Email Security Blog

Office 365 – Phishing Weaknesses You Must Solve

Microsoft, makers of Office 365, reports they see more than 5 billion threats detected on devices every month.  That represents more than 100 million unique phishing emails targeting Office 365 users annually.  There is no reason to believe that will end anytime soon.

Microsoft acknowledges it doesn’t stop them all.  You know that’s true if you use email. You’ve seen those obvious phishing email attacks that make it through your Office 365 security into your inbox. 

While these phishing schemes may seem obvious to you, they are not that obvious to everybody. There is no shortage of successful email phishing attacks.  As many as 30% of phishing emails get opened by users and 12% of those users click on the malicious link or attachment.  Despite all the safeguards, the SANS Institute reports that 95% of all successful attacks on enterprise networks can be attributed to phishing attacks.

The Weakest Link

The saying goes you are only as strong as your weakest link.  With Office 365, the weakest line is still human. Employees that click on phishing emails are responsible for the majority of successful phishing attacks.  While training is part of the solution, no training program is 100% successful.  With normal turnover and new employees, it is nearly impossible to make sure every employee is well trained to spot and defeat phishing emails on their own.

That's why it's critical to stop Office 365 phishing emails before they make it through your employee's inbox.

The Next Generation of Office 365 Phishing Attacks

The bad guys are clever if nothing else.  Every time one of their scams gets exposed, they find a new one to bypass Office 365 security.  Here are just a few examples of phishing attacks that were successful in past years:

SharePoint Phishing Attacks

Dubbed “PhishPoint,” a recent phishing attack bypasses Office 365 Security by inserting malicious links into SharePoint documents.  The email attack looks identical to the standard SharePoint invitation. Instead of putting the phishing link in the email itself, hackers are using SharePoint files to host the malicious link.  It’s not until users go to access an actual SharePoint file that they are redirected to a spoofed Office 365 login screen.

PDF Attacks

Similar to the SharePoint attacks, malicious links are embedded in a PDF file that is attached to a legitimate-looking email.  This attack can be especially nasty if the scammers have already successfully phished someone inside the company.  They send this PDF with a personal note to someone using a legitimate company email.

The BaseStriker Attack

Office 365 security uses a feature called Safe Links.  As part of the company’s advanced threat protection (ATP) built-in to Office 365, it actually replaces URLs in incoming emails.  When you click on a link, it first redirects you to a Microsoft domain where it checks the original URL for suspicious activity.  The idea is to reduce clicks to malicious links. However, scammers were able to use a <base> tag (thus the name) to define a base URL that is used by all subsequent links regardless of whether they are replaced.  So when users clicked on the link, instead of directing it to the Microsoft domain, it instead sent people to the malicious link.

The Impact

The impact of Office 365 Phishing attacks can be catastrophic.  Not only are email and contact compromised, but businesses use their Office 365 security credentials for One Drive, Share Point, Skype, Exchange, and the Office 365 App store.  That potentially exposes proprietary and confidential data about companies.

The Solution Selected by the Most Successful CIOs

The solution selected by the most successful CIOs is INKY Phish Fence.  Like Office 365 security, INKY uses proxies for URLs.  Microsoft compares the URL to its database for known threats.  Inky goes a step beyond to render the page and examine the HTML content for signs of phishing, malware, and credential harvesting.  Instead of relying on known threats, INKY can identify new threats. 

INKY also analyzes the actual text within email and attachments for words that are used in phishing attacks and flags them with a warning banner.  Office 365 does not offer any type of warning banners. Inky’s banners are visible on both desktop and mobile email clients.  INKY Phish Fence provides warnings and also acts as real-time training for users to help them detect future phishing attempts.

More Than Address Matching

Microsoft uses address matching to catch impersonators.  INKY offers Behavior Profiling through AI and employs machine learning to build data-rich social graphs of senders.  If an email does not align with the profile, Inky flags it with a warning message.

INKY also uses Computer Vision to scan the email for visual brand identifiers the same way a human would.  It identifies logos and text and can discern nearly font and character anomalies that are nearly imperceptible to users. Office 365 security depends solely on address or look-alike address matching.

Identify Zero-Day Phishing Attacks

INKY even identifies zero-day phishing attacks that others miss.  Email security solutions from Microsoft and others, including Mimecast and Proofpoint, don't solve the problem.

INKY protects and defends Office 365, Exchange, and G-Suite email from phishing attacks.  Get a free demo of Inky Phish Fence today.