URL Protection – stop phishing and malicious weblinks


Malicious URLs can silently infiltrate and compromise your Salesforce environment. From phishing to malware and credential theft, these covert risks can disrupt your daily business operations and damage your trusted brand. This deep-dive exposes the intricacies of malicious URLs, their methods of distribution via Salesforce, and the evolving tactics of cybercriminals. Delve into real-life incidents, current threat landscapes, and discover how WithSecure's URL Protection feature fortifies your Salesforce defense system, offering real-time protection and robust threat analysis.

Phishing risks

Phishing is one of the most common and successful cyber-attack vectors. Malicious URLs form the backbone of these phishing schemes, designed to masquerade as legitimate links. These URLs typically redirect unsuspecting users to fraudulent websites, where they are duped into revealing sensitive information. As they become more sophisticated, distinguishing these URLs from safe ones becomes increasingly challenging, making them a potent threat within Salesforce environments.

URLs are used in credential harvesting, where attackers construct websites that mirror legitimate business services to steal login information. Once an unsuspecting Salesforce user enters their credentials, the attackers gain access to private systems and data, leading to potential identity theft and unauthorized system access.

Malware risks

URLs can serve as trojan horses for malware dissemination. Clicking on a seemingly benign link can trigger the download and installation of harmful software. Malware spread via URLs may range from spyware, recording every keystroke, to ransomware, which can lock an organization out of its own data. This underscores the critical need for vigilance against URL-borne threats within Salesforce, as every file or link interaction could be a potential vector for infection.

Some cyber threats do not even require user interaction, such as drive-by downloads. Merely visiting a website with malicious intent can cause malware to download and install automatically. These URLs exploit vulnerabilities within the browser or its extensions, carrying out actions without the user's knowledge or consent. This silent havoc often goes unnoticed until significant damage has occurred.

Distribution of URLs in Salesforce

Salesforce's expansive platform is full of potential entry points for attackers. From custom fields to community posts, any area where a URL can be entered poses a risk. These open text fields, especially when accessible by external users, increase the vulnerability of the environment to malicious URLs.

Attackers adeptly leverage these entry points, exploiting Salesforce's features to inject harmful URLs. For instance, email-to-case or web-to-case functionalities, which are meant to streamline customer service processes, can be subverted to introduce phishing links or malicious URLs, directly targeting customer service representatives who may unwittingly click on them.

The ever-evolving nature of URLs

The safety of a URL is not a constant; it can change from safe to dangerous in moments. Malicious actors can hijack legitimate sites or dynamically generate harmful URLs, making time-of-click protection a necessity. Such security measures evaluate the URL as it's accessed, not just when it's received, accounting for real-time threat emergence.

The convenience of shortened URLs in space-constrained communications is undeniable. However, these shortened links also provide a perfect cover for obfuscating malicious destinations, allowing attackers to hide their true intentions behind a veil of legitimacy. This tactic is particularly concerning in environments like Salesforce, where such links could be distributed widely with a single click.

The current threat landscape

Salesforce has highlighted phishing as the paramount concern for IT leaders. Data supports this concern: 41% of cyber attacks deploy phishing techniques, leveraging the familiarity and trust of public-facing applications. More alarmingly, IBM reports that 26% of these phishing campaigns specifically target such applications, with a further 16% of attacks successfully abusing legitimate user accounts to bypass security defenses.

This quantifiable data emphasizes the need for comprehensive security against URL-based threats, including within Salesforce environments, where phishing attempts can blend seamlessly with regular operations. The presence of phishing links in Salesforce (detectable in approximately 1% of the millions of URLs scanned from large enterprises and critical public entities globally) showcases the persistent nature of this threat. Such statistics are a clarion call for robust anti-phishing measures.

A real-life incident scenario

Let's break down a real cyber attack that happened via Salesforce, as observed by our incident response consultant, showing how the attack unfolded and what was done to fix it.

  • Initial compromise: A phishing email, which looked normal but contained a dangerous link, got through the email security and ended up in the company’s Salesforce system.
  • The lure: Inside Salesforce, employees found the document from the phishing email. Clicking on the link in the document led them to a fake webpage set up by the hackers.
  • Credential capture: The fake webpage tricked employees into entering their login details, including their extra security codes (tokens), which the attackers then stole.
  • Unauthorized access: The attackers used these stolen details to get into the company's Microsoft systems without permission. This was noticed because of unusual sign-ins from other countries.
  • Detection: The company took a closer look at one employee’s laptop after noticing these strange sign-ins. They found that the laptop had visited some suspicious websites, pointing to an outside attack.
  • Full exposure: Further investigation connected these signs back to the phishing email in Salesforce. This showed that the company's normal security wasn't enough to stop such clever attacks.
  • Counteraction: Once the company knew about the breach, they stopped the stolen login details from being used and strengthened their security to prevent this kind of attack in the future.

This attack shows that cyber threats can sneak in through Salesforce and that usual security systems might not catch them. Companies need to have strong, up-to-date defenses that look for threats in real time and can check everything thoroughly if there's an attack. It's a reminder that being ready for all types of attacks is important for keeping Salesforce and other systems safe.

URL Protection

URL Protection is a key security function in WithSecure Cloud Protection for Salesforce. It proactively prevents Salesforce users from accessing malicious or unwanted content, in real time, across your custom objects and fields and the following Salesforce standard objects:

  • Chatter posts and comments
  • Inbound and outbound email messages
  • Case comments and descriptions
  • Web-to-lead descriptions
  • Task comments

Real-time protection

WithSecure Cloud Protection for Salesforce actively combats phishing threats. As users interact with Salesforce, they might upload URLs without knowing their safety. The URL Protection feature immediately checks these links, both at the time of upload and when clicked. This ensures users are not exposed to harmful content, keeping your Salesforce environment safe and trusted.

You can configure Click-Time URL Protection separately. 

URL scanning inside files

Not just visible links, but URLs within files are a concern too. WithSecure’s File Protection automatically scans and removes malicious URLs hidden in files uploaded to Salesforce. If it finds a threat, it shows up in the File Events report.

Advanced Threat Analysis

WithSecure Security Cloud doesn’t just skim the surface. It conducts a detailed, multi-layered content analysis. Suspicious URLs that pass initial reputation checks are escalated for a more in-depth review. This approach ensures comprehensive protection, catching threats that might slip past simpler screening methods.

Shortened URL scanning

Shortened URLs, while convenient, can hide risks. WithSecure Cloud Protection for Salesforce actively detects and blocks these hidden threats, ensuring links are safe. This crucial safeguard is part of the automatic URL Protection feature.

Threat remediation

When harmful content is identified, it’s automatically blocked or removed. Administrators and security teams receive alerts, and users are informed about the action taken. This proactive approach means threats are stopped before causing harm, and teams can respond swiftly to potential breaches.

Content filtering

URL Classification allows you to prevent access to sites that may not be work-related or could pose a security risk. It’s a means of preemptively reducing the chance of user interaction with harmful content, enforcing a safer digital workspace. 

You can enforce usage rules in 28 different categories: Abortion, Ad services, Adult, Alcohol and tobacco, Anonymizers, Auctions, Banking, Blogs, Chat, Dating, Drugs, Entertainment, Gambling, Games, Hacking, Hate, Job search, Payment service, Scam, Shopping, Social networking, Software download.

Reports and Analytics

Monitoring and responding to threats is made straightforward with WithSecure’s detailed reporting and analytics. These tools give a clear view of the URL protection status, offering insights and audit trails. It’s about not just detecting threats but understanding them to prevent future risks.

The following attributes are available in URL Protection reports:

URL Scan: ID, URL Scan: Name, Action, Categories, Date/ Time, Direction, IP Address, Location, Reason, Reputation, Reputation Description, URL, User, Verdict, Owner Name, Owner Alias, Owner Role, Created By, Created Alias, Created Date, Last Modified By, Last Modified Alias, Last Modified Date.

Key takeaways

  • Malicious URLs within Salesforce pose serious risks, enabling phishing, malware spread, and credential harvesting
  • Salesforce’s vast platform offers multiple entry points for attackers, with both standard and custom fields vulnerable to malicious URL injections
  • The dynamic nature of URLs necessitates time-of-click protection, with even short links posing significant security challenges
  • WithSecure’s URL Protection feature offers comprehensive real-time safeguarding against phishing and malicious URLs in Salesforce environments
  • Advanced Threat Analysis through WithSecure Security Cloud provides a multi-stage content review process for thorough threat detection
  • URL Classification and detailed reports and analytics empower administrators to monitor and control access, enhancing Salesforce security
