Uncommon Service Control

Anomalous Connection / Rare WinRM Incoming

Anomalous Connection / Unusual Admin SMB Session

Device / Unauthorised Device

User / New Admin Credentials on Server

Anomalous Server Activity / Outgoing from Server

Device / Long Agent Connection to New Endpoint

Anomalous Connection / Multiple Connections to New External TCP Port

Device / New or Uncommon SMB Named Pipe

Device / Multiple Lateral Movement Model Breaches

Device / Large Number of Model Breaches

Compliance / Remote Management Tool On Server

Device / Anomalous RDP Followed By Multiple Model Breaches

Device / SMB Session Brute Force (Admin)

Device / New User Agent

Compromise / Large Number of Suspicious Failed Connections

Unusual Activity / Unusual External Data Transfer

Unusual Activity / Enhanced Unusual External Data Transfer

Device / Increased External Connectivity

Unusual Activity / Unusual External Data to New Endpoints

Anomalous Connection / Data Sent to Rare Domain

Anomalous Connection / Uncommon 1 GiB Outbound

Anomalous Connection / Active Remote Desktop Tunnel

Anomalous Server Activity / Anomalous External Activity from Critical Network Device

Compliance / Possible Unencrypted Password File On Server

Anomalous Connection / Suspicious Read Write Ratio and Rare External

Device / Reverse DNS Sweep]

Unusual Activity / Possible RPC Recon Activity

Anomalous File / Internal::Executable Uploaded to DC

Compliance / SMB Version 1 Usage

Darktrace AI Analyst Incidents

Scanning of Multiple Devices

Suspicious Remote Service Control Activity

SMB Writes of Suspicious Files to Multiple Devices

Possible SSL Command and Control to Multiple Devices

Extensive Suspicious DCE-RPC Activity

Suspicious DCE-RPC Activity

Internal Downloads and External Uploads

Unusual External Data Transfer

Unusual External Data Transfer to Multiple Related Endpoints

MITRE ATT&CK マッピング

Technique – Tactic – ID – Sub technique of

Network Scanning – Reconnaissance - T1595 - T1595.002

Valid Accounts – Defense Evasion, Persistence, Privilege Escalation, Initial Access – T1078 – N/A

Remote Access Software – Command and Control – T1219 – N/A

Lateral Tool Transfer – Lateral Movement – T1570 – N/A

Data Transfers – Exfiltration – T1567 – T1567.002

Compressed Data – Exfiltration – T1030 – N/A

NTLM Brute Force – Brute Force – T1110 - T1110.001

AntiVirus Deflection – T1553 - NA

Ingress Tool Transfer   - COMMAND AND CONTROL - T1105 - NA

Indicators of Compromise (IoCs)

204.155.149[.]37 – IP – Possible Malicious Endpoint

199.80.53[.]177 – IP – Possible Malicious Endpoint

168.100.9[.]137 – IP – Malicious Endpoint

45.134.26[.]2 – IP – Malicious Endpoint

13.35.147[.]18 – IP – Likely Malicious Endpoint

13.248.193[.]251 – IP – Possible Malicious Endpoint

76.223.1[.]166 – IP – Possible Malicious Endpoint

179.60.147[.]10 – IP – Likely Malicious Endpoint

185.220.101[.]25 – IP – Likely Malicious Endpoint

141.255.167[.]250 – IP – Malicious Endpoint

106.71.177[.]68 – IP – Possible Malicious Endpoint

cat2.hbwrapper[.]com – Hostname – Likely Malicious Endpoint

aj1090[.]online – Hostname – Likely Malicious Endpoint

dc535[.]4sync[.]com – Hostname – Likely Malicious Endpoint

204.155.149[.]140 – IP - Likely Malicious Endpoint

204.155.149[.]132 – IP - Likely Malicious Endpoint

204.155.145[.]52 – IP - Likely Malicious Endpoint

204.155.145[.]49 – IP - Likely Malicious Endpoint

参考文献

  1. https://www.axios.com/2024/01/02/citrix-bleed-security-hacks-impact
  2. https://www.csoonline.com/article/1267774/hackers-steal-data-from-millions-of-xfinity-customers-via-citrix-bleed-vulnerability.html
  3. https://www.cybersecuritydive.com/news/citrixbleed-security-critical-vulnerability/702505/
  4. https://www.virustotal.com/gui/ip-address/168.100.9.137
  5. https://www.virustotal.com/gui/ip-address/45.134.26.2
  6. https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
  7. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a
  8. https://www.file.net/process/m.exe.html
続きを読む
著者について
Vivek Rajan
Cyber Analyst

Blog

Eメール

How to Protect your Organization Against Microsoft Teams Phishing Attacks

Default blog imageDefault blog image
21
May 2024

The problem: Microsoft Teams phishing attacks are on the rise

Around 83% of Fortune 500 companies rely on Microsoft Office products and services1, with Microsoft Teams and Microsoft SharePoint in particular emerging as critical platforms to the business operations of the everyday workplace. Researchers across the threat landscape have begun to observe these legitimate services being leveraged more and more by malicious actors as an initial access method.

As Teams becomes a more prominent feature of the workplace many employees rely on it for daily internal and external communication, even surpassing email usage in some organizations. As Microsoft2 states, "Teams changes your relationship with email. When your whole group is working in Teams, it means you'll all get fewer emails. And you'll spend less time in your inbox, because you'll use Teams for more of your conversations."

However, Teams can be exploited to send targeted phishing messages to individuals either internally or externally, while appearing legitimate and safe. Users might receive an external message request from a Teams account claiming to be an IT support service or otherwise affiliated with the organization. Once a user has accepted, the threat actor can launch a social engineering campaign or deliver a malicious payload. As a primarily internal tool there is naturally less training and security awareness around Teams – due to the nature of the channel it is assumed to be a trusted source, meaning that social engineering is already one step ahead.

Screenshot of a Microsoft Teams message request from a Midnight Blizzard-controlled account (courtesy of Microsoft)
Figure 1: Screenshot of a Microsoft Teams message request from a Midnight Blizzard-controlled account (courtesy of Microsoft)

Microsoft Teams Phishing Examples

Microsoft has identified several major phishing attacks using Teams within the past year.

In July 2023, Microsoft announced that the threat actor known as Midnight Blizzard – identified by the United States as a Russian state-sponsored group – had launched a series of phishing campaigns via Teams with the aim of stealing user credentials. These attacks used previously compromised Microsoft 365 accounts and set up new domain names that impersonated legitimate IT support organizations. The threat actors then used social engineering tactics to trick targeted users into sharing their credentials via Teams, enabling them to access sensitive data.  

At a similar time, threat actor Storm-0324 was observed sending phishing lures via Teams containing links to malicious SharePoint-hosted files. The group targeted organizations that allow Teams users to interact and share files externally. Storm-0324’s goal is to gain initial access to hand over to other threat actors to pursue more dangerous follow-on attacks like ransomware.

Darktrace がMicrosoft Teamsのフィッシングを阻止する方法について、さらに詳しく知りたい方は、ブログをお読みください: 餌に喰いつくな:Darktrace Microsoft Teamsのフィッシング攻撃を阻止する方法

The market: Existing Microsoft Teams security solutions are insufficient

Microsoft’s native Teams security focuses on payloads, namely links and attachments, as the principal malicious component of any phishing. These payloads are relatively straightforward to detect with their experience in anti-virus, sandboxing, and IOCs. However, this approach is unable to intervene before the stage at which payloads are delivered, before the user even gets the chance to accept or deny an external message request. At the same time, it risks missing more subtle threats that don’t include attachments or links – like early stage phishing, which is pure social engineering – or completely new payloads.

Equally, the market offering for Teams security is limited. Security solutions available on the market are always payload-focused, rather than taking into account the content and context in which a link or attachment is sent. Answering questions like:

  • Does it make sense for these two accounts to speak to each other?
  • Are there any linguistic indicators of inducement?

Furthermore, they do not correlate with email to track threats across multiple communication environments which could signal a wider campaign. Effectively, other market solutions aren’t adding extra value – they are protecting against the same types of threats that Microsoft is already covering by default.

The other aspect of Teams security that native and market solutions fail to address is the account itself. As well as focusing on Teams threats, it’s important to analyze messages to understand the normal mode of communication for a user, and spot when a user’s Teams activity might signal account takeover.

The solution: How Darktrace protects Microsoft Teams against sophisticated threats

With its biggest update to Darktrace/Email ever, Darktrace now offers support for Microsoft Teams. With that, we are bringing the same AI philosophy that protects your email and accounts to your messaging environment.  

Our Self-Learning AI looks at content and context for every communication, whether that’s sent in an email or Teams message. It looks at actual user behavior, including language patterns, relationship history of sender and recipient, tone and payloads, to understand if a message poses a threat. This approach allows Darktrace to detect threats such as social engineering and payloadless attacks using visibility and forensic capabilities that Microsoft security doesn’t currently offer, as well as early symptoms of account compromise.  

Unlike market solutions, Darktrace doesn’t offer a siloed approach to Teams security. Data and signals from Teams are shared across email to inform detection, and also with the wider Darktrace ActiveAI security platform. By correlating information from email and Teams with network and apps security, Darktrace is able to better identify suspicious Teams activity and vice versa.  

Interested in the other ways Darktrace/Email augments threat detection? Read our latest blog on how improving the quality of end-user reporting can decrease the burden on the SOC. To find our more about Darktrace's enduring partnership with Microsoft, click here.

参考文献

[1] Essential Microsoft Office Statistics in 2024

[2] Microsoft blog, Microsoft Teams and email, living in harmony, 2024

続きを読む
著者について
Carlos Gray
Product Manager
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

無償トライアルを開始
Darktrace AI protecting a business from cyber threats.