Why Phishing Requires Additional Security

While Microsoft Office 365 does come with some security out of the box, it isn’t enough to stop phishing attacks. Here are a few recent examples of phishing campaigns that got past Office 365’s built-in protections:

  • In early August, a large phishing campaign dubbed PhishPoint was reported to have targeted roughly 10% of Office 365 users. The emails carried a link to a file hosted on another Microsoft service, SharePoint, and that file in turn linked to a credential-harvesting page. Because the link in the email pointed at legitimate Microsoft infrastructure, the messages passed Microsoft’s Advanced Threat Protection link checks.
  • Earlier this year, another evasion technique, dubbed ZeroFont, was found to bypass Microsoft’s natural-language filtering. The attacker inserts random characters into the lure text and hides them with a CSS font size of 0px: the recipient sees a clean message, while the filter’s text analysis sees broken words it cannot classify.
  • In February of this year, a large campaign went after Office 365 credentials with Office files disguised as important tax documents that required immediate attention.
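The ZeroFont trick above is simple to reproduce and, once you compare what the recipient sees with what the filter reads, simple to detect. The following is an added example, not code from the original post or from any vendor: it parses a constructed HTML message, separates text hidden by a zero font size from the text a human would see, and shows that keyword matching on the raw text misses what the visible text plainly says. The phrase list, the sample message and the `example.invalid` link are all constructed for the demonstration.

```python
# Added example (not from the original post): reproducing and detecting the
# ZeroFont trick.  The attacker interleaves junk characters into the lure text
# and hides them with CSS (font-size: 0), so a filter that reads the raw text
# sees broken words while the recipient sees a clean message.
import re
from html.parser import HTMLParser

# Constructed sample message: the user sees "Your mailbox is full. Sign in to
# free up space." while the zero-font spans break the words a filter keys on.
SAMPLE_HTML = """
<p>Your <span style="font-size:0px">X7q</span>mail<span style="font-size:0">ZZ</span>box
is full. <a href="http://example.invalid/login">Sign <span style="font-size:0px">plumb</span>in</a>
to free up space.</p>
"""

# Matches font-size:0, 0px, 0pt, 0.0em, ... but not 0.5em or 10px.
_ZERO_FONT = re.compile(r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)
_VOID = {"br", "img", "hr", "input", "meta", "link"}   # tags with no closing tag

# Illustrative phrases a simple content filter might key on (constructed).
PHISH_TERMS = ("mailbox", "sign in", "password", "verify your account")


class ZeroFontParser(HTMLParser):
    """Collects two views of the message: the text a human would see (zero-font
    elements removed) and the text a naive extractor would hand to a classifier."""

    def __init__(self):
        super().__init__()
        self.visible, self.raw = [], []
        self._stack = []        # one entry per open element: True if it hides text
        self._hidden_depth = 0  # >0 while inside at least one zero-font element

    def handle_starttag(self, tag, attrs):
        if tag in _VOID:
            return
        hidden = bool(_ZERO_FONT.search(dict(attrs).get("style") or ""))
        self._stack.append(hidden)
        self._hidden_depth += hidden

    def handle_startendtag(self, tag, attrs):
        pass  # self-closing elements cannot contain text; keep the stack balanced

    def handle_endtag(self, tag):
        if self._stack and self._stack.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):
        self.raw.append(data)
        if self._hidden_depth == 0:
            self.visible.append(data)


def extract_views(html):
    """Return (visible_text, raw_text) with whitespace normalized."""
    parser = ZeroFontParser()
    parser.feed(html)
    parser.close()
    norm = lambda parts: re.sub(r"\s+", " ", "".join(parts)).strip()
    return norm(parser.visible), norm(parser.raw)


def phish_terms_in(text):
    lowered = text.lower()
    return [term for term in PHISH_TERMS if term in lowered]


def analyse(html):
    """Run the keyword check on both views; a gap between them is the signal."""
    visible, raw = extract_views(html)
    return {
        "visible_text": visible,
        "raw_text": raw,
        "hidden_chars": len(raw) - len(visible),
        "terms_naive_filter_sees": phish_terms_in(raw),
        "terms_user_sees": phish_terms_in(visible),
        "suspicious": len(raw) != len(visible),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The point of the two views is that the classifier should be run on the visible text, and any message whose raw and visible text differ should be treated as suspicious in its own right: a legitimate email has no reason to carry characters its reader can never see. The same parser handles other CSS hiding tricks (for example `display:none`) by extending the regular expression.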

Given how widely used Office 365 is, this is an enormous problem. But why is one of the biggest (if not the biggest) software platforms in the world so susceptible to attack?

Here are a few reasons why Office 365 is so vulnerable:

  • Many phishing campaigns aimed at Office 365 are “zero-day” in the sense that the lure, the sending infrastructure and the landing page have never been seen before. Employees are rarely aware of a new campaign and will reply to the email or click the link, and detection that depends on signatures or reputation built from previously observed attacks has nothing to match against.
  • When a new technique is detected, it takes time for Microsoft to ship a countermeasure. Office 365 is a large, complicated platform that integrates with many other applications (both third-party and other Microsoft products), so Microsoft has to be cautious with any change or risk breaking integrations and introducing false positives.
  • Phishing emails are crafted to appear to come from senders the recipient trusts, such as vendors or clients the company does business with; some spoof the C-suite or other executives. Many filters are tuned to err on the side of delivery rather than blocking, because businesses would rather let a few harmful emails through than lose legitimate mail that the business depends on.
  • While Office 365 is the most widely used SaaS application, only about 20% of the businesses using it have enabled multi-factor authentication, so a phished password alone is enough to log in.
  • A cloud mailbox is reachable from anywhere in the world with nothing more than a username and password, and data flows constantly between user devices and the service. An on-premises mail server can be kept on an internal network behind firewalls, VPNs and network segmentation, so stolen credentials alone are often not enough to reach it. Organizations run Exchange on-premises, in Office 365, or in a hybrid of the two, and securing a deployment begins with understanding which of these is in use.
  • Office 365’s built-in security concentrates on email arriving from outside the organization; mail between internal mailboxes gets far less scrutiny (link protection, for instance, is not applied to internal messages unless an administrator enables it). If a cybercriminal obtains one employee’s Microsoft credentials, they can log in to that account and send further phishing emails to the rest of the organization with little risk of being blocked, and those messages look entirely legitimate to the recipients.
  • At their core, phishing attacks exploit human fallibility. Even the best software solution can occasionally be defeated if an employee overrides its security settings or ignores its warnings.
  • Office 365 is designed, first and foremost, to be an excellent productivity suite. While security is a priority for Microsoft, it isn’t a cybersecurity company. Cybersecurity is best handled by a dedicated security solution, one that encompasses the entirety of the network and its software products. With the right software security solution, a business will be able to protect itself at all levels rather than just through the Office 365 platform alone.

How to Stop Phishing Attacks That Target Office 365

Phishing attack prevention is incredibly hard, because well-designed phishing emails have very few obvious indicators. They are generally social-engineering attempts: emails that look legitimate and prompt the user to take some action, such as clicking on a link. Because that link can point anywhere, including legitimate hosting and file-sharing services, recognizing a phishing URL from the address alone is difficult.

To stop phishing attacks, two things need to happen:

  1. Users must identify a phishing attempt. Not only is this difficult (it requires a lot of training), but there will always be a situation in which an employee clicks a link too hastily, or downloads and launches a file they should not have. Busy employees and new employees, in particular, are at high risk of making these mistakes, and there is no way to avoid this risk entirely.
  2. Companies should utilize advanced email security platforms. These platforms use a combination of behavioral and static analysis to identify both known and unknown attacks: they scan each message for potential indicators in its headers, subject, body text, links and attachments, and also examine the content that the links lead to, rather than just the link addresses.
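As an added example (not code from the original post or from any vendor), the script below performs the kind of static checks listed in step 2 on a single constructed message: a lookalike sender domain, a Reply-To pointing elsewhere, urgency in the subject, a link whose text names one host while its target is another, a legitimately hosted document that relays to a credential page (the PhishPoint pattern), and a macro-enabled attachment. `ORG_DOMAIN`, `TRUSTED_HOSTS`, the sample message and the `FETCHED` table are assumptions: the first two stand in for tenant configuration, the last for a sandboxed fetch of linked content, so the example runs offline.

```python
# Added example (not from the original post): static triage of one message over
# headers, subject, body links, linked content and attachments.  The message and
# the FETCHED table are constructed; in production the linked content would be
# fetched in a sandbox, not looked up in a dictionary.
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "contoso.example"                  # assumed: the protected tenant
TRUSTED_HOSTS = {"contoso.sharepoint.com"}      # assumed: sharing hosts users trust
RISKY_EXT = {".exe", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".html", ".htm"}
URGENCY = ("urgent", "immediate", "action required")

# Constructed message: lookalike sender domain, foreign Reply-To, a link whose
# text names one host while its href goes to SharePoint, and a macro document.
SAMPLE_EML = """\
From: "Jane Doe (CEO)" <jane.doe@contoso-example.net>
Reply-To: finance-desk@mail.example.net
Subject: Urgent: tax documents require your immediate attention
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Bob, please review <a href="https://contoso.sharepoint.com/sites/fin/Invoice.docx">https://portal.contoso.example/tax</a> today.</p>
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="Tax_Form.docm"
Content-Disposition: attachment; filename="Tax_Form.docm"

UEsDBA==
--b1--
"""

# Constructed stand-in for fetching linked content: the SharePoint-hosted file
# contains nothing but a link to a credential-harvesting page (PhishPoint pattern).
FETCHED = {
    "https://contoso.sharepoint.com/sites/fin/Invoice.docx":
        '<p>Open the secured invoice: <a href="https://0ffice365-login.example.net/auth">Access Document</a></p>',
}


class LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def links_in(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def host(url):
    return (urlparse(url).hostname or "").lower()


def looks_like(domain, target):
    """Crude lookalike test: target's first label reused inside a different domain."""
    return domain != target and target.split(".")[0] in domain


def triage(raw_eml, fetched=FETCHED):
    """Return a list of human-readable indicators found in the message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    sender_domain = msg["from"].addresses[0].addr_spec.split("@")[1].lower()
    if looks_like(sender_domain, ORG_DOMAIN):
        findings.append(f"sender domain {sender_domain} resembles {ORG_DOMAIN}")
    if msg["reply-to"]:
        reply_domain = msg["reply-to"].addresses[0].addr_spec.split("@")[1].lower()
        if reply_domain != sender_domain:
            findings.append(f"reply-to domain {reply_domain} differs from sender domain")
    subject = str(msg["subject"] or "").lower()
    if any(word in subject for word in URGENCY):
        findings.append("subject uses urgency language")
    body = msg.get_body(preferencelist=("html",))
    for href, text in links_in(body.get_content() if body else ""):
        target = host(href)
        if text.startswith("http") and host(text) != target:
            findings.append(f"link text shows {host(text)} but points to {target}")
        if target in TRUSTED_HOSTS:  # follow one hop: what does the hosted file link to?
            for inner_href, _ in links_in(fetched.get(href, "")):
                inner = host(inner_href)
                if inner not in TRUSTED_HOSTS and not inner.endswith(ORG_DOMAIN):
                    findings.append(f"document on {target} links out to {inner}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXT:
            findings.append(f"attachment {name} has risky type {ext}")
    return findings
```

Run `triage(SAMPLE_EML)` and six indicators come back; no single one is conclusive (plenty of legitimate mail is urgent, and SharePoint links are normal in most tenants), which is why a real platform feeds them into scoring and then detonates the attachment and the linked pages in a sandbox rather than deciding from static checks alone. The one-hop follow on trusted hosts is the check that catches PhishPoint-style campaigns: the first link is clean, so only inspecting where the hosted document sends the user reveals the credential page.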

Although users should be trained to recognize phishing attempts, that cannot be the only line of defense. It takes the mistake of a single employee to compromise the entire network. Phishing attempts can be extremely convincing, sometimes even arriving from the account of a point of contact at another business, or using details harvested from LinkedIn or email spoofing to appear genuine.

To truly stop phishing emails that target Office 365 users, businesses need a dedicated email monitoring solution from a dedicated security vendor. The solution must both detect potential phishing attacks and escalate them as needed, so that security teams can address problems as they arise, before the damage is done, while users continue to work uninterrupted.

Swarup Selvaraman

Swarup is the Senior Director of Product Management Cloud at Lastline. He is a security industry veteran having worked at leading security companies, including FireEye and SonicWALL. He has expertise in multiple security categories, spanning cloud security, network security, email security and security platforms for the SOC. He brings a broad security experience and know-how to solve problems as organizations migrate their infrastructure to the cloud.