A quarter of phishing emails bypass Office 365 security

Email phishing is one of the most often used – and most successfully used – attack vectors that lead to cybersecurity incidents and breaches.


Microsoft is the most impersonated brand

“Cloud based email, with all of its benefits, has ushered in a new era of phishing attacks. The nature of the cloud provides even more vectors of which hackers take advantage, and even broader access to critical data when a phishing attack is successful,” says cloud security company Avanan.

And, unfortunately, too many phishing emails evade the default security protection implemented by the cloud providers.

According to their recent Global Phish Report, which presents insights from 55.5 million emails that passed the default security and were then scanned by their security solution, 30.3% of phishing emails sent to organizations using Office 365 Exchange Online Protection (EOP) were delivered to the inbox.

Of the 561,947 phishing emails they detected and analyzed:

  • 50.7 percent contained links pointing to malware or delivered the malware as an attachment
  • 40 percent were after credentials (of email accounts, online banking, etc.)
  • 8 percent were extortion attempts
  • (A mere) 0.4 percent were spearphishing emails.

“Although spearphishing is far less common than the other three vectors, it often has the largest impact. Spearphishing attacks target high level employees who have access to either company finances or other sensitive information,” the company explains.

“These phishing attacks can also be the most difficult to detect, given the lack of attachments or links that can be flagged by anti-phishing tools.”

In general, though, the signs of a phishing email are subtle and inconsistent: legitimate and phishing emails alike can contain Google Drive or shortened links, or appear to come from a well-known brand.

Interestingly, Avanan's data does show two strong indicators: an email holding a link to a WordPress site is likely to be a phishing email, and an email that contains a cryptowallet address is almost certain to be one.


Since Microsoft Office 365 is, by far, the most popular enterprise app, it’s no wonder that 43% of the branded phishing emails impersonate the company.

“During the holiday season, however, Amazon surpasses Microsoft,” Avanan warns.

Risk mitigation tips

According to the 2019 Data Security Incident Response Report by American law firm BakerHostetler’s Privacy and Data Protection team, 37% of the 750+ incidents they worked on in 2018 started with phishing, and the most common phishing scenario they saw was a message designed to trick a user into providing Office 365 account credentials.

In more than 30% of those phishing incidents, the attacker went on to take over an Office 365 account, they noted.

“2018 saw a continuation of companies moving toward cloud-based email systems. Phishing incidents targeting those systems followed suit,” the company says.

“Attackers are becoming more sophisticated in their techniques. Phishing emails often arrive from legitimate business contacts who themselves have been compromised. The email messages better mimic legitimate business requests and involve spoofed sites that look familiar to the employee, such as Dropbox or Google Docs. Attackers continue to rely on mailbox rules to ensure that replies to the imposter emails are forwarded to the attacker and deleted from the mailbox, thereby concealing the communications from the real user.”
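The mailbox-rule technique described above can be hunted for with Exchange Online PowerShell. The block below is an added example, not code from the article, Avanan or BakerHostetler: it enumerates every user mailbox's inbox rules (hidden ones included), flags rules that forward or redirect outside the organisation, delete messages, or tuck them into folders nobody reads, and then cross-checks the Unified Audit Log for who created or changed rules recently. The ExchangeOnlineManagement module, an admin role allowed to read inbox rules and search the audit log, and the `$internalDomains` list are assumptions for this example.

```powershell
# Added example (not from the article or the reports it cites).
# Assumes: ExchangeOnlineManagement module installed and an Exchange admin role
# that can read inbox rules and search the Unified Audit Log.
Connect-ExchangeOnline

# Domains that count as "internal"; any forward/redirect elsewhere is suspicious.
# Replace with your tenant's accepted domains (assumption for this example).
$internalDomains = @('example.com', 'example.net')

function Test-ExternalRecipient {
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        # Rule recipients render as '"Name" [SMTP:user@domain]'; pull out the SMTP address.
        if ($r -match 'SMTP:([^\]\s]+)') {
            $domain = ($Matches[1] -split '@')[-1].ToLower()
            if ($internalDomains -notcontains $domain) { return $true }
        }
    }
    return $false
}

# Folders attackers use to park replies the real user is unlikely to look at.
$hidingFolders = 'RSS|Deleted Items|Archive|Conversation History|Junk'

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # -IncludeHidden also returns rules created through MAPI that Outlook does not display.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden -ErrorAction SilentlyContinue) {
        $reasons = @()
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        if (Test-ExternalRecipient $targets)           { $reasons += 'forwards/redirects externally' }
        if ($rule.DeleteMessage)                       { $reasons += 'deletes message' }
        if ($rule.MoveToFolder -match $hidingFolders)  { $reasons += "moves to $($rule.MoveToFolder)" }
        if ($rule.MarkAsRead)                          { $reasons += 'marks as read' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Reasons = $reasons -join '; '
            }
        }
    }
}

"Suspicious inbox rules:"
$findings | Sort-Object Mailbox | Format-Table -AutoSize

# Cross-check with the audit log (only useful if logging was on beforehand):
# who created or modified rules in the last 30 days, and from which IP.
"Rule changes in the last 30 days:"
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, ClientIP, Operation |
    Format-Table -AutoSize
```

A rule that forwards to an external address and deletes or marks the original as read is the classic business-email-compromise pattern; a ClientIP in the audit record that does not match the user's usual location is the quickest way to confirm the rule was not created by the mailbox owner.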

For that reason, they advise organizations to enable all available logging in Microsoft 365 (or in whatever email hosting platform they use), and also to:

  • Establish strong password requirements
  • Enable multi-factor authentication and email alerts for suspicious activity
  • Separate administrative accounts from user accounts
  • Enable a lockout policy after a specific number of failed logon attempts
  • Disable unnecessary email tools and protocols that allow actors to hide their actions or download the entire contents of a mailbox
  • Establish email retention policies
  • Make sure that the legitimacy of every email containing changes to account information used for wire transfers and direct deposit is verified verbally.
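The Exchange-side items in that list (logging, the protocols that let an attacker download a whole mailbox or sign in without MFA, and the auto-forwarding that hides replies) can be applied with Exchange Online PowerShell. The block below is an added example, not guidance or a script from BakerHostetler's report; the module, the admin role, the policy name and the sample address are assumptions. The password, MFA and lockout items live in Azure AD / Entra ID rather than Exchange and are not covered here. Note that Microsoft has since switched Basic Authentication off in Exchange Online for most protocols, but disabling POP, IMAP and SMTP AUTH per mailbox and blocking external auto-forwarding are still worth doing.

```powershell
# Added example (not from the article or BakerHostetler's report).
# Assumes: ExchangeOnlineManagement module installed, an account holding the
# Exchange Administrator role, and that users do not legitimately need POP/IMAP.
Connect-ExchangeOnline

# 1. Logging: make sure Unified Audit Log ingestion is on, and that mailbox
#    auditing (on by default in current tenants) has not been switched off.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Set-OrganizationConfig -AuditDisabled $false
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# 2. Protocols that let an attacker pull down an entire mailbox or authenticate
#    with just a password: disable POP, IMAP and SMTP AUTH on every user mailbox ...
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    Set-CASMailbox -Identity $_.UserPrincipalName -PopEnabled $false -ImapEnabled $false `
                   -SmtpClientAuthenticationDisabled $true
}
#    ... on the mailbox plans, so newly created mailboxes inherit the setting ...
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false
#    ... and tenant-wide for SMTP AUTH (a per-mailbox setting can re-enable one device if needed).
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

#    Block legacy (basic) authentication for all protocols. New-AuthenticationPolicy
#    disallows basic auth everywhere unless an -AllowBasicAuth<Protocol> $true is passed.
$policyName = 'Block Basic Auth'   # name is an assumption for this example
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 3. Hiding activity: stop mail from being auto-forwarded outside the tenant,
#    which is what a forwarding inbox rule or a ForwardingSmtpAddress relies on.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 4. Verify: list any mailbox that still has POP or IMAP on, and spot-check one user
#    (the address is a placeholder).
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled
Get-CASMailbox -Identity 'alice@example.com' |
    Select-Object PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled
```

Run step 1 first: the Unified Audit Log only captures events from the moment ingestion is enabled, so an incident that began before that point will have no rule-creation or sign-in records to investigate.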