Attackers finding new ways to exploit and bypass Office 365 defenses
Over the six-month period from March to August 2020, over 925,000 malicious emails managed to bypass Office 365 defenses and well-known secure email gateways (SEGs), an Area 1 Security study reveals.
How criminals bypass Office 365 defenses
Attackers increasingly use highly sophisticated, targeted campaigns like business email compromise to evade traditional email defenses, which are based on already-known threats.
Attackers also often use Microsoft’s own tools and branding to bypass legacy defenses and email authentication (DMARC, SPF, DKIM).
- In one example where a customer layered Office 365 with an SEG, more than 300,000 malicious messages were still missed.
- There was a steady increase in targeted BEC attacks, including Type 3 (account takeover-based) BEC and Type 4 (supply chain phishing) BEC, which would have amounted to several billion dollars in potential losses.
- Spoofed senders and newly registered domains accounted for 71.7 percent of the missed email threats.
- The summer months saw a sharp increase in phishing, as attackers took advantage of coronavirus-related misinformation and remote workforce transitions.
Since Microsoft unveiled its cloud-based Office 365 platform in October 2010, its user base has continued to grow, now surpassing 258 million paid Office 365 business seats.
While Microsoft continues to make Office 365 security improvements and can even exceed the best anti-spam and antivirus providers, cyber threat actors have evolved accordingly. For example, Area 1 has intercepted a number of credential harvesting phishing emails that exploit cloud tools such as Microsoft SharePoint and Microsoft Planner.
Attackers adopting cloud suites to launch phishing campaigns
As noted in the Gartner 2020 Market Guide for Email Security, “As organizations move to cloud email, it’s easier for attackers to target users with phishing attacks posing as log-in screens in order to harvest credentials. They then use those credentials to launch further account-takeover-based attacks that can include other collaboration tools. Organizations need to ensure that both internal and external email is secured as well as collaboration tools that are being used.”
“Millions of organizations have achieved immeasurable productivity and efficiency thanks to the cloud. However, it’s evident that attackers have also adopted cloud suites to launch productive, efficient phishing campaigns,” said Patrick Sweeney, CEO and president of Area 1 Security.
“It’s critical to proactively stay ahead of evolving cyberattacks with techniques that identify phishing threats as they’re being built — before they’ve been launched.”
Recommendations for effectively defending against cloud email threats
- Zero-trust email: Adhere to a zero-trust-email approach, which should serve as a baseline for an email security strategy. All email, especially ongoing interactions with external partners and suppliers, should be considered areas of compromise.
- Comprehensive email security techniques: These should include AI and machine learning (ML) models, computer vision, natural language understanding (NLU) and intent analysis, among other advances.
- Creating an automated social/partner graph for your organization: Identify your partner organizations and perform universal message classification to understand the natural interactions the organization has with the rest of the world.
- Combining preemptive threat data, message sentiment analysis and conversational context analysis: This makes malicious-message detection highly accurate, especially in cases where a partner has been compromised and becomes the source of targeted phishing attacks.