SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
SquareX reveals gaping hole in major email providers' security measures
Thu, 4th Apr 2024

SquareX, the browser-security startup, has recently completed an extensive study revealing a concerning lack of effectiveness among major email providers in their ability to identify and counteract malicious document-based threats. The study, conducted by SquareX's research and development team under the leadership of renowned cybersecurity entrepreneur Vivek Ramachandran, raises questions regarding the reliability of current email security measures and poses potential risks to millions of global users.

The investigation covered 100 malicious document samples, divided into four categories: original malicious document samples sourced from MalwareBazaar, slightly altered versions, those modified using long-established attack tools, and basic macro-enabled documents. These documents were sent via a third-party email provider, ProtonMail, to the principal email providers, including Gmail, Outlook, Yahoo, AOL, and Apple iCloud Mail.

Unsettlingly, the study found that while Gmail and Outlook exhibited elementary detection abilities on the unaltered malicious document samples, they fell short when it came to detecting the modified samples, which had been altered using readily available attack tools. This serious cybersecurity oversight could potentially threaten millions of users across the globe.

Given the global reliance on email services as secure avenues for communication, the results of this study highlight the necessity of questioning the effectiveness of existing email security measures. It further draws attention to a potentially damaging false sense of security that countless users and businesses worldwide may harbour. The unfortunate reality is that, as cyber threats become progressively more sophisticated, email providers appear inadequately equipped to detect and intercept these escalating threats, leaving their users exposed to potential exploitation.

SquareX's founder, Vivek Ramachandran, said of the findings, "The inadvertent discovery of this significant lapse in email security during our product enhancement process was startling." Ramachandran continued, "Our aim in publicising these findings is to stir a dialogue on the urgent requirement for fortified security measures. We also hope to prompt email providers to either augment their security protocols or transparently acknowledge their current limitations."

In an attempt to close this security gap, SquareX has introduced an advanced in-browser malicious document scanning feature as part of its browser extension, currently in beta. The company presents this development as an indication of its commitment to improving web safety, and as a call to other companies to collaborate in securing web activities against cyber-attacks for both individual users and enterprises.