37% of third-party applications have high-risk permissions

Email attacks have increased in both sophistication and volume since the start of the year, according to Abnormal Security.

Examining data since 2013, Abnormal identified a massive increase in third-party applications (apps) integrated with email, underscoring the proliferation of an emerging threat vector that cybercriminals are exploiting as they continue to shift their tactics.

Third-party applications risk

The number of integrated third-party apps continued to rise in the first half of 2023 (between January and June), during which time Abnormal also observed overall increases in business email compromise (BEC) and vendor email compromise (VEC) attacks, continuing a trend that has persisted over the last five years.

Abnormal’s research showed that the average organization integrates 379 third-party apps with email—a 128% increase since 2020. And for large enterprises with 30,000+ employees, the number of integrated third-party apps shoots up to 3,973, on average. These include apps for collaboration, productivity, development, social networking, security, and more.

“So many of today’s organizations lack visibility into connected third-party apps within their email environment, and attackers are taking note,” said Mike Britton, CISO at Abnormal. “Historically, cybercriminals relied on sending credential phishing links via inbound email to access and compromise accounts. But as more security leaders began locking down this ‘front door’ with solutions to detect those malicious messages, attackers have adapted their tactics. Now, they’re increasingly targeting email ‘side doors’ via third-party app integrations to compromise accounts and read emails undetected.”

Across the integrated third-party applications, 37% have high-risk permissions, such as the ability to create and delete emails or users, and even reset user passwords. Britton continued, “These findings show us just how important it is for security teams to understand which apps are connected to email and what permissions they’ve been assigned. Understanding risk is the first step in ongoing efforts to manage security posture.”

BEC and VEC attack volumes

The report also showed a rise in both BEC and VEC attacks in the first half of 2023. BEC attacks increased by 55% over the previous six months, and 48% of all organizations received at least one VEC attack during that same time frame.

Additional findings from the first half of the year include:

• A 34% increase in VEC attacks over the previous two halves.
• BEC attacks outpaced malware in a reversal of findings from the previous half.
• Large organizations are especially at risk. There is a 90%+ chance of receiving at least one BEC attack and a 76% chance of receiving at least one VEC attack each week for organizations with 5,000+ mailboxes.
• The technology industry is the most popular target for BEC attacks, while advertising/marketing is the most popular target for VEC attacks. Other popular targets for BEC attacks include construction, advertising/marketing, finance, transportation, and media/entertainment.

“The fact that BEC and VEC attacks are continuing to grow—despite more security awareness and continued advancements in legacy security tools—shows us that email is still one of the easiest ways to infiltrate organizations,” said Britton. “And with the rise of generative AI tools like ChatGPT to help craft these emails, it’s only getting easier for threat actors to keep scaling their attacks in sophistication and in volume.”