Security researchers at SquareX have discovered critical flaws in the attachment scanning process of major email service providers such as Apple, Google, Microsoft, and Yahoo, leaving millions of users vulnerable to potential security risks. The researchers conducted a study using 100 malicious document samples and found that all these email services lacked adequate protection when it came to scanning email attachments.
The study categorized the malicious document samples into four groups, including original malicious documents, slightly altered malicious documents, malicious documents modified using attack tools, and basic macro-enabled documents. These samples were sent as email attachments through a third-party provider to accounts with Apple iCloud Mail, Google Gmail, Microsoft Outlook, Yahoo! Mail, and AOL. Despite the presence of various virus scanners, the email providers failed to detect and block several malicious files posing as legitimate documents.
The results showed that Apple iCloud, Yahoo Mail, and AOL failed to block a malicious file posing as a PowerPoint presentation, even though 40 virus scanners had detected it. Another malicious file masquerading as a Microsoft Excel document also passed through Yahoo! Mail and AOL without detection. Although Gmail presented a warning to users regarding a Microsoft Excel document with a malicious macro, it failed to detect the threat when the code was renamed as a PDF.
Vivek Ramachandran, the CEO of SquareX, emphasized the need for webmail providers to be transparent about the limitations of their scanning technology and advise users to use additional security measures. Security experts such as Jake Moore from ESET highlighted the concerning issue of well-known technology giants allowing malicious files to bypass security checks and recommended stricter measures to protect users from modern-day threats.
The research findings have prompted SquareX to update its browser extension with an advanced in-browser malicious document scanning feature to help mitigate the risks associated with email attachments. This extension can be added to Chrome and Edge browsers and includes a privacy-safe mechanism that analyzes malicious office documents in memory. While SquareX reported its findings to the email vendors, it faced challenges in obtaining a proper response due to the lack of easy communication channels with their technical support teams.
Despite the vulnerabilities identified in the email attachment scanning process, major email service providers such as Microsoft, Apple, Google, and Yahoo! have not yet responded to the research findings. SquareX is taking proactive steps to address the security gaps and protect users from potential threats, urging consumers to be vigilant and consider additional security measures when using free webmail services.(Icons: 3,631)
