A recent post on a /hacking subreddit pointed out how the Microsoft 365 Exchange Defender filters failed a company by allowing phishing emails through. The OP was concerned that the phishing pages associated with the malicious emails were exact replicas of the company's branding, so they were tough for users to spot as rogue. The conversation pointed to EvilGinX2, a phishing framework that bypasses MFA (multi-factor authentication) by relaying users to a genuine Microsoft 365 login page via a phishing site, resulting in login credential theft.
Cybercriminals are innovators. They are adept at creating increasingly clever ways to circumvent capture and detection; conventional methods are becoming less effective. However, with phishing on the rise, you must protect your M365 environment; TitanHQ looks at this popular platform and how protection of M365 applications is possible using an integrated and layered approach to email security.
Why is Phishing Used to Target M365?
Cybercriminals want quick results, and targeting popular brands is a strategy that works. Microsoft 365 is very popular: M365 has 31% of the productivity app market, with around 3.6 million customers worldwide and 345 million paid seats. There are many employees to target with phishing, and it offers a massive potential to steal login credentials to access the actual M365 suite and all the opportunities for ransomware infection, Business Email Compromise, and data theft that phishing affords. The net result of this popularity is that M365 is one of the most targeted brands by cybercriminal phishing groups.
What Happens when M365 Cyber-Targeting Succeeds?
Cybercriminals who target M365 aim to open doors into an enterprise network. Once inside, the hackers can steal data, install malware, such as ransomware, and commit scams, such as Business Email Compromise and vendor email compromise.
Opening the network door is best done by getting someone to open the door for you rather than kicking the door down; this is why phishing is the most common initial attack vector used to compromise M365. In H1 2023, Microsoft and Meta were the most spoofed brands.
Cybercriminals often target the holy grail of accounts, the C-level email account. If a phisher can take over a C-Level or other executive account, they can use it to trick employees into doing their bidding more easily. Business Email Compromise (BEC) is another attack type that phishing plays a role in executing; BEC is an increasing threat against businesses worldwide. Microsoft Threat Intelligence detected and investigated 35 million BEC attempts, averaging around 156,000 daily attempts between April 2022 and April 2023.
Malware infection, including ransomware, is another severe outcome of successful M365 phishing attacks. Any compromised account can be a way through the door, using vulnerabilities in other services and apps to escalate the privileges of the compromised account and allow the installation of malware. Phishing emails are often the cause of ransomware infection. While M365 offers some in-built anti-ransomware features, the fact is that M365, being a popular system that stores and shares sensitive and valuable data, is an ideal target for ransomware attackers. Microsoft's Digital Crimes Unit estimates that between October 2022 and November 2023, there was a 200% increase in ransomware attempts.
Is the Built-In Protection in M365 Enough?
At the start of this article, an M365 client complained about phishing emails evading detection by the built-in security in M365. Studies have shown that almost 20% of phishing emails circumvent Microsoft 365 Exchange Defender and Microsoft Exchange Online Protection (EOP). One of the main reasons for this is the innovative nature of cybercrime. The evolving cyber-threat landscape needs evolved cyber-threat detection. AI-enabled, zero-hour, and zero-minute phishing protection is necessary against modern phishing threats. M365's built-in protection for phishing and ransomware should be seen as a baseline, not the entire solution. Protection is needed against threats that morph and that are built to circumvent traditional email security gateways. Augmentation technologies integrating with Microsoft 365 Exchange Defender and Microsoft Exchange Online Protection (EOP) provide the next generation of protective measures beyond email gateway capability.
What Do the Next Generation of M365 Protective Measures Offer?
A defense-in-depth approach applies layers of security to capture even the cleverest and most emergent phishing-based cyber-attacks. In 2021, industry analyst Gartner coined ICES (Integrated Cloud Email Security) to describe the new capabilities to detect and prevent advanced phishing threats. Gartner recommended that companies "Supplement the native capabilities of your existing cloud email solutions with third-party security solutions, to provide phishing protection for collaboration tools and to address both mobile and BEC-type phishing scenarios."
ICES solutions are intelligent and built to work alongside in-built security offerings, such as Microsoft 365 Exchange Defender. These solutions are advanced, taking advantage of new technologies such as AI, behavior analysis, and natural language processing. Applied to phishing detection, they provide fine-grained detection capability to spot emerging threats that exploit zero-minute vulnerabilities. ICES solutions effectively close any gaps in Microsoft 365's built-in security. Phishing threats that are difficult to detect, such as cleverly composed spear-phishing emails and BEC scams, are more likely to be detected and stopped before causing damage.
AI-driven Threat Intelligence for M365 Protection
PhishTitan is an ICES solution based on AI-driven phishing protection that integrates with M365 and uses a layered approach to preventing phishing email attacks. Features of PhishTitan include the following:
- AI-Driven Threat Intelligence: Anti-phishing analysis based on AI and LLM data. AI training data comes from a vast threat corpus, allowing the AI to spot emerging threats. PhishTitan automatically sends alerts if dangerous URLs and web pages are detected, preventing employees from clicking links or navigating to malicious websites.
- Native Integration with Office 365 Email: Direct API-enabled integration with existing productivity suites, like M365 and Google, makes business email security simple and removes human error.
- Time of Click Protection: Zero-minute phishing messages are designed to change URLs if they recognize detection. PhishTitan prevents polymorphic evasion tactics used in modern phishing attacks by replacing email links and sending the link to an inspection site to check the validity of the website associated with the link. If the website is a phishing site, the user will not be able to navigate to the site.
- Real-Time Threat Analysis: Real-time detection is essential to capture advanced zero-minute phishing attempts.
- Link Lock Service: A specialist anti-phishing service ensures the business remains protected even if an employee clicks a URL in a malicious email.
- Smart Mail Protection: Compares incoming mail with a list of known threats. Data from multiple sources across the global threat landscape ensures that the most current threats are always on this list.
- Data Loss Prevention (DLP): Prevents sensitive data from leaving the corporate network. Protects intellectual property, customer data, and other sensitive information.
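The time-of-click mechanism described in the list above, shown as an added example that is not PhishTitan's or TitanHQ's code: every URL in a delivered message is rewritten to point at an inspection endpoint (the hostname, the regex and the in-memory threat list are all assumptions constructed for this example), and the allow/block decision is made when the user clicks, against whatever the threat list contains at that moment rather than at delivery time.

```python
"""Time-of-click link protection (added illustration, not a vendor's code)."""
import re
import urllib.parse

# Hypothetical inspection endpoint; a real product uses its own host.
INSPECT_BASE = "https://inspect.example.invalid/check"

# Constructed threat list; in production this is fed by threat intelligence
# and keeps changing after the message has already been delivered.
KNOWN_BAD_HOSTS: set[str] = set()

# Matches http(s) URLs up to whitespace or a tag/quote delimiter.
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def rewrite_links(body: str) -> str:
    """Replace every URL in the message body with an inspection link."""
    def wrap(match: re.Match) -> str:
        original = match.group(0)
        # Percent-encode the whole URL so it survives as one query value.
        return INSPECT_BASE + "?u=" + urllib.parse.quote(original, safe="")
    return URL_RE.sub(wrap, body)


def unwrap_link(inspect_url: str) -> str:
    """Recover the original destination from an inspection link."""
    query = urllib.parse.urlparse(inspect_url).query
    return urllib.parse.parse_qs(query)["u"][0]


def verdict_at_click(inspect_url: str) -> tuple[str, str]:
    """Decide 'allow' or 'block' for a wrapped link at click time.

    The lookup runs against the *current* threat list, so a destination
    that was unknown at delivery but flagged later is still blocked.
    """
    original = unwrap_link(inspect_url)
    host = (urllib.parse.urlparse(original).hostname or "").lower()
    return ("block" if host in KNOWN_BAD_HOSTS else "allow"), original


if __name__ == "__main__":
    # Constructed sample lure pointing at a made-up look-alike login host.
    mail = "Please review: https://login.contoso-portal.invalid/signin?id=7"
    link = URL_RE.search(rewrite_links(mail)).group(0)
    print(verdict_at_click(link))                         # clean at delivery
    KNOWN_BAD_HOSTS.add("login.contoso-portal.invalid")   # later intel update
    print(verdict_at_click(link))                         # same link, now blocked
```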
Gartner predicts that by 2025, 20% of anti-phishing solutions will be integrated via API with the email platform. This is an increase from 5% today. This increase reflects the need to advance phishing protection to account for phishing innovation. PhishTitan is part of this advancement in M365 environment protection, working symbiotically with M365's built-in protection.
Susan Morrow
- DATA PROTECTION
- EMAIL PHISHING
- EMAIL SECURITY