Critical flaws in attachment scanning of major email services expose millions of users to security risks.
What do iCloud Mail, Gmail, Outlook and Yahoo! have in common? Email? Certainly, they are all mail services, but still? They share a similarity that they could have done without. Recent findings from SquareX security researchers reveal a major flaw in their attachment scanning process.
By gathering 100 samples of malicious documents categorized into four major groups, researchers were able to confirm that email services such as Gmail, Microsoft Outlook, Apple iCloud, Yahoo! Mail and AOL all fail to protect their users’ data: the analysis of email attachments has proven to be insufficient, to say the least.
4 categories of malware to develop tests
The SquareX study classified malicious documents into four main categories. The first category includes original malware documents from Malware Bazaar. The second category includes slightly modified malicious documents from Malware Bazaar, such as changes to metadata and file formats. The third category includes malicious documents modified using attack tools that have been around for many years. Finally, the fourth category includes basic documents supporting macros that run programs on users’ devices.
Researchers took samples of these malicious documents, attached them to emails, and sent them via Proton Mail to addresses on iCloud Mail, Gmail, Outlook, Yahoo! Mail and AOL, which are part of the Yahoo! group. If the emails were successfully delivered to users, they could be vulnerable to any threats contained in these attachments.
On the other hand, ” If an email was not delivered, it is a sign that malware was detected while the server was processing the email ”, according to the study.
Malware that has slipped under the antivirus radar and worries cybersecurity experts
Researchers showed how Apple iCloud, Yahoo Mail and AOL failed to block a sample of malware they introduced in a PowerPoint presentation. While 40 antiviruses detected it during testing, Yahoo! Mail and AOL failed to block another malicious file pretending to be a Microsoft Excel document, which failed to fool 35 antivirus programs. In this case, a relatively simple change to the file’s metadata allowed Apple iCloud Mail, Google Gmail, and Microsoft Outlook to also let the file through.
Jake Moore, global cybersecurity advisor at ESET, expresses concern about the permeability of tech giants towards malicious files, noting that millions of users rely on these controls to stay protected. Ian Thornton-Trump, chief information security officer at threat intelligence solutions company Cyjax says adding advanced email security features “ can be very problematic in cases of false positives, which may involve the use of technical support resources to help or correct – this expense for millions of users on a free platform may be commercially untenable “.
Finally, email providers are still turning a deaf ear. They believe that the game is not worth the effort and above all that such security measures would require considerable resources and would therefore have an impact on their results. Time is money.
Source : Forbes, 9to5mac, Squarex labs
2