When an employee’s social mindset becomes a threat to business

In today’s business environment, where innocent GIFs and shared documents can be weaponized, protecting cloud-based collaboration from the spread of malware should be a priority.

As our lives settle ever deeper into online environments and digital behaviors, cybercriminals are leveraging new vectors that allow for phishing, data theft, and spreading malware. Recent incidents show that mixing people’s professional and personal minds (an ever-present human factor) can create new weaknesses in a business’s cybersecurity. 

Imagine your employees browsing their favorite social media platform on their personal time; they might find an interesting picture or emoji and its embedded link, which they then share — no one would mind such a distraction. Now, imagine your employees checking their various professional chats and threads; something between their personal and professional interests sparks their minds. Hence, they react by sharing an article, an interesting picture, or an emoji and its embedded link. This time, they share with their colleagues on a cloud-based platform such as Microsoft Teams . . . just for fun or even for professional inspiration.

A pretty common thing in an office, right? Well, bad actors can abuse even these everyday activities. Putting it simply, behaviors common to navigating and enjoying social media platforms can raise risks for business platforms, which have now become ubiquitous for small and medium businesses (SMBs) and enterprises alike.
Fortunately, multilayered ESET cybersecurity technology has an answer for such incidents with ESET Cloud Office Security (ECOS), which is now expanding beyond Microsoft 365 applications to include the Google Workspace.

Let’s start with weaponized pictures, GIFs, and emojis. The technique of concealing a file, message, image, or video within another file, message, image, or video is called digital steganography, and it is nothing new in cybersecurity.

The first documented case of its use in a cyberattack dates back to 2011, when the Duqu malware was discovered. This malware gathers data about the infected device and transmits them back to the command-and-control (C&C) server hidden in a JPEG file meant to look like an innocent picture.  

Since then, ESET researchers have analyzed numerous similar attacks.

In 2022, BleepingComputer reported about a new attack technique called GIFShell that allows threat actors to abuse Microsoft Teams for phishing attacks and executing commands to steal data using GIFs.

Using numerous Teams vulnerabilities, GIFShell allows an attacker to create a reverse shell. This technique tricks users into installing malware that connects the victim’s device to the attacker’s command-and-control server. After the connection is established, the command-and-control server delivers malicious commands via weaponized GIFs in Teams. These commands can, for example, scan the device for sensitive data and then exfiltrate the output, again, through GIFs retrieved by Microsoft’s own infrastructure.

Large cloud-based platforms like Microsoft 365 with its Teams app saw rapid growth during the pandemic and, by Q1 2023, had approximately 280 million users. With such growth and new online behaviors, the scope for abuse on large platforms has only grown.

However, increasing attention has been shown to these threat vectors by researchers. In June 2023, UK-based security services provider Jumpsec's Red Team discovered an easy way to deliver malware using Microsoft Teams via an account outside the target organization. Even though Microsoft Teams has client-side protection preventing file delivery from external sources, Red Team’s members bypassed it by changing the internal and external recipient ID in the POST request of a message.

That way, researchers were able to fool the system into thinking that an external user was, in fact, an internal account. Specifically, they successfully delivered a command-and-control payload into a target organization’s inbox. If this attack had happened in a real-life environment, bad actors could have taken over the control of a business’s devices.

To deal with threats coming from increasingly popular cloud-based applications, ESET created its Cloud Office Security (ECOS) solution. It is a powerful combination of spam filtering, anti‑malware scanning, anti‑phishing, and advanced threat defense capabilities able to mitigate even never-before-seen threat types.

With this multitenant and scalable product, businesses can protect their entire Office 365 suite, including Exchange Online, MS Teams, OneDrive, and SharePoint Online. For example, one of the things that ECOS does is that it scans all files transmitted through MS Teams and those uploaded or downloaded to SharePoint Online, scanning it regardless of who the author of the content is.

ECOS effectivity in numbers:

• In the first ten months of 2023, ECOS detected and blocked over 1 million email threats, over 500,000 phishing emails, and over 30 million spam emails.
• Thousands of never-before-seen detections were made by the cloud analysis component of ESET LiveGuard Advanced.
• ECOS detected and stopped tens of thousands of threats in cloud storage and collaboration tools like OneDrive, Teams, and SharePoint.

In its latest offering, ESET goes even further, integrating ECOS with Google Workspace to protect users from the aforementioned threat types. This means that ESET now protects the major cloud email providers.

The many functions outlined here are critical for security in large part because they scale easily and provide concrete improvements for businesses. However, ESET has sought to do even more for SMBs. In October 2022, ESET endpoint security solutions integrated with Intel® Threat Detection Technology (Intel® TDT), which went live for select vPro 9th Gen (and higher) powered laptops, with integrated functionalities providing improved hardware-based ransomware detection.

This year has seen further improvements to the integration with the higher performance of the newly launched 13th Gen Intel® Core™ processors, which further enable unique ransomware detections shared between ESET endpoint security and its layers, and Intel’s performance monitoring unit (PMU) sitting beneath applications, the operating system, and virtualization layers gathering CPU telemetry as threats attempt to execute.

This solution is especially advantageous for SMBs because it further expands the comprehensive nature of our multilayered solution without the need for any direct management.  

Techniques that allow the breach of a business’s security through its employees and their (in-app) behaviors demonstrate that cybercriminals use every possibility to circumvent standard cyber defenses.

Via an ECOS’s easy-to-use dashboard, its Cloud Management Console, businesses can not only manage their security but also rapidly detect, assess, and respond to cyber incidents, making it a perfect solution for businesses of any size.