Security "Bits"

First-gen CASB goes phishing again

By Nat Kausik | July 29, 2019 at 4:37 PM



It is common knowledge that the Hippocratic oath of medicine taken by all healthcare professionals includes a form of the statement "foremost, do no harm," or, in Latin, "primum non nocere." It is just too bad that cyber security professionals do not adhere to such an oath.

A large enterprise specializing in petroleum products migrated to Office365 recently. As part of that migration, they decided to deploy a CASB. So they tested a first-gen CASB and went ahead and deployed the solution. As it turns out, the cure is worse than the disease, leaving the enterprise in a state of explosive and chronic phishing risk. Phishing this enterprise is as easy as shooting fish in a barrel. Here is why.

When you go to Office365 and attempt to log in as a user at that enterprise, the CASB proxies the ADFS SSO page and hosts it on a random domain. This eviscerates the security of Single Sign-On, which is predicated on the user entering credentials only into a trusted identity provider domain. When users are required to enter their corporate credentials into weird proxy sites that are unrelated to the sphere of trust, users stop caring. Users will definitely not enter their personal bank credentials into weird domains, but are happy to enter their work credentials if their employer requires them to do so. As a result, a phishing email sent to any user at the enterprise with a link to a replica of the login page will cause the user to promptly cough up their corporate credentials. Furthermore, once users are trained not to care where they enter their corporate credentials, it is very hard to untrain them. Suddenly, every user is vulnerable to phishing for years to come, leading to explosive and chronic risk.
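The defensive check implied by the paragraph above is simple to state: a credential POST should only ever go to a host that is on the identity provider allowlist, and a login page served from a proxy's random domain fails that check. The following is an added example (not code from the original post, Bitglass, or any CASB vendor) that runs such a check over constructed proxy log lines; the hostnames, users and log format are all assumptions. It uses exact host matching on the parsed hostname, so userinfo tricks (`trusted@evil`), port suffixes, letter case, and look-alike suffixes are all handled.

```python
from urllib.parse import urlsplit

# Assumed allowlist of the enterprise's own identity provider hosts (constructed example).
TRUSTED_IDP_HOSTS = {"adfs.example.com", "login.microsoftonline.com"}

# Constructed sample log lines: "<timestamp> <user> <method> <url>" for form submissions.
SAMPLE_LOG = """\
2019-07-29T14:01:02Z alice POST https://adfs.example.com/adfs/ls/?SAMLRequest=abc
2019-07-29T14:02:10Z bob POST https://login.microsoftonline.com/common/login
2019-07-29T14:03:44Z carol POST https://a1b2c3-proxy.example-casb.net/adfs/ls/?SAMLRequest=def
2019-07-29T14:05:01Z dave POST https://adfs.example.com@evil.example.net/adfs/ls/
2019-07-29T14:06:15Z erin POST https://ADFS.EXAMPLE.COM:443/adfs/ls/
2019-07-29T14:07:30Z frank POST https://adfs.example.com.evil.example.net/adfs/ls/
"""


def credential_host(url):
    """Return the host that would actually receive a form submission to url.

    urlsplit().hostname drops userinfo and the port and lower-cases the name, so
    'https://adfs.example.com@evil.example.net/' resolves to 'evil.example.net'.
    """
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_trusted_idp(url, trusted=TRUSTED_IDP_HOSTS):
    """Exact host match only: no suffix or substring matching, so a look-alike such as
    'adfs.example.com.evil.example.net' is not trusted."""
    return credential_host(url) in trusted


def untrusted_logins(log_text, trusted=TRUSTED_IDP_HOSTS):
    """Return (user, host) pairs for credential POSTs sent to a host outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "POST":
            continue  # skip malformed lines and non-submission requests
        _timestamp, user, _method, url = parts
        if not is_trusted_idp(url, trusted):
            findings.append((user, credential_host(url)))
    return findings


if __name__ == "__main__":
    for user, host in untrusted_logins(SAMPLE_LOG):
        print(f"{user} submitted corporate credentials to untrusted host {host}")
```

On the sample log this flags carol (the proxy-hosted login page), dave (userinfo trick) and frank (look-alike suffix), while erin's upper-case host with an explicit port is correctly accepted.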

PS: other enterprises have fallen for exactly this vulnerability from the same first-gen CASB vendor.

Responsible Disclosure Update: The Bitglass Threat Research Team has attempted to contact the affected organization confidentially since June 12, 2017, with no response. Upon publication of this blog post, the affected organization is in touch with our team.
