You can now replace your background with an image in Google Meet. You can either use Google’s hand-picked images, which include office spaces, landscapes, and abstract backgrounds, or upload your own image.
Why you’d use it
Custom backgrounds can help you show more of your personality, as well as help hide your surroundings.
Virtual backgrounds work directly within your browser and do not require an extension or any additional software. At launch, they’ll work on ChromeOS and on the Chrome browser on Windows and Mac desktop devices. Support on Meet mobile apps will be coming soon; we’ll announce on the Google Workspace Updates blog when they become available.
Admins: At launch, there will be no admin control for this feature. Admin controls to select which organizational units can use custom and preset backgrounds for meetings they organize will be introduced later this year. We’ll announce on the Google Workspace Updates blog when they’re available.
Rapid Release domains: Gradual rollout to eligible devices (up to 7 days for feature visibility) starting on October 30, 2020
Scheduled Release domains: Gradual rollout to eligible devices (up to 7 days for feature visibility) starting on November 6, 2020
Available to Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Enterprise for Education, and Nonprofits customers and users with personal Google accounts.
Selecting your own picture is not available to participants of meetings organized by Education customers.
The outbreak of COVID-19 has put cyberattacks on healthcare providers into hyperdrive. Factors contributing to such attacks include, but aren’t limited to:
Decentralized business operations
Emergency COVID-19 facilities set up without planned security of IT infrastructure
A significant rise in the amount of patient health data stored by healthcare organizations
Telehealth, and remote workers flung around the world almost overnight, opening up security gaps
Ryuk ransomware, in particular, has seen a resurgence recently. Sophos recently identified a new spam campaign linked to the Ryuk actors, and our Managed Threat Response team assisted an organization in mitigating a Ryuk attack, providing insight into how the Ryuk actors’ tools, techniques, and practices have evolved.
The investigation showed an evolution of the tools used to compromise targeted networks and deploy the ransomware. But what was more notable was how quickly the attacks can move from initial compromise to ransomware deployment. Within three and a half hours of a target opening a phishing email attachment, attackers were already conducting network reconnaissance. Within a day, they had gained access to a domain controller and were in the early stages of an attempt to deploy ransomware.
The evasion techniques of ransomware are rapidly changing. In recent years, ransomware attacks have trended away from brute-force, large-scale attacks to focused, planned, and manually executed attacks that are much harder to detect and block. Humans are handcrafting artisanal malware.
The criminals have hybridized their attacks, combining automation to find victims with gaps in their defenses. Exposed servers with Remote Desktop Protocol (RDP) enabled, administrators without multi-factor authentication for remote access, unpatched web servers, or even these same issues at a trusted partner or service provider are enough to put your network, systems, and resources under ransom.
Here are the five things healthcare providers can do to protect against ransomware attacks:
Maintain IT hygiene. Make sure you’re practicing basic IT hygiene, which includes installing all the latest patches, shutting down RDP entirely (or putting it behind a VPN), and making regular back-ups and keeping them offsite where attackers can’t find them. It also includes applying multifactor authentication to services hosting the most sensitive data in your organization. These are just some of the fundamental steps you can take to protect yourself and your network today.
Educate your users. Teach them about the importance of strong passwords and roll out two-factor authentication wherever you can. Educate them on phishing, which is one of the main delivery mechanisms for ransomware.
Minimize the risk of lateral movement within your network. Segment LANs into smaller, isolated zones or VLANs that are secured and connected by the firewall. Be sure to apply suitable IPS policies to rules governing the traffic traversing these LAN segments in order to prevent exploits, worms, and bots from spreading between LAN segments. And if an infection hits, automatically isolate infected systems until they can be cleaned up.
Use endpoint detection and response (EDR) tools with your endpoint protection. Targeted ransomware today isn’t just about stopping one piece of malware; it’s about stopping an active adversary and disrupting the attack chain that puts them in a position to run the malware. Ensure every endpoint is protected and up to date. A device not functioning correctly may not be protected and could be vulnerable to a ransomware attack. Use tools like EDR, which allow you to ask detailed questions so that you can hunt for active adversaries and identify advanced threats in your network. Once you do, EDR also helps you take appropriate actions quickly to stop such threats.
Close the gap with human intervention. Computers, automation, and tools are amazing but human intellect, pattern recognition, and our ability to apply context provide an even more formidable defense. Managed detection and response (MDR) services are critical here. Pairing your internal IT and security teams with an external team of elite threat hunters and response experts helps provide actionable advice for addressing the root causes of recurring incidents.
Sophos Intercept X Advanced with EDR
Sophos Intercept X Advanced with EDR includes all the features you need to help protect your organization from ransomware attacks like Ryuk, Sodinokibi, Maze, and Ragnar Locker.
Intercept X includes anti-ransomware technology that detects malicious encryption processes and shuts them down before they can spread across your network. Anti-exploit technology stops the delivery and installation of ransomware, deep learning blocks ransomware before it can run, and CryptoGuard prevents the malicious encryption of files, rolling them back to their safe states.
Furthermore, Sophos EDR helps keep your threat hunting and IT operations hygiene running smoothly across your entire estate. Sophos EDR empowers your team to ask detailed questions to identify advanced threats, active adversaries, and potential IT vulnerabilities, and then quickly take appropriate action to stop them. It enables you to detect adversaries lurking in your network and waiting to deploy ransomware that may have gone unnoticed.
Sophos Managed Threat Response (MTR)
The Sophos MTR service adds human expertise to your layered security strategy. An elite team of threat hunters proactively looks for and validates potential threats on your behalf. If authorized, they take action to disrupt, contain, and neutralize threats, and provide actionable advice to address the root causes of recurring incidents.
Sophos Rapid Response
If your organization is under attack and needs immediate incident response assistance, Sophos can help.
Delivered by an expert team of incident responders, Sophos Rapid Response provides lightning-fast assistance with identification and neutralization of active threats against organizations. On-boarding starts within hours, and most customers are triaged within 48 hours. The service is available for both existing Sophos customers as well as non-Sophos customers.
The Sophos Rapid Response team of remote incident responders quickly takes action to triage, contain, and neutralize active threats. Adversaries are ejected from your estate to prevent further damage to your assets.
In the last two parts of the Think Twice series we discussed email spam, those uninvited guests who wreak havoc at your email party, as well as types of email spam and tips to prevent it. Now that you know all about the trouble spam brings, you might be curious to know what reputable email service providers (ESPs) are doing to help protect users from spam of all types.
One of the challenges ESPs face is correctly identifying whether an email is spam or legitimate. Zoho Mail does this by studying community data: how, and which, users mark an email as spam or not spam. With the help of community data and pre-defined conditions, our servers can automatically identify half a million spam emails per hour on average with an admirable success rate. The use of community data in spam processing extends further.
Say a user is sending an email from a third-party email server to a Zoho Mail user. For that email to get delivered to the recipient’s inbox, the sender’s IP should hold a positive reputation. The reputation score of an IP is dependent on the number of spam and non-spam emails generated from that IP. When a source with low reputation places an email transfer request to the Zoho Mail server, we will either reject the email or deliver it to the recipient mailbox’s spam folder, depending on the user settings.
Let spam stand in the bay:
If the nuances of classifying the right emails as spam is a challenge, determining the right approach for bulk emails is a bigger challenge. Though our filters can recognize and sift out emails with spam fingerprints—attachments masked with malware, phishing links, malicious executable macros, non-RFC compliant emails, unsolicited bulk emails, and more—the approach we need to take for each of them differs. While we filter out phishing emails more vigorously, reducing the false positives, we take a more user-specific approach concerning bulk emails, given that a bulk email can be spam to one user and of interest to another.
With the help of user-centric and organization-wide spam control settings, administrators can customize and choose what kind of emails they want Zoho Mail to deliver to their inbox. Starting from choosing which parts of an email you want us to analyze using our filters, administrators can choose to show sender-based alerts, process spam based on specific languages, and quarantine or reject emails based on authentication framework (SPF, DKIM, DMARC, and DNSBL) verification. The administrator can also add specific emails, domains, and IP addresses to their lists like Allowed list, or Blocked list to receive or not receive emails from certain senders. Apart from the administrator maintaining an organization-wide list, each user can customize their own anti-spam lists to block or allow users of their choice.
Combat phishing with added accuracy:
In our previous post, we discussed the technique spammers use to phish for personal data: copying the user interface and experience of a legitimate organization, including the domain address. For example, say you maintain your finances at a bank named Woods, and “woods.com” is their domain address. Now a spammer might phish using a domain (“vvoods.com” or “w00ds.com”) that looks like the legitimate address by changing a few letters to deceive recipients.
While our spam filters are capable of spotting such emails, you can also take additional spoof control measures for the domains that are significant to your organization by verifying all cousin domains of that respective domain. And it doesn’t stop there. You can protect your organization members from spoofed emails and prevent this fraud from happening with the help of Zoho Mail’s Display Name Spoofing feature.
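The cousin-domain check described above, as an added example that is not Zoho Mail's own code: it normalises a sender's domain label through a small, assumed table of look-alike characters and digraphs (the post's "vvoods" and "w00ds" both collapse to "woods"), then also catches one-character typos with an edit distance. It assumes a single-label public suffix such as ".com".

```python
import unicodedata
from typing import Iterable

# Characters and digraphs commonly substituted for a brand's letters. The post's own
# examples, "vvoods.com" and "w00ds.com", are produced by the "vv" and "0" entries.
# This is a heuristic table assumed for the example, not an exhaustive confusables list.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s", "|": "l"}
DIGRAPHS = {"vv": "w", "rn": "m"}


def normalise_label(label: str) -> str:
    """Map a domain label onto the plain-ASCII string it is meant to resemble."""
    decomposed = unicodedata.normalize("NFKD", label)            # 'ó' -> 'o' + accent
    plain = "".join(c for c in decomposed if not unicodedata.combining(c)).lower()
    for seq, repl in DIGRAPHS.items():
        plain = plain.replace(seq, repl)
    return "".join(HOMOGLYPHS.get(c, c) for c in plain)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character typos such as 'wods.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label directly left of the public suffix; assumes a one-label suffix like '.com'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_sender_domain(sender_domain: str, protected: Iterable[str]) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one sender domain."""
    sender = sender_domain.lower().strip(".")
    sender_label = registrable_label(sender)
    for brand in protected:
        brand = brand.lower().strip(".")
        if sender == brand or sender.endswith("." + brand):
            return "legitimate"                      # the protected domain or a subdomain of it
        brand_label = registrable_label(brand)
        if normalise_label(sender_label) == normalise_label(brand_label):
            return "lookalike"                       # homoglyph / digraph substitution
        if len(brand_label) >= 4 and edit_distance(sender_label, brand_label) <= 1:
            return "lookalike"                       # one-character typo of the brand
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample senders; 'woods.com' is the bank domain used in the post.
    protected_domains = ["woods.com"]
    for d in ["woods.com", "mail.woods.com", "vvoods.com", "w00ds.com", "wods.com", "zoho.com"]:
        print(f"{d:18} -> {classify_sender_domain(d, protected_domains)}")
```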
Spam processing is not without its flaws: as ESPs improve their filtering mechanisms and block spam emails with higher accuracy, spammers also become more advanced in their masking techniques by using reputed services. Some spammers have started following RFC rules, SPF and DKIM authentication protocols, and more, to escape spam processing. This new, evolved spam can sometimes slip through the filters and end up in the recipient’s inbox.
This is why we’re constantly updating the Zoho Mail server to learn new fingerprints even with a small sample size. And don’t worry: even if one or two spam emails escape our wall of filters, our post-delivery spam check can identify and mark those emails as spam automatically.
Given all the challenges in identifying and processing spam, we at Zoho Mail place our users’ safety and security before every other priority. We have already added a ton of new spam control features to our all-new admin console. As we move forward, we’ll continue refining our techniques even further to improve your experience.
We hope the Think Twice blog series has helped you learn more about email spam and ways to prevent it! Give Zoho Mail’s anti-spam features a try and let us know what you think.
Yamine Durai, a part of Zoho Mail’s marketing team, is a tech enthusiast.
But if you spot her away from office hours, you will probably find her reading a history book while honing her oratory skills.
Onboarding is one of the first opportunities you have to communicate your company culture to new employees. Having a straightforward onboarding system speaks volumes about your organization and gives new hires a sense of direction. If the process is riddled with inefficiencies, employees will be more likely to leave your organization, and the money spent on recruiting and training these individuals goes to waste. This is why onboarding should be automated. It provides a clear, simple experience to your employees.
Here are some of the benefits of automating onboarding:
Streamlines mundane administrative tasks and reduces errors
Supports candidate onboarding, which helps motivate candidates even before they join your organization
Digitizes the paperwork associated with onboarding, consolidating it all to a single application
Ensures compliance by documenting all the onboarding paperwork in a centralized system
Provides employees all the information they need about your organization
Generates reports, which makes it easy for you to track the progress of your new hires
Read more about how onboarding benefits your organization in our HR Knowledge Hive.
Expert Diaries from Zoho Campaigns connects avid email marketers to the experts in this space to help them learn some best practices and tips. Our aim is to connect email geeks and form a community that learns email marketing from one another.
We recently sat down with Sridhar Chandran, an anti-spam and email-deliverability expert with over 13 years of experience who currently works as Solution Architect at Validity, Inc. There, he helps high-volume senders optimize their email marketing for better email deliverability (inbox placement).
In our 40-minute chat, we discussed with Sridhar the specifics of email deliverability for Gmail and asked him many sought-after questions.
For those of you who prefer reading, here’s the rundown of the conversation.
ISP – Inbox Service Providers, aka mailbox providers (for example, Gmail)
ESP – Email Service Providers (for example, Zoho Campaigns)
SPF – Sender Policy Framework
DKIM – DomainKeys Identified Mail
DMARC – Domain-based Message Authentication, Reporting, and Conformance
IPv6 – Internet Protocol Version 6
Google Postmaster – A tool by Gmail which helps you analyze your email performance
Sunset Policy – A plan or action for managing inactive contacts after a certain point of time
BIMI – Brand Indicators for Message Identification
VMC certificate – Verified Mark Certificates (A digital certificate authenticating the logo of a sender’s domain)
We know that filtering systems differ from one ISP to another, but how different is Gmail’s as opposed to the likes of Yahoo, Outlook, and more? More often than not, 40% of a mailing list comprises Gmail recipients. In Asia, the number only goes up. So it’d be great if you could explain the specifics of Gmail’s spam filters.
To understand this, we have to trace how Gmail has evolved over the years. If you guys remember, Gmail offered 1TB storage while starting off in 2004. This was their USP. At that time, ISPs like AOL, Yahoo, and Hotmail offered limited storage. From a mail-filtering perspective, Gmail relied on IP reputation a lot. (90% of emails the ISPs receive per day is spam. So a lot of emails had to be blocked.)
They went one step ahead and created a separate folder called spam, while giving the users the option to move emails between spam and inbox. If a user moved an email from spam to inbox ascertaining it’s genuine, the spam filters took cues and expanded the data points used for decision-making. This was a major differentiator.
Then came IPV6, authentication method (like DKIM), and more signals. After a point, they started relying more on email-sending domain’s reputation than the IP reputation. (Both were used.) A domain’s reputation was decided based on different engagement signals: opens, clicks, getting added to the address book, emails moved from spam to inbox, and more. The other ISPs also emphasize engagement signals, but Gmail implemented this much earlier. Gmail also had the advantage of basing filtering decisions around Google’s data points.
For example: If you’re a brand-new sender, other ISPs have to gauge you based on the volume of emails you send. This is because they’re seeing you for the first time. When it comes to Gmail, they can use certain data points from Google: your website’s ranking, its shelf life, and more.
Gmail doesn’t have a traditional feedback loop like Yahoo or Hotmail—so how does a sender troubleshoot their (deliverability) issues with Gmail?
Yes, you’re right. Gmail doesn’t have a traditional feedback loop like other mailbox providers. But there are some signals you can take a look at. Again, this might not be unique to Gmail. (Some other mailbox providers might also have them.) The first one is bounces—hard bounces and soft bounces. This is something I feel that most users are not utilizing.
When most of your emails have traces of spam, the defence mechanism for most mailbox providers is rejecting the emails, right? So as a sender, you have to take a look at the delivery rates. The second one is unsubscribes. The other major thing at Google is Postmaster Tools. I highly recommend that everyone utilizes it. The best part is this: The domain owner can directly register for it by visiting the site. (You don’t have to depend on your ESP for the configuration.)
In summary, you have to keep a close eye on your engagement metrics. For example: When you get only 10% opens from a delivery rate of 98%, there’s definitely some issue. You can also monitor your deliverability using certain third-party tools: Return Path, 250ok, and more.
What are the various data points a sender should look at in Google Postmaster (to narrow down email-deliverability-based problems)? What are the thresholds one should check?
Gmail provides the traditional engagement metrics. If you’re looking at spam complaints, it’s available in Google Postmaster. You can also check your domain and IP reputation there. (Which is a valuable data point.) There’s also authentication results, which are important to know the stability of mechanisms like SPF, DKIM, and DMARC.
To answer the second question, there are no set or predefined thresholds. However, there are some industry standards for spam complaint rates. Less than 0.2% is a good place to be in. Having your bounce rates below 0.4% is a good benchmark. That said, your reputation is divided into four bands in Google Postmaster: high, medium, low, and bad.
If your reputation is high, you’ll have higher thresholds. If it’s poor, you don’t even want to hit 0.1% complaints. Threshold levels are dynamic. (It varies based on the reputation band.) So know which band you’re in and play around with the numbers.
Gmail has several tabs—social, updates, primary, and, particularly, promotions. So I wanted to ask this: Is the promotions tab really bad? Even if it’s not bad, what determines the placement of an email there?
This is one of the commonly asked questions. It’s a little frustrating too. We have to understand that the promotions tab is inbox; it’s not a spam folder. That said, I can understand the mindset of the senders: primary tab placement means better engagement rates.
Over time, filters have evolved to place the marketing emails in promotions. As a sender, we have to understand this: If a user enables tabs for their mailbox, it means they don’t want to see marketing emails in their primary tab. Earlier, I used to manually create several folders based on from addresses and more. The data fed to the filters is so much that they’re able to decide the placement of marketing emails. They’re making lives easier for the users. So we should try to leverage the promotions tab instead of fighting it. Remember, the users have the option to move your emails to the primary tab as well.
Coming to your next question, Gmail has a Natural Language Processing engine, specifically looking at the content of your email. Of course, they have machine learning capabilities to classify content based on data signals. (We don’t have to worry about this.) A study by 250ok found that one in four users didn’t configure tabs in their mailbox at all. Apple Mail and Outlook don’t have a tabbed structure for inboxes, right? I’d always look at leveraging the promotions tab.
Why not try Gmail’s email annotations if your email contains offers and deals? Use JSON script. It helps in bringing your emails to the top of the promotions tab in a very action-provoking manner.
I have a follow-up question, Sridhar. I’m seeing a lot of people discussing the usage of URLs in emails. They feel that using three or more URLs leads to the placement in the promotions tab. How far is it true?
First, I’d like to bust the myth here: it’s not true. Of course, there are no magic numbers in terms of the quantity of URLs. I’d prioritize the quality of the URLs over quantity. When I say quality, I mean the destination of the URLs. You have to check whether it’s pointing to the website(s) you’re managing; you don’t want to use third-party URLs. I’ll not worry about the number of URLs. In Gmail, we know for a fact that the email gets clipped when its size exceeds a certain limit. This is something I’d look at rather than the number of URLs. You should also answer a couple of questions before sending an email: Is the HTML correct? Are the URLs specified out? You can also include a text version along with the HTML version (images) as most of the clients disable images by default.
Most emails received per day go to the spam folder. Gmail has a specifically different way of spam foldering. Usually they don’t mark many emails as spam. How should the email marketers see to it that they are not marked as spammers?
Also, can you please tell us how can the email marketer understand which subscriber is inactive and which subscriber is not?
There are no particular magic numbers for this so I will speak anecdotally.
Firstly, the destination of your email or where it’s going to land is decided even before you hit the send button. Factors like single opt-in, double opt-in, purchased lists, and so on are taken into account. The quality of your list is the first important thing you have to keep in mind. There are a lot of ways by which you can go ahead and validate your list to ensure that typos and all those kinds of things can be taken care of.
Secondly, it’s about your audience, their engagement factor, active users and so on.
Industry best practice or threshold we have seen is somewhere around 90 days. It is supposed to be a good number within an active audience.
Create segments for 30-day, 60-day, and 90-day active users and call them reputation superheroes. If you are getting a lot of spam complaints, suppress the older addresses and send mails to the 30-day active audiences to uplift your reputation. Gmail specifically takes a look at the engagement factor to ensure that you are sending emails to only those audiences who are consistently interactive.
Among segments, there will always be one such segment that contains the data of audiences with whom you have not interacted for a considerable period. Times like these call for you to look into your sunset policy and undertake re-engagement campaigns. Ask your audiences if they organically want to be a part of your lists or opt out. Repeat this periodically rather than once in two years when your emails are marked as spam.
Again, there are many ways to let your emails engage with your audience. Create journeys as simple as welcome journeys. This is underutilized by many senders and so they stay bereft of their benefits.
Also try to engage audiences with cart abandonment journeys. Keep a close tab on the engagement pattern and make amends in the creatives to fetch more engagement with the most appropriate content.
With automation, we are achieving time- and response-based user engagement. What are your views on automation?
I will speak about this from a deliverability perspective. Gmail does look at the engagement and how frequently your users have engaged with your emails. Employing these journeys lets the filters know that you are sending to engaged audiences for improved reputation. It also allows the benefit of having a great reputation.
As I said, Gmail annotations are useful, but they alone cannot ensure a better position in the Promotions tab. To utilize this, you have to be at the top of your reputation game. Email journeys are a big help in achieving that.
What should be in the checklist of an email marketer with a great sending reputation while moving over from one email marketing platform to another? Which best practices will ensure a smooth transition?
If you already have an established reputation at a particular ESP and are moving to another one, you have to warm up (Domain and IP). This is because you are shifting to a new infrastructure.
You might traditionally send from one IP and one domain combination and then suddenly move on to another one. Gmail will consider that as a new signal so you have to warm up. Initially start sending out emails in slow volume instead of putting your foot on the accelerator.
Before starting, make sure that your infrastructure has everything in place. Complete all the authentication processes (SPF, DKIM, DMARC) and let Gmail consider your emails as authenticated traffic. Upon completion of the previous process, send emails to your most-engaged audiences. Take 10 percent from among the 30-day active users and shift them so that you can retain brand affinity even when emails are sent out from a different infrastructure.
Apart from this, there’s another thing that you need to monitor—Google Postmaster Tools. Once you have done the transition from one ESP to another, looking at the signals in Google Postmaster Tools will help. You can check whether your authentication is alright, if the domain reputation is dropping, and so on. Keep in mind that the data we see in Google Postmaster Tools is not real-time—there can be a delay of 48-72 hours. Pace out campaigns in such a way that you give enough time to those monitoring tools to update the data.
Apart from this, I would say that a traditional switchover can at least take two to four weeks. It again depends on the volume of subscribers you have. Check the time frame you need to give for a switchover from one ESP to another and also allow proper warm up to happen.
Now DMARC and BIMI are hot topics. How important are they for my inbox placement?
DMARC actually has three policies:
– p = None
– p = Quarantine
– p = Reject
p = quarantine and p = reject are the only enforcement policies, whereas p = none is actually a monitoring mode. The latter does not actually help the inbox providers as they are not making any decisions based on that DMARC policy. As an email marketer, you can begin with p = None. You wouldn’t lose anything with this, only that you have to go ahead and evaluate all your email traffic based on this DMARC policy.
The enforcement mode enables an advantage to senders for taking care of any spoofing and brand-related theft. You actually inform mailbox providers if the authentication is not in place so they can go ahead and spam folder or reject your emails. Just having authentication or DMARC in place is not going to ensure inbox placement. All the other signals we have been speaking for the previous hour are applicable.
BIMI right now is being utilized only at Yahoo. In Gmail you need to have an additional VMC certificate to utilize BIMI as there it is still in the beta stage. In Yahoo you don’t need that to utilize BIMI. I would say as a sender you need to first concentrate on getting into a DMARC enforcement policy as BIMI can still wait.
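The three DMARC policies above, worked through from the receiving side as an added example (not code from Zoho Campaigns or Validity): it parses a DMARC TXT record with the RFC 7489 defaults, checks SPF/DKIM identifier alignment in strict or relaxed mode, and returns the disposition a mailbox provider would apply, including the subdomain policy (sp) and the pct step-down. The sample records and domains are constructed; organizational-domain detection is simplified to the last two labels.

```python
from typing import Optional

DEFAULTS = {"p": "none", "sp": None, "pct": "100", "adkim": "r", "aspf": "r"}
POLICIES = ("none", "quarantine", "reject")   # weakest to strongest

# Constructed sample records for demonstration.
ENFORCING = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"
MONITORING = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tag/value pairs with the RFC 7489 defaults filled in."""
    tags = dict(DEFAULTS)
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags["sp"] is None:
        tags["sp"] = tags["p"]            # the subdomain policy defaults to p
    for key in ("p", "sp"):
        tags[key] = tags[key].lower()
        if tags[key] not in POLICIES:
            raise ValueError(f"unknown {key} value {tags[key]!r}")
    tags["pct"] = int(tags["pct"])
    return tags


def org_domain(domain: str) -> str:
    # Simplification for this example: the last two labels. Real receivers consult the
    # Public Suffix List so that names like 'example.co.uk' are handled correctly.
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(record: str, from_domain: str, spf_pass: bool, spf_domain: Optional[str],
                      dkim_pass: bool, dkim_domain: Optional[str], sampled: bool = True) -> dict:
    """Decide what a receiver does with a message given its SPF/DKIM results and the record."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:                   # one aligned pass is enough for DMARC to pass
        return {"result": "pass", "policy": None, "action": "deliver", "enforced": False}
    # p applies to the organizational domain itself, sp to its subdomains.
    policy = tags["p"] if from_domain.lower() == org_domain(from_domain) else tags["sp"]
    # Messages outside the pct sample get the next weaker policy (reject -> quarantine -> none).
    if not sampled and tags["pct"] < 100:
        policy = POLICIES[max(POLICIES.index(policy) - 1, 0)]
    action = {"none": "deliver (monitor only)", "quarantine": "spam folder", "reject": "reject"}[policy]
    return {"result": "fail", "policy": policy, "action": action, "enforced": policy != "none"}


if __name__ == "__main__":
    # Third-party ESP bounce domain (SPF not aligned) and a strict-DKIM mismatch: p=reject applies.
    print(dmarc_disposition(ENFORCING, "example.com", True, "bounces.esp-provider.net",
                            True, "mail.example.com"))
    # Same failure under a monitoring-only record: delivered, nothing enforced.
    print(dmarc_disposition(MONITORING, "example.com", False, None, False, None))
```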
We say that some emails when opened have the option to either mark them as spam or hit unsubscribe. How does Gmail decide to show this and why doesn’t it show for all the senders?
The primary reason behind this is the domain reputation, and thus Gmail doesn’t decide to show this for all the senders. A mailbox provider wants to provide less information to a bad sender and as much information available to a good sender.
The second thing is including a list unsubscribe header, which is currently being prescribed by a lot of mailbox providers. Mail clients such as Apple Mail and Gmail clients pick the unsubscribe from list unsubscribe header and surface it to the subscriber or the user.
Elaborating a bit on list unsubscribe—the ‘unsubscribe’ option in particular—it’s good to have the ‘unsubscribe’ in the footers, which is a requisite in some markets, but it’s also good to have it in the headers. The absence of that option might force your users to mark your mail as spam. It’s rather good to have it in both the places.
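An added example (not code from the interview or from Zoho Campaigns) of the header-plus-footer advice above: it audits a message the way a mail client does, pulling the targets out of List-Unsubscribe, checking the RFC 8058 one-click signal (List-Unsubscribe-Post plus an https URI), and confirming an unsubscribe mention in the body. The three messages are constructed sample input.

```python
import email
import re
from email import policy

ONE_CLICK = "List-Unsubscribe=One-Click"   # fixed value defined by RFC 8058


def audit_unsubscribe(raw_message: bytes) -> dict:
    """Report how a message exposes its unsubscribe option to mail clients."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    header = msg.get("List-Unsubscribe")
    post = msg.get("List-Unsubscribe-Post")
    uris = re.findall(r"<([^>]+)>", str(header)) if header else []      # targets are angle-bracketed
    https = [u for u in uris if u.lower().startswith("https://")]
    mailto = [u for u in uris if u.lower().startswith("mailto:")]
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    footer_link = "unsubscribe" in body.lower()
    # One-click needs both the POST header and an https target in List-Unsubscribe.
    one_click = bool(https) and post is not None and str(post).strip() == ONE_CLICK

    issues = []
    if not header:
        issues.append("missing List-Unsubscribe header")
    elif not (https or mailto):
        issues.append("List-Unsubscribe has no https or mailto target")
    if post is not None and not https:
        issues.append("List-Unsubscribe-Post requires an https URI")
    if not footer_link:
        issues.append("no unsubscribe text in the body")
    return {"header_uris": uris, "https": https, "mailto": mailto,
            "one_click": one_click, "footer_link": footer_link, "issues": issues}


def build_message(headers: dict, body: str) -> bytes:
    """Assemble a minimal RFC 5322 message from constructed headers and a text body."""
    head = "\r\n".join(f"{k}: {v}" for k, v in headers.items())
    return f"{head}\r\n\r\n{body}".encode()


BASE = {"From": "News <news@example.com>", "To": "reader@example.net",
        "Subject": "Weekly digest", "Content-Type": "text/plain; charset=utf-8"}
GOOD_MSG = build_message(
    {**BASE,
     "List-Unsubscribe": "<https://example.com/u/abc123>, <mailto:unsub@example.com?subject=abc123>",
     "List-Unsubscribe-Post": ONE_CLICK},
    "Hello!\r\n\r\nTo unsubscribe, click here: https://example.com/u/abc123")
NO_HEADER_MSG = build_message(BASE, "Hello!\r\n\r\nTo unsubscribe, reply STOP.")
MAILTO_ONLY_POST_MSG = build_message(
    {**BASE, "List-Unsubscribe": "<mailto:unsub@example.com>", "List-Unsubscribe-Post": ONE_CLICK},
    "Hello! Unsubscribe: reply STOP.")

if __name__ == "__main__":
    for name, raw in [("good", GOOD_MSG), ("no header", NO_HEADER_MSG), ("mailto only", MAILTO_ONLY_POST_MSG)]:
        print(name, audit_unsubscribe(raw))
```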
When I open the emails I see the ‘alert’ banners. We see banners like ‘emails from this particular domain are marked as spam’ and ‘this mail is dangerous’ or ‘this link is dangerous’. How can a sender resolve this issue quickly and what is the use of it?
A lot of this is dependent on domain reputation. Rightly as those banners say, there are a lot of different rules that decide why a mail is placed in the spam folder apart from domain reputation being poor.
The other thing that makes your email look dangerous is a phishing signal. You might have a URL or something in the email that has phishing characteristics. In that case you might want to look at the content of your email, check all the URLs, and remove any URLs that are not hosted by you. I have seen people who break down the content of the email and send in different parts to troubleshoot where exactly the problem lies. There’s some effort involved if it’s a phishing-related issue.
The bigger picture is, ‘hey, my mails are going to spam folder, how do I get it back to inbox?’ So, reiterating what was mentioned previously, you need to have a good mailing list in place, looking at your audience, sending to an engaged audience, looking at your content, making sure that it’s structured in such a way that ensures your audiences are engaged and are going ahead and clicking the CTAs.
If you are already having a lot of spam complaints, then add an additional ‘unsubscribe’ at the top of your email instead of at the bottom of your emails. It will give your users an easy opt-out rather than marking the email as spam. If you are getting spam foldered, I would suggest you do not look like a spammer, follow the best practices, and ensure you’re sending emails to people who really want your email.
How long would it take to fix my domain reputation if I am following all the best practices?
It depends on the band of reputation in Google Postmaster Tools. If you are somewhere amidst a very poor reputation, it would take around 4-6 weeks while following all the best practices. It takes time as it depends on the number of positive signals given by you to Gmail for returning to the inbox. Look at a long timeframe—if you are doing everything right, you will see the benefit.
Experiencing an active cyberattack and defending against a potential breach can be an incredibly stressful time for an organization. However, many internal IT security teams lack the experience necessary to successfully respond to potential breaches, and getting immediate help from an outside resource can be next to impossible… until today.
We’re thrilled to announce the availability of Sophos Rapid Response, a new service which provides lightning-fast assistance with active threats, delivered by an expert team of incident responders.
The service, which has already helped dozens of organizations while in pilot mode, is available to both existing Sophos customers as well as non-Sophos customers.
When under attack, time is of the essence. That’s why the Rapid Response service is built to be fast. How fast? Onboarding starts within hours, and most customers are triaged in 48 hours.
“I’ve seen firsthand how the Sophos Rapid Response team is able to cut through all of the noise to quickly remediate security incidents within hours, and the feedback from customers has been nothing but exceptional,” said Jeremy Weiss, cybersecurity practice lead at CDW.
The Rapid Response team are experts at quickly stopping advanced attacks, minimizing damage and costs, and reducing recovery time. Regardless of whether it’s a ransomware infection, network compromise, or unauthorized access attempting to circumvent security controls, they’ve seen it all and stopped it all.
A new type of incident response service
Rapid Response is an industry first, offering a fixed-fee remote incident response service that responds to active cybersecurity attacks throughout its entire 45-day term of engagement.
There are no hidden fees or escalating costs, and customers are protected for the full 45-day subscription term. Should the threat return or a related threat emerge, Rapid Response will respond at no additional cost.
Unlike traditional incident response (IR) services, which are priced hourly, the fixed fee means you and the Rapid Response team share the same goal: to get your organization out of danger as quickly as possible. And since the service is delivered remotely, response actions can be initiated on day one.
“A charitable organization providing housing and support services to thousands of vulnerable adults was hit by ransomware, taking down operations at all of its more than 40 facilities. The organization called us for help, and we immediately deployed Sophos Rapid Response. Working together with Sophos Rapid Response, we were able to get them back up and running quickly so they could continue serving those in need,” said Steve Weeks, president at Netcetera.
More information about Rapid Response can be found on our website.
Interested in ongoing managed detection and response? Sophos Managed Threat Response (MTR) provides ongoing 24/7 threat hunting, detection, and response capabilities delivered by an expert team as a fully-managed service.
During our investigation of a Ryuk attack in September 2020, we found the Ryuk actors had used a relatively new method for gaining initial access: a malware dropper called Buer. The September attack was part of a low-volume spear phishing campaign tracked by Sophos. Over the next month, it evolved into a much larger spam campaign, carrying Buer as well as a number of other types of “loader” malware, as the Ryuk operators sought to ramp up their attacks.
First introduced in August of 2019, Buer is a malware-as-a-service offering used to deliver whatever package the service customer desires, providing initial compromise of targets’ Windows PCs and allowing them to establish a digital beachhead for further malicious activity. Buer has previously been tied to banking trojan attacks and other malware deployments, and now, apparently, has been embraced by ransomware operators. In many ways, Buer is positioned as an alternative to Emotet and to Trickbot’s emerging Bazar loader, both of which are deployed using similar behaviors.
Buer was first advertised in a forum post on August 20, 2019 under the title “Modular Buer Loader”, described by its developers as “a new modular bot…written in pure C” with command and control (C&C) server code written in .NET Core MVC (which can be run on Linux servers). For $350 (plus whatever fee a third-party guarantor takes), a cybercriminal can buy a custom loader and access to the C&C panel from a single IP address—with a $25 charge to change that address. Buer’s developers limit users to two addresses per account.
The bot code, compiled separately for each customer’s download, has an advertised size between 22 and 26 kilobytes, though the sample we looked at was about 40 kilobytes once unpacked from its dropper. The bot can be built either as a 32-bit Windows executable or as a DLL.
The C&C can be used to track the number of successful downloads in a campaign, and to assign tasks to bots by filters such as the country they’re in, the “bitness of the operating system” (32 or 64 bit), the number of processors on the infected machine and the level of permissions obtained by the bot. Bots detected to be operating within the Commonwealth of Independent States will be shut down—which is a common behavior of malware developed in the ex-USSR region, as an attempt to avoid attention from local authorities.
Tasks can be scheduled to run for a specific amount of time, or suspended upon command, with telemetry for the task sent back to the panel. The panel can also be used to deploy updates to bots, including (at least based on the advertisement) deployment of modules, with prebuilt modules to be added “over time” as part of the service. And of course, setup consulting and technical support are provided.
Prize inside every doc
Sophos’ Rapid Response team discovered a sample of Buer at the root cause of a September Ryuk attack. The loader was delivered by a malicious document stored on Google Docs, which required the victim to enable scripted content to activate—a behavior similar to Emotet and other loader attacks via malicious spam emails but leveraging cloud storage to make forensic analysis more difficult.
We collected other messages from the same campaign in Sophos’ spam traps during the same period. The messages all used Google Docs files, and were sent using a popular commercial email distribution service—further obscuring the source and the link associated with the malicious document.
The payload of that malicious document was named print_document.exe. Like other Buer dropper samples we’ve analyzed, it was a digitally signed binary, using a stolen and now-revoked certificate that DigiCert had issued on September 17, 2020 to “NEEDCODE SP Z O O,” a Polish software developer. The dropper was built using modified code from a Microsoft sample application for image capture, AcquireTest, using the code’s function for “file enumeration” to delete and drop code.
The dropper does a number of things to ensure proper delivery. It first checks for the presence of a debugger to evade forensic analysis, and then checks language and localization settings to determine the geographic region of the system being attacked. If the settings match a CIS country, it will exit without depositing the malware. Otherwise, the dropper then dumps the Buer bot in memory and executes it.
Intriguingly, the Buer loader and Ryuk ransomware use the same shellcode loader to execute the unpacked malware code in memory.
This may not be an indication of shared authorship; the developers may have simply used the same sample code as their source.
Upon launch, the Buer bot does a number of things to set up shop. It executes two sets of PowerShell commands: one runs Set-ExecutionPolicy Bypass so that the bot’s subsequent PowerShell commands execute without script-policy warnings, and the other runs Add-MpPreference -ExclusionPath to add entries to Windows Defender’s exclusion list, hiding the files it later downloads from Windows’ built-in malware protection.
Buer queries the Windows Registry for the MachineGuid value under HKLM\SOFTWARE\Microsoft\Cryptography to obtain a unique identifier for the infected machine. The bot then calls home, interacting with the command and control server (in this case, 104[.]248.83.13) through a series of HTTPS POST and GET requests.
Then there’s the “loader” part of what Buer does. The files packaged to be dropped by Buer are retrieved from a designated source and written to a folder created under the C:\ProgramData directory; the folder name is generated programmatically and varies between deployments. In the September attack, Buer was used to deploy a Cobalt Strike beacon to the infected computer, which was then in turn used to exploit the network and launch a Ryuk attack.
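To make these host-side behaviors concrete, here is an added hunting example (it is not code from the Sophos report) that runs over a handful of constructed Sysmon-style events: process creations carrying the Set-ExecutionPolicy Bypass and Add-MpPreference -ExclusionPath commands, including a base64 -EncodedCommand variant (an assumption about obfuscation that the report does not describe), an executable written to a freshly created folder under C:\ProgramData, and an outbound connection from that dropped binary to the C2 address quoted above. The event field names follow Sysmon’s schema; the events, paths, folder name and vendor allowlist are all invented for illustration.

```python
"""Added hunting example for the Buer behaviors described above.  The events
below are CONSTRUCTED Sysmon-style records (EventID 1 = process creation,
3 = network connection, 11 = file creation); they are not from the report."""
import base64
import re
from typing import Dict, Iterable, List, Tuple

# Set-ExecutionPolicy Bypass, or powershell.exe -ExecutionPolicy/-ex/-exec Bypass
EXEC_POLICY_BYPASS = re.compile(
    r"(?:set-executionpolicy|-(?:ex|exec|executionpolicy)\b)\s+bypass", re.I)
# Add-MpPreference / Set-MpPreference with an -Exclusion* parameter (Defender tampering)
DEFENDER_EXCLUSION = re.compile(
    r"(?:add|set)-mppreference\b.*?-exclusion(?:path|process|extension)", re.I | re.S)
# powershell -EncodedCommand / -enc / -e <base64 of a UTF-16LE script>
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# An executable, DLL or script written under a top-level folder of C:\ProgramData.
# Assumption (not from the report): any folder name outside VENDOR_ALLOWLIST is suspect.
PROGRAMDATA_DROP = re.compile(
    r"^c:\\programdata\\(?P<folder>[^\\]+)\\.*\.(?:exe|dll|ps1)$", re.I)
VENDOR_ALLOWLIST = {"microsoft", "sophos", "package cache"}
# Network IOC taken from the report (the C2 seen in the September incident).
KNOWN_C2 = {"104.248.83.13"}


def expand_encoded(cmdline: str) -> str:
    """Append the decoded form of any -EncodedCommand argument so that the
    signatures above also fire on a base64/UTF-16LE obfuscated invocation."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return cmdline
    try:
        decoded = base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} <decoded: {decoded}>"


def hunt(events: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings.  Suspicious file drops are remembered so a
    later network connection from a dropped binary is flagged even when the
    destination is not a known C2 address."""
    findings: List[Tuple[str, str]] = []
    dropped: set = set()
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            cmd = expand_encoded(ev.get("CommandLine", ""))
            detail = f"{ev.get('ParentImage')} -> {ev.get('CommandLine')}"
            if EXEC_POLICY_BYPASS.search(cmd):
                findings.append(("execpolicy-bypass", detail))
            if DEFENDER_EXCLUSION.search(cmd):
                findings.append(("defender-exclusion", detail))
        elif eid == 11:
            target = ev.get("TargetFilename", "")
            match = PROGRAMDATA_DROP.match(target)
            if match and match.group("folder").lower() not in VENDOR_ALLOWLIST:
                dropped.add(target.lower())
                findings.append(("programdata-drop", f"{ev.get('Image')} wrote {target}"))
        elif eid == 3:
            image = ev.get("Image", "").lower()
            dest = ev.get("DestinationIp", "")
            if dest in KNOWN_C2 or image in dropped:
                findings.append(("c2-beacon", f"{ev.get('Image')} -> {dest}:{ev.get('DestinationPort')}"))
    return findings


# --- constructed sample events (invented paths and folder name) ---------------
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\victim\AppData\Local\Temp\print_document.exe"
# Constructed encoded form of the Defender exclusion command.
ENC_SAMPLE = base64.b64encode(
    r"Add-MpPreference -ExclusionPath C:\ProgramData".encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Image": POWERSHELL, "ParentImage": DROPPER,
     "CommandLine": "powershell.exe -NoProfile -c Set-ExecutionPolicy Bypass -Scope Process"},
    {"EventID": 1, "Image": POWERSHELL, "ParentImage": DROPPER,
     "CommandLine": "powershell.exe -NoProfile -enc " + ENC_SAMPLE},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\ProgramData\8f3a1c\svc.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",          # benign installer
     "TargetFilename": r"C:\ProgramData\Microsoft\SomeProduct\helper.dll"},
    {"EventID": 3, "Image": r"C:\ProgramData\8f3a1c\svc.exe",
     "DestinationIp": "104.248.83.13", "DestinationPort": 443},
    {"EventID": 1, "Image": POWERSHELL, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -c Get-MpPreference"},                 # benign admin check
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Running the script prints four findings for the six sample events: the execution-policy bypass, the Defender exclusion (recovered from the encoded command), the drop into the unknown ProgramData folder, and the beacon from that binary; the two benign events produce nothing. In a real deployment the same logic maps directly onto Sysmon or EDR telemetry, and the ProgramData allowlist needs to be tuned to the software actually installed in the environment.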
Mixing it up
The malicious spam campaign that resulted in the Buer loader and Ryuk ransomware infections evolved at the end of September, as we observed the actors behind it shift the same tactics from low-volume sending through SendGrid to mail sent through Internet hosting providers, predominantly a single Russian ISP. Then in October, the volume of spam rose dramatically, shifting away from Google Docs (as Google shut down the old files for terms of service violations) to another commercial email and file delivery service.
In the last two phases, while the tactics remained similar and other hallmarks suggested the spam actor was the same, multiple types of “dropper” malware were deployed as attachments. In addition to Buer, samples of Bazar and ZLoader were also found, with delivery payloads varying. For one Bazar loader payload, the attackers used a password-protected Excel spreadsheet. During the same timeframe, Bazar and ZLoader were also known to be involved in Ryuk attacks.
It’s clear that Ryuk is back, and that the actors behind it are evolving their methods for initial compromise, using multiple loader bots to achieve initial access. It’s not clear if the same actor is behind all of these attacks, using multiple malware-as-a-service platforms to deliver Ryuk, or if there are multiple Ryuk actors. But the similarity in techniques across these campaigns suggests that there is at least coordination between them: they use targeted emails with cloud-based malicious documents and a lure to spur immediate action (often related to wages or taxes).
The best mitigation for these attacks is to reinforce training on phishing attacks. While these malicious emails are targeted, they are usually awkwardly worded and use the target’s name in odd ways. Careful reading of the email will tip off most educated users. But these attacks are growing in sophistication, and even well-trained users may eventually click on the wrong link in an email if spam detection doesn’t catch them first.
Sophos detects and blocks Buer both with custom detections (Troj/BeurLd-A) and machine learning, and detects the spear phishing messages as spam.
Sophos would like to acknowledge the contributions of Peter Mackenzie, Elida Leite, Syed Shahram and Bill Kearny of the Sophos Rapid Response team, and Anand Ajjan, Brett Cove and Gabor Szappanos of SophosLabs, to this report.
XG Firewall v18 includes several performance gains that will breathe new life into your network, enabling you to handle more traffic and better secure it.
If you haven’t upgraded to XG Firewall v18 already, you’re going to want to do so as soon as possible to take advantage of the substantial performance benefits waiting for you.
What are the gains and where do they come from?
Consider these potential performance boosts available by upgrading to XG Firewall v18:
Those are some impressive performance improvements!
One of the most exciting enhancements to XG Firewall in v18 was the introduction of the new Xstream Architecture, with its all-new streaming DPI engine, advanced TLS 1.3 inspection solution, and Network Flow FastPath.
Let’s look at how the Xstream Architecture upgrades your performance:
Trusted traffic FastPath acceleration
The new Xstream Network Flow FastPath is all about performance. It directs trusted traffic that doesn’t require security scanning into a fast lane through the system. This not only minimizes latency and accelerates application traffic through the firewall, it also has the added benefit of not engaging the DPI engine for deep-packet inspection of trusted traffic.
The impact of fast-pathing is up to a 5x improvement in firewall traffic throughput! Of course, with a blend of real-world traffic mixes, not all applications qualify for trusted traffic FastPath acceleration, but if a substantial portion of your traffic can be accelerated on the FastPath, you could increase your firewall’s security scanning capacity while allowing more trusted traffic. That’s a win-win.
Be sure to see how to make the most of the Network Flow FastPath on your network to learn how this works and how to set it up optimally.
TLS inspection speed
The new Xstream TLS inspection solution also brings a tremendous boost in decrypting and inspecting encrypted traffic flows, with up to a 2x improvement in performance. And when you combine the added performance with the very granular and easy to manage TLS inspection policies, you can be sure you’re only inspecting traffic that really needs it – and now do it faster than ever.
See how to make the most of Xstream TLS Inspection on your XG Firewall.
IMIX traffic performance
Internet Mix, or IMIX, is an often-used reference for measuring typical real-world internet traffic performance, making it a good metric to consider when looking at performance.
The new Xstream architecture in XG Firewall v18 brings a substantial boost in performance to this important metric. On our mid-range firewall models, the gains are over 100%, with the average across the XG Series line being a 57% improvement in performance.
This is all thanks to optimizations in the packet processing flow, DPI engine, and Network Flow FastPath. It’s an incredible real-world improvement in traffic processing performance.
Other common traffic performance measurements also benefit from the Xstream architecture in v18, including raw firewall performance, IPS, AV, application control, and malware protection.
Get the latest XG Firewall brochure to see the latest performance metrics and how your XG Series model stacks up.
SSL VPN capacity
Further optimizations to our SSL engine in XG Firewall v18 MR3 bring some dramatic improvements to remote access SSL VPN capacity, with up to 6x the number of connections possible on our higher-end appliances.
Increases are more modest at the entry-level, but on a typical mid-range device like the XG 310, the capacity has tripled! This is great news for everyone managing a remote workforce these days.
Check out the other great enhancements with remote-access VPN.
If you haven’t already, upgrade to XG Firewall v18 today. It’s a free performance boost, and you get a ton of great new protection and networking features.
Be sure to take advantage of all the resources available, including the recent “Making the Most of XG Firewall v18” article series that covers all the great new capabilities in XG Firewall v18:
As we all know, the holiday season of 2020 is going to be unlike any other because of our “new normal.” This is why you’ll need to consider learning, unlearning, and relearning new strategies for email marketing during this unprecedented time.
The Zoho Campaigns team recently conducted a Twitter chat and webinar with a couple of email marketing experts on this, and we’d love for you to take a glimpse at what we discussed. Some of these tips are applicable for any year, but many of them here are to help you adjust to the changing needs in 2020. Let’s get started!
Excerpts from Twitter chat #ZCampaignsChat
We had tweeted out seven different questions related to holiday season email marketing, and here’s what our experts had to tell us.
Q1. Given our “new normal” related to COVID-19, what twists and turns do you expect to encounter during the upcoming holiday season?
A1: Brands will need to control their urge to flood inboxes with generalized broadcast #emailmarketing holiday promos and instead segment intelligently with different offers to different customer groups and personas #Zcampaignschat
Bottom Line: More than in any recent time, there will be a rise in online shopping. So be careful to send emails that are relevant to the right people. This can be achieved with the help of list segmentation. Hold off on typical marketing or promotional emails and instead focus on targeted offers and promotions.
Q2. What are some of the best practices/experiments email marketers can try in these uncertain times?
A2: Implement or increase use of #emailmarketing automations, journeys and sequences to have more of a dialog with subscribers. Also gather or expand messaging/service/product preferences #Zcampaignschat
Bottom Line: Build trust and relationships with your contacts and start sending personalized email campaigns. Make use of automation in order to have meaningful targeted conversations with your contacts. This helps make them realize that you value them.
Q3. When do you recommend sending the first holiday email and how often should emails be sent?
Bottom Line: You will have to start warming up people by sending them email campaigns at least a week ahead, leaving sufficient time for them to prepare for the holidays. Strategic timing for your emails matters the most for engaging with them.
Q4. What are some basic questions that need to be addressed before sending holiday emails?
A4. Make sure a customer’s online customer experience is frictionless. Is it easy to find items and checkout? For emails- map the touchpoints before, during and after each promotion. Don’t forget to segment your audience and personalize each email. #ZCampaignsChat
Bottom Line: Holidays differ based on regions, so you ought to know your contacts based on each region. Find particular holidays in each region and plan your email campaigns one step ahead by segmenting your lists based on demographics. Then make sure to personalize each email with offers and promotions that are region-specific and relevant.
Q5. How do you deal with inactive contacts during the holiday season?
A5: We create unengaged segments and sync those to Facebook/Instagram. We have our paid social team try to get those folks to come back to the website. We either a) get them to re-opt in or b) we look at people who ended up visiting the site and we target them.
Bottom Line: Start sending them reactivation campaigns like special offers, preference-updating options, and more. This will help you find people who are somewhat interested in your brand or services. Once you identify the contacts who opened, you can continue to engage with them to bring them back on board.
Q6. Holiday emails are also about visual content. What are some trends and interesting usage of visuals you like?
A6: Holiday is the time to increase use of animation, video and dynamic elements (timers, location-specific content, etc.) – especially for retailers. Plus it provides more image real estate in email to feature more products and ideas. #zcampaignschat
Bottom Line: Apart from including photographs of your products, make sure to give importance to GIFs, illustrations, and more. Combining an attractive flow of content with a relevant message will increase the chances of engagement, thus improving customer relationships and sales. Try using pre-built email templates or get creative to ensure your content is a visual treat for your contacts.
Q7. What are some tried and tested abandoned cart recovery email strategies that will result in revenue?
Bottom Line: Always remember that most customers abandon their carts unknowingly. So, consider your abandoned cart email as a reminder to help pull your customers back. When would your contacts like to receive these emails? You’ll have to test this and find out. We suggest you send the email within 24 hours of the cart abandonment. Also, make sure to add some urgency to the emails to start recovering sales.
Those are some insights from our Twitter discussion, but that’s not all the tips and tricks we have for you today.
Excerpts from our webinar with Liz Willits
Let’s now look at what email marketing strategist Liz Willits had to say in our recent webinar, How to adjust your 2020 holiday email marketing game to changing needs.
Here are 12 tips Liz discussed:
As marketers, being sensitive to your audience is always very important, but it’s especially important when your audience is going through a lot. There are a few ways to work this right:
Choose your words carefully
Keep an eye on current events so you don’t end up sending emails that arrive at an inappropriate time.
Don’t make light of serious situations
It’s better not to make jokes about things like COVID-19—it’s really hard to strike the right note on a joke or while making light of something serious.
Consider giving an extra offer
If your audiences are being affected economically by COVID-19 and you think your product would be helpful to them, go the extra mile and help them with what you can. These are the times you might want to send them love by giving extra sales or offers.
Be aware of the different holidays
Take into account all the holidays your audience celebrates to make sure you’re sending them relevant holiday campaigns. For example, don’t send a Thanksgiving promotion to the part of your audience that lives in India, where Thanksgiving isn’t celebrated.
Many holidays like Black Friday, Hanukkah, and Christmas are going to come really soon, so have your content plan ready.
Start planning out your design elements now if you use heavily designed templates with different imagery. Start working with your design team well ahead since everyone will be busy with their personal lives on top of work. Get things ready by October or early November.
Don’t send your emails right on the holiday. For example, if it’s Black Friday, send your sale campaigns a week in advance. Do pre-holiday sale and post-holiday follow-up campaigns.
Don’t send too many emails
Avoid overwhelming your audience with too many emails—especially in 2020—because they have a lot going on in their lives already.
The best way you can do this is by providing an opt-out option for the sale campaign. This lets them opt out of that specific sale campaign rather than unsubscribing from your entire email list. Give them the right to choose what they want.
This is the time to be empathetic. Keep in mind the experience that they are having and try to show empathy in your tone rather than being salesy.
Use dynamic content to update your sales emails
Use dynamic content to update your holiday emails even after they’ve hit the inbox. For example, if you’ve sent a campaign on a flash sale and someone opens the campaign after the sale is over, they should read a banner that says, “Sorry, this sale is over, but you can still shop this week’s deals.” Dynamic content helps you stay relevant.
Write subject lines that stand out
Your audiences’ inboxes are flooded with emails during the holiday season, and your email will just remain unopened if you use ordinary subject lines. For example, do not just use “Merry Christmas” and talk about your newly launched product in your content. Use subject lines that are creative and that make you stand out, especially during the holiday season.
Make your copy easy to read
Don’t make your email content confusing, complicated, or heavy to read. Here are a couple of ways to create a readable and scannable copy:
Use short sentences and paragraphs, bullet points, and headlines to break up sections and paragraphs.
Use “you” instead of “we” or “I.” In other words, your angle should be about how your message benefits them. For example, don’t say “We just launched a new product.” Instead say, “You can get 40% off this new product.”
Keep your subscribers aware of important dates
It’s important to keep your subscribers informed of important dates like the last day of a sale or the last day to get a product shipped before Christmas. Highlight them in your subject lines with the time the sale ends.
Create gift guides
This is the best thing ecommerce businesses can do during the holiday season. Not just ecommerce—even B2Bs can do it. While ecommerce businesses can create gift guides for different gift categories such as Gifts for him, Gifts for her, and Gifts for friends, B2Bs can create gift guides like a guide for email marketers that includes their blog posts, tips, and tricks.
Clear is better than clever
Don’t try to be clever or cute in your content. People don’t have time to decode clever content. Rather, focus on the key idea that needs to be delivered. This doesn’t mean your content has to be blunt, but make sure you create enough curiosity in your audience’s mind to read on.
Use alt text
Some people have turned off images in their inbox, or sometimes things can simply go wrong, so always place clear alternative text behind your image. That way recipients will still get your key messages and understand the context even if they can’t see the image.
It’s fun season, so remember to excite your audience with your emails. Get festive! A great way to do this is through your email design. Go with a holiday game or holiday party theme, run giveaways, and find other ways to make your audience happy. Have fun with these little things in your emails during the holiday season.
Show off your product
This is very important for ecommerce businesses—it might seem straightforward, but it’s important to show your products to your audience. The best way to do this is by showing specific products that will excite your audience in the holiday email. This will get them to click the ones they’re interested in. This is a great way to take your recipients to your website and get them to purchase your products.
We hope these insights help you warm up your holiday email marketing strategy. Have fun creating content that resonates with your audience. Wishing you all a happy holiday season 🙂