Must Read - How Phishing Emails Bypass Microsoft 365 Default Security

Email remains one of the most common vectors of attack due to how easily it can be abused. Attackers take advantage of it by creating persistent threats that are massive in number.

The inherent vulnerability of email is evidenced in a report from last year that found that roughly 20% of all phishing emails found were marked as clean by the Microsoft 365 Exchange Online Protection (EOP) and reached the users' inboxes. This article will discuss the limitations of Microsoft 365 that have led to vulnerabilities, schemes that attackers will use to bypass security filters, and how you can protect your email from phishing attempts.

Microsoft 365 Limitations

19% of phishing emails bypassed Microsoft Exchange Online Protection (EOP) and Defender, since 2020, Defender's missed phishing rates have increased by 74%, on average, Defender sends only 7% of phishing messages to the Junk folder. Limitations in EOP create vulnerabilities that businesses can no longer afford. These limitations include:

Protection is Subpar

EOP is static, single-layered, takes a retrospective approach to identify phishing attacks and stop malware attacks that do not safeguard against human error and fails to anticipate emerging zero-day attacks, malicious URLs, and attachments that are not included in its static lists.

Lack of Customization for Businesses’ Unique Needs

EOP is not customizable, resulting in a limited ability to identify suspicious emails and social engineering attacks, leaving businesses vulnerable to account takeovers and targeted spear phishing attacks that often result in credential theft.

Attackers Have an Easier Time Bypassing Defenses Because of Homogeneous Architecture

The homogeneity of the Microsoft 365 security system enables cyber thieves to open any account, test their methods until they are able to bypass default filters, and reuse these methods in attacks targeting thousands of different accounts.

Difficult to Configure & Manage Securely 

Setting up and configuring requires expert IT which many SMBs lack. At the same time, Microsoft also fails to assist with setup and ongoing system monitoring, maintenance, and support to prevent misconfiguration vulnerabilities and keep customers secure. Microsoft 365 also lacks support for hybrid work environments, so these businesses often find it difficult to understand how to effectively layer and combine the different Microsoft security solutions available.

Common Phishing Methods Used in Attacks

A recent study found that brand impersonation, a display name deception tactic, was widely used by cybercriminals to get a victim to click on a malicious link or compromise account credentials on a fraudulent login page. The report said that there is probably at least one phishing email in every 25 branded emails. 

The same study found that obfuscation methods manipulated pre-existing vulnerabilities in Microsoft 365 security layers as well as were also observed in phishing attacks. For example, cybercriminals can obfuscate a URL to make it unrecognizable to Microsoft 365 security, rendering its capability to block malicious content useless.

Abusing a rarely used file format can also be used to evade detection. Threat actors behind spam campaigns have abused rarely used file types to hide malware attachments. When this technique is used, the structure of file types can be compromised to evade detection methods or to bypass an outdated security filter.

Protecting Against Phishing Attacks

Education and awareness are critical when it comes to phishing protection, especially concerning deepfake phishing which is that much more difficult to detect. Some simple practices that you should implement to avoid taking the bait in a phishing attack include:

• Check for spelling and grammatical errors which can indicate that an email is fraudulent or malicious.
• Keep an eye out for suspicious subject lines and signatures.
• Don’t trust the display name. Just because an email says it’s from a known and trusted sender doesn’t necessarily mean it really is. Even if the email address is legitimate, the message could be coming from a compromised account.
• Be cautious of nonspecific language. Phishers typically use vague language in their campaigns to evade spam filters.
• If an email appears strange in any way, make a phone call to the sender to confirm the legitimacy of the email.
• If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than just hitting reply.
• Beware of urgency. Phishing emails often try to convince recipients to act quickly, without thinking things through.
• Scan all attachments for viruses or dangerous code.

To bolster built-in email protection and reap the benefits of Microsoft 365 without sacrificing security, businesses should implement a proactive, multi-layered supplementary email security solution that is specifically designed to fill the critical voids in built-in Microsoft 365 email protection.

Universities Targeted in Email Phishing Attacks

In September of 2022, Duke University was the victim of the largest email phishing attack it has seen since 2020. The fraudulent messages notified students of a “Warning” or “Urgent Warning” related to their Duke account or offered them false UNICEF jobs or remote work.

The attack was carried out in two phases; in the first phase, attackers sent false alerts from unaffiliated email addresses that warned students that they were about to lose access to their Duke accounts who then followed a link and input their passwords and codes. In the second phase, attackers used the stolen passwords to send out waves of fraudulent messages from Duke email addresses. These messages also claimed to offer employment, and were designed to steal financial information, and involve them in other, larger scams. 

Unfortunately, several other prominent U.S. colleges have also been targeted by cybercrime. In April 2021, six different universities had their data leaked to the dark web, much of which included private and sensitive information. The victims were: Stanford University, the University of Maryland Baltimore, the University of Miami, the University of California Merced, the University of Colorado Boulder, and Yeshiva University, a prominent private research university based in New York City.

The data stolen from a number of these schools was posted online and made publicly visible. In some cases, that included student or employee names, social security numbers, phone numbers and addresses, and even a transcript.

Keep Learning

Businesses face great risk in Microsoft 365 without the implementation of effective supplementary email security defenses and the accompanying expert ongoing system management and support necessary to ensure they remain effective in protecting against the latest, most sophisticated threats.

• Learn more about effectively protecting your business from ransomware.
• Improve your email security posture to protect against attacks by following best practices.
• Keeping the integrity of your email safe requires securing the cloud with spam filtering and enterprise-grade anti-spam services.
• Get the latest updates on how to stay safe online.