Email Security Blog

Don't Forget This Office 365 Tool

The Problem with Microsoft Attack Simulator and Phishing

Microsoft recommends that Office 365 admins buy an add-on subscription and run a program called Attack Simulator as a safeguard against phishing. The company says Attack Simulator runs your employees through realistic scenarios of the kind scammers use to steal credentials by email.

It is an attempt to train users to recognize the phishing emails that slip through the anti-phishing filters built into Office 365.

There is a big problem with this approach. Training doesn't hurt, but it is rarely completely effective, and relying on employees to keep the company safe means relying on people not to make the mistakes people routinely make.

More than 90 percent of cyberattacks start with a phishing email, so the single most effective way to protect your organization is to stop phishing emails from getting through. Microsoft's filtering leans heavily on reputation lists of known bad senders, domains and URLs, which it compares against incoming mail. Anything not yet on a list can pass Office 365's checks: a freshly registered domain, a URL created an hour ago, or malicious code tucked inside an ordinary-looking attachment.

There is a better way. Using a third-party anti-phishing solution like INKY ensures threats are detected and dealt with before landing in your team’s email inbox.

Phishing Attacks Are Increasingly Sophisticated

We've all seen phishing emails that are easy to spot. Full of misspellings and clumsy wording, they have lulled many employees into believing they can detect every one. Phishing has become far more sophisticated, however. The emails look like genuine mail from Amazon, your bank and other familiar brands. Scammers also use HTML tricks to disguise where a link really goes: stray digits and special characters are inserted into the raw HTML between the letters of a word or URL, typically inside hidden elements or as zero-width characters that the browser does not render. The reader sees an ordinary word or a familiar URL, a filter that matches on the raw text sees a string that matches none of its patterns, and the link's actual href points to a malicious site.
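As an added example (not code from the original post, nor INKY's or Microsoft's), the Python script below pulls each link out of an HTML email body, drops zero-width characters and anything inside hidden elements so that it sees what the reader sees, and flags links whose visible text names a different host than their href. The email body is constructed for illustration.

```python
"""Flag links whose rendered text names a different host than their href.

Added illustration, not INKY's or Office 365's code. Handles two tricks
from the post: zero-width characters inserted between letters, and junk
characters placed in hidden elements that a renderer drops but a naive
text filter sees. The sample email body below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Characters that render as nothing but break naive string matching.
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff\u00ad]")
# Inline styles that make an element invisible to the reader.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|font-size\s*:\s*0|visibility\s*:\s*hidden", re.I)
# Elements with no closing tag, so they must not affect nesting depth.
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "col"}
# Link text that looks like a URL or bare domain, optionally with a path.
DOMAIN_LIKE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, rendered text) for every <a>, ignoring hidden elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None        # href of the <a> currently open, if any
        self._text = []
        self._hidden_depth = 0   # >0 while inside an invisible element

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if self._hidden_depth:
            if tag not in VOID:
                self._hidden_depth += 1
            return
        if tag not in VOID and HIDDEN_STYLE.search(attrs.get("style") or ""):
            self._hidden_depth = 1
            return
        if tag == "a":
            self._href = attrs.get("href") or ""
            self._text = []

    def handle_endtag(self, tag):
        if self._hidden_depth:
            self._hidden_depth -= 1
            return
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

    def handle_data(self, data):
        # Text inside a hidden element is never shown, so never counted.
        if self._href is not None and not self._hidden_depth:
            self._text.append(data)


def host(url):
    """Hostname of a URL or bare domain, lower-cased, with a leading www. dropped."""
    if "://" not in url:
        url = "http://" + url
    h = (urlparse(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h


def suspicious_links(html_body):
    """Return links whose visible text names a host other than the real target."""
    parser = LinkExtractor()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        shown = ZERO_WIDTH.sub("", text).strip()
        bare = re.sub(r"^https?://", "", shown, flags=re.I)
        if not DOMAIN_LIKE.match(bare):
            continue  # ordinary words as link text: nothing to compare against
        if host(shown) != host(href):
            findings.append({"shown": shown, "href": href,
                             "actual_host": host(href)})
    return findings


# Constructed email body: the first link shows a legitimate-looking URL but
# points elsewhere, with a hidden span and a zero-width space breaking up the
# word "amazon" so a raw-text filter never sees it; the second link is genuine.
SAMPLE = """
<p>Your order could not be shipped. Update your payment method at
<a href="http://amazon-account-verify.example.net/login">
www.a\u200bma<span style="display:none">9#</span>zon.com/account</a></p>
<p>Questions? Visit <a href="https://www.amazon.com/help">www.amazon.com/help</a></p>
<p>Or read <a href="https://example.org/faq">our FAQ</a>.</p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE):
        print(f"link shows {f['shown']!r} but goes to {f['actual_host']}")
```

The check deliberately compares hosts after rendering rather than matching the raw HTML, which is exactly the string the obfuscation is designed to defeat; a filter that only greps the source for "amazon.com" would miss the first link entirely.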

One scheme that surfaced recently uses legitimate-looking emails to get people to click on links to other Microsoft products. The email passes filters because nothing in it is malicious or spoofed: the sender is real and the link points to a genuine SharePoint site. But when the user opens the document hosted there, a link inside it asks them to sign in again.

That sign-in page is a spoofed site, and entering a username and password there hands them to the scammers. Since the original email looks legitimate, Office 365 lets it through.

Stolen Office 365 credentials are a significant risk because one identity unlocks far more than a mailbox. The same login grants access to OneDrive and SharePoint, and with it to whatever sensitive company documents live in the Microsoft ecosystem.

Phishing Training Proves Unreliable

Training employees on what to look for in phishing emails is a good idea, but on its own it has proven ineffective. If an email gets through your filters, there is always a chance someone will click on it, and most data breaches are the result of human error.

A study by Vanderbilt, Dartmouth and MITRE researchers gave participants extensive training on how to detect phishing emails, including specific examples to avoid. Three months later they retested the participants and saw very little change in behavior. Participants still fell for phishing emails, including some of the specific examples they had been shown. The study also found that even when users recognize an email as suspicious, some still click out of curiosity.

Most companies now see regular turnover, so the training cycle never ends: new employees need training, current employees need regular refreshers, and it is hard to know when the problem is solved.

Dealing with The Unknown

Training also falls short against unknown attacks, and Office 365's security tools have the same weakness. They can block URLs that appear on known phishing lists, but they do not reliably detect threats nobody has seen yet, such as zero-day exploits, where attackers take advantage of a flaw in software before a patch for it exists.

Going Beyond Office 365 Security Tools

More than 1.5 million new phishing sites are created every month. URL blacklists take time to catch up, and attackers strike in the window before a site is listed, then stand up a new one and strike again. Unlike most anti-phishing tools, INKY Phish Fence® for Office 365 does not rely simply on examining URLs and email addresses to detect malicious emails.

Inky's phishing protection sees phishing emails in ways a human can't. It can detect minute flaws in what appears to be a legitimate company logo or email address. Inky's machine learning builds behavior profiles and social graphs that identify suspicious behavior or identities: if an incoming email doesn't match the profile of the sender it claims to be, it can trigger an impersonation warning.
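To show the profile idea in working code, here is a deliberately simplified sender check. It is an added example, not INKY's model: the per-recipient contact profile and the From headers are constructed, and the two checks (a known display name arriving from an unknown address, and a sender domain within two edits of a known domain) stand in for the behavior profiles and social graphs described above.

```python
"""Simplified sender-profile check that raises an impersonation warning.

Added illustration of the idea described above, not INKY's model. The
profile below is constructed: for each display name the recipient has
corresponded with, the addresses that name has legitimately used.
"""
import unicodedata
from email.utils import parseaddr

# Constructed per-recipient profile (display name -> addresses seen before).
KNOWN_SENDERS = {
    "jane doe": {"jane.doe@example.com"},
    "acme payroll": {"payroll@acme.example"},
}


def normalize_name(name):
    """Fold case, whitespace and diacritics so 'Jané  DOE' matches 'jane doe'."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.lower().split())


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_sender(from_header, profile=KNOWN_SENDERS):
    """Return None when the From header fits the profile, else a warning dict."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]

    # Check 1: a display name we know, arriving from an address we have never
    # seen that name use. Classic display-name impersonation.
    known_addrs = profile.get(normalize_name(name))
    if known_addrs is not None:
        if addr in known_addrs:
            return None
        return {"warning": "display name matches a known contact, address does not",
                "name": name, "addr": addr, "expected": sorted(known_addrs)}

    # Check 2: an unknown name, but a domain that is a near miss of one we
    # trust (exarnple.com for example.com). Also an impersonation signal.
    known_domains = {a.rpartition("@")[2] for addrs in profile.values() for a in addrs}
    for kd in sorted(known_domains):
        if domain != kd and edit_distance(domain, kd) <= 2:
            return {"warning": "sender domain is a lookalike of a known domain",
                    "name": name, "addr": addr, "lookalike_of": kd}
    return None


if __name__ == "__main__":
    # Constructed From headers exercising both checks and the clean path.
    for hdr in ("Jane Doe <jane.doe@example.com>",
                "JANE  DOE <jane.doe@gmail.example>",
                "IT Helpdesk <helpdesk@exarnple.com>",
                "Bob <bob@wholly-unrelated.example>"):
        print(hdr, "->", check_sender(hdr))
```

A production system would learn the profile from observed mail rather than from a hand-written dictionary and would weigh many more signals, but the shape of the decision is the same: the warning comes from a mismatch between who the email claims to be and how that identity has behaved before, not from a blacklist lookup.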

Inky scans for malicious links, malicious PDFs, and embedded code including scripts, and it can stop sophisticated phishing attempts that other anti-phishing providers miss.

You need a stronger solution for Office 365 secure email than Attack Simulator. Contact Inky for a personalized demo and see how Inky Phish Fence can protect your organization.