
Webmail services are under a barrage of XSS attacks. What SMBs need to know

  • Writer: ESET Expert
  • 1 day ago
  • 5 min read

XSS attacks are a prevalent threat but can be stopped at multiple stages, and businesses need only simple tools to do it.


Due to their flexibility and affordability, webmail services are a popular alternative to traditional on-prem email applications. However, because webmail runs inside the user's browser, it creates opportunities for cybercriminals to inject malicious code into the pages a user visits and steal valuable business data.


This is a well-known fact, and the recent ESET research blog on cybercriminal group Sednit’s campaign to target multiple webmail services confirms that it remains a popular way to compromise businesses.


Facing well-organized groups that abuse known vulnerabilities or are willing to put extra effort into finding new ones means businesses need to realize that webmail services are not simple set-and-forget solutions, but software that requires critical maintenance and advanced cybersecurity protection. 


Webmail application popularity

Despite software companies massively investing in the development of various collaboration platforms, email remains an extremely popular way for businesses to carry out their day-to-day communication. In 2023, the number of global email users amounted to 4.37 billion, with approximately 347 billion emails sent and received every day worldwide. This number is set to grow to 4.89 billion users and 408 billion daily emails by 2027.


Among the diversity of email platforms, users often prefer webmail services instead of desktop email clients. Litmus’ telemetry from 2022 shows that after Apple Mail Privacy Protection (52.2%), webmail was the most popular reading environment at 36%.


Small and medium-sized businesses (SMBs) typically opt for webmail due to lower expenses, easy integration, and high flexibility as webmail services can be accessed from any device with an internet connection without the need to install any software. On top of that, market leaders keep their mail services protected with multiple cybersecurity features.


All these benefits may create a false sense of a cheap, easy-to-maintain, and well-protected service that doesn’t require much administration. Who wouldn’t want reliable, easy-to-use, and well-protected software that costs next to nothing? But that’s not the whole story.


XSS attacks

Sednit is a Russia-aligned group that carried out an espionage operation targeting high-value webmail servers using cross-site scripting (XSS) attacks.


These attacks exploit vulnerabilities in the code of webmail services, allowing cybercriminals to inject their own malicious script into a compromised webmail site.


Such a compromise typically allows attackers to steal victims’ email messages and other sensitive information. This access can also be further abused to develop multi-staged cyberattacks such as business email compromise (BEC) or spearphishing.


XSS attacks are quite popular among cybercriminals, who keep finding new vulnerabilities, while businesses using webmail servers often fail to patch even those that are already known.


According to a 2024 Forrester report, 22% of security decision-makers who reported breaches via external attacks identified web application exploits as the entry point. These include common security flaws such as cross-site scripting (XSS) and SQL Injection (SQLi).


Operation RoundPress

In 2023, prior to the start of Sednit’s current Operation RoundPress, it began operation Roundcube. Over the course of the following year, the campaign expanded to other popular webmail software including Horde, MDaemon, and Zimbra.


Most victims have been governmental entities and defense companies in Eastern Europe, but governments in Africa, Europe, and South America were targeted as well.


In general, observed attacks started with spearphishing emails sharing news about notable events usually related to Ukraine.


The malicious code that triggered the XSS vulnerabilities was embedded in the HTML of the email message’s body and was not directly visible to the user. For the malicious JavaScript to run in the victims’ webmail pages, the user only needed to open the email. Nothing more.
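The vector described above, script carried in the HTML of a message body that runs as soon as the webmail client renders the mail, is something a mail gateway or webmail administrator can check for before the message reaches an inbox. The scanner below is an added example written for this article; it is not ESET code and not part of the RoundPress research. The tag and attribute lists, the `scan_email_html` name and the sample messages are constructed assumptions for the example.

```python
"""Heuristic scanner for active content in HTML email bodies.

Added example for this article; not ESET code and not from the RoundPress
research. It looks for the markup a script-injection payload in an email
body relies on: script-capable elements, inline event-handler attributes,
and javascript: URLs (including entity-encoded ones, which the parser
decodes before we see them). Sample messages are constructed.
"""
from html.parser import HTMLParser

# Elements that can execute or load active content when a webmail client renders them
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "base", "form"}
# Attributes that take a URL and can therefore carry a javascript: scheme
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data", "poster"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _is_script_url(value):
    # Browsers ignore whitespace and control characters inside the scheme,
    # so strip them before comparing (e.g. "java\tscript:" -> "javascript:").
    compact = "".join(ch for ch in (value or "") if ch.isprintable() and not ch.isspace())
    return compact.lower().startswith(SCRIPT_SCHEMES)


class ActiveContentFinder(HTMLParser):
    """Collects one finding string per suspicious tag or attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in ACTIVE_TAGS:
            self.findings.append("tag:" + tag)
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):  # onerror=, onload=, onmouseover=, ...
                self.findings.append("event-handler:%s@%s" % (tag, name))
            elif name in URL_ATTRS and _is_script_url(value):
                self.findings.append("script-url:%s@%s" % (tag, name))


def scan_email_html(html):
    """Return the list of findings for one HTML body; an empty list means clean."""
    finder = ActiveContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample bodies (not real campaign messages)
SAMPLES = {
    "newsletter": '<p>Weekly update</p><a href="https://example.com/news">Read more</a>',
    "hidden-handler": '<div style="display:none"><img src="x" onerror="x()"></div>',
    "encoded-url": '<a href="&#106;avascript:x()">Breaking news</a>',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, scan_email_html(body) or "clean")
```

The second sample shows why "not directly visible to the user" matters: the payload sits in a hidden element and fires from an image error handler, so the rendered mail looks empty. A scanner like this is a triage aid, not a substitute for patching; the webmail software itself must still neutralise such markup, because the attacker only needs one encoding the filter does not recognise.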


Attackers mostly exploited known vulnerabilities discovered in 2023 and 2024. In the case of MDaemon, Sednit exploited a zero-day vulnerability that had not been known before.

Depending on the webmail service and the abused vulnerability, Operation RoundPress is capable of some of the following malicious actions:


  • Credential stealing


  • Exfiltration of contacts, settings, and login history


  • Exfiltration of email messages


  • Exfiltration of the two-factor authentication (2FA) secret


  • Creation of an app password, which enables attackers to access the mailbox from a mail application and send and receive messages, without having to enter the 2FA code, even if 2FA is activated
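The last item in the list is the one that outlives the session: an app password created through the victim's own browser looks entirely legitimate in the audit log (same user, same address), so a defender has to look at what happens next. The rule below is an added example written for this article, not ESET code; the event format, field names, `find_suspicious_app_passwords` and the sample events are constructed assumptions. It flags an app-password creation that is followed, within a short window, by a mail-client login from an address the user has never authenticated from before.

```python
"""Audit-log rule for app-password abuse after a webmail compromise.

Added example for this article; not ESET code. The event schema (ts, user,
event, ip) and the sample events are assumptions constructed for the
example. The rule keys on the mail-client login that follows the creation,
not on the creation itself, because the creation is performed by the
victim's own session.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
CLIENT_LOGINS = {"imap_login", "pop3_login", "smtp_auth"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_suspicious_app_passwords(events, window=WINDOW):
    """Return (user, creation_ts, client_ip) for each app password that was
    followed within `window` by a mail-client login from a never-before-seen IP."""
    events = sorted(events, key=lambda e: e["ts"])  # fixed-width ISO timestamps sort as text
    known_ips = {}  # user -> set of addresses seen in any earlier event (the login history)
    pending = []    # (user, creation time) for app passwords still inside their window
    hits = []
    for e in events:
        ts = parse_ts(e["ts"])
        user, ip = e["user"], e["ip"]
        seen = known_ips.setdefault(user, set())
        if e["event"] == "app_password_created":
            pending.append((user, ts))
        elif e["event"] in CLIENT_LOGINS and ip not in seen:
            for p_user, p_ts in pending:
                if p_user == user and ts - p_ts <= window:
                    hits.append((user, p_ts.isoformat(), ip))
                    break
        seen.add(ip)
        pending = [p for p in pending if ts - p[1] <= window]
    return hits


# Constructed sample audit events, not real logs.
# alice: app password created from her usual address, then IMAP from a new one.
# bob:   app password created and used from the same address he always uses.
EVENTS = [
    {"ts": "2025-05-12T08:01:00", "user": "alice", "event": "webmail_login", "ip": "203.0.113.10"},
    {"ts": "2025-05-12T08:04:30", "user": "alice", "event": "app_password_created", "ip": "203.0.113.10"},
    {"ts": "2025-05-12T08:09:10", "user": "alice", "event": "imap_login", "ip": "198.51.100.77"},
    {"ts": "2025-05-12T09:00:00", "user": "bob", "event": "webmail_login", "ip": "203.0.113.20"},
    {"ts": "2025-05-12T09:02:00", "user": "bob", "event": "app_password_created", "ip": "203.0.113.20"},
    {"ts": "2025-05-12T09:05:00", "user": "bob", "event": "imap_login", "ip": "203.0.113.20"},
]

if __name__ == "__main__":
    for hit in find_suspicious_app_passwords(EVENTS):
        print("review app password:", hit)
```

Because the rule compares against the user's own login history, it is only as good as the history the webmail server keeps; if that history can itself be exfiltrated (as listed above), treat the app-password inventory as something to review on a schedule as well, not only on alert.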


It starts with an email

After reading that attackers are capable of accessing sensitive business emails, the next statement may sound surprising: this campaign also yields several pieces of good news.


First, while vulnerabilities in webmail services are a problem, once they are discovered, developers can usually patch them quickly. For example, the patch for the MDaemon zero-day vulnerability was released within two weeks of ESET notifying MDaemon.


The second piece of good news is obvious: Businesses can avoid many of these attacks just by keeping their webmail servers up to date. When your webmail service releases a patch, apply it as soon as possible.


Third, to launch an attack, targeted users had to be convinced to open specific emails in the vulnerable webmail portal. With RoundPress, emails used convincing news-related headlines.

Thorough cybersecurity training should educate employees on recognizing and avoiding phishing emails. After all, why should employees read news appearing at random in their work email?


Fourth, where businesses fail to adopt all these prevention measures, they can still find protection via a reliable cybersecurity solution. In fact, ESET protected its clients against the RoundPress operation at multiple stages. For example, the ESET firewall blocks the exfiltration, and ESET endpoint protection blocks the malicious JavaScript.


Prevention with ESET

Understanding how these webmail attacks work, it’s clear that prevention is the best option for businesses to avoid breaches and any related disruptions. This is not always easy, especially for small and medium-sized businesses lacking the financial and professional resources to keep every security measure tight.


That’s why ESET has prepared a comprehensive solution, ESET PROTECT, based on its multi-layered protections and prevention-first approach. It provides formidable protection against malware and different kinds of cyberthreats, including those seen in XSS attacks — phishing emails, zero-days, and malicious scripts.


What is more, ESET PROTECT is easily scalable and operable from our unified cybersecurity platform, the ESET PROTECT Platform. This helps businesses adjust and manage ESET cybersecurity features according to their size and needs without overloading IT admins.


Further focusing on prevention, ESET has also developed Cybersecurity Awareness Training for employees to increase their awareness of common human-targeted cyberthreats, including spearphishing.


Open your email without worries

The hard reality is that sooner or later everyone comes across spam or malicious email. Despite native webmail protection offering some degree of security, cybercriminals will always try to find holes in their programming to steal data or deliver malware. Sometimes those threats are simple; sometimes they are carefully crafted by notorious cybercriminal groups with an infamous history of notable breaches.


However, there should be no need to worry about every email notification an employee receives. With the right awareness training, updated software, and cybersecurity solutions favoring prevention before intervention, businesses can deal with their daily tasks and communication with peace of mind.
