
June 04, 2024 · 3m read

John Hammond Video: What Secrets Are in Your Email?

Material Team 

@material_sec 

John Hammond, the host of a YouTube channel focused on cybersecurity education and ethical hacking, dug into Material Security’s product suite. We’re encouraged that security practitioners recognize the importance of protecting sensitive data in email and in connected SaaS applications, whether an organization runs on Google Workspace or Microsoft 365.

Watch the full video or read the full transcript below to see how Material offers a multi-layered detection and response solution for email.


Full Video Transcript

What secrets are in your email inbox? I know it's not something you usually consider, but think about it. It's years' worth of communication. There's certainly something sensitive in there, and it is your email. After all, that's access to and contact details for friends, family, peers, colleagues, other employees at your business.

And email is a huge attack surface. There are phishing campaigns, spear phishing attacks, whaling, whatever you want to call them, out and about all the time. Anyone could fall for anything, myself included. Like, look, I might just fall for a free piano, uh, alongside some American university students and staff.

This was in the news the other day. Some recent work that I actually got to do was taking a look through a ton of the reported emails that anyone might click the button for in their inbox to submit to IT or their security team. And I'll tell you some of my takeaways in just a little bit, but first I'd like to show you something really cool.

Now, first things first, let me say straight up front: this is a full featured sponsored video from my friends at Material Security. But genuinely, honestly, what they have is really sweet for email security, when business email compromise is a hot topic in the cybersecurity landscape. So put your hacker hat on and act as the adversary.

See what information and details you can glean from me just accessing my email. Say I'm an employee. Hey, just logging in for the day. I'll get to gmail.com, take a look and see what I'm working with. And that's it. Look, I work at Renzu, that's the name of our company here, and we're using Google Workspace to manage the users, accounts, and identities for our organization.

You could be using Microsoft 365, but think about that identity. Think about the access that could come from just having someone's email. Say that you, as a hacker, had gained access to my account, and even just scrolling through the messages, you can get an idea for other software solutions across our organization.

Hey, maybe notifications from Slack. Hey, I don't know, anything from Dropbox. Of course, we've got Okta in here in the mix. Gmail, obviously. And those things could tell a threat actor other attack surface, hey, other SaaS applications may be used throughout that organization. And they have access to your email.

There's nothing stopping them from trying to, hey, force a password reset and sign into something else. That's the account takeover scenario. We've got sensitive information in the inbox. Phishing attacks, I don't know, CEO or other influential, authoritative person impersonation. You could do data exfiltration with rules to send stuff out of the inbox, or you could just start sending out your own phishing emails from this compromised account as a trusted user. Right?

So let's get back to my email inbox, just as an example. And there are some more current emails that we received. Hey, some things that we got recently, but if we were to look back into the past, hey, in the archives, cobwebs of your email inbox that might have thousands upon tens of thousands of emails in there.

There are a couple of sensitive ones, and these were automatically tagged as sensitive, which is kind of nice, but think about it, right? Hey, you've got a W-9 form, maybe some personal information, health, medical documents, employee details, net compensation, bank information. It could be anything, but let me show you what happens if we click into one of these emails.

Here's our closing balance file and a few more notes and questions. We'll go to the top of that thread, but Renzu, our org here, Material Security has secured this message. I'll collapse this so you can see it a little bit better, but it says this email has been locked and protected, secured, because it contains automatically detected sensitive content like financial reports, payroll information, and other things that you don't want any individual, hey, any ill-intended actor, hacker, adversary, whatever, that might have gained access to your email to be able to just see on a whim.

You can still retrieve this message whenever you need it, and with that we'll click the button to retrieve the message. Here we go, say if we wanted to actually validate, but we will need to go through some multi factor authentication. This is cool here: that just pulled up on my phone with Okta Verify.

Hey, push notification. Let me go ahead and say, yes, that was me. And there we go. Now we're connected. Now we can read the original email that would have come through. Hey, we could see a little bit more of the attachments. In fact, we wouldn't have been able to see those previously. I'll show you another quick example, but honestly, the gist is just having some speed bump, something in the way, some extra step of authentication, like multi factor authentication, is an added layer of security, and email security here.

Let me take us back. I'll show you, uh, the W-9. I think that's kind of neat. Going to take a look at that content. Well, it does have an attachment that we might be able to explore at the very end here.

However, that will let us know that attachment is secured. You will need to retrieve the message to be able to view that. Now I know that's just one roadblock, a speed bump, but honestly, I think that's really cool, adding an extra layer of authentication and building up that defense in depth idea, especially for your email.

Now that might be a small showcase of the user's perspective, but I want to show you the management interface, because my goodness, there is so much cool stuff there. And I have a hunch a good many of you are likely IT admins. Hey, system administrators, network engineers, architects, folks running the show, keeping security afloat for your shop.

So let me go ahead and sign in to Renzu. This will send me another multi factor authentication push notification. Let me fire that up. And with that, we should be good to go, back in action here. Now I'm signing in here through Okta, but I can fire up Material Security. And this is where the sweet stuff comes in.

There is a lot of cool stuff to drill down into. But when we're talking about email security, we have a couple of things in mind. We've got data protection. We've got identity protection and phishing protection. But ultimately, this is all for your organization that may very well be using Google Workspace, like I've showcased, or Microsoft 365.

So here you get a bird's eye view of your security posture across the whole org. And this is kind of cool. You can get a little bit of a health check. See, hey, how many connected accounts do we have? Again, I was just showing little old me, one email inbox, but this is for every employee, all the accounts set up with mailbox syncing, data protection, identity protection, and phishing protection.

And some of the big questions here. Look, what users actually have multi factor authentication enabled and which don't? I know this sounds like such a simple thing to some folks, but seriously, genuinely, it is still a conversation that has to be had: get multi factor authentication everywhere, on every single account and user.

No questions asked. It's always the case when there's an incident, the big bad B, breach, word: it's because the threat actor found one account that just happened to not have it configured. There's that cheesy adage. Look, the defenders have to be right all the time. The attackers only have to be right once.

That's a whole other can of worms. I'm not going to drill down into that, but having this visibility across the org is pretty cool. They're showcasing this just as well for Microsoft 365, everything in the mix. That way you can get, hey, the identity, hey, the user, that email and what employee, to discuss a little bit more details here on which accounts have MFA bypasses.

Hey, some security mitigations that could be up in the mix, and then auto forwarding rules, ones that we know could, hey, lead to that data exfiltration capability. I liked that these are presented just as a simple question and answer. Look, honestly, that is the fastest way to get the detail that you need.

And even just the visibility on, like, hey, what sensitive content is out and about across the organization, that is worth digging into. I don't mean to drag you down the rabbit hole here, but of course, you've got some public data breach information from the Have I Been Pwned database, posted messages across Google Groups, OAuth access based off apps that you might be using in the environment.

And then even the apps to begin with. I'm just scrolling through all this for the sake of showing it to you. Of course, over on the left hand side, you can see, you can filter, drill down into what might be a little bit more pertinent to you: high risk, medium risk, tasks that you might've completed, maybe alert certifications that you snoozed, and things that, hey, just fall into any specific category like MFA, mail forwarding, data breaches, et cetera.

With all that said, let me take a moment and actually just point out, pull out of Material, I want to show you something else that might be worth more of a conversation that we can continue to have, like SaaS applications, software as a service, other tools, toolkits that you might use across your workplace.

monday.com as an example. This is pretty recent, May 9th: they're removing some of the features and functionality that could very well have been used for phishing attacks. So at the very least, having the visibility and knowing that, oh, monday.com is or is not part of your regular organization stack, that helps clue in on, look, are these emails that come through going to be a phish or not. Obviously this looks legitimate because it's coming from monday.com's actual capability of sharing updates. But I think it is worthwhile knowing what is in your org to begin with. Most folks don't even have that asset and application inventory list, and even just applications. But I do think there is one easy way to track down that information, compile and pull it all together.

If you have visibility and telemetry into email for everyone in your org, you are absolutely going to end up seeing all of the emails: sign in alerts, verification codes, notifications, messages, things from Duo, things from Slack, Asana, Notion, Evernote, LastPass, DocuSign, VirusTotal. This list can go on and on, but I think it's cooler to see what accounts actually have ties to it.

Hey, what users are using this application and getting those emails back and forth? Hey, I'm in there! You can tie that to department, you can tie that to organizational structure, whether or not those users should even be using that in the first place. And you've got some quick visibility on whether or not that has multi factor authentication enabled or single sign on capability. Just good visibility.

And on that note, I think this one is really sweet. The domains capability kind of tracks down, hey, information pertinent to data breaches, other orgs that might have communication with you. Hey, things sent back and forth because of your users, your identities' access through their email, what they might already have had exposed in previous data breaches.

Other domains, other third party applications, tracking things that could very well have had some of your details, your data spilled and out there on the internet. That's all just visibility, though. It's getting that telemetry, hey, pulling together those insights, but it's not so much the capabilities. We got to see this in action already.

Remember that secured or speed bump email that we weren't able to actually open up the attachments for? Trying to open this W-9 document that had told us, hey, look, that's secured. But how did they do that? So here's something really cool. If we drill down into the data protection dashboard here, the overview gives us a little bit more insight as to how many emails, messages do contain sensitive content, at least the percentage out of all the emails that it observes.

And this is automatic detection of those sensitive categories. You get your pretty charts and some graphics here. The protection is pretty sweet, but with that you can actually drill down into the failed retrieval attempts to see what accounts might actually be compromised, or trying from an IP address over and over again, based off of the multi factor authentication.

A lot of really cool visibility here, and maybe that's worthwhile to see. Marina, she's doing some strange stuff. Will Ferrell too, okay. Obviously, you can see at the top here, if you want to change the time duration on all of these metrics, you absolutely can bring that to a month or a year. But that does mean, if you were wearing your hacker hat acting as the adversary in that little scenario earlier, look, we'd be able to see the access requests that came from you for that email.

And again, you can even see mine. Loading this all together here, whoops, there's my IP address. You can see the target message that it was on, and we can actually drill down into that message and see all that came to light there. I'll move my face so you can see this a little bit better, but hey, that's one that we did go through our multi factor authentication push prompt.

We can see all the details about the email, the actual content itself, and all the headers, everything that might've been pertinent to look, the actual protocol, transport messaging, and details for that email. I'm super duper zoomed in. Obviously, this is a heck of a lot easier to read if you were at regular scale.

You do, of course, have visibility into all the accounts that would have seen this email, whether or not it was locked, maybe some links, if this just happened to be a phishing email and attachments that are included that you'd be able to see, let me hop over to the identity protection dashboard. Again, this gives us some sweet details.

You could drill down and toggle into any of these to get some visibility on what services seem to actually be having communication regarding password resets, sign up confirmation, and other account verification emails, which again, could lead to that account takeover that we discussed previously. This does include some extra protection, by the way, that'll actually intercept these account verification messages and add extra validation, more verification, to access those.

I know that does add time to your workflow. Hey, cruising through a little bit more security mechanisms, but seriously, it is so that you don't pay thousands of dollars in a business email compromise, millions in ransomware. Your imagination can take that as far as you'd like. And speaking of those real threats, goodness gracious, the phishing protection work is the coolest thing here, because you automatically, hey, have all of the potential phishing emails curated for you, and the cases as to what email would have come from who, how it was analyzed, whether it was strictly by Material and their work. Look, this was QakBot. That's crazy. Cool. Or other members of your organization, whenever someone would report a phishing email, and you could see, look through remediation efforts, whether or not they blocked links, whether or not they've added the speed bump.

Let me go look at that QakBot email. That's this, uh, delinquent car payments. Oh, so we're back to being able to see the email itself, get a little bit more details on the analysis, and oh, it actually works with a sandboxed iframe. So if you wanted to, you could view the full, like, HTML email if there were to be, you know, pictures and decorations and all that, but you've got all the details in here.

Now they would end up blocking links, right? You can see the accounts that it would have been sent to. Oh, a link to example.com. Okay. Sure. Oh, example.com.br. That might not be real malicious. That might just be cooking show magic. But with that said, hey, you still got the remediations for what would be legitimate, actual malware and phishing campaigns.

You block links and attachments. You add a banner to the note. Look, this is a big red, loud alert for the end user. And it's just going to be moved to spam in the first place. Oh, and there's a timeline up here. Look, if you're doing incident response, if you're doing a legitimate IR from a breach or incident that came from, hey, a phishing email, this is a godsend.

Like if we've done this, like, uh, folks might've heard my baby shark story for some APT malware shenanigans, this would have been incredibly helpful. Oh, and you can drill down into each of these. You can see what actually happened to where, when, and how. That's sweet. We've also got a metrics tab. Oh, and these are the same kind of stats that you could be able to drill down into.

Neat. Up at the top here, if you needed to do a little bit more manual classification, you can totally do that. But still, I think on its own, this is pretty neat, being able to drill down into all of these that are automatically detected. Oh, here's a "call me." Is it a CEO impersonation? It's urgent, use the number below.

Phishing emails are just sometimes so funny. What else do we have to explore here? Oh, we do have reports, and this is kind of neat. Oh, you can actually take a look at different case trends. That might be interesting intel for your own organization, depending on the work that you do. Hey, how many times are you getting hit with phishing emails?

What campaigns, and how is the security of your users? Do they have the security awareness to actually report these things? You might've seen it. I know my face is in the way. You can of course toggle this to any timeframe that you'd like. And these are just the summary, if you want to go take a look at the full report.

It has a little bit more details. That's also available in the navigation, and uh, you could click on that full report down below. But this includes a little bit more sweet deets that would be worth checking out, like any tagged threat actors, actual malicious phishing campaigns, etc, etc. And this drills down, of course, if you want to take a look at any of the other categories, you can get a little bit more insight there as to what they're pulling together for that telemetry.

I think that's just genuinely cool. I see this is in beta, but Material does have the capability to send out phishing simulations. So if you wanted to try to test your own team, hey, see their security awareness training, you could drill down into what users did what, coming from a lot of these different domains that you might be able to toggle on or off.

Hey, configure however you'd like, different HTML, any of the content there. And you could see, given a specific campaign when you're sending these out to what users, then you'll see the response, whether or not someone actually passed or failed. Let me actually choose one that had a user enrolled. And that way you could see, hey, whether or not they passed or failed, in which case this poor person failed, they clicked the link.

Sorry about that, Sean. Oh, wait a second. No, this was for the delinquent car payments. This is QakBot. No. I'm curious though, could we actually track down other QakBot, or whatever other phishing campaign or real malware, uh, across all of our employees and their emails and their accounts and their entire organization, right?

And that is where the search functionality could come to light. You could actually search for anything about any email. Like, oh, do you want an attachment in the mix? Do you want any subject or body? This is pretty cool to see it, again, across everyone's inbox. If you're reading some new threat intel report or some malware campaign write-up, this is pretty awesome, because say you could see, oh, what the phishing email might regularly look like, search for that body or message or attachment, and see, has anyone seen this across our entire Google Workspace or Microsoft 365 account?

Let me see everything that has an attachment. We'll hit enter to search for that. Oh, there are a lot of notifications for Star Wars. Okay. Oh, and then you can toggle these and mark them however you'd like, or create a new case and drill down into any of the attachments. If anything, that's just super cool for, like, research.

An app direct invoice? That one's marked as sensitive. Let's explore. There is that sandboxed iframe. We can actually see everything here. Traditional invoice. Good. Nothing with a, like, scam phone number to call. You know, like, fake tech support scams from Geek Squad or Best Buy or Norton. Whatever. Oh, I'm sorry.

While we're talking about some of these attachments and files, I realized I never particularly threaded it all together as to how we can lock down, secure, and restrict some of the attachments and files that are included. Because look, if you're in Google Workspace or Microsoft 365, you might share files with other employees, and we could just simply search for any of them as to whether or not they're actually allowed and given access out to anyone external to the organization.

That's pretty cool, to be able to see the permissions for everything. Again, all in one place, bird's eye view. You can see if these have any sensitive details in there, like passport numbers, passwords, health records, banking details. Okay. Oh, and here's one, a top talent for this individual. Anyone with a link, anyone on the open internet, could go take a look at poor Tina.

With that, we just click a button to clean it up. But Eugene is probably at fault for that. We can see the analysis, things that we're flagging on. Okay. Classic do not share, do not distribute, confidential. But the details are really where this all comes to life, because this is just in Google Docs. Can I go to this?

It's public, right? Oh, I'm so sorry, Tina. All right, Eugene will need a little bit of a scolding, and we could clean that up. But like, we could search for any of these that might be shared with just external access. Hey, anyone just being on the public internet, and anyone's personal email address. That's so sweet.

Our secret project design document is out and about. Whoops. Oh, it's pretty cool. These are actually tracking in trash, because that doesn't just go away immediately for cloud documents, SaaS, stuff like that. Derek at the DMV? Oh, I wish I could see that one. Thanks to Will making that available to the whole wide world.

That has his driver's license, presumably. Okay. I'm not going to lie, this is just kind of fun to look through. You've got some EXEs here, yep, some executive compensation, net pay. Alright, I don't mean to beat you over the head with it anymore, but honestly, genuinely, I just think it is super duper cool. I think in cybersecurity we've now reached, look, the identity being the crown jewel for a threat and attack vector.

It's not strictly, oh, run malware on the endpoint. No, it's like, swing between different SaaS or cloud applications that an organization just might use, and getting into an individual's email just opens a door for so much. So adding in all these protections is a really good thing. I showed you, oh, just a quick handful of phishing emails that I get to see when, oh, we see things reported to us. And I really had the takeaway, I know I teased it at the start of the video, that like, none of this is all that fancy. Like, there's no sophisticated, oh, hardcore, like, complex, uh, threat actor activity in tradecraft here. It's not sexy.

There weren't any "scan this QR code" hooks or lures, just the same old boring, run of the mill, typical common phishing pretense in social engineering. I say that, but I don't mean to say that that, oh, just means we let security and caution out the window. I had that analogy of Swiss cheese, right? Where you're just layering up what might have different holes in different parts.

But if you add more and more layers, the holes get closed and boarded up. That's that defense in depth idea. That's why those extra layers of authentication and validation are awesome. And you shouldn't just, like, oh, disable multi factor authentication because Evilginx exists. You should have that security in place.

And honestly, I gotta admit, I think Material's stuff is pretty sweet. I say that pretty confidently because we use Material. I've met, hey, some other engineers, developers, nerds, and geeks, and they're all super smart folks. And I think what they have is just really cool. With that, I do hope you give it a try.

Big thanks to Material Security for sponsoring this video. There is a link in the video description if you'd like to kick the tires, play with it a little bit more. And especially, thank you to you for tuning in, watching this video. Please do all those YouTube algorithm things, like, comment, subscribe, and I'll see you in the next video.