Security awareness vulnerability

Malicious Email Campaign Exploits New Vulnerability in Microsoft Exchange

Nimblr has registered multiple malicious emails linked to new vulnerabilities in Microsoft Exchange. The weaknesses were first revealed in a blog post by the Vietnamese cybersecurity company GTSC and are now referred to as CVE-2022-41040 and CVE-2022-41082.

The new vulnerabilities can be used by attackers to access and extract email conversations between the affected organization's employees and external parties. Nimblr has registered extensive use of stolen correspondence in malicious emails linked to organizations where the exploits have been verified. The malicious emails contain the thread from a real email exchange between two or more parties, with a short added comment and a malicious URL at the top of the message. The sender name is taken from the original email, but the message is sent from an unrelated address on a domain with valid SPF and DKIM records, so it passes sender authentication checks.

In the example above, the attacker extracted the sender and recipient addresses and targeted one of them with a new malicious email that contains content from a previous conversation.

In addition to the use of stolen correspondence in malicious emails, Nimblr expects an increase in the volume of password phishing from attackers looking to exploit the new vulnerabilities, since authenticated access to the Exchange server is required to exploit them successfully.
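Because the messages in this campaign pass SPF and DKIM, sender authentication will not flag them; what stands out is a known correspondent's display name paired with an address that correspondent has never used. The following is an added example (not Nimblr's code) of that check, run over raw "From:" header values such as those exported from a quarantine or a message header dump. The contact table and the sample headers are constructed for illustration.

```powershell
# Added example: flag "From:" headers whose display name matches a known correspondent
# but whose address is not one of that correspondent's known addresses.
# $KnownContacts and $Sample are constructed for illustration; replace with real data.

$KnownContacts = @{
    'Anna Svensson' = @('anna.svensson@supplier.example')
    'Erik Lind'     = @('erik.lind@partner.example', 'e.lind@partner.example')
}

function Get-FromParts {
    param([string]$FromHeader)
    # "Display Name" <user@domain> -> name and address; a bare address has no name.
    if ($FromHeader -match '^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$') {
        return [pscustomobject]@{ Name = $Matches[1].Trim(); Address = $Matches[2].Trim().ToLower() }
    }
    return [pscustomobject]@{ Name = ''; Address = $FromHeader.Trim().ToLower() }
}

function Find-DisplayNameMismatch {
    param(
        [Parameter(Mandatory)][string[]]$FromHeaders,
        [Parameter(Mandatory)][hashtable]$Contacts
    )
    foreach ($Header in $FromHeaders) {
        $Parts = Get-FromParts $Header
        if (-not $Parts.Name) { continue }          # nothing to impersonate without a display name
        if ($Contacts.ContainsKey($Parts.Name) -and
            ($Contacts[$Parts.Name] -notcontains $Parts.Address)) {
            [pscustomobject]@{
                DisplayName     = $Parts.Name
                ActualAddress   = $Parts.Address
                ExpectedAddress = ($Contacts[$Parts.Name] -join ', ')
            }
        }
    }
}

# Constructed sample: the second header mimics the campaign (known name, unknown address).
$Sample = @(
    '"Anna Svensson" <anna.svensson@supplier.example>',
    '"Anna Svensson" <qx81k@mail-hosting-7.example>',
    'noreply@newsletter.example'
)
Find-DisplayNameMismatch -FromHeaders $Sample -Contacts $KnownContacts | Format-Table -AutoSize
```

Only the second sample header is reported. The contact table can be built from the organization's own outbound mail (the addresses users actually write to), which is also the data an attacker who has read those mailboxes is working from.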

"Using the stolen content in malicious email campaigns makes it easier to trick the recipients, and you should probably inform your end users about this type of attack, but I'd probably be even more worried about the data breach in itself. Confidential email content from a number of big organisations has been extracted by criminals over the last couple of days," says Rikard Zetterberg, CTO of Nimblr.

The new vulnerabilities affect on-premises Microsoft Exchange Server 2013, 2016 and 2019. Microsoft has not yet said when patches will be available but is working on a fix "on an accelerated timeline". More details and suggested mitigations can be found here:

Nimblr, which offers Security Awareness Training, is publishing a new Zero-Day class, "Stolen correspondence", to warn and educate its customers' end users about the current malicious email campaign.

Security awareness

New phishing campaign targeting OAuth tokens

Nimblr has noticed an increase in phishing attacks that steal users' OAuth tokens, giving the attacker full access to the victim's email, calendar and contacts.

OAuth is an authorization protocol in which a user grants an application a token that lets it act on the user's behalf in an online service such as Microsoft 365 or Google Workspace. The new phishing attacks trick users into granting a malicious app access to data and settings in those systems.

Unlike traditional phishing, the user does not have to enter a password; it is often enough to click "Accept" on the consent prompt for the attack to succeed. Microsoft and other service providers have recently warned of the increasing amount of "consent phishing". The attackers try to create a sense of urgency and instruct the recipient to approve access to various systems, e.g. email, Facebook, Microsoft or Gmail.
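A consent-phishing attack leaves a durable trace in the tenant: the delegated permission grant the user approved. The following is an added example (not Nimblr's code, nor Microsoft's) of auditing those grants in a Microsoft 365 tenant with the Microsoft Graph PowerShell module, listing every grant that includes mailbox, contact, calendar or file scopes and showing whether a single user or an admin consented to it. The $RiskyScopes list is an assumption chosen for illustration; adjust it to the tenant.

```powershell
# Added example: find OAuth consent grants that carry scopes commonly abused by consent phishing.
# Requires the Microsoft.Graph module and an account with directory read permissions.
Connect-MgGraph -Scopes 'Directory.Read.All', 'Application.Read.All'

# Assumption for illustration: scopes that give an app read/write reach into a user's mail and files.
$RiskyScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
                 'Contacts.Read', 'Calendars.Read', 'Files.Read.All', 'offline_access')

# Cache service principal lookups so each app is resolved once.
$ServicePrincipals = @{}
function Get-SpName([string]$Id) {
    if (-not $ServicePrincipals.ContainsKey($Id)) {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $Id -ErrorAction SilentlyContinue
        $ServicePrincipals[$Id] = if ($sp) { "$($sp.DisplayName) [$($sp.AppId)]" } else { $Id }
    }
    $ServicePrincipals[$Id]
}

$Findings = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $Grant  = $_
    $Scopes = $Grant.Scope -split '\s+' | Where-Object { $_ }
    $Hits   = $Scopes | Where-Object { $RiskyScopes -contains $_ }
    if ($Hits) {
        # ConsentType 'Principal' = one user consented (PrincipalId set); 'AllPrincipals' = admin consent.
        $User = if ($Grant.PrincipalId) {
            (Get-MgUser -UserId $Grant.PrincipalId -ErrorAction SilentlyContinue).UserPrincipalName
        } else { '(all users)' }
        [pscustomobject]@{
            App         = Get-SpName $Grant.ClientId
            ConsentType = $Grant.ConsentType
            GrantedBy   = $User
            RiskyScopes = ($Hits -join ' ')
            GrantId     = $Grant.Id
        }
    }
}
$Findings | Sort-Object ConsentType, App | Format-Table -AutoSize

# After investigation, revoke a grant (removes that app's delegated access for that user):
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```

User-consented ("Principal") grants to apps the organization has never heard of are the ones to look at first; removing the grant invalidates the delegated access the token represents, but the lasting fix is the tenant setting that restricts user consent to verified publishers or routes it through admin approval.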

New threats and attacks spread rapidly on the Internet. What was happening yesterday is old news today. Nimblr Security Awareness is therefore continually updated with new Zero-Day training sessions and associated simulations based on current attacks and threats.

Learn more at

Security awareness

What do your users know about GDPR?

What should you do if you suspect that personal data has fallen into the wrong hands? What counts as personal data? What are the consequences of violating the GDPR? Nimblr introduces a new course, in micro-training format, that gives your users a basic understanding of the GDPR and personal data.

In today's information society, it is difficult not to handle personal data in one way or another. Nimblr's new course is aimed at all employees; it raises the minimum level of knowledge and helps employees understand and apply the GDPR in their day-to-day work.

The course is part of Nimblr’s automated Security Awareness program. The content is developed in collaboration with IT security experts, lawyers and psychologists to be relevant and easy to absorb.

Nimblr's Micro Training can be completed on a mobile phone or in a desktop browser. No login details are required; each user is identified through the unique link in the email invitation. The system also sends reminders to users who have not completed courses within a given time frame and continuously reports the completion rate to the administrator.

News Security awareness Tech

Security Awareness for Google Workspace

In addition to the Nimblr Azure integration, organizations using Google Workspace can now easily integrate with Nimblr's online training platform, which is designed to strengthen end-user security awareness and minimize the risk of successful attacks. Nimblr combines interactive IT security awareness training with simulated attacks, hands-on exercises and daily fresh content on the latest threats in a continuous education program. Read more about Nimblr Security Awareness here.

With Nimblr's new Google Cloud Directory integration, organizations can synchronize users in Google Cloud Directory with the Nimblr service, giving a fully automated Security Awareness program. New Google Directory users are automatically enrolled in the training program, while disabled users are automatically removed.

Last quarter, Google Cloud reported a 46% year-over-year increase for its cloud services, including Google Workspace. Organizations that use Google for user management and cloud-based directory services and are looking for a fully automated Security Awareness training program should definitely check out Nimblr.

News Tech

Find the insidious rules that eavesdrop on users' email

Nimblr has been getting more and more reports from organizations affected by fraud in which payment information sent by email from trusted senders has been modified. The approach is not new, but it remains an effective method of stealing both money and goods. Most attacks occur in Office 365 environments, but similar attacks have been seen in Google Workspace.

The attack begins with the attacker gaining access to a user's email account, often through a fake login page where the user enters their password in good faith. The attacker uses the password to log in to the victim's webmail. There, the attacker creates email rules that forward or copy the email communication to an external address.

In some cases the rules are based on specific criteria, such as forwarding only emails that contain the word "invoice" or "payment". In some of the attacks Nimblr has studied, the rule redirects rather than copies, so the email does not reach the intended recipient until after the attacker has had the opportunity to modify its content.

Once the insidious email rule is in place, the attacker only has to wait for the right opportunity. Because the victim's communication is read invisibly, the attack can go on for a long time; when, for example, a delivery address or payment details are mentioned, the attacker strikes and modifies the bank account number or similar details. Often the attack is not detected until the supplier asks where the payment for a particular order has gone, or the customer asks where their goods are.

As an administrator, it is a good idea to review the rules configured in users' mailboxes. The easiest way is to run a PowerShell script against the Exchange server or Office 365 tenant. The script below lists all users who have an inbox rule that forwards or redirects mail:

    # Lists every mailbox that has an inbox rule which forwards or redirects mail.
    # Run in an Exchange Management Shell or an Exchange Online PowerShell session.
    $Mailboxes = Get-Mailbox -ResultSize Unlimited
    ForEach ($Mailbox in $Mailboxes) {
        $MailboxWithRule = Get-InboxRule -Mailbox $Mailbox.Alias |
            Where-Object {
                ($_.RedirectTo -ne $null) -or
                ($_.ForwardTo -ne $null) -or
                ($_.ForwardAsAttachmentTo -ne $null)
            }
        if ($MailboxWithRule -ne $null) {
            Write-Host "The following user has forwarding rules: $($Mailbox.PrimarySmtpAddress)"
            $MailboxWithRule | Format-List Name, Identity, RedirectTo, ForwardTo, ForwardAsAttachmentTo
        }
    }

As an end user, you can keep an eye on the rules in your email client: in Outlook, click File and select Manage Rules & Alerts to display the active rules.
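The listing above catches rules with a forward or redirect action, but a compromised mailbox leaks and hides mail in other ways too: forwarding set on the mailbox itself rather than in a rule, and keyword rules that delete or move the attacker's own traffic (replies from the supplier, bounce messages) so the victim never sees it. The following is an added example (not Nimblr's code) for an Exchange Online session that covers those cases, separates forwards to external domains from internal ones, and pulls the audit-log events that show who created or changed rules and from which IP address. $InternalDomains and $Keywords are assumptions for illustration; the "Name [SMTP:address]" recipient format handled in Test-ExternalAddress is how Exchange Online displays rule recipients.

```powershell
# Added example: broader inbox-rule and forwarding audit for Exchange Online.
# Run after Connect-ExchangeOnline; Search-UnifiedAuditLog needs auditing enabled in the tenant.
# $InternalDomains and $Keywords are assumptions for illustration.
$InternalDomains = @('example.com', 'example.net')
$Keywords        = @('invoice', 'payment', 'faktura', 'bank')

function Test-ExternalAddress([string]$Recipient) {
    # Rule recipients display as 'Name [SMTP:addr]' or 'Name <addr>' or a bare address.
    $Address = $Recipient
    if ($Recipient -match 'SMTP:([^\]]+)')   { $Address = $Matches[1] }
    elseif ($Recipient -match '<([^>]+)>')   { $Address = $Matches[1] }
    $Domain = ($Address -split '@')[-1].Trim().ToLower()
    return -not ($InternalDomains -contains $Domain)
}

$Findings = foreach ($Mailbox in Get-Mailbox -ResultSize Unlimited) {
    $Upn = $Mailbox.PrimarySmtpAddress
    # 1. Forwarding configured on the mailbox itself, outside any inbox rule.
    if ($Mailbox.ForwardingSmtpAddress -or $Mailbox.ForwardingAddress) {
        [pscustomobject]@{ Mailbox = $Upn; Type = 'MailboxForwarding'; Rule = '-'
            Detail = "$($Mailbox.ForwardingSmtpAddress)$($Mailbox.ForwardingAddress) KeepCopy=$($Mailbox.DeliverToMailboxAndForward)" }
    }
    foreach ($Rule in (Get-InboxRule -Mailbox $Upn -ErrorAction SilentlyContinue)) {
        # 2. Forward/redirect actions pointing at domains outside the organization.
        $Targets  = @(@($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) | Where-Object { $_ })
        $External = $Targets | Where-Object { Test-ExternalAddress "$_" }
        if ($External) {
            [pscustomobject]@{ Mailbox = $Upn; Type = 'ExternalForward'; Rule = $Rule.Name; Detail = ($External -join '; ') }
        }
        # 3. Delete/move actions combined with keyword conditions: used to hide the attacker's traffic.
        $Words      = @($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords) + @($Rule.SubjectOrBodyContainsWords)
        $KeywordHit = $Words | Where-Object { $w = "$_"; $Keywords | Where-Object { $w -like "*$_*" } }
        if (($Rule.DeleteMessage -or $Rule.MoveToFolder) -and $KeywordHit) {
            [pscustomobject]@{ Mailbox = $Upn; Type = 'HidingRule'; Rule = $Rule.Name
                Detail = "Delete=$($Rule.DeleteMessage) MoveTo=$($Rule.MoveToFolder) Words=$($KeywordHit -join ',')" }
        }
    }
}
$Findings | Format-Table -AutoSize

# 4. Who created or changed inbox rules in the last 30 days, and from which client IP.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules' -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, ClientIP |
    Format-Table -AutoSize

# Remediation once a rule is confirmed malicious (disable first to keep it as evidence):
# Disable-InboxRule -Mailbox user@example.com -Identity '<rule name>'
# Remove-InboxRule  -Mailbox user@example.com -Identity '<rule name>'
```

A rule created from an IP address the user has never logged in from, minutes after a sign-in from the same address, is the typical picture described in this post; the audit query in step 4 is what ties the rule to the credential theft that preceded it.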

Phishing Security awareness Tech

Easier to simulate phishing in Office 365

Soon it will be both easier and more secure to allow phishing tests from Nimblr in Office 365 environments. Microsoft has listened to its customers and will in June implement a new and better method for allowing phishing simulations from Nimblr and other third-party vendors.

This new way of handling phishing simulations from third-party providers and mail to security operations mailboxes is cleaner and offers greater predictability for security teams. It lets security and email admins rest assured that their Exchange transport rules (ETRs) cannot weaken the protection of their users, and spares them from having to manually inspect all of their ETRs.

The new feature is referred to as Roadmap ID 72207 and is described in Microsoft's documentation.

Nimblr will offer a guide to the new configuration as soon as Microsoft rolls out the feature. The roll-out is planned for June 2021.

Find out more about Nimblr Phishing Simulations.