<ciso brief />

All news with #email security tag

67 articles

Phishers Use ASCII QR Codes to Evade Scanners Now Widely

🛡️ Attackers have started embedding QR codes as ASCII art in phishing emails to bypass image and link scanners. The lure often impersonates services like DocuSign, instructing victims to scan and enter corporate credentials on mobile devices. Deploying secure email gateways with ASCII-decoding and endpoint protections helps detect and block these campaigns and reduce risk.

Protect Growing Businesses in an AI-Powered World Now

🔒 AI is reshaping work and accelerating threats, with AI-automated phishing reported to be 4.5× more effective than traditional attacks. Growing businesses must balance speed, stability, and risk while often lacking dedicated security teams. Microsoft Security promotes simple, integrated protections for devices, identities, email, and cloud apps. Microsoft 365 Business Premium provides centralized, automated defenses so operations stay resilient and customer trust is preserved.

Critical Exim GnuTLS Flaw Allows Remote Code Execution

⚠️ A critical use-after-free flaw in Exim (CVE-2026-45185) affects GnuTLS builds prior to 4.99.3 and can be triggered during TLS shutdown while processing BDAT chunked SMTP. The vulnerability allows an unauthenticated remote attacker to achieve arbitrary code execution and access mail data. OpenSSL-based builds are not affected. Administrators should apply Exim v4.99.3 updates immediately via their package managers.

Amazon SES Mail Manager Adds AWS GovCloud (US) Regions

📨 Amazon SES Mail Manager is now available in AWS GovCloud (US-East and US-West), expanding Mail Manager coverage to 30 AWS regions. The managed gateway centralizes inbound and outbound email routing, filtering, and archiving to simplify infrastructure and reduce reliance on multiple third‑party tools. This AWS-native solution aims to improve visibility and operational control while lowering cost and complexity for regulated and government customers.

Microsoft to Deprecate Legacy TLS for Exchange Online

🔒 Microsoft will block legacy TLS connections for POP and IMAP access to Exchange Online starting July 2026, deprecating TLS 1.0 and TLS 1.1. Connections that attempt to use those versions will fail, which may prevent older email clients, devices, or embedded systems from connecting. The company says most customers won't be affected because the majority of traffic already uses TLS 1.2 or later. Administrators are advised to verify client configurations, update custom or legacy systems, and avoid legacy endpoints to prevent disruption.

Robinhood Onboarding Flaw Used to Send Phishing Emails

🔒 Threat actors abused a flaw in Robinhood's account creation flow to inject arbitrary HTML into account confirmation emails, producing convincing Unrecognized Device warnings that directed recipients to a phishing site. The messages originated from noreply@robinhood.com and passed SPF and DKIM checks, which made them appear legitimate. Robinhood confirmed there was no systems breach or impact to customer funds and removed the vulnerable Device: field to remediate the issue. Recipients are advised to delete the emails and verify any suspicious alerts through the official app or website.

Apple account alerts abused to deliver phishing lures

📧 Threat actors are exploiting Apple account-change notifications to deliver callback phishing within legitimate emails sent from Apple's infrastructure. They place scam text into the account's first and last name fields, then trigger a shipping-info update so Apple sends the altered notification. Because messages are sent from appleid@id.apple.com and pass SPF, DKIM, and DMARC, they appear authentic and can bypass filters, increasing the risk of successful callback scams.

Mailbox Rule Abuse in Microsoft 365: A Rising Threat

🔒 Security researchers report a rise in attackers abusing mailbox rules inside Microsoft 365 accounts to maintain post-compromise access, exfiltrate data and manipulate communications. The Proofpoint analysis found that roughly 10% of breached accounts in Q4 2025 had malicious rules created within seconds of takeover. Rules are often given minimal or nonsensical names and configured to delete messages or move them to low-visibility folders to evade detection. Defensive steps include disabling external auto-forwarding, enforcing MFA, monitoring OAuth and promptly removing malicious rules and revoking sessions.

Weaponizing SaaS Notification Pipelines for Phishing

🔔 Cisco Talos observed a rise in campaigns that weaponize SaaS notification pipelines in collaboration platforms to deliver phishing and credential‑harvesting lures. Attackers embed malicious content in GitHub commit messages and in user‑configurable Jira project fields so automated notifications, signed by the platforms, bypass SPF, DKIM, and DMARC checks. Talos describes this as a Platform‑as‑a‑Proxy (PaaP) abuse and recommends moving to Zero‑Trust, instance‑level verification, and API telemetry to detect and block these attacks.

Microsoft Links Classic Outlook Bug to Email Delivery Issues

📧 Microsoft is investigating a known issue that prevents some Classic Outlook users from sending messages via Outlook.com, causing non-delivery reports that indicate permission errors (0x80070005-0x0004dc-0x000524). The problem is more likely when the Outlook.com account is an Outlook profile linked to another Exchange account or when an Exchange Online mail contact shares the same SMTP address. Microsoft published temporary workarounds — remove the M365 account Address Book, hide the Outlook.com contact in the Global Address List, create a fresh Classic profile with only the affected account, or use the New Outlook client or webmail until a permanent fix is deployed.

Amazon SES Mail Manager Adds mTLS, TLS Options and Actions

📧 Amazon Simple Email Service Mail Manager now supports optional TLS (including STARTTLS) and certificate-based mutual TLS (mTLS) on Ingress Endpoints, plus two new rule actions: Invoke Lambda function and Bounce. These additions let organizations preserve compatibility with legacy email systems while implementing stronger authentication and custom processing workflows. The Invoke Lambda action enables direct serverless email processing and automation, and the Bounce action issues RFC-compliant SMTP responses to senders. The features are available today in all Regions offering SES Mail Manager except the Middle East (UAE and Bahrain).

Spammers Abuse Yandex Surveys to Host Phishing Campaigns

⚠️ Kaspersky researchers have observed threat actors abusing Yandex Surveys to host phishing content and evade email filters by leveraging the platform's legitimate domain reputation. Attackers embed fraudulent pitches and malicious links in rich-text survey blocks, add official-looking logos, then hide interface elements with invisible padding; Kaspersky Premium blocked about 2,200 such messages in January and over 32,000 in February. Recipients who follow the links land on polished giveaway pages that harvest personal data, wallet addresses, or payments.

Microsoft fixes Outlook sync bug affecting Gmail users

🔧 Microsoft has resolved a known issue that caused Classic Outlook to stop syncing Gmail and Yahoo accounts and to show 0x800CCC0F and 0x80070057 error codes. Affected accounts reportedly stopped syncing on February 26, 2026; Microsoft says the fix was applied in the Microsoft 365 service, but some users may still see issues until their OAuth token expires. As a temporary workaround, Microsoft recommends deleting the affected email address entries under the Identities key at Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities to force a sign-in prompt.

Phishers Using Bubble No-Code Platforms for Redirects

🔗 Phishers are exploiting the Bubble no-code app builder to host web apps whose URLs appear legitimate and thus evade email filters. The platform’s dense JavaScript and Shadow DOM output confuses automated scanners, masking simple redirects to credential-harvesting pages. These Bubble-hosted apps are embedded in phishing messages and lead victims to convincing Microsoft sign‑in clones. Organizations should combine user training with endpoint protections and gateway anti-phishing controls to reduce risk.

Azure Monitor alerts abused for callback phishing campaigns

⚠️ Microsoft Azure Monitor alerts are being abused to distribute callback phishing messages that impersonate billing and security notices. Attackers create alert rules with custom descriptions and configure them to send emails to lists they control, causing legitimate azure-noreply@microsoft.com messages to reach targets and pass SPF/DKIM/DMARC checks. Recipients are urged to call listed numbers, a tactic that can lead to credential theft, payment fraud, or remote access compromise.

Latest Microsoft Email Security Benchmark Findings

🛡️ Microsoft published updated email security benchmarks comparing Defender, secure email gateways (SEGs), and integrated cloud email security (ICES) solutions. The data shows Microsoft Defender removes an average of 70.8% of malicious email post-delivery, with ICES partners contributing the remaining 29.2% of post-delivery remediation. Layering matters: integrated ICES solutions improve marketing and bulk filtering by an average of 13.7%, while incremental gains for spam and malicious filtering were modest (around 0.29% and 0.24% respectively). The report also compares misses per 1,000 users, showing Defender had fewer high-severity misses than several evaluated SEG vendors.

Extortion Emails Sent to HungerRush Restaurant Customers

🔔 Customers of restaurants using HungerRush, a provider of POS, online ordering, delivery, and payment services, reported receiving mass extortion emails claiming millions of customer records would be exposed if the company did not respond. The messages were delivered via Twilio SendGrid infrastructure and, according to headers, passed SPF, DKIM, and DMARC checks for the hungerrush.com domain. Security researchers also reported an earlier infostealer infection on an employee device that allegedly harvested corporate credentials, though a direct link to a confirmed breach has not been established. Customers should be vigilant for targeted phishing and SMS scams that may leverage any exposed data.

Cloudy LLM Explanations Expand across Cloudflare One

☁️ Cloudflare’s new Cloudy layer uses LLMs to translate complex security telemetry into concise, human-readable guidance inside Cloudflare One. It generates plain-language explanations for Email Security detections and structured Risk + Guidance summaries for CASB findings to help teams act faster. Phishnet reporting will surface real-time Cloudy summaries via Workers AI to reduce SOC noise and guide end users. Microsoft beta starts soon, with wider rollouts and Google Workspace support planned.

Preventing Business Email Compromise: Practical Steps

🔒 Business email compromise (BEC) is a high-impact social engineering threat that targets organizations' financial and identity workflows. The article outlines pragmatic defenses: enforce MFA, validate DMARC/DKIM/SPF, deploy advanced phishing and spoofing filters, and maintain continuous security awareness training with simulated attacks. It also recommends dual-approval for large transfers, stricter help-desk verification, and monitoring for anomalies such as mailbox forwarding rules, impossible-travel logins, and last-minute bank-detail changes to accelerate detection and response.

Phishing Abuse of Google Tasks to Steal Credentials

🔔 Attackers are abusing Google Tasks notifications to bypass email filters and trick employees into submitting corporate credentials. Recipients receive legitimate-looking @google.com notices urging urgent action and a link to a credential-harvesting form. Organizations should train staff, maintain clear lists of authorized services, and consider mail gateway security and endpoint protection to block phishing sites. Use tools like Kaspersky Automated Security Awareness Platform to automate training.