Business Email Security After Google Breach


Summary

Business email security after the Google breach refers to the urgent need for companies to protect their email systems from increasingly sophisticated cyberattacks—like phishing, credential theft, and unauthorized third-party access—highlighted by recent incidents involving Google and other popular platforms. With attackers targeting both the technology and the people who use it, businesses face ongoing risks that require careful management of authentication, monitoring, and access controls.

  • Review authentication settings: Regularly check that email authentication protocols like SPF, DKIM, and DMARC are correctly set up and enforced to help stop impersonation and fraudulent emails.
  • Audit third-party access: Frequently evaluate which apps and vendors have access to your company’s email and data, disconnect anything unnecessary, and ask tough questions about their security practices.
  • Prioritize browser protection: Since many attacks start with malware that steals credentials through browsers, make sure your defenses focus on securing browsers and monitoring for unusual activity, not just your main email platform.
Summarized by AI based on LinkedIn member posts
  • View profile for Jason Makevich, CISSP

    Helping MSPs & SMBs Secure & Innovate | Keynote Speaker on Cybersecurity | Inc. 5000 Entrepreneur | Founder & CEO of PORT1 & Greenlight Cyber

    9,268 followers

    Attackers can send emails that look like they’re from your company without ever touching your systems. They spoof your domain, impersonate your executives, and target your customers.

    This can turn into real financial loss. Customers pay fake invoices. Vendors update payment details based on a fraudulent message. Employees get pulled into credential or payment scams that look legitimate. For a small business, that can mean lost revenue, recovery costs, and operational disruption.

    Email authentication helps reduce this risk. SPF and DKIM verify sending systems. DMARC ties it together and tells receiving servers how to handle messages that fail checks. When configured and enforced, many spoofed emails can be filtered or blocked before they reach inboxes. It also gives you visibility into who is trying to use your domain.

    It’s worth checking where you stand:

      • Ask your MSP or IT team if SPF, DKIM, and DMARC are configured and actively monitored.
      • Confirm your DMARC policy is enforced, not just set to monitor.
      • Make sure you can review and act on DMARC reports.

    This is basic protection that’s easy to put in place, inexpensive to maintain, and can make a meaningful difference, especially given how much business communication and payments still rely on email.

    Learn more here:

      ➢ FTC: "How to Stop a Would-Be Business Impersonator" https://lnkd.in/gfjq6eEu
      ➢ FTC: "Email Authentication" https://lnkd.in/gmZuyxFj

    #Cybersecurity #EmailSecurity #EmailAuthentication #SmallBusiness #BusinessRisk

  • View profile for Juan Pablo Castro

    VP @ TrendAI | Cyber Risk & Cybersecurity Strategist, LATAM | Creator of Cybersecurity Compass, CyberRiskOps & CROC | Public Speaker

    34,036 followers

    🔍 Anatomy of a Modern B2B Business Email Compromise (BEC) Attack

    A recent Trend Micro™ Managed XDR investigation uncovered a sophisticated B2B Business Email Compromise (BEC) attack, where a threat actor manipulated an ongoing email conversation between three business partners over several days. By compromising an email server and strategically replacing recipients, the attacker successfully redirected funds to their account—all while the victims believed they were communicating with their trusted partners.

    🚨 Timeline of the Attack:

    📅 Day 1:

      • T+0:00 – Partner A sends an invoice reminder to Partner B, copying Partner C.
      • T+4:30 – Threat actor intercepts and sends an email with fraudulent banking details from a compromised third-party email server.
      • T+11:00 – The attacker resends the email, this time using a compromised Partner C account to reinforce legitimacy.

    📅 Days 2-5:

      • T+15:00 – Partner B, unaware of the compromise, acknowledges the invoice and requests additional details—unknowingly communicating with the attacker instead of the real Partner A.
      • T+5.02 days – Partner A (still unaware) provides business details, but the email is received by the attacker, not Partner B.
      • T+5.17 days – Attacker confirms details and reissues fraudulent banking instructions.
      • T+5.64 days – Partner B deposits the funds into the attacker’s account.
      • T+5.66 days – Partner B informs ‘Partner A’ (the attacker) that the transfer is complete.

    By the time Partner A and Partner B realized the fraud (12+ days later), the funds had already been moved.

    🔑 Key Insights from the Incident:

      ✔️ Sophisticated Manipulation: The attacker gradually replaced real recipients in email threads, ensuring the conversation seemed normal.
      ✔️ Social Engineering & Trust Exploitation: By mimicking writing styles and leveraging auto-complete features, they maintained credibility.
      ✔️ Weak Email Security Enabled the Attack: A misconfigured third-party email server allowed fraudulent emails to bypass security checks.
      ✔️ Strategic Patience: The attacker waited 4.5 hours before injecting fraudulent banking details, ensuring it appeared as a legitimate correction.

    🛡️ How to Defend Against BEC Attacks:

      ✅ Strengthen Email Authentication – Implement DMARC, SPF, and DKIM to verify sender legitimacy.
      ✅ Enable Multi-Factor Authentication (MFA) – Prevent unauthorized access to email accounts.
      ✅ Monitor for Anomalous Activity – Look for suspicious email forwarding rules and unauthorized logins.
      ✅ Educate High-Risk Employees – Train finance teams to verify banking details via secure channels before transferring funds.
      ✅ Establish Out-of-Band Validation – Require phone/video call confirmation for financial transactions to verify sender identity.

    💡 BEC attacks are getting more sophisticated, but proactive security measures can significantly reduce the risk.

    🔬 Full Research in Comments Section

    #DeepDive #CyberSecurity #BEC #ThreatIntelligence #EmailSecurity #TrendMicro #SOC
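
An added detection sketch for the recipient replacement described in the post above; it is not code from the post or from the Trend Micro research. The thread headers, addresses and the "participant dropped while an unknown domain joined" heuristic are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed thread headers (bodies omitted); every address is made up.
THREAD = [
    "From: ar@partner-a.example\nTo: ap@partner-b.example\n"
    "Cc: ops@partner-c.example\nSubject: Invoice reminder\n\n",
    "From: ap@partner-b.example\nTo: ar@partner-a.example\n"
    "Cc: ops@partner-c.example\nSubject: RE: Invoice reminder\n\n",
    "From: ops@partner-c.example\nTo: ap@partner-b.example\n"
    "Cc: ar@partner-a-billing.example\nSubject: RE: Invoice reminder\n\n",
]

def participants(raw):
    """Lower-cased addresses found in From, To and Cc of one raw message."""
    msg = message_from_string(raw)
    fields = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def domain(addr):
    """Domain part of an address (empty string if there is no '@')."""
    return addr.rpartition("@")[2] if "@" in addr else ""

def recipient_drift(thread):
    """Compare each reply with the first message and report swapped participants."""
    baseline = participants(thread[0])
    known_domains = {domain(a) for a in baseline}
    alerts = []
    for index, raw in enumerate(thread[1:], start=1):
        current = participants(raw)
        # New addresses whose domain never appeared in the opening message.
        added = sorted(a for a in current - baseline if domain(a) not in known_domains)
        dropped = sorted(baseline - current)
        if added and dropped:  # an original participant left and a stranger took the seat
            alerts.append({"message": index, "added": added, "dropped": dropped})
    return alerts

if __name__ == "__main__":
    for alert in recipient_drift(THREAD):
        print(alert)
```

A hit is a prompt for out-of-band verification before any payment change, not proof of compromise, since legitimate threads also gain and lose participants.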

  • View profile for Tal Kandel, CISSP

    Co-Founder & CBO @ malanta.ai | Pre-Attack Prevention

    2,814 followers

    Attackers no longer need to build fake sites; your trusted platforms do the work for them.

    In June 2025, researchers documented AI-generated phishing campaigns exploiting Google Apps Script and DocuSign to bypass email filters and endpoint security. Cloudflare Turnstile was added to make the pages look legitimate, slipping past controls defenders assumed were airtight.

    The operational impact is measurable:

      • 16% of breaches begin with phishing through trusted services, with an average cost of $4.88 M per incident.
      • LOTS campaigns drove BEC losses past $2.8 B in 2024, according to the FBI.
      • Breaches involving unmonitored AI workflows add an average $670,000 in costs, because teams lack visibility into how trusted agents process inputs.

    If traffic runs through a known platform, most teams assume it’s safe, but attackers know it’s not.

    What needs to change?

      • Treat every input into trusted cloud workflows as hostile until proven otherwise.
      • Monitor for anomalies inside sessions, not just at the perimeter.
      • Correlate activity to business intent, not to static allowlists.

    How confident are you that your controls would flag a malicious workflow running through a platform you rely on daily?

    Check https://malanta.ai for more insights

  • View profile for Mike Potter

    Co-Founder & CEO @ Rewind | Protecting the tools you use so you can unleash AI | SaaS resilience for the AI era

    5,715 followers

    SalesLoft just announced they got breached through OAuth token theft. (https://lnkd.in/gdr4v3Rt) I think this is the canary in the coal mine for what's likely to become a massive problem.

    OAuth tokens are becoming the path of least resistance for attackers. Why spend months trying to breach Google, Salesforce, Shopify, Atlassian... (enter any SaaS app here) directly when you can compromise one small vendor that has OAuth access to thousands of accounts? The math is pretty straightforward - hack one app, get access to thousands of customer instances. That's an ROI any attacker would take.

    Pat Opet, CISO at JPMorgan, recently published an open letter that really resonated with me. He essentially said that third-party SaaS risk is one of their biggest concerns. When JPMorgan's CISO is publicly worried about this, I think we all need to pay attention. (Here's his letter: https://lnkd.in/g3vEAyZG)

    Here's something interesting - go to https://lnkd.in/g59W2D6N and look at all the apps that have access to your Google data. I did this and found apps I hadn't used in years. Some I didn't even remember installing. Many still had active access to my email, calendar, and documents. It's eye-opening, and honestly, a bit concerning.

    What Companies Should Be Doing?

    First, audit your OAuth grants regularly. Check every SaaS app that connects third-party apps. I guarantee you'll find surprises. Apps from former employees, tools nobody remembers approving, permissions that don't make sense.

    Second, actually vet vendors before connecting them. I know we all ask for SOC 2 reports, but that's not enough anymore. We need to ask harder questions like: What happens when you get breached? How do you store our OAuth tokens? Can you detect if they're being abused?

    Third, disconnect what you're not using. Those old OAuth connections are like leaving doors unlocked. There are actually some good tools now - companies like Nudge Security that can automatically monitor and manage OAuth sprawl. If you're not using something like this, you're basically flying blind.

    Fourth, and this is where my bias shows - back up your data! When someone uses legitimate OAuth tokens, your security tools just see normal API traffic. You won't know something's wrong until your data is gone. The ability to restore quickly might be your only real defense.

    The Bigger Picture

    I think we've all been so focused on the productivity gains from SaaS (which are real and substantial) that we haven't properly considered the security implications. Every OAuth token is essentially a permanent password to your data that you've handed to a third party. The companies affected by the SalesLoft breach are learning this the hard way. Their data was compromised not because their own security failed, but because they trusted someone else's.

  • View profile for Mary Yang

    Chief Marketing Officer (CMO) | B2B & Public Sector Marketing | Helping high-growth SaaS & cyber startups drive demand/pipeline and brand awareness to support strategic exits/acquisitions

    5,324 followers

    I was hoping the news of a massive Gmail breach was sensationalism. Turns out this 'breach' may be worse: a long-term operational risk for every enterprise, courtesy of the quiet epidemic of infostealer malware.

    If you missed the latest news, Google wasn't breached; the 183 million exposed user credentials came from "infostealer databases," which routinely compile various credential theft activities occurring across the web. Users were infected with infostealer malware, enabling attackers to capture their Gmail credentials. (Analysis shows that over 90% of the email addresses were already circulating from prior leaks, with the full dataset being compiled from various sources throughout "2025". This model confirms the shift from a platform breach to a continuous stream of stolen credentials harvested via malware.)

    This is precisely why business leaders need to shift their focus and risk calculation from a single, catastrophic breach to the slow, cumulative damage of infostealer logs. It's the difference between a single, loud event and a quiet, relentless operational drain.

    Some thoughts that have been percolating in my mind:

    The Browser is the New Perimeter: Infostealers primarily target the browser, stealing credentials, session tokens (which bypass MFA), and autofill data. If your security strategy doesn't deeply secure the browser, you have a massive, unmanaged risk point.

    Credential Theft Powers Ransomware: The stolen credentials from infostealers are the initial access that groups like Scattered Spider use to launch high-impact attacks—including data theft, extortion, and ransomware deployment. They simply buy their way in.

    Stop building a strategy around the breach headline. Start building one around the daily threat in every employee's browser.

    The latest blog post from Neon Cyber dives deep into this infostealer epidemic, and the frighteningly effective attacks that power groups like Scattered Spider and Shiny Hunters. Link to the full post in the comments.

    #Cybersecurity #Infostealers #ScatteredSpider #EnterpriseSecurity #BrowserSecurity

  • View profile for Karen Grill

    Strategies to Help Your Emails Land in the Inbox | Speaker | Email & Funnel Strategist for Coaches, Creators and Service Providers | Business Coach | WI Native

    7,108 followers

    My inbox has been flooded this month.

    "Our emails are suddenly landing in spam."
    "Someone is spoofing our domain."
    "Our open rates dropped 40% overnight."

    Here's what's happening: Gmail is cracking down harder than ever. I'm seeing more spam placement in the past 30 days than the previous six months combined. And it's not just poor setup anymore - it's businesses with authentication that used to work fine suddenly getting flagged.

    Why now? Gmail tightened enforcement. Probably before Black Friday. SPF and DKIM that were "good enough" last quarter aren't anymore. DMARC at p=none? You're essentially inviting spoofers to impersonate you.

    The businesses reaching out thought they had a "content problem" or that "engagement dropped a little." No. Gmail never let your emails through.

    If you're seeing this:

      - Check your DMARC policy (p=none won't save you)
      - Review your SPF and DKIM records NOW
      - Monitor your deliverability weekly, not monthly
      - Look at your DMARC reports

    This isn't a trend. It's the new baseline. Your emails are either authenticated properly, or they're invisible.

    What are you seeing in your inbox placement lately?

  • View profile for Scott Warner

    President & Chief Steward, Ambassador for Better Technology Results, Thought Leader & Community Servant

    2,644 followers

    According to the FBI's Internet Crime Report, phishing losses jumped from $18.7 million in 2023 to $70 million in 2024. Business Email Compromise accounted for $2.77 billion in losses last year alone.

    Email is still one of the easiest ways for an attacker to get into the business and trigger real damage. That can mean a fraudulent wire transfer, a compromised Microsoft 365 account, stolen client or financial information, or hours spent sorting through who clicked what, what was exposed, and what now has to be reset, recovered, or reported.

    What has changed is how believable these messages have become. They are cleaner, better written, and much harder for employees to spot than they used to be. That is why basic spam filtering and a reminder to “be careful” are not enough anymore.

    Here are five areas worth reviewing with your team:

      1. Email protection has to do more than catch obvious junk. It should be set up to identify impersonation attempts, malicious links, suspicious attachments, and messages that do not belong in the environment.
      2. Your domain needs the right protections in place. SPF, DKIM, and DMARC help prevent your company’s domain from being spoofed and used against your employees, clients, or vendors.
      3. Identity controls need to be tight. Multi-factor authentication and conditional access help reduce the odds that a stolen password turns into a compromised account.
      4. Your team needs updated training. Modern phishing emails do not always look sloppy. People need to know what these attacks actually look like now.
      5. You need a response plan BEFORE something happens. If an account is compromised, the business should know who responds, what gets locked down first, how the threat is contained, and how normal operations keep moving.

    Protect your cash flow, client trust, and day-to-day operations.

    If you want a clear read on where your business stands, let’s schedule an IT discovery and look at your email security, identity controls, and response readiness before one bad email turns into a much more expensive problem: https://heyor.ca/6Wvfb3
