ICES Closing the Gaps in M365 Native Security

Protection against cyber-attacks has always been complex. But today, detecting and preventing attacks against businesses is more complicated than ever. The volume and sophistication of cyber threats are unparalleled. If you use Microsoft 365, you should be aware of potential gaps in the native security within the productivity suite. Studies have shown that these gaps have resulted in almost 20% of phishing emails circumventing Microsoft 365 Exchange Defender and Microsoft Exchange Online Protection (EOP).

This article explores the security gaps in M365 and how ICES solutions provide a more comprehensive, defense-in-depth approach to phishing prevention.

Phishing Volume and Sophistication Overload

The Anti-Phishing Working Group (AWPG) research for Q1 2023 identified 1,624,144 phishing attacks, describing the situation as "This is a record high -- the worst quarter for phishing that APWG has ever observed.” Notably, APWG data for Q3 was slightly lower but still described as the “third-highest quarterly total that the APWG has ever recorded.”

Volume is one thing, but sophistication is another challenge altogether. If a secure email solution could catch threats, it would do so effectively, even with high volumes. However, the new era of phishing has changed the metrics. Phishing is no longer the clumsily put-together spoof email that even the most straightforward email gateways can detect. Phishing is now polymorphic, evasive, and often multi-stage; cybercriminals may also use compromised email accounts to carry out these attacks, making detection challenging.

What is Defense-in-Depth, and Why Use it?

Sophisticated tactics to evade detection need an intelligent mechanism to detect any cloaked attempt to hide in plain sight; this is where the defense-in-depth strategy comes in. What do security professionals mean when they talk about "defense-in-depth"? The U.S. National Security Agency (NSA) originally coined the phrase to describe a military strategy. However, used in cybersecurity, defense-in-depth is an approach that uses multiple layers of protective mechanisms to ensure that evasive tactics, commonly used by cybercriminals, are identified, and malicious actions and objects (such as phishing emails) are stopped. This approach protects endpoints, servers, and data and prevents human-centered attacks. More recently, a defense-in-depth approach can utilize intelligent technologies, adding even stronger techniques to identify obfuscated and evasive phishing.

In terms of email security, a defense-in-depth approach has become critical as cybercriminals have evolved their techniques and tactics to evade native email security gateways, such as Microsoft Exchange Online Protection (EOP) and Defender used to protect M365.

Research for Q1 2023 identified 1,624,144 phishing attacks, describing the situation as "This is a record high -- the worst quarter for phishing that APWG has ever observed.”

Anti-Phishing Working Group

Where are the Security Gaps in M365 Native Security?

According to a report, 90% of companies have security gaps in their M365 environment. These gaps in the native security offered in M365 are being exploited by cybercriminals using evasive and exploitative tactics. Some examples will give you an insight into how these gaps have come about:

MFA Bypassed: Cybercriminals now have techniques to bypass the multifactor authentication built into Microsoft 365. Adversary-in-the-middle (AiTM) is a phishing technique where attackers compromise an email account and add a new rogue authenticator. This allows them to evade detection more efficiently and to persist in the system, allowing them to carry out longitudinal attacks. Poor security follow-ups and alerts compound the security gap. Unfortunately, in this example of the MFA bypass, the rogue authenticator was set up without a warning being sent to the legitimate account holder.

Configuration Errors: Email security in native M365 security is defined using policies. If these policies are not configured correctly, or a new threat emerges that is not reflected in a policy, a security gap occurs, and phishing emails can slip through the net.

Send Errors: M365 cannot detect if an incorrect recipient is added to an email. This allows sensitive content to be sent out of the organization, causing embarrassment and non-compliance with regulations. Similarly, M365 cannot detect if the wrong document is attached to an email.

Multi-Stage Email Attacks: M365 native security is good at detecting generic phishing emails. However, many modern phishing campaigns are not one-off phishing campaigns. Instead, current scams often use multiple stages and compromise legitimate email accounts to enter the network. Phishing emails are likely highly targeted, focusing on administrator or accounts payable roles. As Business Email Compromise is called the $43 billion scam by the FBI, it uses complex tactics to steal large sums of money. M365 native security does not utilize behavioral analytics or natural language processing and cannot connect across multiple stages to detect nefarious events. 

One of the issues that M365 native security has is that cybercriminals are developing Phishing-as-a-Service kits that specifically bypass this security. A recent highly sophisticated example is the W3LL phishing kit. This kit was designed to make Business Email Compromise (BEC) scams daccessible to even novice scammers. The kit allows cybercriminals to bypass Microsoft’s MFA and includes obfuscation methods for email headers and body text to evade detection.

ICES Closes the Email Security Gaps

Integrated Cloud Email Security (ICES) is a technological vanguard in email security that closes the security gaps found in M365. ICES solutions are designed to detect and prevent advanced phishing threats using behavioral analytics, AI, and natural language processing. ICES solutions can make contextual decisions informed by intelligent pattern detection. This contextual analysis is critical in identifying multi-stage attacks such as Business Email Compromise (BEC), where email conversations could look legitimate until the context and history of the exchange are analyzed.

ICES solutions are cloud-native SaaS solutions that offer all the inherent capabilities of cloud solutions, including scalability, ease of deployment, and centralized maintenance and management. ICES closes the gaps in Microsoft 365 native security to provide a complete defense-in-depth approach.

Features of PhishTitan, an ICES Solution

PhishTitan is an ICES solution that uses a defense-in-depth approach to email security. The intelligent, protective layers used to capture even the most deceptive and evasive phishing-related attacks include the following features:

• AI-Driven Threat Intelligence: URL and web page anti-phishing analysis based on AI trained using data from a vast threat corpus. The system learns over time and can identify patterns, adjusting tactics to capture emerging threats. 
• Real-Time Threat Analysis: PhishTitan's AI-driven anti-phishing service follows malicious links in an email to check the website. The email will be released to the user’s inbox if the website is legitimate.
• Time of Click Protection: PhishTitan rewrites URLs and checks the website associated with the link. If the website is a phishing site, the user will be prevented from entering the website.
• URL Rewriting and Analysis: URL analysis validates the security of the URL against multiple curated anti-phishing feeds. This system works with the ‘time of click’ protection to prevent successful phishing attacks. 
• Link Lock Service: A service that ensures the company remains protected even if a recipient clicks a URL in a malicious email.
• Smart Mail Protection: Compares incoming mail with a list of known threats. Curated data from multiple sources across the global threat landscape ensures that the most current threats are always part of this list.
• Data Loss Prevention (DLP): Prevents sensitive data from leaving the corporate network, whether by accident or maliciously.
• Native Integration with Office 365 Email: PhishTitan works symbiotically with the native security in M365 to offer inline advanced phishing protection seamlessly.

Chat with a TitanHQ ICES expert to see how PhishTitan can close the security gaps in M365.