What Is a Sandbox Environment? Exploring Their Definition and Range of Applications

The Purpose of a Sandbox

A sandbox is a controlled and isolated environment in which security professionals analyze, observe, and execute suspicious or potentially malicious software, files, or code without harming their production systems. Think of it as a digital quarantine zone for testing and assessing the behavior of unknown or untrusted programs.

Sandboxes are essential for investigating and identifying malware, infections, and other online threats. By observing a potential threat, its interactions with the system, and its behavioral patterns in a controlled virtual environment, security teams can examine the malware’s operations meticulously, determine its primary goal, and develop effective countermeasures to safeguard their environment.

Below, we will explore how to utilize a sandbox in your environment, including its perks, functionality, limitations, and its role in safeguarding against cyber-attacks.

How Does a Sandbox Work?

Sandboxing is a critical cybersecurity technique that IT professionals often rely on. Untrusted code is isolated within a secure environment using techniques such as virtualization or process separation, then executed and observed by monitoring its interactions with specific processes, files, and network connections.

No matter how a sandbox is used, every implementation relies on the same core feature: isolation. Sandboxing involves separating the code or application being tested or analyzed from the rest of the system. This isolation is achieved through various means, including:

Process Isolation

The code is run in a separate process with restricted access to system resources, files, and network connections.

Virtualization

In some cases, sandboxing uses virtualization technologies to create a virtual machine (VM) or container that emulates a complete operating system. The code runs within this virtual environment, keeping it separate from the host system.

User Permissions

Sandboxed code is often executed under a different user account or with limited permissions, denying it access to critical system resources. Sandboxes are also used by cloud hosts and certain applications, where restricted access is likewise common, to ensure that the enclosed program cannot infiltrate or compromise the host computer.
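As an added illustration of process isolation and user-permission isolation (example code written for this page, not from the original article): an untrusted command is run in a separate child process with hard CPU, memory and file-size limits, an empty environment, a fixed working directory and a wall-clock timeout, and the child drops to an unprivileged account when started as root (assumed here to be uid/gid 65534, "nobody"). Linux/Unix only, since it relies on the `resource` module; network isolation would additionally need namespaces or a container.

```python
"""Process-level sandbox: run an untrusted command in a separate process with
hard resource limits, a minimal environment, a fixed working directory and a
wall-clock timeout.  Linux/Unix only (uses the `resource` module)."""
import os
import resource
import signal
import subprocess
from dataclasses import dataclass


@dataclass
class SandboxResult:
    returncode: int   # 0 = exited normally, <0 = killed by that signal number
    stdout: str
    stderr: str
    timed_out: bool


def _lower_limit(kind: int, value: int) -> None:
    """Set soft and hard limit to `value`, never above the current hard cap."""
    _soft, hard = resource.getrlimit(kind)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(kind, (value, value))


def _make_preexec(cpu_seconds: int, mem_bytes: int, drop_to_uid: int):
    """Return the function executed in the child between fork() and exec()."""
    def preexec() -> None:
        _lower_limit(resource.RLIMIT_CPU, cpu_seconds)   # SIGXCPU on CPU-time overrun
        _lower_limit(resource.RLIMIT_AS, mem_bytes)      # address-space (memory) cap
        _lower_limit(resource.RLIMIT_FSIZE, 0)           # any file write fails (SIGXFSZ)
        _lower_limit(resource.RLIMIT_CORE, 0)            # no core dumps left on disk
        # User-permission isolation: if we are root, drop to an unprivileged
        # account before exec (assumption: uid/gid 65534 is "nobody").
        if os.geteuid() == 0:
            os.setgroups([])
            os.setgid(drop_to_uid)
            os.setuid(drop_to_uid)
    return preexec


def run_sandboxed(argv, cwd, cpu_seconds=2, mem_bytes=256 * 1024 * 1024,
                  wall_seconds=5, drop_to_uid=65534) -> SandboxResult:
    """Run `argv` isolated from the parent process and collect its output."""
    proc = subprocess.Popen(
        argv,
        cwd=cwd,                              # fixed working directory
        env={"PATH": "/usr/bin:/bin"},        # no inherited secrets in the environment
        stdin=subprocess.DEVNULL,             # nothing to read from the parent
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True,
        start_new_session=True,               # own process group: children die with it
        preexec_fn=_make_preexec(cpu_seconds, mem_bytes, drop_to_uid),
    )
    try:
        out, err = proc.communicate(timeout=wall_seconds)
        return SandboxResult(proc.returncode, out, err, False)
    except subprocess.TimeoutExpired:
        # Wall-clock limit hit: kill the whole process group, then reap it.
        try:
            os.killpg(proc.pid, signal.SIGKILL)
        except ProcessLookupError:
            pass
        out, err = proc.communicate()
        return SandboxResult(proc.returncode, out, err, True)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(run_sandboxed(["sh", "-c", "echo hello"], cwd=tmp))
        print(run_sandboxed(["sh", "-c", "echo secret > dropped.txt"], cwd=tmp))
        print(run_sandboxed(["sh", "-c", "sleep 30"], cwd=tmp, wall_seconds=1))
```

The second call shows the file-size limit in action: the redirection is refused and the shell exits abnormally, so nothing the untrusted command produces lands on disk.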

Browser Sandboxes

Browser sandboxes are a subset of application-level sandboxes that isolate web browser processes and tabs from each other and the underlying operating system. They prevent web-based threats, such as malicious websites and JavaScript, from compromising the user’s device by running untrusted web content in isolated environments.

How to Create a Sandbox Environment

To choose the right sandbox environment, consider your purpose (malware analysis, testing, or browsing), operating system compatibility, isolation level needed, ease of use, and performance impact.

Security features, community support, and tool compatibility are crucial. Factor in resource requirements, costs (for commercial solutions), customization options, update frequency, and user feedback. Make a decision that aligns with your specific goals, ensuring it meets your needs while balancing security and usability.

Testing and experimenting with different sandboxes can help you find the best fit for your requirements.

Again, the specific steps to create a sandbox may vary depending on your needs and the tools available, but here are some general guidelines:

Choose a Sandbox Type

Software Sandboxes

These are virtualized environments that can be set up using software tools. Popular options include VirtualBox, VMware, Docker, and Kubernetes.

Hardware Sandboxes

These are physical devices or systems dedicated to sandboxing. They can be used for more stringent isolation but are often more resource-intensive.

Select the Purpose

Determine why you need the sandbox. Is it for malware analysis, software testing, network traffic analysis, or other purposes? The intended use will influence your setup.

Install Operating Systems

If you’re creating a virtualized sandbox, you may need to install one or more guest operating systems within the virtual environment. These can be different versions of Windows, Linux, or other OSes, depending on your use case.

Isolate the Sandbox

Implement strict isolation between the sandboxed environment and the host system. Ensure that the sandboxed code or applications cannot access critical system resources or sensitive data on the host.

Examples of Using a Sandbox Environment

Antivirus sandbox

An antivirus sandbox is used to assess suspicious files for possible threats. When a user downloads a file, the antivirus program separates it from the main system and places it in the sandbox.

In this controlled environment, the file is run while the antivirus software monitors it and searches for malicious behavior, including changing system files or establishing unwanted network connections.

Additionally, the sandbox checks the file’s signature against a database of known threats. Based on these tests, the antivirus determines whether the file is safe or malicious, protecting the user’s machine against infection.

Virtual machine (VM)

Setting up a virtual machine (VM) as a sandbox creates an isolated, virtual environment on a host computer.

By emulating hardware components such as the CPU and storage, it establishes a safe environment for executing malicious files or untrusted applications and data. A VM sandbox may, for instance, be used to open phishing mail attachments. The sandboxed program runs within the virtual machine, independently of the host system.

This enables secure observation and analysis of its actions. The host cannot be affected, even if the attachment turns out to be malicious.

A VM backup of the sandbox provides a safety net for recovery and rollback: if a file in your sandbox becomes corrupted or causes harm to the system, you can quickly restore the VM to a previous state using the backup.

This cuts down on downtime and guarantees that testing and development may continue without being significantly interrupted.

Link verification

QR code scams can point to malicious URLs, and a sandbox can be used to verify the destination website before a user visits it. It can assess whether the linked website contains known phishing or scam indicators, helping users avoid interacting with malicious sites.

Benefits of Using a Sandbox Environment

Sandboxing has several advantages, including:

Threat identification and analysis

Sandboxing enables security teams to examine the behavior of unknown or suspect files in order to discover and reduce possible security threats.

Zero-day protection

Sandbox environments can assist in detecting and preventing zero-day attacks, which are exploits that aim to take advantage of software vulnerabilities that have not yet been found or fixed.

Network traffic analysis

Sandboxing can also be applied to network traffic analysis, allowing organizations to inspect incoming and outgoing network traffic for suspicious or malicious behavior. This helps in identifying and mitigating threats at the network level.

Malware analysis

Sandboxing gives security researchers a secure, isolated environment to execute and examine malware samples, characterize their traits, and observe their behavior.

User and data protection

By preventing malicious code from executing on user devices or servers, sandboxing helps protect sensitive data and user privacy, for example by receiving email attachments for analysis before the recipient can open them.

Organizations must also take into account the following sandboxing obstacles:

False positives: Sandboxing may produce false positives when harmless files or programs are mistakenly classified as harmful.

Resource requirements: The amount of processing power, memory, and storage needed for sandbox environments is large, which can have an effect on performance and scalability.

To properly protect your cyber environment and minimize risk, it is important to educate your employees with Security Awareness Service and to use Advanced Threat Protection to secure your critical data.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.

Conclusion

In today’s digital world, every click, every share and every byte of data we transmit tells a story about us. People entrust their secrets, memories, finances, their very lives, to this world, often more than they should.

And yet many are oblivious to the fragility of this trust, where the lines between right and wrong often blur. Mitigating those risks by employing a safe, controlled sandbox environment to detect, prevent, and analyze online threats is only a fraction of the security controls that organizations need to employ.

FAQ

What is a sandbox environment in development?

A sandbox environment in development is a controlled and isolated space where software developers can test, experiment, and deploy applications without affecting the production environment. By isolating development and testing from production systems, resources are used more efficiently, and downtime is minimized.

What is the difference between a sandbox and a test environment?

A sandbox is an isolated space for experimentation and small-scale testing, often with simplified data, while a test environment replicates the production setup closely for comprehensive testing. Sandboxes are used for development, learning, and safely analyzing potential threats, whereas test environments ensure software reliability and accuracy before deployment to production.

What is the difference between a virtual environment and a sandbox?

Sandboxes and virtual environments share similar characteristics, which makes them easy to confuse.

Technically, a virtual environment can act as a safe, isolated space for executing untrusted code, whereas a sandbox environment is a controlled area for testing, experimentation, and security isolation. While both provide isolation, they serve different purposes, with virtual environments focusing on dependency management and sandboxes on broader software testing and security.

Hornetsecurity’s Cyber Security Report 2024 is here!

Every year we at the Security Lab here at Hornetsecurity sift through billions of emails and analyze the data to provide actionable insights to cyber defenders everywhere.

This article serves as your appetizer for the main course, the free report which you can download here.

In this year’s report we processed over 45 billion emails and just over a third of those, 36.4%, were categorized as unwanted. Out of that slice, 96.4% were spam or rejected outright due to external indicators, with 3.6% identified as malicious emails.

Out of all the malicious emails we identified, the majority were phishing emails (43.3% which is a 4% increase from last year) while the second most prevalent type was malicious links at 30.5% (an increase of 18%!). In the report itself we analyze these findings in more detail and tease out how you can use these data to defend your organization.

We also look at attachment types and analyze why certain types are gaining in “popularity” with the criminals and why others are losing their appeal, such as Microsoft Office documents. We also looked at which industry verticals were most targeted (Research, Manufacturing and Entertainment), another point you can use to raise awareness with your organization’s leadership if you need to.

The report looks at backup in Microsoft 365, the need for it and Microsoft’s changing stance on the topic as well as how to manage permissions effectively in a tenant, something that’s very hard using only the built-in tools. The rise of QR code phishing is noteworthy, as is the prevalence of brand impersonation in malicious emails.

As Multi-Factor Authentication (MFA) adoption increases, criminals are adapting by using Attacker-in-the-Middle kits such as W3LL to trick users and steal identity tokens, even when MFA is used. The risks of vendor overdependence are analyzed in the report, and we also look at several high-profile security events in the Microsoft 365 sphere, including the highly sophisticated Storm-0558 attack on Entra ID.

An interesting part of last year’s report was our predictions for emerging risks and trends over the following 12 months; in this year’s report we look at how we did with those. We also outline our predictions for the coming year, which include the use of AI for both attack and defense, the proliferation of MFA bypass techniques, supply chain attacks, and the risks of network slicing in 5G networks. There are many others, and we go in depth in the report.

The report rounds out with a look at how you can protect your organization, how to build a cyber resilient culture, getting the basics of cyber hygiene right, and how to adopt a zero-trust mindset across the whole business.

Hopefully this has enticed you to grab the full Cyber Security Report, get all the details and most importantly, improve your own and your organization’s security posture. We at Hornetsecurity are here to help you.

What Are Insider Threats? Definition, Types, and Mitigation Tactics

What Is an Insider Threat?

An insider threat is like a wolf in sheep’s clothing. Outwardly, they appear just like any other trusted member of your enterprise, but inside, they have the potential and the agenda to destroy whole infrastructures or manipulate data for their own satisfaction or for monetary gain.

They can be a current or former employee, a disgruntled system administrator, an outside contractor, cyber intrusion, or an infiltrator from a business competitor. Their objectives can range from fraud and intellectual property theft to plain and simple revenge.

Types of Insider Threats

When you first think of insider threats, the first thing that comes to mind is a person with privileged system access, such as a system or database administrator, or individuals with elevated capabilities within applications, but that’s not always the case.

Today, anyone can become an insider threat, willingly or unwillingly, by providing valuable information to an external source after a successful phishing attempt.

However, the motives fluctuate, and there are various reasons why one might become an insider threat:

Malicious insider

This individual has joined the company for the sole purpose of retrieving information from the organization, and their motives could be financial or based on espionage on behalf of a government.

What they do with the stolen data is a debatable subject, as they could sell it to a third party or a competitor, and it mostly boils down to money. They can act alone or in a group with a larger picture, depending on their end-game.

Lack of recognition

Workers who do not have a strong sense of identification with or loyalty to the company may be more inclined to take part in insider threats. A sense of disengagement, a short-term job outlook, or a lack of engagement may bring this on.

Sabotage

Employees may turn spiteful and commit acts of sabotage if they believe their diligence and commitment are not appreciated and/or go unnoticed. For vengeance or attention, they might purposefully interfere with operations by installing malware, harming systems, and erasing essential data, or their motive could only be driven by chaos.

Insider Espionage

Sometimes, the most vulnerable employees are the ones who feel undervalued or mistreated. When outside actors sense that an insider feels neglected, they may contact them. These outside parties might recruit such people to disclose private company secrets, conducting insider espionage.

Ideological or Political Motivation

Insiders may have strong ideological or political beliefs that lead them to engage in insider threats. They might seek to disrupt the organization’s functioning for ideological reasons or to expose wrongdoing inside it.

(H)Activism

Employees may utilize their access to an organization’s systems to further their political or ideological agendas. They might, for instance, partake in hacktivism, which is breaking into systems to forward a political viewpoint or message.

Whistleblowing

People occasionally hold a strong moral conviction that an organization is engaging in unethical or illegal activity that conflicts with their beliefs. They might commit insider threats by revealing private information in an effort to expose misconduct, ruining the company’s reputation or punishing it financially.

Personal problems

An organization’s internal insider risks may be influenced by personal issues. Insider threats may arise when employees or individuals with access to an organization’s systems and data face substantial personal concerns or challenges that affect their behavior. Personal issues can lead to insider threats in a number of ways, including:

Financial Stress

As they say, money is the root of all evil. Individuals with financial difficulty may be more susceptible to corruption and accepting bribes from outside parties that want access to confidential data. They might jeopardize security to benefit financially from it.

Personal legal troubles

People who encounter legal issues, such as criminal charges or lawsuits, may be more susceptible to external threat actors who could use those personal issues as leverage to pressure them into performing malicious activities.

Insider Threat Behavior Patterns

The term “insider threat behavior patterns” describes the visible behaviors and acts that people within an organization display that may point to the possibility of an insider threat. Understanding these trends is essential for early insider threat identification and mitigation. The following are typical insider threat behavior patterns:

  1. Access abuse: Insiders may frequently access private systems, documents, or locations outside the bounds of their official duties. Unauthorized access to financial information, private papers, or intellectual property are examples that indicate an employee might have an agenda that differs from their role.
  2. Data Hoarding/Exfiltration: Insiders may be planning to misuse or exfiltrate information if they gather or download an excessive amount of data, especially if it has nothing to do with their job responsibilities.
  3. Unauthorized Software Installation: Installing malicious or unauthorized software on work-issued devices is cause for concern because it can be leveraged to cover up insider activity or exploit security holes.
  4. Social Engineering: One of the main signs of insider threats is manipulative behavior intended to deceive coworkers into disclosing private information, circumventing security measures, or helping with insider attacks.
  5. Unauthorized Physical Access: Employees who have physical access to a company’s facilities run the risk of abusing it to steal devices and private documents or compromise physical security.

How to Detect Malicious Insider Threats

Do you know your people? Detecting an insider threat can be a difficult task, but not impossible, as every employee has a certain amount of power and a baseline behavior within the company. Before you can look for anomalies, you must create a baseline of “normal” behavior in both people and systems.

Typical login times, data access patterns, communication styles, and job-related tasks should all be part of this baseline.

Data exfiltration can be averted by enforcing Data Loss Prevention (DLP) solutions that continuously monitor data movement and transfers across the network. Any employee retrieving or exfiltrating sensitive data is potentially malicious behavior that should not go unnoticed by the DLP solution, which can provide early detection of an insider threat.

No matter how secure you think your company is by implementing different kinds of solutions, Security Awareness Training should be the first priority of the company, as humans are the weakest link in the organization.

Training and raising the awareness of your employees while encouraging them to report any suspicious activity is the single greatest shield against a malicious insider threat.

How to Protect Against Insider Attacks

In order to protect against cyber attacks, the most important thing for corporate security is to mitigate insider risks. Start by putting rigorous access controls in place and limiting unnecessary access, following the principle of least privilege.

  • Establish clear security guidelines and provide staff training to encourage a vigilant culture.
  • Urge the creation of solid and one-of-a-kind passwords that require frequent changes.
  • Keep an eye out for anomalies in user behavior, particularly regarding system logins and data access.
  • To encourage employees to raise suspicions, create a confidential reporting method.
  • When employing new employees, make sure they have undergone extensive background checks. You should also implement security safeguards for outside vendors accessing your systems. These steps can aid in defending your company from insider threats.

Your IT security staff needs to understand the importance of confidentiality and integrity in the data they process and possess. Knowing what to protect is the most critical thing when it comes to security, whether digital or physical property.

Advanced Threat Protection is essential for preventing insider threats, offering cutting-edge tools and technologies to identify anomalous activity, illegal access, and data exfiltration. It improves overall security by reducing the risks associated with both deliberate and unintentional insider threats.

Enhance employee awareness and safeguard critical data by leveraging Hornetsecurity’s Security Awareness Service for comprehensive cyber threat education and protection.

To keep up with the latest articles and practices, visit our Hornetsecurity blog now.

Conclusion

In conclusion, in the present-day technological setting, shielding an organization from insider threats is vitally important. The significance of taking proactive efforts to identify, stop, and lessen internal security threats has been emphasized in this article.

Through a focus on staff awareness, rigorous access controls, ongoing monitoring, and a solid security culture, companies can effectively mitigate the risk of insider threats.

It is critical to keep in mind that insider threats can come from a variety of sources, such as coercion, negligence, or malicious motivation.

FAQ

What is considered an insider threat?

An insider threat is a security risk that arises from people working for an organization who may, whether on purpose or accidentally, jeopardize its data, operations, or security.

What is the most common form of insider threat?

The most common form of insider threat to date is negligent employees who unintentionally jeopardize security by falling for phishing scams or misusing sensitive data. When employees click on a dangerous link in an email that appears to be from a reliable source, they may not be aware that it could result in a malware infection or data breach.

Is insider threat a vulnerability?

An insider threat is not a vulnerability by itself but a security risk. Employees can exploit a potential vulnerability, such as their badge and privileged access to the server room, to compromise security.

While a vulnerability represents a weakness in the organization’s defenses, an insider threat involves individuals, whether employees or contractors, who can leverage these vulnerabilities for unauthorized access, data theft, or other malicious activities.

In summary, insider threats can capitalize on vulnerabilities, making them a critical consideration for comprehensive cybersecurity.

How are insider threats detected?

Insider threats are found through active monitoring of user behavior, network activity, and data access. Sophisticated security tools, such as anomaly detection and user behavior analytics, assist in spotting departures from known patterns and generate alerts for further investigation and mitigation. Access controls and routine audits are also essential for detection.

Bypassing Authentication: A Comprehensive Guide to Pass-the-Hash Attacks

No, this guide does not relate to any sort of attack on potato hash or anything to do with the passing of other versions of hash. This is a brief peek behind the curtain on how a hacker might exploit your account to gain privileged access to your environment with a pass-the-hash attack.

Unlike in the movies, a hacker usually doesn’t type away on the keyboard for a few seconds to crack a password. Instead, they typically don’t even need to know or decrypt your password to exploit your account. It’s all about how the attacker can move laterally through an environment, for example:

  • Mary is a receptionist for Vandelay Industries, an import company. She uses the same password for her personal and work accounts. Unfortunately for Mary, she was the victim of a phishing campaign and unwittingly gave her password out to an external attacker.
  • The attacker could then log into her personal email and locate some key information about Mary; in particular, they discovered she had sent some recipes to her work email to print out.
  • The attacker can now create a method to get Mary to install some malware onto her work computer. The next time the attacker saw her sending recipes to her work, they added another email with a Word attachment and a payload. Mary opens this and infects the computer with remote access tools.
  • Next, the attacker gets to work discovering what they have access to in the environment and where they can move laterally. They decide to create a simple issue on Mary’s work computer that locks up her print spooler. This prevents her from printing, so she calls the help desk for assistance. The help desk engineer happily connects to her computer with their elevated account and proceeds to repair the spooler service. The attacker continues to cause these small issues until Mary is granted temporary local administrator access so she can keep working without always calling the help desk.
  • With these new privileges, the attacker can now execute their password hash extraction tool to gather all the hashes from the system. Fortunately for the attacker, the help desk engineer has logged onto this system with their support account. With the NTLM hash of this account, the attacker is then able to connect directly to one of the administrator’s jump boxes.
  • On the administrator jump box, the attacker repeats the process and gathers another account with Domain Admin privileges. They then proceed to exploit a Domain Controller and inject backup administrator accounts and services into the environment.

Although this scenario does have some points of mitigation, it isn’t an unlikely event for this type of lateral movement and social engineering to occur in the workplace.

Disclaimer: The technical steps outlined in this article are to be used for educational purposes only. We do not condone the use of these pass-the-hash attack examples for illegal or nefarious actions.

What is Pass-The-Hash (PtH)

Pass the Hash (PtH) is the method of capturing “hashed” user credentials and exploiting authentication protocols to gain lateral access to other systems. The term Pass the Hash is taken from the fact that the hashed password doesn’t need to be decrypted into plain text for authentication systems to accept the user session.

Instead, this password hash can be reused to generate new sessions as the user, as the hash will remain static until the password is rotated.

How Does a Pass-The-Hash Attack Work?

The entry point for an attacker can vary, sometimes from malware or baiting attacks, but more commonly it is gained via some form of social engineering. In most scenarios, the target has been the victim of a phishing or spear-phishing attack, allowing the attacker to gain credentials or access to the system.

Once on the system, the attacker will scrape the system for hashes of every account logged into that machine. These hashes can be stored within the LSASS process memory, Windows Memory dumps, Page Files, Credential Manager, and SAM registry hives.

To extract these hashed passwords, an attacker can use tools such as Mimikatz, then pass the extracted hash back to the authenticator and successfully authenticate.

Pass-the-Hash Attack Examples

The best way to understand proactive methods and mitigation strategies for pass-the-hash attacks is to show an example of how these tools can be utilized. For education purposes, we have outlined the steps in a pass-the-hash tutorial for the more common method of hash extraction from the LSASS.

Extract the Hash

The first step we must consider is extracting an NTLM hash. This can then be passed back to authentication systems to allow us access to privileged systems. The tool we will use for these examples is Mimikatz.exe, and we will run the following commands to elevate and extract the hashes and simulate the pass-the-hash attack.

  1. Run Mimikatz.exe as an administrator and grant the current account permissions to debug processes.
    privilege::debug
  2. We then want to list all the active user sessions and their hashes
    sekurlsa::logonPasswords full

As we can see, a user called “notadadmin” has an RDP session on this computer. We can capture their NTLM hash and save this for the next step.

NOTE: If a user has saved a password into Credential Manager, this can also be extracted when reviewing the outputs.


Exploit the Hash

Next, we can use our newly gathered hash to exploit some services within the domain and execute the pass-the-hash attack. We know that this user is called “notadadmin” so it’s possible they might be a domain administrator. Let’s try to create a new CMD.exe session with our new account.

  1. While still in our Mimikatz session, run the following command to create a CMD session as the user
    sekurlsa::pth /user:<username> /domain:<domain name> /ntlm:<NTLM Hash>
  2. This will now open a new CMD window for this user. Let’s now invoke a remote session onto the domain controller within this environment. We can utilize the PsExec.exe tool to initiate a remote CMD session on the IP of the Domain Controller. To validate our access, let’s list the NTDS directory.
  3. We can also confirm that we are using the correct account with the "whoami" command. We can take it one step further and RDP onto the Domain Controller for more freedom. We can add a new registry item to the Domain Controller to allow RDP restricted admin mode with the following command in PowerShell.
    New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD
  4. After successfully allowing RDP restricted admin access, we can run the following command back in Mimikatz to initiate an RDP session with the NTLM hash.
    sekurlsa::pth /user:<username> /domain:<domain name> /ntlm:<NTLM Hash> /run:"mstsc.exe /restrictedadmin"
  5. The RDP window will appear as usual with a user account already filled in. We can ignore what this says, as we have passed our desired account’s NTLM hash in the background. Click Connect, and it will initiate the RDP session. We can list our accounts to validate who we are and the groups we are a member of.

How to Prevent & Mitigate Pass-the-Hash Attacks

Although we have shown how simple it can be to perform a pass-the-hash attack, it can be a little trickier in reality. In most scenarios, AV and EDR will block Mimikatz from downloading, along with restricting the execution of the process.

However, pass-the-hash detection can be difficult as the foundation of the attack is to use existing authentication mechanisms. The best way to reduce and mitigate a pass-the-hash attack is to leverage the following recommendations:

Enable Windows Defender Credential Guard

Windows 10 and above contain the Windows Defender Credential Guard tool natively. When this is enabled, the Local Security Authority Subsystem Service (LSASS) runs in a virtualized sandbox environment. LSASS is then isolated from the wider operating system, and only a small subset of binaries with valid Microsoft signatures can access the service.

Restrict Privileged Access Accounts

Administration accounts or privileged accounts should never be used on a regular workstation. This also applies to local administration accounts or users with local admin privileges.

The best method to reduce the attack surface if an account gets compromised is to use a service such as Windows Local Administrator Password Solution (LAPS) to manage, rotate, and back up local administrator passwords.

This solution has been specifically designed to reduce the dangers of pass-the-hash attacks and exploitation of local administrator accounts.

In many networks, every client PC has the same local administrator account and password (because they were deployed from the same image), which makes lateral movement very easy. LAPS ensures each client PC has a unique local administrator password.

Zero Trust Network Architecture

This key architecture decision should be made in all modern enterprise environments. The methodology is to ‘trust nothing and no one’. Correct network segmentation and security will ensure that end-user computer environments don’t have direct access to sensitive infrastructure, and that clients are granted only the bare minimum needed for authentication.

Enhance employee awareness and safeguard critical data by leveraging Hornetsecurity’s Security Awareness Service for comprehensive cyber threat education and protection.

To keep up with the latest articles and practices, visit our Hornetsecurity blog now.

Conclusion

In conclusion, understanding the intricacies of Pass-the-Hash attacks is crucial for bolstering cybersecurity measures. This comprehensive guide sheds light on the methods, risks, and preventive strategies associated with such attacks.

By staying informed and implementing security best practices, individuals and organizations can fortify their defenses against potential breaches, safeguarding sensitive data and maintaining the integrity of their systems.

FAQ

What are the tools for a pass-the-hash attack?

The most used tool for a pass-the-hash attack is called Mimikatz. Other tools of note are Metasploit and Invoke-TheHash.

How do you mitigate a pass-the-hash attack?

With a holistic approach to privileged access management, Zero Trust Network Architecture, and OS hardening, specifically Windows Defender Credential Guard.

What is the risk of pass-the-hash?

The risk of a pass-the-hash attack is hard to quantify as the methods themselves are hard to detect. The best approach to take with any security mitigation is to assume that you have already been attacked and take appropriate actions to protect your environment.

What is a pass-the-hash attack, how is it executed, and which type of hash is used in this attack?

A pass-the-hash attack is the action of extracting password hashes from a system and using them to authenticate to services. In most scenarios, NTLM is primarily targeted, as it is widely used within most organizations to access information.

How do hackers get hashes?

Attackers can target the Local Security Authority Subsystem Service (LSASS) by dumping its memory to a file, or extract hashes from the page file, the Security Account Manager (SAM) registry hive, or even the saved passwords in Credential Manager. Some of the main tools attackers use to execute a pass-the-hash attack are Mimikatz, Invoke-TheHash, and Metasploit.

Boosting Safety Through Cyber Threat Intelligence to Secure Your Digital Space

In an age where the digital landscape is continually evolving, businesses and individuals alike face increasing threats from a myriad of cyber adversaries. To navigate these challenges, there has been a growing emphasis on the value of threat intelligence in the cybersecurity domain.

But what exactly is threat intelligence, and why has it become a cornerstone of contemporary cyber defense strategies? In this article we’ll look at threat intelligence (TI), the different flavors of threat intelligence, how it can be operationalized in a business, and the different stakeholders that can benefit from it.

Understanding Cyber Threat Intelligence

At its core, cyber threat intelligence (CTI) is a comprehensive understanding of potential threats that could target an organization or individual. This knowledge isn’t merely about being aware of possible cyber threats, but it encapsulates the wider context in which these threats operate. It dives into the motivations, Tactics, Techniques, and Procedures (TTPs) used by threat actors.

CTI is derived from an analysis of both raw and processed data. The data’s source can range from open sources (like news articles or blogs) to dark web forums and technical data from internal and external threat feeds. The ultimate aim is to convert this vast amount of data into actionable intelligence that can guide both strategic and tactical decisions.

Obviously, the concept and application of threat intelligence will differ greatly between smaller and larger organizations.

For very small SMBs, threat intelligence may simply be having awareness that there are threat actors that pose a cyber threat to them and maybe (if they can afford it), outsourcing their cyber security team to a provider, such as a Managed Security Service Provider (MSSP), or a Managed Service Provider (MSP). This organization will then enlist threat intelligence as described in this article to keep their clients safe.

Larger organizations with their own security team and cybersecurity professionals will have a different approach to threat intelligence.

Some teams will merely consume cyber threat intelligence prepared by external vendors in a threat intelligence platform. In even larger organizations there might be a whole team of security analysts investigating the cyber threat landscape and emerging threats, and preparing actionable cyber threat intelligence for the larger security operations teams.

The Rise and Importance of Threat Intelligence

One might wonder why threat intelligence is suddenly in the limelight. The importance of threat intelligence lies in its proactive nature. Instead of waiting for an attack to happen, organizations can use threat intelligence to anticipate potential threats and fortify their defenses accordingly.

It’s akin to having a forward scout in a battle, providing information about enemy movement, enabling an organization to anticipate and strategize instead of merely reacting.

By understanding the motivations and Tactics, Techniques and Procedures (TTPs) of adversaries, businesses can build more robust security measures that specifically target these potential weak points. This contextual information makes all the difference; it’s the transformation of a generic defense strategy into one tailored to the specific threats an organization might face.

The Threat Intelligence Lifecycle

Where the organization is large enough to have cybersecurity professionals focused on gathering threat intelligence data and producing finished threat intelligence, the process generally goes through the following phases:

  1. First, the requirements are gathered from the various stakeholders in the business.
  2. Raw threat data is collected from internal logging systems such as Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), eXtended Detection and Response (XDR) and even Attack Surface Management tools. This is augmented by external threat data feeds and other publicly available data sources, information sharing communities and X (Twitter).
  3. The collected data is processed to narrow it down to the relevant information.
  4. In the analysis phase, the filtered data is aligned with the requirements from phase one to produce actionable threat intelligence.
  5. This is then disseminated to the stakeholders in the business, such as security personnel and senior leadership, and perhaps also shared in a threat intelligence platform.
  6. Once this threat intelligence lifecycle is complete, feedback is gathered so that the process runs more smoothly next time around.
External Attack Surface Management Attack Surface Summary

The Beneficiaries of Threat Intelligence

The benefits of threat intelligence aren’t exclusive to large corporations with vast cybersecurity infrastructures. Multiple entities, ranging from individual users to governments and multinational corporations, can reap its rewards.

For instance, IT teams can leverage threat intelligence to prioritize patch management by understanding which vulnerabilities are being actively exploited in the wild. On the other hand, executive leadership can use threat intelligence insights to steer the broader organizational cybersecurity strategy.

Furthermore, even smaller businesses, which often believe they are not prime targets for cyber-attacks, can benefit immensely from threat intelligence. With the understanding that many cyber adversaries use automated attacks, small to mid-sized businesses realize they too can be collateral damage or a steppingstone in a larger attack chain.

Delving Deeper: Types of Threat Intelligence

While threat intelligence as a concept might seem straightforward, it can be further broken down into several types:

Tactical threat intelligence

This pertains to information regarding specific tactics, techniques, and procedures used by cyber adversaries and generally focuses on the immediate future. It can be in the form of indicators of compromise (IoCs), which include IP addresses, URLs or specific malware hashes.
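The tactical IoCs just described are what the processing and analysis phases of the lifecycle above act on. As an added example, not from the article, this PowerShell runs a constructed indicator feed through requirements filtering and de-duplication, then matches what survives against constructed proxy and EDR log lines; every value in it is made up.

```powershell
# Added example, not from the original article: the processing and analysis
# phases of the lifecycle run over tactical IoCs. Feed and log lines are
# constructed for illustration; in practice they come from the TI platform
# and the SIEM.

# Collection output: two external feeds merged into one CSV of the shape
# type,value,confidence,last_seen. The duplicate IP and the stale,
# low-confidence entry are deliberate.
$RawFeed = @'
ip,203.0.113.10,90,2024-05-02
ip,203.0.113.10,60,2024-03-01
domain,login-portal.example,80,2024-05-01
sha256,abababababababababababababababababababababababababababababababab,95,2024-04-30
ip,198.51.100.7,20,2023-11-12
url,http://login-portal.example/verify,85,2024-05-01
'@

# Constructed internal telemetry, as a SIEM might export proxy and EDR events.
$InternalLogs = @'
2024-05-03T08:14:02Z proxy user=jsmith dst=203.0.113.10 url=http://login-portal.example/verify action=allow
2024-05-03T08:20:45Z edr host=WS-042 file=invoice.exe sha256=abababababababababababababababababababababababababababababababab action=executed
2024-05-03T09:01:11Z proxy user=akhan dst=192.0.2.50 url=https://intranet.example.local/ action=allow
'@

# Requirements phase, reduced to two filters the stakeholders agreed on:
# ignore indicators below this confidence, and ignore anything older than this.
$Requirements = @{ MinConfidence = 50; MaxAgeDays = 90; AsOf = [datetime]'2024-05-03' }

function ConvertFrom-IocFeed {
    param([string]$Csv, [hashtable]$Req)
    $rows = foreach ($line in ($Csv -split "`n" | Where-Object { $_.Trim() })) {
        $type, $value, $conf, $seen = $line.Trim() -split ','
        [pscustomobject]@{
            Type = $type; Value = $value.ToLowerInvariant()
            Confidence = [int]$conf; LastSeen = [datetime]$seen
        }
    }
    # Processing: drop stale and low-confidence entries, then keep the single
    # highest-confidence record per indicator so nothing is reported twice.
    $rows |
        Where-Object { $_.Confidence -ge $Req.MinConfidence -and
                       ($Req.AsOf - $_.LastSeen).TotalDays -le $Req.MaxAgeDays } |
        Group-Object Type, Value |
        ForEach-Object { $_.Group | Sort-Object Confidence -Descending | Select-Object -First 1 }
}

function Find-IocMatches {
    param([object[]]$Iocs, [string]$Logs)
    # Analysis: each log line is checked against every surviving indicator.
    # Hashes, IPs and domains must appear as whole tokens so that 203.0.113.1
    # does not match 203.0.113.10; URLs are matched as substrings.
    foreach ($line in ($Logs -split "`n" | Where-Object { $_.Trim() })) {
        $lower = $line.Trim().ToLowerInvariant()
        foreach ($ioc in $Iocs) {
            $hit = if ($ioc.Type -eq 'url') { $lower.Contains($ioc.Value) } else {
                $lower -match ('(^|[\s=/])' + [regex]::Escape($ioc.Value) + '($|[\s/:])')
            }
            if ($hit) {
                [pscustomobject]@{ Type = $ioc.Type; Indicator = $ioc.Value
                                   Confidence = $ioc.Confidence; Event = $line.Trim() }
            }
        }
    }
}

# Dissemination: what the SOC actually receives.
$Iocs = @(ConvertFrom-IocFeed -Csv $RawFeed -Req $Requirements)
$Findings = @(Find-IocMatches -Iocs $Iocs -Logs $InternalLogs)
"{0} raw indicators -> {1} after processing -> {2} hits in internal telemetry" -f `
    @($RawFeed -split "`n").Count, $Iocs.Count, $Findings.Count
$Findings | Sort-Object Confidence -Descending | Format-Table -AutoSize
```

With the constructed data, six raw indicators shrink to four (the stale, low-confidence IP is dropped and the duplicate IP collapses to its 90-confidence record), and three hits are raised: the proxy line matches both the domain and the URL, and the EDR line matches the hash.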

Strategic threat intelligence

This type gives a holistic view of threats, focusing on long-term trends and emerging risks. It’s essential for high-level executives and decision-makers who need to understand the bigger picture.

Operational threat intelligence

More hands-on, this type provides insights about specific operations, campaigns, or attack patterns, allowing defenders to discern potential motives and targets. It answers the who, why, and how questions regarding the threat groups.

Technical threat intelligence

Sometimes a fourth type is included, Technical Threat Intelligence. This is more focused on the mechanics of the early phase of an attack, often involving spear phishing, baiting and social engineering.

Operational Threat Intelligence example

The Importance of Threat Intelligence

As cyber threats evolve, the reactive approach of patching vulnerabilities and recovering from breaches is proving insufficient. Threat intelligence offers a proactive stance. It’s about understanding the threat landscape, anticipating potential risks, and taking appropriate preventive measures.

One very important point to realize is that threat intelligence on its own is of limited value. To get the best value out of any of the three or four types of CTI, it must provide actionable advice. Ideally it is organization-specific, detailed, contextual to the business, and actionable.

Threat Intelligence Benefits

Anticipatory defense

By understanding the tactics and techniques of adversaries, organizations can anticipate and prevent potential threats rather than reacting post-breach.

Enhanced decision making

Knowledge is power. With accurate and timely threat intelligence, decision-makers are empowered to make informed choices regarding resource allocation, strategic planning, and risk management.

Strengthened security posture

Informed by threat intelligence, security teams can fine-tune their defense mechanisms, adopt suitable technologies, and devise appropriate security strategies.

Example Strategic Threat Intelligence

Sources and Collection of Threat Intelligence

Effective threat intelligence is as much about quality as it is about quantity. The sources of both tactical intelligence and strategic intelligence are varied:

Open-source intelligence (OSINT)

Information derived from publicly available sources. This could be information shared on security forums, news articles, or other public domains. A good place to start is vendor reports, such as Hornetsecurity’s Cyber Security Report, and surveys, such as this one on Ransomware.

Commercial threat intelligence

Offered by specialized providers, this kind of intelligence typically comes at a cost but offers in-depth insights, often tailored to specific industries or threat landscapes.

Internal threat intelligence

Derived from an organization’s internal security logs, traffic data, and previous incidents. This type of intelligence is unique to the organization and provides insights into specific vulnerabilities and past breaches.

Government and industry-specific sources

Governments and industry bodies often share threat intelligence pertinent to their specific sectors, ensuring organizations within their domain remain secure. Depending on the size of your organization, having a good relationship with the Information Sharing and Analysis Centre (ISAC) for your industry vertical or country is important.

The Application of Threat Intelligence

As mentioned, while having threat intelligence is one half of the puzzle, its effective application is the other half. Here’s how threat intelligence is used:

Security operations

Enhancing the efficiency of security operations centers (SOCs) by providing them with the latest information on threats.

Risk management

Assisting in the identification, assessment, and prioritization of risks.

Incident response

Informing teams about the latest threats, ensuring faster and more effective response strategies.

Awareness and training

Educating stakeholders and staff about the latest threats, ensuring everyone is informed and vigilant. Don’t forget your end users: they need regular security awareness training to ensure they catch attacks that slip through your technical controls.

To properly protect your cyber environment, use Hornetsecurity Security Awareness Service, and Advanced Threat Protection to secure your critical data.

We work hard perpetually to give our customers confidence in their Spam & Malware Protection, Email Encryption, and Email Archiving strategies.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.

Conclusion

The realm of cybersecurity is no longer just about having the most substantial walls or the most robust firewalls. It’s about understanding the enemy – their motivations, their methods, and their tools. That’s where threat intelligence shines.

With an effective threat intelligence strategy, organizations are not only more informed but are also better equipped to thwart potential cyber threats.

Given the relentless evolution of the cyber threat landscape, the importance of threat intelligence cannot be overstated. It serves as a beacon, guiding entities through the intricate maze of cyber risks, ensuring that they remain one step ahead of potential adversaries.

In an increasingly digital world, staying informed and proactive with the help of threat intelligence will be the hallmark of a robust cybersecurity strategy.

FAQ

What is cyber threat intelligence?

Cyber threat intelligence is the collected and analyzed information about potential cyber threats, including the methods, motivations, and tactics used by cyber adversaries. It offers actionable insights to organizations, allowing them to anticipate and mitigate potential cyber risks.

Why is threat intelligence important?

Threat intelligence is crucial because it enables organizations to adopt a proactive stance against potential cyber threats, rather than merely being reactive. By understanding the landscape of possible threats, organizations can tailor their cybersecurity strategies and defenses more effectively.

Who benefits from threat intelligence?

Everyone, from individual users to large corporations and governments, benefits from threat intelligence. It helps in identifying, understanding, and mitigating potential threats, thus safeguarding assets, data, and overall digital infrastructure.

Advanced Threat Protection for Evolving Email Threats

Email Security – The State of Play

On Monday morning, James in marketing at YOLO Pty Ltd sees an enticing email on his phone from a vendor that he does a lot of business with. It talks about the upcoming soccer finals being held in his city and offers two tickets for free as a thank you for being a great customer, along with a QR code link to a website to get the tickets.

James – a football fanatic – immediately scans the QR code, enters his work details and agrees to the application permissions screen that pops up.

Within a few minutes, attackers have used the OAuth permissions granted to them to gain full access to James’s Exchange Online inbox. A few hours later they’ve moved laterally from his account to others, and within 24 hours they’ve obtained full access to YOLO’s entire network, with the ransomware attack following immediately after they’ve exfiltrated private corporate data for extortion and corrupted any backups they could access.

This is a fictional scenario but everything in it matches our Security Lab’s expert investigations, including the time spans.

If James had been protected by Hornetsecurity’s Advanced Threat Protection, the malicious email would have been scanned, the QR code identified, the malicious form found, and the email would never have been delivered to James and his colleagues.

Email is by far the most common way attackers gain a foothold in your organization. It is an ever-evolving arms race: the criminals (who are well funded and well organized) are always changing and improving their attacks, so yesterday’s defenses and yesterday’s technology are going to be bypassed.

To be protected and stay secure against new threats, you need Hornetsecurity next-gen technology in your corner, with new protections against novel attacks, such as malicious QR codes.

The news is often filled with headlines about Advanced Persistent Threats (APTs) and it seems that every organization that gets breached leads their PR response with “it was a very advanced attack”, the subtext being that it was really hard to defend against.

However, Hornetsecurity has produced many reports, along with others in the industry, showing that most successful attacks aren’t the result of some amazing, previously unknown attack vector – they’re the consequence of basic security hygiene failures, such as allowing phishing and spear phishing emails to end up in your users’ inboxes.

The same goes for not having a thorough and ongoing security awareness training program for all users, to strengthen the “human firewalls” throughout your business.

A variant is Business Email Compromise (BEC), where an attacker has compromised one user’s email account and monitors normal communications over a period of time, then inserts, for example, a request to change the bank account for a regular payment (to the attacker’s account).

These examples are just scratching the surface. The real challenge is new and evolving threats. Attackers are always changing and improving their lures and attacks, and with their ill-gotten gains they can afford new technologies.

For example, just like marketing departments and app makers, they’ll A/B test different emails to see which wording and approach gets the most clicks. This approach is also being augmented by AI – where we use ChatGPT to improve the language in a presentation, they might use similar technologies to generate “psychologically appealing” email lures.

All of this is to say that you need a strong team, that’s ahead of the curve, to make sure your users don’t have to deal with these threats, and that’s where Hornetsecurity comes in.  

Attack Type Usage in 2022

An analysis conducted by Hornetsecurity’s dedicated Security Lab of 25 billion business emails found that 40.5% were unwanted, and out of that portion, 94.5% were spam, and 5% malicious.

Social engineering is a large part of the threat landscape. The email threats of 10 years ago, filled with spelling and grammar mistakes and clearly fake, have been replaced with psychologically appealing, cunning text playing on human nature.

Brand impersonation is another part of the risk. With so many of the cues we rely on to assess trust when we first meet someone in the real world absent from emails, a message from a trusted brand is more likely to result in that unfortunate click.

Most-used file types in malicious emails

As we saw with James, that single click can lead to your business data being encrypted, your backups corrupted, and sensitive data you hold exfiltrated and threatened to be disclosed publicly.  

There are many, many more varieties of email attacks and risks, our Cyber Security Report goes into much more depth.  

Basic and Advanced Threat Protection 

To mitigate the risks outlined above you need both basic and advanced email hygiene services. The basic approach, which every vendor provides, takes care of (most of) the spam so that your users don’t have to wade through enormous amounts of junk just to find their business emails.

It’ll also catch (some of) the malicious emails and attachments, but given how central email communication is to business today – catching most isn’t good enough. You need the best protection possible, and that is Hornetsecurity’s Advanced Threat Protection – a next generation security service for Microsoft 365 that provides precise and comprehensive protection against all forms of malicious emails.

This cloud service provides excellent spam filtering and email security for both incoming and outgoing emails; you don’t want to be the unwitting spreader of malicious emails because one of your users was compromised. Both malware and malicious URLs are spotted and blocked before they can do harm.

Advanced Threat Protection goes beyond these basic services to specifically catch ransomware emails and lures, spear phishing campaigns and CEO fraud. Behind the scenes we use AI-based Targeted Fraud Forensics to spot risks that others miss.

Advanced Threat Protection also catches forged email headers, a popular attack method to make an email appear to come from someone trustworthy, when in fact it doesn’t.  

As for malicious email attachments, unless we’ve seen the file before and we know it’s benign (or malicious, in which case the email will be blocked outright), we use our proprietary Sandbox Engine to go through the steps a user would upon receiving the email, and then monitor very carefully what happens when the attachment is opened or executed, using over 500 behavioral analysis sensors.

These sensors detect attempts by the executable to work out whether it is running in a sandbox (a dead giveaway), and carefully monitor filesystem, process, memory, and registry changes to catch evidence of a malicious payload. File types such as executables, PDFs, Office files and archives (ZIP etc.) are all identified, and the engine looks at macros, embedded URLs, metadata, and JavaScript code.

If an email or attachment is identified as malicious after delivery, it’ll be automatically marked for deletion in the inboxes where it has already been delivered.

Like any good security solution, Advanced Threat Protection mostly does its work silently and provides your end users with clean inboxes, but in situations where your attention is required, such as when your organization is under targeted attack, real-time alerts are issued to your administrators.

Hornetsecurity’s complete portfolio also includes email encryption to ensure that only the sender and recipients can read the contents of sensitive emails, handling encryption keys and certificate management behind the scenes for ease of use.

If you have regulatory requirements to keep all emails for extended periods of time (6 months to 10 years), legally compliant archiving is built in. It also allows you to import data from other email systems.

365 Total Protection also provides an easy-to-use signature and disclaimer feature that lets you create individual signatures based on Active Directory user information automatically.  

QR codes – The criminal’s new best friend

A new, bleeding edge attack vector is malicious Quick Response (QR) codes and we’ve added scanning of these to keep your users safe. Remember James and his disastrous Monday?

Up until now, and in nearly all other email security solutions on the market, if the attackers included a QR code instead of a plain text link, it would have just been seen as a benign picture and not set off any alarms.

With Advanced Threat Protection and the new QR Code Analyzer, this gap has now been firmly closed.

QR codes are a very popular way for businesses worldwide to advertise and engage customers and potential buyers: “just scan this code and receive a $5 voucher on your first purchase”. It’s amazing to think they were invented all the way back in 1994 in Japan.

They are everywhere, this one for example takes you to Hornetsecurity’s homepage.  

QR Code example

How popular are QR codes in marketing today? Bitly published a report filled with interesting statistics, but in summary, they saw 152% growth of their use in 2022, with Finance, Healthcare and Government Services seeing huge growth in 2022.

People are scanning QR codes more and they link to more diverse content, not just a single website. There are now QR codes that lead to coupons, events, social media content and marketing video content.  

This means end users are becoming more and more accustomed to scanning QR codes and expecting “something good” at the end of it. This is a perfect opportunity for criminals to hide their malicious links in innocuous looking picture files and bypass protections – except if you have Advanced Threat Protection guarding you.  

Our scanner looks for QR codes in GIF, JPEG, PNG, and BMP image files in emails, extracts both URLs and text from them, analyzes them, and only allows the email to be delivered if it’s benign.

There’s no configuration of the QR code scanner in Advanced Protection’s Control Panel, it’s simply turned on and protecting all your users, just like any good security service.   

Secure Links

Speaking of scanning links, Advanced Threat Protection has had URL Rewriting and scanning for a long time, the new version is called Secure Links and uses a new engine.

Using Hornetsecurity’s secure web gateway, it doesn’t just scan the links in emails: it also “visits” the website and recursively scans links to establish whether the site presents a risk to your users, and of course blocks access if it does. Most importantly, it does the check at the time the user clicks the link, not just when the email was delivered.

Sometimes attackers will compromise a site but not change anything until after their emails have been delivered, making time-of-click protection paramount.

Secure Links

Security Awareness Service

No security service is perfect, there’s always a chance that something will slip through even the strongest net, so you need to add another layer of defense – your end users.

Hornetsecurity’s Security Awareness Service provides simulated phishing emails to train users to be wary, and not fall for lures, plus follow up short e-learning content to help cement the knowledge.

Unlike other solutions, administration of the system is very lightweight and it’s mostly a “set and forget” solution that uses an Employee Security Index to identify users most likely to click on links without hesitation and increase their training.

Mailbox Migration Tool

There’s no doubt that hosting your email inboxes in Exchange Online is more secure than hosting them on-premises, especially given several high-profile vulnerabilities that were exploited in 2021, 2022 and now in 2023. To assist with your migration, Hornetsecurity now offers an easy-to-use Mailbox Migration Tool.

Once your users are onboarded in Control Panel, a simple Azure AD Application is configured with OAuth permissions and you can start migrating mailboxes to the cloud, which could take some time, depending on the number of mailboxes and their size. Once they’re migrated you can enable 365 Total Protection for them.  

Harness Next-Generation Security

Specifically designed for Microsoft 365, Hornetsecurity’s 365 Total Protection offers comprehensive protection for a wide range of Microsoft cloud services.

It is easy to set up, seamlessly integrates with your existing Microsoft 365 environment and is extremely intuitive to use. 365 Total Protection simplifies and strengthens your IT security management from the very start.