Author: Adrien Gendre, Chief Solution Architect, Vade Secure
Office 365 is one of the most popular productivity suites on the market. Businesses using Office 365 benefit from its all-in-one platform that combines collaboration, messaging, and office productivity tools.
Using a single login credential, a user has access to every aspect of their employer’s business—and that’s why Office 365 is so popular with cybercriminals.
Office 365 email attacks are on the rise
With more than 155 million users, Office 365 has made Microsoft a top target. In a recent report by Vade Secure, Microsoft was named the number one phished brand in the world for the third straight quarter, topping popular targets like PayPal and Netflix. From SharePoint to OneDrive, Office 365 applications house a treasure trove of data, and cybercriminals are getting more creative about how to get in the door.
According to IDC, 80 percent of cyberattacks start with an email. While malware was once the biggest email threat to businesses, it has been usurped by equally dangerous, although harder to detect, phishing and spear phishing attacks. Moreover, these threats are increasing in both volume and sophistication. The method of attack in each case differs slightly, but what phishing and spear phishing have in common is that they are designed to trick vulnerable employees into disclosing information or completing a desired action.
When phishing and spear phishing are combined, it’s known as a multiphase attack, a methodical approach beginning with a phishing email designed to gain access to Office 365 credentials, followed by spear phishing attacks conducted from inside Office 365 using compromised accounts. “When you find a way to break through Microsoft,” says Adrien Gendre, chief solution architect at Vade Secure, “you break through 155 million corporate users.”
For one American company, a multiphase attack cost more than $45 million. Over the course of several emails, one employee was manipulated into sending wire transfers to a hacker posing as an executive. “Once you have access to a compromised account,” Gendre says, “you can launch small attacks from the inside and stay under the radar.”
How email attacks slip past Microsoft security
Phishing and spear phishing emails, the most common entryways into Office 365, are bypassing Microsoft’s email security filters and landing in user inboxes. Once an email is delivered, there is little to nothing IT admins can do to prevent employees from taking the bait. Exchange Online Protection (EOP), Microsoft’s built-in email filtering service, is efficient at stopping spam and known threats based on previously identified bad senders or malicious content.
In “Email Security: Maintaining a High Bar When Moving to Office 365,” IDC analyst Konstantin Rychkov says unknown threats like dynamic phishing and spear phishing easily bypass EOP. Traditional filters like EOP, which use fingerprinting and reputation-based methods to detect threats, are not built to identify the unknown.
Unlike previous high-volume phishing attacks, the latest threats are low volume and highly dynamic, featuring content randomization and a different sender, IP address, and URL in each email. Additionally, polymorphic malware is constantly changing, so it has no stable signature to detect.
Secure Email Gateways (SEGs) are equally ineffective at protecting Office 365 environments from dynamic threats. The rise in cloud adoption, says Rychkov, presents challenges for the SEG model, resulting in inefficient controls or an abundance of false positives. SEGs also require MX (mail exchange) record changes, which present additional challenges: because the MX record is public, simply looking it up tells an attacker which SEG a business uses, and they can then adjust their methods to bypass that product. SEGs also introduce integration challenges, cannot scan internal emails to protect against insider attacks, and do not layer effectively with Office 365.
“You have to rethink your architecture to make sure you can stack up the layers,” says Gendre. “When you set up a cloud solution or an SEG in front of Office 365, you are just removing the protection Office 365 is providing. You are not stacking up the layers; you are replacing one layer with another.”
Augmenting Office 365 security with a new approach to threat detection
Launched at lower volumes and with greater precision, phishing and spear phishing attacks are increasingly difficult to identify. Combatting highly dynamic, targeted email threats requires augmenting Office 365 security with a predictive approach that expands beyond traditional fingerprint and reputation-based methods.
Behavioral-based methods are now available that can analyze emails based on the content and context of the email. In AI-based threat detection, machine learning models analyze emails based on behavioral patterns identified in previous threats, such as phishing attacks. Supervised machine learning algorithms can identify these patterns by analyzing URLs, landing page forms, and common obfuscation techniques used in phishing emails, such as use of redirections and link shorteners. “Instead of trying to identify the malicious content,” Gendre says, “which is a waste of time because it changes constantly, we use machine learning to identify malicious behaviors.”
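The URL- and obfuscation-oriented features mentioned above (redirections, link shorteners, hidden destinations) can be illustrated with a small feature extractor. This is an added example, not Vade Secure's code or model: it extracts per-URL behavioural signals from an email body that a classifier could consume, and it flags links whose visible text points at a different host than the real destination. The shortener list, the redirect parameter names and the sample HTML email are constructed for the example.

```python
"""Behavioural feature extraction for URLs in an email body.

Added example (not Vade Secure's code). The shortener hosts, redirect
parameter names and the sample email below are constructed assumptions.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed list of well-known link-shortener hosts; a real deployment
# would maintain and update this list.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Query-parameter names commonly used by open redirectors (constructed list).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "goto", "return", "u"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                     re.IGNORECASE | re.DOTALL)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def url_features(url: str) -> dict:
    """Return behavioural features of one URL (signals, not a verdict)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    query = parse_qs(parsed.query)
    # A redirect parameter whose value is itself a URL sends the victim elsewhere.
    embedded = [unquote(v[0]) for k, v in query.items()
                if k.lower() in REDIRECT_PARAMS and v
                and v[0].lower().startswith(("http://", "https://"))]
    return {
        "host": host,
        "uses_shortener": host in SHORTENER_HOSTS,
        "has_redirect_param": bool(embedded),
        "redirect_target": embedded[0] if embedded else None,
        "ip_literal_host": bool(IPV4_RE.match(host)),
        "subdomain_depth": host.count("."),
        "has_at_sign": "@" in parsed.netloc,  # user@host form hides the real host
    }


def link_text_mismatch(html: str) -> list:
    """Find <a> tags whose visible text is a URL on a different host than the href."""
    mismatches = []
    for href, text in HREF_RE.findall(html):
        shown = URL_RE.search(text)
        if shown is None:
            continue
        shown_host = (urlparse(shown.group(0)).hostname or "").lower()
        href_host = (urlparse(href).hostname or "").lower()
        if shown_host and shown_host != href_host:
            mismatches.append({"shown": shown_host, "actual": href_host})
    return mismatches


def analyze_body(html: str) -> dict:
    """Extract features for every URL in the body and count obfuscation signals."""
    feats = [url_features(u) for u in URL_RE.findall(html)]
    signals = sum(f["uses_shortener"] + f["has_redirect_param"]
                  + f["ip_literal_host"] + f["has_at_sign"] for f in feats)
    mismatches = link_text_mismatch(html)
    return {"urls": feats, "link_mismatches": mismatches,
            "signal_count": signals + len(mismatches)}


# Constructed sample: a mailbox-quota lure with a shortener, an IP-literal
# host carrying an open-redirect parameter, and misleading link text.
SAMPLE_HTML = (
    '<p>Your mailbox is almost full. '
    '<a href="https://bit.ly/3xample">Verify now</a> or use '
    '<a href="http://203.0.113.10/login?redirect=https%3A%2F%2Fcollect.example.net%2Fo365">'
    'https://portal.example.com</a></p>'
)

if __name__ == "__main__":
    result = analyze_body(SAMPLE_HTML)
    for f in result["urls"]:
        print(f)
    print("link text mismatches:", result["link_mismatches"])
    print("obfuscation signals:", result["signal_count"])
```

The output of `analyze_body` is a feature vector, not a block decision; in the approach the article describes, such features feed a supervised model trained on labelled phishing and legitimate mail, so that the model learns the behaviour rather than any particular malicious URL.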
Spear phishing emails are designed to trick users into completing an action, such as changing an account number, scheduling a wire transfer, or purchasing gift cards. If the content and the sender were not previously flagged, the emails will not be blocked by a traditional email filter. In natural language processing, a subset of AI, algorithms scan the email and analyze the content and context of the message to identify those calls to action.
Machine learning can also detect other tactics that bypass traditional email security filters. For example, in email spoofing, a cybercriminal creates an email address that mimics but is not identical to the email address of another employee in the organization. Unsupervised anomaly detection can compare the sender’s email address against the organization’s entity model—the known email addresses within the organization—to detect email spoofing, cousin domains, and other tactics. A traditional email filter will not recognize this anomaly because the email address is not from a known bad sender.
In both examples above, the behavioral analysis happens in real-time. This is in contrast to traditional sandboxing techniques that quarantine emails while they undergo analysis, significantly slowing email delivery—and slowing business in the process.
Taking action when threats occur
A limitation of many email security solutions, according to Rychkov, is remediation. No security solution, whether for email, applications, or any technology, can block 100 percent of cybersecurity threats.
For threats that bypass security filters and land in user inboxes, IT admins need the ability to remove the threat from the inbox. For false positives that have been flagged by a filter, IT admins should be able to return non-threatening emails to user inboxes—all this should occur without affecting the Office 365 user experience.
Finally, while remediation must occur at the IT level, it should also occur at the human level. Humans, after all, are the target of email threats. Cybercriminals rely on them to make mistakes—and they do. Users should be immediately alerted and trained when they have clicked on a phishing link or responded to a spear phishing email.
On-the-fly training reinforces the importance of continual security awareness and refreshes users’ sense of alertness—which is often lost when months have passed between security awareness training sessions. Users should also be trained to report email threats when they receive them, creating a feedback loop that continually improves machine learning models. “I believe instead of being the weakest link,” Gendre says, “users are actually the last line of defense.”
To learn more about augmenting Office 365 email security, read the IDC Analyst Connection report, “Email Security: Maintaining a High Bar When Moving to Office 365.”
Adrien Gendre, Chief Solution Architect, Vade Secure.
As Vade Secure’s chief solution architect, Adrien Gendre is responsible for formulating the company’s product strategy and road map, overseeing integration with security vendors and managing the global solutions architect, training, documentation and customer support teams.