The Power of SaaS Security in Phishing Defense

By Tamara Bailey, Content Marketing Specialist, AppOmni

With nearly 90% of data breaches related to phishing attacks, this form of social engineering poses a massive threat to organizations. Cybercriminals’ track record of persuading recipients into revealing credentials and disclosing sensitive information shouldn’t be taken lightly.

The 0ktapus phishing scam in late Aug. 2022 demonstrates how threat actors successfully accessed enterprise companies such as Klaviyo, Mailchimp, and Twilio to exfiltrate sensitive data. In total, 0ktapus led to 9,931 compromised user credentials, 5,441 multi-factor authentication (MFA) codes, and 136 unique email domains associated with these credentials.

Phishing attempts are escalating, and cybercriminals are employing more sophisticated techniques to orchestrate attacks. By understanding the latest phishing tactics and automating your SaaS security posture management, your organization can stay ahead of malicious attackers.

The Most Popular and Successful Phishing Trends and Techniques

Before you can defend your organization against phishing attempts, you should know the common techniques attackers use to conduct phishing. These include:

  • SMS phishing: As the name suggests, SMS phishing (or “smishing”) happens over text messages. Threat actors pose as trustworthy individuals or entities, such as company leaders or colleagues, when they send texts to employees. Their goal is to persuade recipients to open a link to a fake site that asks the victim to enter their login credentials or personal information. In recent years, more organizations have adopted SMS two-factor authentication (2FA) for additional security, but attackers can bypass these measures as well.

  • Vishing: Otherwise known as voice phishing, vishing occurs when cybercriminals attempt to steal personal and confidential information from victims over the phone. They disguise themselves as trusted and reputable figures, such as an organization’s CEO or other leaders, to persuade the victim to reveal valuable information, such as their employee login credentials or company credit card information.

  • Spear phishing: These attacks target specific individuals or groups of an organization via email. Cybercriminals attempt to make their messages appear credible by writing them “from” a colleague, company leader, vendor, partner, etc. The malicious actor will usually send links or attachments containing malware for the recipient to download onto their device. Unlike yesteryear’s email phishing scams, these are better-written with more credible stories, formats, and layouts.

  • Whaling: This phishing method targets the high-level executives of an organization, like C-suite members, organizational presidents, and senior managers. Threat actors use “corporate speak,” spoofed email addresses, and personal information to make their messages sound authentic. In some cases, hackers may pose as a high-level executive and send emails conveying a sense of urgency to recipients.

Phishing has evolved tremendously. Once easy to detect, phishing attempts now capitalize on technological advancements and messaging improvements that make the deception more difficult to identify. Additionally, cybercriminals can now make money from their technical skills without having to personally orchestrate the phishing scams.

Phishing-as-a-Service (PhaaS) Makes Phishing Easier

Phishing-as-a-Service, also called PhaaS, involves cybercriminals selling software designed to streamline phishing scams. These “phishing kits” allow novice cybercriminals to partake in attacks with minimal effort and limited experience. Phishing kits can include email and fake website templates, detailed instructions, sample scripts, and other “plug and play” attack frameworks.

Will PhaaS Put My Organization at Risk?

The short answer is … it depends. PhaaS does allow low-skill threat actors, like script kiddies, to perpetrate phishing attacks, but it doesn’t significantly change the landscape. In most scenarios, cybercriminals target large-scale organizations and reputable figures, but PhaaS expands their reach to smaller organizations.

Ultimately, whether it’s an advanced or amateur cybercriminal conducting phishing campaigns, the results remain the same. If the recipient is misled and enters credentials or other key information on an illegitimate site, they’re a victim of phishing.

End-users must receive continuous training and education to prevent successful phishing attacks. And organizations should employ security posture management to reduce risk and attack vectors.

How Can My Team Thwart Phishing Attempts And Address Successful Scams Quickly?

Phishing attempts aren’t one-off situations. As organizations adopt more SaaS apps, the access points and side doors for threat actors to gain confidential information grow exponentially. During the 0ktapus phishing scam, attackers used these techniques to acquire 10,000 user credentials. The chain of events can be summarized as:

  • Attackers texted employees fake links to their employers’ Okta authentication page.
  • After recipients submitted their user credentials, attackers used these to log in to the official Okta authentication page, which then texted MFA codes to the victims.
  • After the users entered these codes on the fake authentication page, attackers were able to fully compromise those accounts.
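The chain above works because the code the victim types carries no record of which page collected it, which is why the hardening options later in this post single out hardware keys. The following added simulation (not from the post or from AppOmni) shows a relayed TOTP/SMS-style code verifying at the real identity provider while an origin-bound assertion is rejected; the origins, keys, challenge and timestamp are all constructed, and the HMAC stands in for WebAuthn's public-key signature.

```python
"""Added example (not from the post): why relaying the victim's one-time code,
as in the 0ktapus chain, works against TOTP/SMS codes but not against an
origin-bound hardware-key assertion. Both servers are simulations; the HMAC
stands in for WebAuthn's public-key signature, and all names are constructed."""
import hashlib, hmac, struct

REAL_ORIGIN = "https://login.example-corp.com"  # legitimate IdP (constructed)
FAKE_ORIGIN = "https://login.example-corp.co"   # look-alike phishing page (constructed)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Nothing in the code says where it was typed."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def idp_accepts_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The real IdP sees only secret + time; the page that harvested the code is invisible."""
    return hmac.compare_digest(totp(secret, unix_time), submitted)

def authenticator_assert(key: bytes, challenge: bytes, page_origin: str) -> dict:
    """Simulated FIDO authenticator: the browser, not the user, supplies the origin,
    and it is covered by the signature. (A real browser would refuse to produce
    an assertion for the real RP ID from a different origin at all.)"""
    client_data = f"{challenge.hex()}|{page_origin}".encode()
    return {"client_data": client_data, "sig": hmac.new(key, client_data, hashlib.sha256).digest()}

def rp_accepts_assertion(key: bytes, challenge: bytes, assertion: dict) -> bool:
    """Relying party: valid signature AND the signed origin must be ours."""
    expected = hmac.new(key, assertion["client_data"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False
    chal_hex, origin = assertion["client_data"].decode().split("|")
    return chal_hex == challenge.hex() and origin == REAL_ORIGIN

def relay_outcomes(now: int = 1661385600) -> dict:
    """Victim completes both factors on FAKE_ORIGIN; each is forwarded to the real server."""
    totp_secret, fido_key, challenge = b"constructed-seed", b"constructed-key", b"\x01" * 16
    relayed_code = totp(totp_secret, now)
    relayed_assertion = authenticator_assert(fido_key, challenge, FAKE_ORIGIN)
    genuine_assertion = authenticator_assert(fido_key, challenge, REAL_ORIGIN)
    return {
        "totp_relay_accepted": idp_accepts_totp(totp_secret, relayed_code, now),             # True
        "fido_relay_accepted": rp_accepts_assertion(fido_key, challenge, relayed_assertion),  # False
        "fido_genuine_accepted": rp_accepts_assertion(fido_key, challenge, genuine_assertion),  # True
    }
```

The TOTP branch is the same whether the second factor arrives by SMS or an authenticator app: the server has no way to learn the origin of the page the user trusted, so only a credential that signs the origin closes this gap.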

Securing your SaaS applications with the right SaaS Security Posture Management (SSPM) solution helps prevent costly data breaches and loss of resources. A robust SSPM solution should include:

  • General hardening options: Your SSPM solution should empower you to implement security best practices without learning the intricacies of each SaaS app’s security settings and configurations. For example, require 2FA and consider mandating time-based, one-time password (TOTP) tools like Google or Microsoft Authenticator. For additional security layers, your organization may opt for hardware keys like Titan Security Keys or YubiKeys.

  • Continuous monitoring: Receive automatic alerts if any suspicious phishing-related activity is detected within your SaaS apps, enabling you to restrict access to users and halt the spread of phishing attempts. Alerts your team could benefit from may include:
    • Implementation of conditional access policies, which require a user to perform an action before accessing a feature within a network. This may involve requiring MFA for users and blocking or allowing access from certain IP locations. Using these policies, if an attacker attempts to infiltrate your network from an unusual IP address, you can block the IP address, making it more difficult for them to compromise accounts.
    • Detecting and informing your employees if an email is from an external and unknown source. With an SSPM solution, you can monitor the settings of your email provider’s anti-phishing tools and receive alerts if these settings are misconfigured.
    • Identifying and blocking malicious attachment files that may contain malware or can’t be saved locally. Email providers can often detect and block suspicious files that may compromise your organization if downloaded. Your SSPM solution can notify you if someone changes these settings to allow the sending of malicious files.

  • Threat detection: Facilitate threat hunting to monitor activity and investigate alerts. Organizations can survey their normalized log data to identify any events that may indicate a possible breach, such as login failures and mass downloads or deletes. If an account experienced a phishing attack, your organization could immediately edit the account’s access rights, preventing the attacker from further compromising it.

  • Least privilege access enforcement: Ensure administrative privileges are restricted to select employees, and that non-admin users have the minimum access necessary to perform their job functions, with permission drift detection to catch access that grows beyond what a role needs. If an attack were to occur, cybercriminals would find their attack vector severely limited, as the majority of accounts don’t have access to sensitive data. You can also employ role-based access control (RBAC) and apply continuous monitoring to stay aware of unknown logins.
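The threat detection bullet names two hunting signals in normalized log data, login failures and mass downloads or deletes. The following added example (not AppOmni's code) runs a sliding-window check for both over constructed normalized SaaS audit events; the event shape, user names and thresholds are assumptions to be tuned per app.

```python
"""Added example (not AppOmni's code): the hunting signals the text names,
login-failure bursts and mass downloads or deletes, checked over normalized
SaaS audit events. The event shape and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5   # failures by one user inside WINDOW
BULK_ACTION_THRESHOLD = 50   # downloads + deletes by one user inside WINDOW
WINDOW = timedelta(minutes=10)

def _ts(minute, second=0):
    return f"2022-08-25T09:{minute:02d}:{second:02d}"

# Constructed normalized events: (timestamp, user, action, outcome).
EVENTS = (
    [(_ts(s // 3, (s % 3) * 20), "alice", "login", "failure") for s in range(6)]  # 6 in 2 min
    + [(_ts(3), "alice", "login", "success")]                                      # then success
    + [(_ts(10 + m // 12, (m % 12) * 5), "bob", "download", "success") for m in range(60)]  # 60 in 5 min
    + [(_ts(m * 5), "carol", "login", "failure") for m in range(3)]                # spread out: benign
    + [(_ts(20), "carol", "download", "success")]
)

def burst_in_window(times, threshold, window):
    """True if at least `threshold` timestamps fall inside one `window`."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False

def hunt(events, window=WINDOW):
    """Map each user to the signals they triggered (empty dict if none)."""
    failures, bulk = defaultdict(list), defaultdict(list)
    for ts, user, action, outcome in events:
        when = datetime.fromisoformat(ts)
        if action == "login" and outcome == "failure":
            failures[user].append(when)
        elif action in ("download", "delete") and outcome == "success":
            bulk[user].append(when)
    findings = defaultdict(list)
    for user, times in failures.items():
        if burst_in_window(times, FAILED_LOGIN_THRESHOLD, window):
            findings[user].append("failed_login_burst")
    for user, times in bulk.items():
        if burst_in_window(times, BULK_ACTION_THRESHOLD, window):
            findings[user].append("mass_download_or_delete")
    return dict(findings)
```

A burst of failures followed by a success, as with alice here, is the pattern to pair with an immediate access-rights change on that account; the thresholds should come from each app's normal activity rather than the constants above.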

AppOmni offers all this and more to provide exceptional security for your SaaS applications. Request a free risk assessment for insights into any publicly exposed SaaS data, over-privileged access to data, and more.
