The World Health Organization this week disclosed that some 450 active WHO email addresses and passwords were leaked online recently amid a big overall increase in cyberattacks directed at its staff.
https://www.darkreading.com/attacks-breaches/who-confirms-email-credentials-leak/d/d-id/1337650
What this means is that attackers now have an opportunity to send phishing from authentic WHO addresses. This is business email compromise at its best… well, if they hadn’t got caught. A large part of how filtering solutions work is based on the metadata of an email. What address did the email come from? Did SPF pass? Did DKIM pass? When attackers send through the compromised accounts, all of this metadata will pass. As long as the attackers don’t do something overtly stupid like sending malware attachments through, filters are in trouble.
Identification Is Not Authorization
Enveloperty will have a tricky time detecting phishing sent from these WHO addresses as well. We do similar metadata checks such as SPF and DKIM. But the key is that we have an ace in the hole. Our users are encouraged to set contextual limits for contacts. A senior dev isn’t allowed to ask for medical insurance information. A human resources employee isn’t allowed to ask for credentials to the AWS instances.
This is the difference between identification and authorization. “Yes, I do believe you are Michael Greenburg, a senior developer in good standing with our company. But you do not have authorization to ask me these questions.” This is the difference that protects against business email compromise such as at WHO. Firmly defining boundaries means that even a dramatic breach has limited impact.
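The two-stage check described above, as an added Python example that is not Enveloperty’s code: the contact policies, the keyword-based request categories and the example.org addresses are constructed placeholders. A message whose SPF and DKIM pass (identification) is still flagged when the sender’s role is not authorized to ask for what the body requests (authorization).

```python
import re
from dataclasses import dataclass

# Hypothetical request categories a message body can be classified into (keyword-based).
REQUEST_PATTERNS = {
    "credentials": re.compile(r"\b(password|credentials|access key|aws)\b", re.I),
    "medical": re.compile(r"\b(insurance|medical|diagnosis)\b", re.I),
}

@dataclass(frozen=True)
class ContactPolicy:
    role: str
    may_request: frozenset  # request categories this contact is authorized to make

def parse_auth_results(header: str) -> dict:
    """Pull spf=/dkim=/dmarc= verdicts out of an Authentication-Results header value."""
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}

def identified(header: str) -> bool:
    """Identification step: the message really did come from the claimed domain."""
    r = parse_auth_results(header)
    return r.get("spf") == "pass" and r.get("dkim") == "pass"

def classify_requests(body: str) -> set:
    """Which categories of information does the body ask for?"""
    return {cat for cat, pat in REQUEST_PATTERNS.items() if pat.search(body)}

def evaluate(message: dict, policies: dict) -> str:
    """Authorization step: is this identified contact allowed to ask for this?"""
    if not identified(message["auth_results"]):
        return "failed-auth"
    policy = policies.get(message["from"].lower())
    if policy is None:
        return "unknown-sender"
    denied = classify_requests(message["body"]) - policy.may_request
    return "unauthorized-request:" + ",".join(sorted(denied)) if denied else "pass"

# Constructed sample data: placeholder addresses, not real WHO or Enveloperty data.
POLICIES = {
    "m.greenburg@example.org": ContactPolicy("senior developer", frozenset({"credentials"})),
    "hr@example.org": ContactPolicy("human resources", frozenset({"medical"})),
}
SAMPLE = {  # SPF and DKIM pass, as they would from a compromised but genuine mailbox
    "from": "hr@example.org",
    "auth_results": "mx.example.net; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org",
    "body": "Hi, please send me the AWS access key for the production instances today.",
}

if __name__ == "__main__":
    print(evaluate(SAMPLE, POLICIES))  # unauthorized-request:credentials
```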