5 investors discuss the future of RPA after UiPath’s IPO

Robotic process automation (RPA) has certainly been getting a lot of attention in the last year, with startups, acquisitions and IPOs all coming together in a flurry of market activity. It all seemed to culminate with UiPath’s IPO last month. The company that appeared to come out of nowhere in 2017 eventually had a final private valuation of $35 billion. It then had the audacity to match that at its IPO. A few weeks later, it still has a market cap of over $38 billion in spite of the stock price fluctuating at points.

Was this some kind of peak for the technology or a flash in the pan? Probably not. While it all seemed to come together in the last year with a big increase in attention to automation in general during the pandemic, it’s a market category that has been around for some time.

RPA allows companies to automate a group of highly mundane tasks and have a machine do the work instead of a human. Think of finding an invoice amount in an email, placing the figure in a spreadsheet and sending a Slack message to Accounts Payable. You could have humans do that, or you could do it more quickly and efficiently with a machine. We’re talking mind-numbing work that is well suited to automation.

In 2019, Gartner found RPA was the fastest-growing category in enterprise software. In spite of that, the market is still surprisingly small, with IDC estimates finding it will reach just $2 billion in 2021. That’s pretty tiny for the enterprise, but it shows that there’s plenty of room for this space to grow.

We spoke to five investors to find out more about RPA, and the general consensus was that we are just getting started. While we will continue to see the players at the top of the market — like UiPath, Automation Anywhere and Blue Prism — jockeying for position with the big enterprise vendors and startups, the size and scope of the market has a lot of potential and is likely to keep growing for some time to come.

To learn about all of this, we queried the following investors:

  • Mallun Yen, founder and partner, Operator Collective
  • Jai Das, partner and president, Sapphire Ventures
  • Soma Somasegar, managing director, Madrona Venture Group
  • Laela Sturdy, general partner, CapitalG
  • Ed Sim, founder and managing partner, Boldstart Ventures

We have seen a range of RPA startups emerge in recent years, with companies like UiPath, Blue Prism and Automation Anywhere leading the way. As the space matures, where do the biggest opportunities remain?

Mallun Yen: One of the fastest-growing categories of software, RPA has been growing at over 60% in recent years, versus 13% for enterprise software generally. But we’ve barely scratched the surface. The COVID-19 pandemic forced companies to shift how they run their business, how they hire and allocate staff.

Given that the workforce will remain at least partially permanently remote, companies recognize that this shift is also permanent, and so they need to make fundamental changes to how they run their businesses. It’s simply suboptimal to hire, train and deploy remote employees to run routine processes, which are prone to, among other things, human error and boredom.

Jai Das: All the companies that you have listed are focused on automating simple repetitive tasks that are performed by humans. These are mostly data entry and data validation jobs. Most of these tasks will be automated in the next couple of years. The new opportunity lies in automating business processes that involve multiple humans and machines within complicated workflow using AI/ML.

Sometimes this is also called process mining. There have been BPM companies in the past that have tried to automate these business processes, but they required a lot of services to implement and maintain these automated processes. AI/ML is providing a way for software to replace all these services.

Soma Somasegar: For all the progress that we have seen in RPA, I think it is still early days. The global demand for RPA market size in terms of revenue was more than $2 billion this past year and is expected to cross $20 billion in the coming decade, growing at a CAGR of more than 30% over the next seven to eight years, according to analysts such as Gartner.

That’s an astounding growth rate in the coming years and is a reflection of how early we are in the RPA journey and how much more is ahead of us. A recent study by Deloitte indicates that up to 50% of the tasks in businesses performed by employees are considered mundane, administrative and labor-intensive. That is just a recipe for a ton of process automation.

There are a lot of opportunities that I see here, including process discovery and mining; process analytics; application of AI to drive effective, more complex workflow automation; and using low code/no code as a way to enable a broader set of people to be able to automate tasks, processes and workflows, to name a few.

Laela Sturdy: We’re a long way from needing to think about the space maturing. In fact, RPA adoption is still in its early infancy when you consider its immense potential. Most companies are only now just beginning to explore the numerous use cases that exist across industries. The more enterprises dip their toes into RPA, the more use cases they envision.

I expect to see market leaders like UiPath continue to innovate rapidly while expanding the breadth and depth of their end-to-end automation platforms. As the technology continues to evolve, we should expect RPA to penetrate even more deeply into the enterprise and to automate increasingly more — and more critical — business processes.

Ed Sim: Most large-scale automation projects require a significant amount of professional services to deliver on the promises, and two areas where I still see opportunity include startups that can bring more intelligence and faster time to value. Examples include process discovery, which can help companies quickly and accurately understand how their business processes work and prioritize what to automate versus just rearchitecting an existing workflow.

Investment Scammer John Davies Reinvents Himself?

John Bernard, a pseudonym used by a convicted thief and con artist named John Clifton Davies who’s fleeced dozens of technology startups out of an estimated $30 million, appears to have reinvented himself again after being exposed in a recent investigative series published here. Sources tell KrebsOnSecurity that Davies/Bernard is now posing as John Cavendish and head of a new “private office” called Hempton Business Management LLP.

John Davies is a U.K. man who absconded from justice before being convicted on multiple counts of fraud in 2015. Prior to his conviction, Davies served 16 months in jail before being cleared of murdering his wife on their honeymoon in India.

Davies’ fraud convictions stemmed from a series of U.K. companies he set up supposedly to help troubled companies reorganize their debt and turn things around. Davies ended up looting what little money his clients had left and spending it on lavish cars, home furnishings, vacations and luxury watches.

In a three-part series published last year, KrebsOnSecurity exposed how Davies — wanted by authorities in the U.K. — had fled the country, taken on the surname Bernard, remarried, and moved to his new (and fourth) wife’s hometown in Ukraine.

The scam artist John Bernard (left) in a recent Zoom call, and a photo of John Clifton Davies from 2015.

After eluding justice in the U.K., Davies reinvented himself as The Private Office of John Bernard, pretending to be a billionaire Swiss investor who made his fortunes in the dot-com boom 20 years ago and who was seeking private equity investment opportunities.

In case after case, Bernard would promise to invest millions in hi-tech startups, only to insist that companies pay tens of thousands of dollars worth of due diligence fees up front. However, the due diligence company he insisted on using — another Swiss firm called Inside Knowledge — also was secretly owned by Bernard, who would invariably pull out of the deal after receiving the due diligence money.

Bernard found a constant stream of new marks by offering extraordinarily generous finders fees to investment brokers who could introduce him to companies seeking an infusion of cash. Inside Knowledge and The Private Office both closed up shop not long after their exploits were detailed here late last year.

But it appears Davies has just assumed a new name. KrebsOnSecurity recently heard from an investment broker who previously represented multiple clients that got fleeced by Mr. Bernard/Davies over the years. That broker said he was blown away to hear Davies’ unique British accent on a recent call with a client that had been in investment talks with a Northern Ireland firm called Hempton Business Management.

This time, the source said, Davies was introduced by handlers on the call as John Cavendish.

“I just sat in on a call and John’s voice is unmistakable,” said the broker, who asked to remain anonymous. “He stumbled on the beginning of the call trying to remember which last name he was supposed to use. Immediately they go back to the standard script about the types of deals they are looking for. They want to be minority investors in private transactions and they are industry agnostic.  Their deal sizes are investments in the $5-20 million range, they prefer to not use big 4 firms for due diligence, and they have some smaller firms they use which are better suited for smaller investment deals.”

The source forwarded me some correspondence from Hempton Business Management, and I noticed it was sent from a Mariya Kulykova. This is interesting because Mr. Bernard’s personal assistant in Ukraine was a Mariya Kulikova (Ms. Kulikova deleted Bernard’s former companies from her LinkedIn profile shortly after last year’s series).

The company’s website says Hempton has been around since 2017, but the domain name was only registered in late November 2020. There is no information about who runs or owns the company on its site.

Hemptonllp[.]com was registered via Gandi, the same French registrar John Bernard/Davies has used over the years with his dozens of phantom companies.

Hempton Business Management’s only presence on LinkedIn appears to be a help wanted ad from a few weeks ago, for a marketing position at an office in Kyiv, Ukraine.

In response to an emailed request for comment on the apparent connections, Mr. Cavendish forwarded the message to a James Donohoe, who replied that he was the owner of Hempton. Donohoe said the domain was new because the company recently re-branded, although he declined to discuss the matter further.

“This sounds like an accusation of a big fraud?,” Donohoe wrote. “I have never had any dealings with a John Clifton Davies or John Bernard. You really are a cheeky little bugger aren’t you!”

Mr. Donohoe did not respond to further requests for comment.

Hempton appears to be part of a network of corporate facades designed to lead any investigators into a labyrinth of entities that exist only on paper. Hempton is what’s known as a “shelf corporation,” an aged or seasoned company that was formed but never used as a business. Shelf corporations are registered solely for the purposes of being resold to others at a later date. Simply put, their resale allows new enterprises to appear older, more established, and trusted.

“Perhaps the leading reason for acquiring an aged entity in general is credibility,” explains TBA & Associates, a company co-registered in the UK and New Zealand that has created hundreds of shelf companies for sale (PDF), including Hempton Business Management LLP in 2017.

“Business relationships are frequently influenced by the length of time a company has been in existence,” TBA continues. “This is often true when establishing financial and client/vendor relationships.”

Some of the shelf companies created and sold by TBA & Associates.

Documents from the UK business record index Companies House show two entities as officers in Hempton: ABA Group & Associates LTD, and Harper & Partners Ltd. Both of these are shelf companies in Hong Kong that are listed for sale in the same TBA PDF advertisement linked for Hempton.

Searching Companies House for information on ABA Group and Harper & Partners leads to a dizzying number of other shelf companies in Hong Kong, Belize and the U.K. — all of which also were recently listed for sale by TBA.

The only person’s name attached to each of these companies is a Joaquim Magro de Almeida, a rather mysterious 72-year-old Portuguese business consultant. OpenCorporates says this same guy is an officer in 313 active companies. The U.K.’s Companies House lists Mr. Almeida as one of three officers in Euro Forex Investments Ltd., which Reuters says was a sprawling pyramid scheme that stole $1 billion from at least 3,700 victims in China, the United States and elsewhere.

This 2017 story from New Zealand financial news site interest.co.nz follows a trail of various other investment scams leading back to TBA shell companies, and to Mr. Almeida, too.

In my first report on John Davies, I noted that before becoming John Bernard he previously used the pseudonym “Jonathan Bibi” with an address in the offshore company haven of Seychelles. That identity was tied to a number of fraudulent cryptocurrency and binary options investment schemes.

Fraudsters are drawn to complexity, and they typically incorporate their shell or shelf companies in countries with little to no oversight or background checks tied to the creation and maintenance of corporate entities. As we’ve seen here, the U.K. is a favorite of fraudsters and money launderers worldwide. In a scathing 2017 report titled Hiding in Plain Sight (PDF), Transparency International found some 766 UK corporate vehicles were alleged to have been used in 52 large-scale corruption and money laundering cases approaching £80 billion.

Shift Technology raises $220M at a $1B+ valuation to fight insurance fraud with AI

While incumbent insurance providers continue to get disrupted by startups like Lemonade, Alan, Clearcover, Pie and many others applying tech to rethink how to build a business around helping people and companies mitigate against risks with some financial security, one issue that has not disappeared is fraud. Today, a startup out of France is announcing some funding for AI technology that it has built for all insurance providers, old and new, to help them detect and prevent it.

Shift Technology, which provides a set of AI-based SaaS tools that insurance companies use to scan for and automatically flag fraud scenarios across a range of use cases (claims fraud, claims automation, underwriting, subrogation detection and financial crime detection), has raised $220 million. It will use the money to expand in the property and casualty insurance market, where it is already strong, to expand into health, and to double down on growing its business in the U.S. It also provides fraud detection for the travel insurance sector.

This Series D is being led by Advent International, via Advent Tech, with participation from Avenir and others. Accel, Bessemer Venture Partners, General Catalyst and Iris Capital, which were all part of Shift’s Series C led by Bessemer in 2019, also participated. With this round, Paris-and-Boston-based Shift Technology has now raised some $320 million and has confirmed that it is now valued at over $1 billion.

The company currently has around 100 customers across 25 different countries — with the list including Generali France and Mitsui Sumitomo, to give you an idea of where it’s pitching its business — and says that it has already analyzed nearly two billion claims, data that’s feeding its machine learning algorithms to improve how they work.

The challenge (or, I suppose, opportunity) that Shift is tackling, however, is much bigger. The Coalition Against Insurance Fraud, a nonprofit in the U.S., estimates that at least $80 billion of fraudulent claims are made annually in the U.S. alone, and the real figure is likely significantly higher. One problem has, ironically, been the move to more virtualized processes, which open the door to malicious actors exploiting loopholes in claims filing and fudging information. Another is that while insurance has grown as a market, so too has the number of people in financial straits, leading to more desperate and illegal acts to gain an edge.

Shift is also not alone in tackling this issue: the market for insurance fraud detection technology globally was estimated to be worth $2.5 billion in 2019 and projected to be worth as much as $8 billion by 2024.

In addition to others in claims management tech such as Brightcore and Guidewire, many of the wave of insurtech startups are building in their own in-house AI-based fraud protection, and it’s very likely that we’ll see a rise of other fraud protection services, built out of adjacent areas like fintech to guard against financial crime, making their way to insurance. As many a fintech entrepreneur has said to me in the past, the mechanics of how the two verticals work and the compliance issues both face are very closely aligned.

“The entire Shift team has worked tirelessly to build this company and provide insurers with the technology solutions they need to empower employees to best be there for their policyholders. We are thrilled to partner with Advent International, given their considerable sector expertise and global reach and are taking another giant step forward with this latest investment,” stated Jeremy Jawish, CEO and co-founder, Shift Technology, in a statement. “We have only just scratched the surface of what is possible when AI-based decision automation and optimization is applied to the critical processes that drive the insurance policy lifecycle.”

For its backers, one key point with Shift is that it’s helping older providers bring on more tools and services that can help them improve their margins as well as better compete against the technology built by newer players.

“Since its founding in 2014, Shift has made a name for itself in the complex world of insurance,” said Thomas Weisman, an Advent director, in a statement. “Shift’s advanced suite of SaaS products is helping insurers to reshape manual and often time-consuming claims processes in a safer and more automated way. We are proud to be part of this exciting company’s next wave of growth.”

Cymulate nabs $45M to test and improve cybersecurity defenses via attack simulations

With cybercrime on course to be a $6 trillion problem this year, organizations are throwing ever more resources at the issue to avoid being a target. Now, a startup that’s built a platform to help them stress-test the investments that they have made into their security IT is announcing some funding on the back of strong demand from the market for its tools.

Cymulate, which lets organizations and their partners run machine-based attack simulations on their networks to find vulnerabilities and then automatically receive guidance on how to fix what is not working well enough, has picked up $45 million. The startup, co-headquartered in Israel and New York, will use the funding to continue investing in its platform and to ramp up its operations after doubling its revenues last year, on the back of a customer list that now numbers 300 large enterprises and mid-market companies, including the Euronext stock exchange network as well as service providers such as NTT and Telit.

London-based One Peak Partners is leading this Series C, with previous investors Susquehanna Growth Equity (SGE), Vertex Ventures Israel, Vertex Growth and Dell Technologies Capital also participating.

According to Eyal Wachsman, the CEO and co-founder, Cymulate’s technology has been built not just to improve an organization’s security, but also as an automated, machine learning-based system for understanding how to get the most out of the security investments that have already been made.

“Our vision is to be the largest cybersecurity ‘consulting firm’ without consultants,” he joked.

The valuation is not being disclosed, but as some measure of what is going on, David Klein, managing partner at One Peak, said in an interview that he expects Cymulate to hit a $1 billion valuation within two years at the rate it’s growing and bringing in revenue right now. The startup has now raised $71 million, so it’s likely the valuation is in the mid-hundreds of millions. (We’ll continue trying to get a better number to have a more specific data point here.)

Cymulate (pronounced “sigh-mulate”, like the “cy” in “cyber”, and a pun on “simulate”) is cloud-based but works across both cloud and on-premises environments. The idea is that it complements work done by (human) security teams both inside and outside of an organization, as well as the security IT investments (in terms of software or hardware) that they have already made.

“We do not replace — we bring back the power of the expert by validating security controls and checking whether everything is working correctly to optimize a company’s security posture,” Wachsman said. “Most of the time, we find our customers are using only 20% of the capabilities that they have. The main idea is that we have become a standard.”

The company’s tools are based in part on the MITRE ATT&CK framework, a knowledge base of threats, tactics and techniques used by many other cybersecurity services, including several that build continuous validation services competing with Cymulate. These include the likes of FireEye, Palo Alto Networks, Randori, Khosla-backed AttackIQ and many more.

Although Cymulate is optimized to help customers better use the security tools they already have, it is not meant to replace other security apps, Wachsman noted, even if the by-product might become buying fewer of those apps in the future.

“I believe my message every day when talking with security experts is to stop buying more security products,” he said in an interview. “They won’t help defend you from the next attack. You can use what you’ve already purchased as long as you configure it well.”

In his words, Cymulate acts as a “black box” on the network, where it integrates with security and other software (it can also work without integrating, but integrations allow for a deeper analysis). After running its simulations, it produces a map of the network and its threat profile, an executive summary of the situation that can be presented to management and a more technical rundown, which includes recommendations for mitigations and remediations.

Alongside validating and optimising existing security apps and identifying vulnerabilities in the network, Cymulate has also built special tools for use cases that are particularly relevant to how businesses operate today. These include evaluating remote working deployments; the state of a network following an M&A process; the security landscape of an organization that links up with third parties in supply chain arrangements; and how well an organization’s security architecture meets (or potentially conflicts with) privacy and other regulatory compliance requirements. It has also built a “purple team” deployment: where security teams do not have the resources to run a separate “red team” to stress test something, the organization’s blue team can use Cymulate to build a machine learning-based “team” to do this.

The fact that Cymulate has built the infrastructure to run all of these processes speaks to a lot of potential of what more it could build, especially as our threat landscape and how we do business both continue to evolve. Even as it is, though, the opportunity today is a massive one, with Gartner estimating that some $170 billion will be spent on information security by enterprises in 2022. That’s one reason why investors are here, too.

“The increasing pace of global cyber security attacks has resulted in a crisis of trust in the security posture of enterprises and a realization that security testing needs to be continuous as opposed to periodic, particularly in the context of an ever-changing IT infrastructure and rapidly evolving threats. Companies understand that implementing security solutions is not enough to guarantee protection against cyber threats and need to regain control,” said Klein, in a statement. “We expect Cymulate to grow very fast,” he told me more directly.

Timescale grabs $40M Series B as it goes all in on cloud version of time series database

Timescale, makers of the open-source TimescaleDB time series database, announced a $40 million Series B financing round today. The investment comes just over two years after it got a $15 million Series A.

Redpoint Ventures led today’s round, with help from existing investors Benchmark, New Enterprise Associates, Icon Ventures and Two Sigma Ventures. The company reports it has now raised approximately $70 million.

TimescaleDB lets users measure data across a time dimension, that is, anything that changes over time. “What we found is we need a purpose-built database for it to handle scalability, reliability and performance, and we like to think of ourselves as the category-defining relational database for time series,” CEO and co-founder Ajay Kulkarni explained.

He says that the choice to build their database on top of Postgres when it launched four years ago was a key decision. “There are a few different databases that are designed for time series, but we’re the only one where developers get the purpose-built time series database plus a complete Postgres database all in one,” he said.

While the company has an open-source version, last year it decided that, rather than selling an enterprise version (as it had been), it would include all of that functionality in the free version of the product and bet entirely on the cloud for revenue.

“We decided that we’re going to make a bold bet on the cloud. We think cloud is where the future of database adoption is, and so in the last year […] we made all of our enterprise features free. If you want to test it yourself, you get the whole thing, but if you want a managed service, then we’re available to run it for you,” he said.

The community approach is working to attract users, with over 2 million monthly active databases, some of which the company is betting will convert to the cloud service over time. Timescale is based in New York City, but it’s a truly remote organization, with 60 employees spread across 20 countries and every continent except Antarctica.

He says that being a global company creates new dimensions of diversity and new ways of thinking about it. “I think one thing that is actually kind of an interesting challenge for us is what does D&I mean in a totally global org. A lot of people focus on diversity and inclusion within the U.S., but we think we’re doing better than most tech companies in terms of racial diversity, gender diversity,” he said.

And being remote-first isn’t going to change even when we get past the pandemic. “I think it may not work for every business, but I think being remote first has been a really good thing for us,” he said.


Emerging open cloud security framework has backing of Microsoft, Google and IBM

Each of the big cloud platforms has its own methodology for passing on security information to logging and security platforms, leaving it to the vendors to find proprietary ways to translate that into a format that works for their tool. The Cloud Security Notification Framework (CSNF), a new working group that includes Microsoft, Google and IBM, is trying to create a new open and standard way of delivering this information.

Nick Lippis, who is co-founder and co-chairman of ONUG, an open enterprise cloud community, which is the primary driver of CSNF, says that what they’ve created is part standard and part open source. “What we’ve been really focusing on is how do we automate governance on the cloud. And so security was the place that was ripe for that where we can actually provide some value right away for the community,” he said.

While they’ve pulled in some of the big cloud vendors, they’ve also got large companies who consume cloud services like FedEx, Pfizer and Goldman Sachs. Conspicuously missing from the group is AWS, the biggest player in the cloud infrastructure market by far. But Lippis says that he hopes, as the project matures, other companies including AWS will join.

“There’s lots of security programs and industry programs that get out there and that people are asking them to join, and so some companies want to wait to see how well this pans out [before making a commitment to it],” Lippis said. His hope is that, over time, Amazon will come around and join the group; in the meantime, they are working to get to the point where everyone in the community feels good about what they’re doing.

The idea is to start with security alerts and find a way to build a common format to give companies the same kind of system they have in the data center to track security alerts in the cloud. The way they hope to do that is with this open dialogue between the cloud vendors and the companies involved with the group.

“So the structure of that is that there’s a steering committee that is chaired by CISOs from these large cloud consumer brands, and also the cloud providers, and they provide voting and direction. And then there’s the working group where all the work is done. The beauty of what we do is that we have now consumers and also providers working together and collaborating,” he said.

Don Duet, a member of ONUG, who is CEO and co-founder of Concourse Labs, has been involved in the formation of the CSNF. He says to keep the project focused they are looking at this as a data management problem and they are establishing a common vocabulary for everyone to work within the group.

“How do you build a consensus on what are the types of terms that everybody can agree on and then you build the underlying basis so that the experts in your resource providers in this case, Cloud Service Providers, can bless how their data [connects] to those common standards,” Duet explained.

He says that particular problem is more of an organizational problem than a technical one, getting the various stakeholders together and just building consensus around this. At this point, they have that process in place and the next step is proving it by having the various companies involved in this test it out in the coming months.

After they get past the testing phase, in October they plan to actually demonstrate what this looks like in a before and after scenario, with the new framework and without it. As the group works toward these goals, the hope is that eventually the framework will become more established and other companies and vendors will come on board and make this a more standard way of sharing security alerts. If all goes well, they hope to build in other security information into this framework over time.

Malicious Office 365 Apps Are the Ultimate Insiders

Phishers targeting Microsoft Office 365 users increasingly are turning to specialized links that take users to their organization’s own email login page. After a user logs in, the link prompts them to install a malicious but innocuously named app that gives the attacker persistent, password-free access to any of the user’s emails and files, both of which are then plundered to launch malware and phishing scams against others.

These attacks begin with an emailed link that when clicked loads not a phishing site but the user’s actual Office 365 login page — whether that be at microsoft.com or their employer’s domain. After logging in, the user might see a prompt that looks something like this:

These malicious apps sidestep multi-factor authentication rather than defeating it: by the time the user is asked to consent, they have already completed MFA, and the consent issues the app its own OAuth tokens that do not depend on the user’s password. The grant therefore persists in the user’s Office 365 account indefinitely until it is removed, and it survives even an account password reset.

This week, messaging security vendor Proofpoint published some new data on the rise of these malicious Office 365 apps, noting that a high percentage of Office users will fall for this scheme [full disclosure: Proofpoint is an advertiser on this website].

Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy, said 55 percent of the company’s customers have faced these malicious app attacks at one point or another.

“Of those who got attacked, about 22 percent — or one in five — were successfully compromised,” Kalember said.

Kalember said Microsoft last year sought to limit the spread of these malicious Office apps by creating an app publisher verification system, which requires the publisher to be a valid Microsoft Partner Network member.

That approval process is cumbersome for attackers, so they’ve devised a simple workaround. “Now, they’re compromising accounts in credible tenants first,” Proofpoint explains. “Then, they’re creating, hosting and spreading cloud malware from within.”

The attackers responsible for deploying these malicious Office apps aren’t after passwords, and in this scenario they can’t even see them. Rather, they’re hoping that after logging in users will click yes to approve the installation of a malicious but innocuously named app into their Office 365 account.

Kalember said the crooks behind these malicious apps typically use any compromised email accounts to conduct “business email compromise” or BEC fraud, which involves spoofing an email from someone in authority at an organization and requesting the payment of a fictitious invoice. Other uses have included the sending of malware-laced emails from the victim’s email account.

Last year, Proofpoint wrote about a service in the cybercriminal underground where customers could access various Office 365 accounts without a username or password. The service also advertised the ability to extract and filter emails and files based on selected keywords, as well as attach malicious macros to all documents in a user’s Microsoft OneDrive.

A cybercriminal service advertising the sale of access to hacked Office365 accounts. Image: Proofpoint.

“You don’t need a botnet if you have Office 365, and you don’t need malware if you have these [malicious] apps,” Kalember said. “It’s just easier, and it’s a good way to bypass multi-factor authentication.”

KrebsOnSecurity first warned about this trend in January 2020. That story cited Microsoft saying that while organizations running Office 365 could enable a setting to restrict users from installing apps, doing so was a “drastic step” that “severely impairs your users’ ability to be productive with third-party applications.”

Since then, Microsoft added a policy that allows Office 365 administrators to block users from consenting to an application from a non-verified publisher. Also, for applications published after November 8, 2020, the consent screen shows a warning when the publisher is not verified and tenant policy still allows the consent.

Microsoft’s instructions for detecting and removing illicit consent grants in Office 365 are here.

Proofpoint says O365 administrators should limit or block which non-administrators can create applications, and enable Microsoft’s verified publisher policy — as a majority of cloud malware is still coming from Office 365 tenants that are not part of Microsoft’s partner network. Experts say it’s also important to ensure you have security logging turned on so that alerts are generated when employees are introducing new software into your infrastructure.
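As an added illustration of the logging and alerting advice above (this is example code written for this article, not Microsoft’s or Proofpoint’s), the script below triages audit records of application consent events. The records are constructed: they follow the general layout of Unified Audit Log “Consent to application.” entries, with ModifiedProperties carrying ConsentContext.IsAdminConsent and a ConsentAction.Permissions value that embeds the granted scopes, but the app names, identifiers and the top-level VerifiedPublisher field are assumptions. It scores highest exactly the case the article describes: sensitive mailbox and file scopes plus offline_access, from an unverified publisher, consented to by the user alone.

```python
"""Triage consent grants to OAuth apps from a Microsoft 365 audit log.

Added example for this article, not Microsoft's or Proofpoint's code. The
records in CONSTRUCTED_AUDIT_LOG are made up; they mimic the layout of Unified
Audit Log "Consent to application." entries, but app names, identifiers and the
top-level VerifiedPublisher field are assumptions (in a real pipeline the
publisher status would be resolved from the app's service principal).
"""
import re
from dataclasses import dataclass

# Delegated permissions that hand an app the mailbox and file reach described above.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Files.Read.All", "Files.ReadWrite.All", "Sites.ReadWrite.All"}
# offline_access yields a refresh token, which is why the grant outlives the
# login session and survives a password reset until it is revoked.
PERSISTENCE_SCOPE = "offline_access"

_SCOPE_RE = re.compile(r"Scope:\s*([^,\]]*)")


def _permissions(scope: str) -> str:
    """ConsentAction.Permissions value in the log's textual form (constructed)."""
    return ("[] => [[Id: grant-1, ClientId: sp-1, PrincipalId: user-1, ResourceId: graph, "
            f"ConsentType: Principal, Scope: {scope}, CreatedDateTime: , ExpiryTime: ]]")


def _record(user, app, admin, verified, scope, operation="Consent to application."):
    """Build one constructed audit record."""
    return {
        "Operation": operation,
        "UserId": user,
        "Target": [{"Type": 1, "ID": app}],
        "VerifiedPublisher": {"DisplayName": verified} if verified else None,  # assumption
        "ModifiedProperties": [
            {"Name": "ConsentContext.IsAdminConsent", "NewValue": str(admin), "OldValue": ""},
            {"Name": "ConsentAction.Permissions", "NewValue": _permissions(scope), "OldValue": ""},
        ],
    }


CONSTRUCTED_AUDIT_LOG = [
    _record("alice@example.com", "Upgrade", False, None,
            "Mail.Read Files.ReadWrite.All offline_access User.Read"),
    _record("bob@example.com", "Mail Backup", False, "Contoso Ltd", "Mail.ReadWrite offline_access"),
    _record("carol@example.com", "Sales Dashboard", True, "Contoso Ltd", "User.Read openid"),
    _record("dave@example.com", "Doc Viewer", False, None, "User.Read"),
    _record("erin@example.com", "Doc Viewer", False, None, "", operation="Add service principal."),
]


@dataclass
class ConsentFinding:
    user: str
    app: str
    admin_consent: bool
    verified_publisher: bool
    scopes: list
    severity: str
    reasons: list


def parse_scopes(permissions_value: str) -> list:
    """Pull the space-separated scope list(s) out of a ConsentAction.Permissions value."""
    scopes = []
    for match in _SCOPE_RE.finditer(permissions_value):
        scopes.extend(match.group(1).split())
    return scopes


def _modified(record: dict, name: str) -> str:
    return next((p.get("NewValue", "") for p in record.get("ModifiedProperties", [])
                 if p.get("Name") == name), "")


def triage(record: dict) -> ConsentFinding:
    admin = _modified(record, "ConsentContext.IsAdminConsent").lower() == "true"
    scopes = parse_scopes(_modified(record, "ConsentAction.Permissions"))
    verified = record.get("VerifiedPublisher") is not None
    app = next((t["ID"] for t in record.get("Target", []) if t.get("Type") == 1), "<unknown>")
    risky = sorted(HIGH_RISK_SCOPES.intersection(scopes))
    reasons = []
    if risky:
        reasons.append("high-risk delegated scopes: " + ", ".join(risky))
    if PERSISTENCE_SCOPE in scopes:
        reasons.append("offline_access: refresh token persists after sign-out and password reset")
    if not verified:
        reasons.append("publisher not verified")
    if not admin:
        reasons.append("consented by the user alone, no admin review")
    # The article's scenario: sensitive scopes, unverified publisher, user-only consent.
    if risky and not verified and not admin:
        severity = "critical"
    elif risky and (not verified or not admin):
        severity = "high"
    elif not verified:
        severity = "medium"
    else:
        severity = "info"
    return ConsentFinding(record.get("UserId", ""), app, admin, verified, scopes, severity, reasons)


def triage_log(records: list) -> list:
    """One finding per consent event; other audit operations are ignored."""
    return [triage(r) for r in records if r.get("Operation") == "Consent to application."]


if __name__ == "__main__":
    for f in triage_log(CONSTRUCTED_AUDIT_LOG):
        print(f"{f.severity.upper():8} {f.user:18} {f.app:16} {'; '.join(f.reasons)}")
```

In practice the records come from the tenant’s unified audit log rather than an inline list, and a critical finding is handled with Microsoft’s illicit-consent procedure linked above: review the grant, revoke it, and check the mailbox for rules or sent mail the app created.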

Starboard Value puts Box on notice that it’s looking to take over board

Activist investor Starboard Value is clearly fed up with Box, and it let the cloud content management company know it in no uncertain terms in a letter published yesterday. The firm, which bought a 7.7% stake in Box two years ago, claims the company is underperforming, executing poorly and making bad business decisions, and it wants to inject the board of directors with new blood.

While they couched the letter in mostly polite language, it’s quite clear Starboard is exasperated with Box. “While we appreciate the dialogue we have had with Box’s management team and Board of Directors (the “Board”) over the past two years, we have grown increasingly frustrated with continued poor results, questionable capital allocation decisions, and subpar shareholder returns,” Starboard wrote in its letter.

Box, as you can imagine, did not take kindly to the shot across its bow and responded in a press release that it has bent over backwards to accommodate Starboard, including refreshing the board last year when they added several members, whom they point out were approved by Starboard.

“Box has a diverse and independent Board with directors who bring extensive technology experience across enterprise and consumer markets, enterprise IT, and global go-to-market strategy, as well as deep financial acumen and proven track records of helping public companies drive disciplined growth, profitability, and stockholder value. Furthermore, seven of the ten directors on the Box Board will have joined the Board within the last three years,” the company wrote in a statement. In other words, Box is saying it already has injected the new blood that Starboard claims it wants.

Box recently got a $500 million cash injection from KKR, widely believed to be an attempt to bulk up cash reserves with the goal of generating growth via acquisition. Starboard was particularly taken aback by this move, however. “The only viable explanation for this financing is a shameless and utterly transparent attempt to “buy the vote” and shows complete disregard for proper corporate governance and fiscal discipline,” Starboard wrote.

Alan Pelz-Sharpe, founder and principal analyst at Deep Analysis, a firm that closely tracks the content management market, says the two sides clearly aren’t aligned, and that’s not likely to change. “Starboard targeted and gained a seat on the board at Box at a difficult time for the firm, that’s the modus operandi for activist investors. Since that time there has clearly been a lot of improvements in terms of Box’s financial goals. However, there is and will remain a misalignment between Starboard’s goals, and Box led by Levie as a whole. Though both would like to see the share price rise, Starboard’s end goal is most likely to see Box acquired, sooner rather than later, and that is not Box’s goal,” he said.

Starboard believes the only way to resolve this situation is to inject the board with still more new blood, taking a swipe at the Box leadership team while it was at it. “There is no good reason that Box should be unable to deliver improved growth and profitability, at least in-line with better performing software companies, which, in turn, would create significant shareholder value,” Starboard wrote.

As such the firm indicated it would be putting up its own slate of board candidates at the company’s next board meeting. In the tit for tat that has been this exchange, Box indicated it would be doing the same.

Meanwhile Box vigorously defended its results. “In the past year, under the oversight of the Operating Committee, the company has made substantial progress across all facets of the business — strategic, operational and financial — as demonstrated by the strong results reported for the full year of fiscal 2021,” the company wrote, pointing to its revenue growth last fiscal year as proof of the progress, with revenue of $771 million up 11% year over year.

It’s unclear how this standoff will play out, but clearly Starboard wants to take over the Board and have its way with Box, believing that it can perform better if it were in charge. That could result ultimately, as Pelz-Sharpe suggested, in Box being acquired.

We would appear to be heading for a showdown, and when it’s over, Box could be a very different company, or the current leadership could assert control once and for all and proceed with Box’s current growth strategy still in place. Time will tell which is the case.

SAP CEO Christian Klein looks back on his first year

SAP CEO Christian Klein was appointed co-CEO with Jennifer Morgan last April just as the pandemic was hitting full force across the world. Within six months, Morgan was gone and he was sole CEO, put in charge of a storied company at 38 years old. By October, its stock price was down and revenue projections for the coming years were flat.

That is definitely not the way any CEO wants to start their tenure, but the pandemic forced Klein to make some decisions to move his customers to the cloud faster. That, in turn, had an impact on revenue until the transition was completed. While it makes sense to make this move now, investors weren’t happy with the news.

There was also the decision to spin out Qualtrics, the company his predecessor acquired for $8 billion in 2018. As he looked back on the one-year mark, Klein sat down with me to discuss all that has happened and the unique set of challenges he faced.

Just a pandemic, no biggie

Starting in the same month that a worldwide pandemic blows up presents unique challenges for a new leader. For starters, Klein couldn’t visit anyone in person and get to know the team. Instead, he went straight to Zoom and needed to make sure everything was still running.

The CEO says that the company kept chugging along in spite of the disruption. “When I took over this new role, I of course had some concerns about how to support 400,000 customers. After one year, I’ve been astonished. Our support centers are running without disruption and we are proud of that and continue to deliver value,” he said.

Taking over when he couldn’t meet in person with employees or customers has worked out better than he thought. “It was much better than I expected, and of course personally for me, it’s different. I’m the CEO, but I wasn’t able to travel and so I didn’t have the opportunity to go to the U.S., and this is something that I’m looking forward to now, meeting people and talking to them live,” he said.

That’s something he simply wasn’t able to do for his first year because of travel restrictions, so he says communication has been key, something a lot of executives have discussed during COVID. “I’m in regular contact with the employees, and we do it virtually. Still, it’s not the same as when you do it live, but it helps a lot these days. I would say you cannot over-communicate in such times,” he said.

Evening Fund debuts with $2M micro fund focused on investments between $50K and $100K

We tend to think of venture capital in tens or hundreds of millions, even billions of dollars, so it’s refreshing to find Evening Fund, a new $2 million micro fund that focuses on small investments between $50,000 and $100,000 as it seeks to help young startups with early funding.

The new fund was launched by Kat Orekhova and Rapha Danilo. Orekhova, who started her career as a math professor, is a former Facebook data scientist who has been dabbling in angel investing and working with young startups for a while now. They call it Evening Fund because they work as founders by day and investors by night.

She says that she wanted to create something more formal to help early-stage startups get off the ground and has help from limited partners that include Sarah Smith at Bain Capital, Lee Linden, general partner at Quiet Capital and a long list of tech industry luminaries.

Orekhova says she and her partner invest small sums of money in B2B SaaS companies, which are pre-seed, seed and occasionally A rounds. They will invest in consumer here and there as well. She says one of their key value propositions is that they can help with more than just the money. “One way in which I think Rapha and I can really help our founders is that we give very specific, practical advice, not just kind of super high level,” she told me.

That could be something like how to hire your first designer where the founders may not even know what a designer does. “You’re figuring out ‘how do I hire my first designer?’ and ‘what does the designer even do?’ because most founders have never hired a designer before. So we give them extremely practical hands-on stuff like ‘here are the competencies’ or ‘what’s the difference between a graphic designer, a visual designer, a UX designer and a researcher,’ ” she said. They go so far as to give them a list of candidates to help them get going.

She says that she realized while she was at Facebook that she wanted to eventually start a company, so she began volunteering her time to work with companies going through Y Combinator. “I think a lot of people don’t know where to start, but in my case I looked at the YC list, found a company that I thought I could be helpful to. I reached out cold and said ‘Hey, I don’t want money. I don’t want equity. I just want to try to be helpful to you and see where that goes,’ ” she said.

That led to scouting for startups for some larger venture capital firms and eventually dabbling in financing some of the startups she was helping. Today’s announcement is the culmination of those years of work and the groundwork she laid to familiarize herself with how the startup ecosystem works.

The new firm already has its first investment under its belt, Dala, an AI-powered internal search tool that helps connect users to workplace knowledge that’s often locked in applications like Google Suite, Slack and Notion.

As though Evening isn’t enough to keep her and Danilo busy, they are also each working on their own startups. Orekhova wasn’t ready to share much on that just yet as her company remains in stealth.