Security researchers from SquareX have discovered what they describe as critical flaws in the attachment scanning process of major email service providers, including Apple, Google, Microsoft, and Yahoo. These issues create significant shortcomings in detecting malicious intent, which could potentially put millions of users worldwide at risk, the researchers say.

Significant Lapse In Email Security Discovered By Researchers

Security researchers at web browser security startup SquareX have exclusively shared the results of their latest research with me, research that examined the scanning of emails for malicious attachments by the leading email services. By collating 100 malicious document samples categorized into four broad groups, the researchers were able to confirm that email services such as Google Gmail, Microsoft Outlook, Apple iCloud, Yahoo! Mail, and AOL are all lacking in one aspect of security protection for users: the scanning of email attachments, which proved to be inadequate, to say the least.

The four malicious document categories consisted of:

• Original malicious documents from Malware Bazaar.
• Slightly altered malicious documents from Malware Bazaar, such as changes in metadata and file formats.
• Malicious documents modified using attack tools that have existed for many years.
• Basic macro-enabled documents that execute programs on user devices.

ForbesGmail Is Blocking Some Microsoft Outlook Email-Here’s The FixBy

The researchers explained to me how these document samples were attached to emails sent through a third-party email provider, Proton Mail, to accounts with Apple iCloud Mail, Google Gmail, Microsoft Outlook, Yahoo! Mail and AOL which is also part of the Yahoo! group. If those emails were delivered successfully to the user then they could potentially be susceptible to whatever threat was contained in the attachments.

Critical Email Issues Reported By SquareX

The researchers showed how Apple iCloud, Yahoo Mail and AOL all failed to block a malicious file sample that was posing as a PowerPoint presentation. This is despite the fact that a total of 40 virus scanners detected it during testing.

Yahoo! Mail and AOL both failed to block another malicious file claiming to be a Microsoft Excel document, this time one that had failed to fool 35 virus scanners. In this case, a relatively simple tweaking of the file metadata resulted in Apple iCloud Mail, Google Gmail and Microsoft Outlook all also letting the file through.

Just when you think things couldn’t have gotten much worse, the researchers discovered that all the email providers delivered a Microsoft Excel document with a macro containing well-known malware code. In fairness, at least Gmail presented users with a warning whereas none of the others did. However, renaming the code fragment to a PDF that warning vanished.

ForbesNew Gmail & M365 Warning As 2FA Security Bypass Hack ConfirmedBy

The table below displays the results of the research, indicating whether the emails were delivered or undelivered. If an email was undelivered, it means that the email server detected malware while processing the email. On the other hand, if an email was delivered, it means that the user was able to interact with the malicious document, leaving them vulnerable to attack.

Vivek Ramachandran, founder and CEO of SquareX, told me that while billions of internet users blindly trust public webmail providers to scan document attachments for security risks, “we recommend that webmail providers transparently publish details of their scanning technology’s limitations and explicitly warn users about these caveats.” Doing this, Ramachandran says, would ensure “users understand the risks and the need to use additional security products.”

Security Experts Have Their Say On Email Attachment Risk

I spoke to Jake Moore, the global cybersecurity advisor at ESET, who told me that he thought it was worrying that such well-known technology giants have allowed malicious files to pass security tests, especially when millions of users rely on these checks to remain protected. “Purporting to be a PDF sounds like an attack vector used by a cybercriminal of the 1990s,” Moore says, “so it is rather shocking that this is being found in modern-day threats. Metadata changes are simple to conduct but should not then pass virus checks as this could very easily be abused by threat actors.”

Ian Thornton-Trump, CISO with threat intelligence experts Cyjax, says that he thinks there is an opportunity to do better when it comes to consumers using free webmail services such as these. He warns, however, that “this is akin to asking the free Wi-Fi at a Starbucks why are they not blocking more or all cyber attacks.” It’s tough balancing free and secure in the same sentence, Thornton-Trump told me, adding that anyone making an “assumption that security comes without cost is dangerous for any consumer.” From the commercial realities point of view, Thornton-Trump argues that so-called ‘advanced’ email security “can be deeply problematic with false positives which may involve the use of technical support resources to help or fix – that expense across millions of users on a free platform may be commercially untenable.” And that’s before you take the processing power required for any more advanced malware detection capabilities into account.

The Email Vendor Response

I asked SquareX if it had approached the email vendors with its findings during the research process. “One of the major challenges with almost all these email providers is the lack of an easy way to reach their technical support,” a SquareX spokesperson told me. “We were unable to get a proper response via their online channels, which are primarily feedback forms that largely go unresponded to.”

SquareX has assured me that it would be sending another support request to all the vendors 24 hours before my report published today. “To ensure that people can understand and validate our findings,” the SquareX spokesperson said, “the report includes all details of the files we used and video recordings of sending these files to the different mail providers showcasing how they tackle these malicious documents.”

I contacted Microsoft which did not want to provide a statement, but it did point me to a support document regarding email protection in Microsoft 365 which users can refer to. I am led to understand that Microsoft has no record of the SquareX report having been submitted to its response teams.

I also reached out to Apple, Google, and Yahoo! but had not heard back from any of them ahead of publication.

ForbesSubdoMailing Threat To New Gmail Security RulesBy

Free SquareX Browser Extension Updated To Help Mitigate Email Attachments Threat

Concerned that the vulnerabilities found during the research amounted to a cybersecurity loophole posing a threat to millions of email users, SquareX has updated its browser extension in a bid to help mitigate the malicious attachment risk. This update adds an “advanced in-browser malicious document scanning feature” which is currently in Beta and can be added to both Chrome and Edge browsers here, a web app version is also available here.

“SquareX’s browser-native security product hooks events like file download triggers,” a SquareX spokesperson says and can analyze malicious office documents in memory. “This also makes it privacy-safe,” the spokesperson concluded, “as the data never leaves the user’s device.”