Phishing through encrypted email services

24 March 2021 · Phishing


Most users know not to open an encrypted .zip, Excel, or Word attachment when the password is sent in the same email. The bad guys used this technique to keep antivirus programs from catching malicious attachments. They kept doing it when sending phishing emails when email filters started to look for known phishing sites and those that were likely compromised.

Fortunately, most targets don't fall for that scam anymore, so what's a bad guy to do?

Last summer, we notified our clients about new attacks that were exploiting vulnerable and unmonitored Sharepoint, Dropbox, and Google Drive sites. These attacks typically abused reused passwords and unmonitored cloud services. In our phishing training simulations, about 75% of our clients fell for them the first time they were exposed to this sort of attack. They were successful because they came from known contacts using trusted services like Microsoft 365. However, they are a lot of work for the attackers, who have to break into a system, monitor for useful messages, and then imitate them. On top of all of this work, some comapanies wised up and started to secure their Microsoft 365 and Google Workspace accounts to prevent these altogether. Our managed security clients were protected from this sort of attack because they had location-based access restrictions, trusted computer restrictions, Multi-Factor Authentication, password management, active monitoring, and other controls in place.

This brings us to the next evolution in this sort of attack: encrypted email services.

Encrypted email services: better for bad guys than good guys

Security requirements around the world, such as PIPA in Alberta and BC, PIPEDA in the rest of Canada, GDPR in Europe, and various health information standards have increased the popularity of encrypted email services. These allow businesses to include some sensitive information in emails without worrying about them being intercepted -- although we generally don't encourage them except when required for regulatory reasons because of their overall lack of true security when passwords aren't communicated through a separate method (such as on a piece of paper at a dentist's office or text message) or using encryption certificates that are difficult to deploy.

Despite their limited benefits to legitimate users, these services are great for the bad guys! Just like the old-fashioned encrypted emails, bad guys can now send links to phishing websites and ransomware through these services without firewalls or antivirus products catching them! For this reason, it's important to be especially cautious when receiving messages from encrypted email services. Make sure to mouseover any links and double-check with the sender through chat, phone, or SMS before clicking any links in the "encrypted" message.

In the video above, Tyson gives some examples of such encrypted email attacks and how to protect yourself.