Email and Mail Services Sites
Email and Mail Services sites are digital platforms that enable users to send, receive, and store electronic correspondence. In the context of cybersecurity, they represent the single most critical point of vulnerability for any organization or individual. Their primary risk stems from being the gateway for most cyberattacks, including phishing, malware distribution, and business email compromise (BEC). Furthermore, the immense amount of personal and organizational data they store makes them high-value targets for credential theft and espionage.
Mail Providers
Mail Providers host email accounts and infrastructure, serving as users' primary digital identities. The examples provided, which are permutations of Mail.ru, Gmail, Yandex.ru, and social platforms like VK and OK, highlight the risk associated with major, high-traffic providers.
Cybersecurity Context:
Primary Phishing Vector: Email is the most common channel for cyberattacks. Phishing campaigns targeting users of these providers aim to steal login credentials, often by impersonating the mail provider itself or another trusted service.
Account Takeover (ATO) and BEC: Gaining access to a corporate-associated email address hosted on one of these services is the ultimate goal of many attackers. Once an attacker compromises an account, they can use it for Business Email Compromise (BEC), sending fraudulent invoices or wire transfer requests, or for lateral movement across other accounts using password reset functions.
Credential Re-use Risk: Many users reuse the same password across their social media accounts (VK, OK) as they do for their email (Yandex.ru, Gmail). A breach of one service can immediately lead to an account takeover on the email service, which is often the master key for the user's entire digital life.
Espionage and Data Theft: Email accounts store vast amounts of sensitive communication, trade secrets, and PII. State-sponsored and criminal groups target these services for intelligence gathering and data exfiltration.
Examples: A user receives a convincing, time-sensitive email impersonating My.Mail.ru that claims their account is full and directs them to a fake login page to "increase storage." Upon entering credentials, the attacker gains complete control of the account. In another case, an attacker compromises a Gmail account, searches for terms like "invoice" or "wire transfer," and then impersonates the account owner to divert a large corporate payment.
ThreatNG is a critical tool for managing the extreme cybersecurity risks posed by Email and Mail Services sites, as these services are the primary targets for attackers seeking initial access, credentials, and sensitive data. ThreatNG focuses on external evidence of compromise, data leakage, and phishing campaigns originating from or targeting these mail services.
External Discovery and Continuous Monitoring
ThreatNG's External Discovery and Continuous Monitoring provide the surveillance necessary to detect when employee data or organizational secrets are exposed via a compromised email service.
Dark Web Presence: This is the most vital component. ThreatNG constantly scrapes the Dark Web and high-risk forums for mentions of the organization's domain and any associated Compromised Credentials—breaches of major providers like My.Mail.ru@gmail.com or massive credential dumps. ThreatNG checks whether any employee's corporate email address (or an affiliated personal email used for corporate accounts) appears in these dumps.
Archived Web Pages: Although less common for direct email content, ThreatNG searches for file types and directories that may have been temporarily posted or linked from an email. It searches for Emails, Document Files, and User Names within archived pages. For instance, if a user accidentally posted a customer service email thread containing PII on an external forum, ThreatNG would find the archived email content, revealing the data leak.
Technology Stack: ThreatNG confirms the organization's use of various email and related services, including identifying the specific Email provider being used by the company. This helps prioritize alerts, especially if an internal server or service is connected to a high-risk provider.
External Assessment for Mail Service Risks
ThreatNG's External Assessment scores are directly tied to the primary threats involving email and mail services: phishing and data leakage.
BEC & Phishing Susceptibility: This score measures the organization’s vulnerability to email-based attacks.
Example 1 (Phishing): ThreatNG detects a mass typosquatting campaign in which malicious domains (e.g., Gmail.com) send emails that appear to originate from legitimate providers (e.g., My.Mail.ru@gmail.com). ThreatNG flags the fake domains and any associated malicious links, directly increasing the organization's phishing susceptibility score.
Example 2 (Email Misconfiguration): ThreatNG assesses the organization's email configuration (SPF, DKIM, DMARC records). Weak or absent configuration makes it easy for attackers to spoof the company's domain, leading to BEC attacks targeting the company's customers who use providers such as My.Mail.ru@yandex.ru. This misconfiguration raises the BEC susceptibility score.
Data Leak Susceptibility: This score is severely impacted by email credential leaks. The discovery of Associated Compromised Credentials linked to any email domain (@list.ru, @ya.ru) directly correlates with a higher data-leak score, indicating a high probability of an impending account-takeover attack.
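The SPF/DMARC check described under Example 2 can be illustrated with a small offline assessment, added here as an example and not ThreatNG's own code: it grades constructed TXT records (hypothetical domains) and reports the weaknesses that let a domain be spoofed.

```python
# Constructed TXT records for hypothetical domains; a live check would fetch <domain> and _dmarc.<domain>.
SAMPLE_RECORDS = {
    "weak.example": {"spf": "v=spf1 include:_spf.mailhost.example ?all",
                     "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"},
    "strong.example": {"spf": "v=spf1 include:_spf.mailhost.example -all",
                       "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example"},
    "missing.example": {"spf": None, "dmarc": None},
}

def assess_spf(record):
    """Findings for one SPF record; None means the domain publishes no SPF."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: any host can claim to send for this domain"]
    terms = record.lower().split()
    all_term = next((t for t in terms if t in ("all", "+all", "-all", "~all", "?all")), None)
    if all_term is None:
        return ["SPF has no 'all' mechanism: unmatched senders default to neutral"]
    if all_term != "-all":  # '+all'/'all' pass, '?all' neutral, '~all' softfail
        return [f"SPF '{all_term}' does not hard-fail unlisted senders: spoofed mail may be delivered"]
    return []

def assess_dmarc(record):
    """Findings for one DMARC record; None means no _dmarc TXT is published."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record: receivers get no policy for mail failing SPF/DKIM"]
    tags = dict((k.strip().lower(), v.strip()) for k, v in
                (kv.split("=", 1) for kv in record.split(";") if "=" in kv))
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam instead of being rejected")
    elif policy != "reject":
        findings.append(f"DMARC policy '{policy}' is missing or invalid")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']} enforces the policy on only part of the mail")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports to reveal who is spoofing the domain")
    return findings

def assess_domain(records):
    """Combine SPF and DMARC findings; 'spoofable' is True when anything is weak."""
    findings = assess_spf(records["spf"]) + assess_dmarc(records["dmarc"])
    return {"spoofable": bool(findings), "findings": findings}

if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        print(name, assess_domain(recs))
```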
Investigation Modules and Username Exposure
The Investigation Modules allow security teams to quickly pivot from a leaked credential to identifying the scope of the risk across other platforms.
Social Media Investigation Module - Username Exposure
This module is critical because many of the listed email providers are closely tied to social platforms (My.Mail.ru@OK, My.Mail.ru@VK), which increases the risk of credential reuse.
Passive Reconnaissance: The module conducts broad checks for usernames associated with the organization across various social and high-risk forums. When an employee uses their mail service username (often their email prefix) or a derivative on a high-risk platform, the module finds it.
Example: ThreatNG discovers that an employee's common username, derived from their My.Mail.ru@bk.ru email address, is exposed in a data breach related to My.Mail.ru@VK. The Username Exposure module confirms the re-use of this identity across multiple platforms. This finding triggers an investigation to ensure the employee is not using the same password for their corporate email or other sensitive internal systems, thereby mitigating a high-priority account takeover risk.
Intelligence Repositories and Reporting
ThreatNG's Intelligence Repositories provide the immediate, actionable intelligence needed to combat account takeover and malware delivered via email.
DarCache Dark Web and DarCache Rupture (Compromised Credentials): These are the core intelligence sources. A data dump containing millions of user credentials from a provider like My.Mail.ru@mail.ru is ingested. DarCache Rupture filters this data to flag only the email addresses associated with the client organization, classifying them as Associated Compromised Credentials and triggering an instant alert.
DarCache Vulnerability (KEV, EPSS, PoC Exploits): This tracks threats embedded in emails. If a new, highly effective malvertising campaign is discovered that uses a specific PDF exploit and is distributed via email through a high-risk provider, ThreatNG's repository flags the exploit as a Known Exploited Vulnerability (KEV), allowing security teams to implement immediate preventive measures before the email reaches the target.
Reporting condenses these critical external findings—from the credential on the Dark Web to the phishing domain—into prioritized reports. The MITRE ATT&CK Mapping correlates findings (e.g., leaked email credentials) with the "Initial Access" or "Persistence" stages of the attack framework.
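The filtering step that DarCache Rupture is described as performing (keeping only addresses tied to the client organisation out of a large dump) and the reset list pushed to IAM in the integration section below can be shown as a self-contained example. This is added illustration, not ThreatNG's code; the domains, the combo-list sample and the alert fields are constructed.

```python
import hashlib
import re

# Hypothetical client: its corporate domain plus affiliate domains staff use for corporate accounts.
ORG_DOMAINS = {"corp.example"}
AFFILIATE_DOMAINS = {"mail.example", "partner.example"}

# Constructed combo-list sample in the common "email:password" layout, including noise lines.
SAMPLE_DUMP = """\
Alice.Smith@Corp.Example:Summer2024!
bob@mail.example:hunter2
carol@unrelated.example:password123
not-an-email-line
dave@corp.example.evil.example:qwerty
erin@corp.example:
"""

LINE_RE = re.compile(r"^([^\s:@]+)@([^\s:@]+):(.*)$")

def match_dump(dump, org_domains, affiliate_domains):
    """One alert per dump line whose domain is the org's or an affiliate's. The cleartext
    password is never stored; a truncated SHA-256 lets IAM confirm reuse without seeing it."""
    alerts = []
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the whole ingest
        local, domain, password = m.groups()
        domain = domain.lower()
        if domain in org_domains:
            kind = "corporate"
        elif domain in affiliate_domains:
            kind = "affiliate"
        else:
            continue  # exact match only: corp.example.evil.example is not ours
        alerts.append({
            "email": f"{local.lower()}@{domain}",
            "kind": kind,
            "password_present": bool(password),
            "password_fp": hashlib.sha256(password.encode()).hexdigest()[:12] if password else None,
            # a corporate address with a usable password is the account-takeover case
            "priority": "high" if kind == "corporate" and password else "medium",
        })
    return alerts

def reset_targets(alerts):
    """Sorted corporate addresses to hand to IAM for a forced reset and stepped-up MFA."""
    return sorted({a["email"] for a in alerts if a["kind"] == "corporate"})
```

Running `match_dump(SAMPLE_DUMP, ORG_DOMAINS, AFFILIATE_DOMAINS)` yields three alerts (two corporate, one affiliate); the unrelated and lookalike domains are dropped.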
ThreatNG with Complementary Solutions
ThreatNG's external threat data can be used to enhance the defenses of internal and perimeter security tools.
Integration with an Email Security Gateway (ESG) Complementary Solution: ThreatNG's BEC & Phishing Susceptibility module identifies several newly registered, malicious lookalike domains impersonating the organization and using a mail provider like My.Mail.ru@yandex.ru to launch a spear-phishing campaign. This intelligence is instantly shared with an ESG-complementary solution (such as Proofpoint or Mimecast). The ESG solution can then preemptively block all incoming emails from those specific malicious domains, regardless of their content, neutralizing the threat before it reaches the end user's mailbox.
Integration with an Identity and Access Management (IAM) Complementary Solution: ThreatNG's DarCache Rupture identifies a list of employee email addresses and their compromised passwords from a recent breach of My.Mail.ru@list.ru. This list is automatically pushed to the organization’s IAM complementary solution (like Okta or Microsoft Entra ID). The IAM solution requires a password reset for all affected internal accounts immediately. It temporarily increases MFA requirements for those users, preventing attackers from using stolen credentials to carry out an account takeover.