The SolarWinds breach discovered in December 2020 was a stunning feat of cyber warfare that went undetected for nine months. The attack is one of the worst supply chain security breaches on record, impacting around 18,000 government and private networks. The growing list of compromised technology vendors sends a clear message: cybercriminals do not need to attack your business directly to take over your network.
A supply chain security breach like no other
Drawing comparisons to the devastating NotPetya attack of 2017, the SolarWinds breach featured high levels of sophistication. At least four malware variants were injected into the SolarWinds build process and then unleashed onto 18,000 unsuspecting SolarWinds customers during routine SolarWinds Orion updates.
Over the course of the next nine months, businesses and government organizations were unknowingly spied on, sharing their data with nation-state cybercriminals and unaware of what had transpired. What the hackers plan to do with the data is not yet known.
The US Departments of Treasury, Commerce, Defense, Homeland Security, Health, and Justice are among the most notable government victims of the breach. Along with government agencies, high-profile technology companies, many of them cybersecurity vendors, were also compromised.
Joining the legions of SolarWinds victims, Microsoft, FireEye, and Cisco are just a few of the technology vendors that installed trojanized SolarWinds updates. In January 2021, Malwarebytes revealed it had also been breached by the group that attacked SolarWinds, despite the fact that Malwarebytes is not a SolarWinds customer. Finally, Microsoft reported that, of the Microsoft customers compromised in the SolarWinds breach, 44 percent were technology companies, including software firms, IT services, and equipment providers.
Your supply chain is not a secret
As the SolarWinds breach has shown, sophisticated cybercriminals do not select victims at random but with precision and after conducting extensive research. It was widely reported in 2018 that the US Department of Justice migrated its Exchange Servers to Office 365. This report, and others like it, show the ease with which cybercriminals can identify a business’s suppliers and exploit weaknesses in their supply chain security.
But news reports aren’t the only way to discover a vendor’s supply chain. In email security, it takes only a matter of seconds to identify the email security solution protecting a business’s email. This is accomplished with a simple MX (mail exchange) record search, a task requiring only one line of code.
In the below image, you will see an MX record search for Home Depot, a US-based home improvement retailer, and Au Bon Pain, a US-headquartered fast casual restaurant, bakery, and café with 250 worldwide locations. On the right of the screen, you can see the domain of the email security vendor, whose name has been redacted.
MX search
By performing the above search, a cybercriminal can quickly identify the email security solution protecting a business. The cybercriminal can now adapt their attacks to exploit known weaknesses in the solutions—and a good hacker has studied those weaknesses in detail.
The power of invisibility
The SolarWinds breach reveals that cybercriminals have sophisticated ways of breaching a business without targeting it directly. By targeting the supply chain, a cybercriminal can aim for one target and hit hundreds and even thousands.
MSPs who are tasked with managing and protecting the IT of their clients are uniquely susceptible to supply chain security breaches. As we saw in 2020 with the onslaught of ransomware attacks against MSPs, MSPs are becoming top targets because they are gateways to their clients’ networks.
While more SMBs are turning to MSPs for cybersecurity, SMBs will also hold their MSPs responsible in the event of a breach. MSPs must invest in solutions that are invisible to cybercriminals to reduce the likelihood that hackers will bypass their defenses. For MSPs protecting Microsoft 365 clients, the number of available solutions that do not reveal themselves in an MX record search is small.
Vade for Microsoft 365 is integrated with Microsoft 365 via API. Sitting inside the Microsoft tenant, it is invisible to hackers. In an MX record search of a customer’s email, microsoft.com is the only email security domain of record. Another benefit of this architectural advantage is that if a hacker succeeds in bypassing EOP, Vade for Microsoft 365 can catch what Microsoft missed.
The added-value of Vade for Microsoft 365, in addition to EOP, is revealed through the Added Value Report. Available from the admin dashboard, the report is a real-time view of threats that Microsoft missed and Vade blocked.
Added Value Report
To learn more about the benefits of API-based email security for Microsoft 365, download our infographic, “Evaluating Microsoft 365 Email Security Solutions: Architecture Matters.”
