5 Things To Know About Latest SolarWinds Hackers’ Attack: How Nobelium Leveraged Constant Contact In Phishing Campaign
Steven Burke, Donna Goodison
The latest attack by the Russian state-sponsored group known as Nobelium involved the Constant Contact email marketing service. Here are five things you need to know about what Microsoft is calling ‘Another Nobelium Cyberattack.’
Can Email Be Trusted In New Threat Landscape?
The use of the Constant Contact email marketing service raises the question yet again of how businesses protect themselves in an era where email is used to gain access to a government agency’s or organization’s crown jewels, solution providers said.
The account credentials attack raises yet again the specter of whether emails can be trusted without being verified, said Michael Luehr, a Microsoft 365 practice manager for Dynamic Consulting LLC, a Microsoft Gold partner that specializes in Dynamics 365 backed up by a full portfolio of Microsoft cloud and security services.
“It used to be that if you got an email you knew who it came from and there were no questions about it,” he said. “It is really getting to the point now where unfortunately email isn’t a trusted platform to go off of. I have had several conversations with our clients about just that topic. Really what it comes down to is letting your users know that email inherently can no longer be trusted at face value.”
The maddening thing about the latest attack, said Luehr, is that it was from a “legitimate email service (Constant Contact), using legitimate accounts, to legitimate end users but the payload was malicious.”
Luehr compared the attack to the Mission Impossible movie and TV show franchise in which the agency would use “masks and voice changers” to impersonate or effectively steal the identity of another person.
“That is what is going on here, but it is easier to do it over email since there was no physical interaction,” said Luehr. “There was a famous wrestler who used to say ‘don’t trust anybody.’ That is what is going on with email: don’t trust email.”