February 25, 2025

Gmail, Outlook Warning—Yes, You Need A New App – Forbes

[Image: Email has had its time]

A new warning for anyone using email on their phones this week, as the extent to which this is a broken format in dire need of a rethink becomes ever more obvious. For attackers, email remains wide open to attack. And while the efforts of Google, Microsoft and others to plug the threat dam are laudable, they will ultimately fail.

As I commented earlier this month, email is “a horribly archaic technology that has not really changed in a decade,” and that’s why “spam and phishing remain a ridiculous problem, despite Google blocking ‘more than 99.9%’ of it.” And we’re still at the early stages of an AI threat evolution that will make everything unimaginably worse.

There remain old school detractors that want to believe this problem can be fixed with one bandaid after another, but it’s hard to find any serious analysis that suggests email can’t be recut for 2025, moving past a look and feel that hasn’t really changed for more than twenty years. All the new security innovations we now see are designed and deployed to reduce rather than resolve email’s fundamental challenges.

And so it is with the new warning from Zimperium, that cybercriminals have worked out that while you can often spot a threat on your PC or tablet, you have much less chance on your phone. And so their crafty new attacks send out links that direct to legitimate websites from a PC but to dangerous websites from a phone.

The new attacks take advantage of the use of our own phones at work, logging into email and corporate platforms, often without any device security. But more critically, emails reformatted for small screens hide many telltale threat signs, and we are more likely to mindlessly tap a phone link than click a desktop email link.

“Attackers use device fingerprinting to deliver tailored attack paths for mobile users,” Zimperium warns. “If the phishing link is accessed via a desktop, then the attack is abandoned. On desktops or laptops, users were redirected to legitimate Google sites, for example, ‘support.google.com’, ‘mail.google.com’, ‘drive.google.com’, etc.”

[Image: Phishing redirection]

But on mobile devices it’s different. “Additional redirections were leveraged to identify the platform. If the link was accessed via a mobile device, a cloned Google sign-in page designed to steal credentials was presented to the mobile user.”

Google and Microsoft dominate the enterprise landscape with their platforms, and the good news is this is shifting the much more risky on-prem platforms to fully managed cloud-based services. This makes a rethink much more possible.

This isn’t just an email problem; it applies to other systems as well. Zimperium has warned about spear phishing attacks masquerading as DocuSign links by way of example, which is another app that reformats materially for mobile screens, removing many of the telltale signs we would likely spot elsewhere.

Zimperium says that “approximately 3% of analyzed phishing sites implement different redirection paths based on the user’s device type,” adding that “our analysis of verified phishing sites reveals a sophisticated pattern of desktop redirection to legitimate services as an evasion technique.”

Google and Facebook are “the primary destinations” for this “evasion tactic” that “allows attackers to maintain prolonged campaign effectiveness by appearing benign to security tools while still targeting mobile users with malicious content.”

It’s hard to believe that email will be the only platform to retain its past form forever. Whether driven by a disruptive force such as Elon Musk’s teased Xmail or by Gmail and Microsoft crafting messaging/email alloys that better serve today’s immediacy remains to be seen. But any argument that new apps are not required now fails.
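A defender-side check for the device-dependent redirection Zimperium describes, added here as an example and not taken from the article or from Zimperium: it compares the redirect chain a link analysis pipeline recorded for the same URL under a desktop and a mobile client profile. The record layout, function names and `.example` hosts are assumptions, and the crawl data is constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Desktop landing hosts named in the article; extend for your environment.
BENIGN_LANDINGS = {"support.google.com", "mail.google.com", "drive.google.com"}

# Constructed crawl records: (submitted URL, client profile, redirect chain).
# A real pipeline would fill these by fetching each URL once per User-Agent.
CRAWLS = [
    ("https://lure.example/r?id=1", "desktop",
     ["https://lure.example/r?id=1", "https://support.google.com/"]),
    ("https://lure.example/r?id=1", "mobile",
     ["https://lure.example/r?id=1", "https://hop.example/p",
      "https://signin-clone.example/login"]),
    # Ordinary site with a mobile subdomain: differs by device but is not cloaking.
    ("https://news.example/a", "desktop", ["https://news.example/a"]),
    ("https://news.example/a", "mobile",
     ["https://news.example/a", "https://m.news.example/a"]),
]

def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def find_cloaking(crawls, benign=BENIGN_LANDINGS):
    """Flag URLs whose desktop view parks on a benign host while mobile goes elsewhere."""
    by_url = defaultdict(dict)
    for url, profile, chain in crawls:
        by_url[url][profile] = chain
    findings = []
    for url, seen in by_url.items():
        if "desktop" not in seen or "mobile" not in seen:
            continue  # both views are needed for a comparison
        d_host = host(seen["desktop"][-1])
        m_host = host(seen["mobile"][-1])
        if d_host in benign and m_host not in benign:
            findings.append({
                "url": url,
                "desktop_final": d_host,
                "mobile_final": m_host,
                # The article notes extra redirections on the mobile path.
                "extra_mobile_hops": len(seen["mobile"]) - len(seen["desktop"]),
            })
    return findings

if __name__ == "__main__":
    for finding in find_cloaking(CRAWLS):
        print(finding)
```

A scanner that only fetches with a desktop profile sees the benign landing page, which is why the comparison needs both views of the same link.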

Source: https://www.forbes.com/sites/zakdoffman/2025/02/23/gmail-outlook-warning-yes-you-need-a-new-app/
