A Quarter of Phishing Emails Bypass Office 365 Anti-Phishing Defenses

Microsoft Office 365 default anti-phishing defenses are bypassed by a quarter of all phishing emails, according to new research from cybersecurity firm Avanan.

Avanan conducted a study of 52 million emails that had been assessed by Office 365 Exchange Online Protection (EOP). EOP determined 25% of the phishing emails to be non-malicious and delivered them to inboxes. A further 5.3% of phishing emails were delivered because they had been whitelisted, which prevented them from being blocked.

EOP scans emails for malware, checks the reputation of the sender, and scans for common signatures of spam (keyword checks for instance). EOP does offer some protection against phishing and correctly identified 69.7% of phishing emails. 49% were marked as spam emails and 20.7% were marked as phishing emails. However, many emails are managing to evade detection.

The research clearly shows that businesses which rely on EOP alone to protect against phishing are vulnerable to attack. Businesses should therefore pay for Microsoft's Advanced Threat Protection (ATP) or use a third-party anti-phishing solution on top of EOP. The latter is likely to be more cost-effective for smaller businesses.

The overall percentage of phishing emails in the batch was fairly low. Just 1.04% of the 52.38 million Office 365 emails analyzed were phishing emails. The figure was lower for G Suite, where 0.5% of the 3.12 million emails analyzed were phishing emails. Avanan reports that around 1 in 99 emails is a phishing email.

One of the ways that phishing attacks succeed is through obfuscation: the email as rendered to the end user differs from what machine-based security solutions see when they parse it.

Of the phishing emails assessed by Avanan, 50.7% were used to deliver malware, 40.9% were used to harvest credentials, 8% were extortion-related, and 0.4% were spear phishing attacks.

One of the main ways that these emails succeed is by impersonating well-known brands. Microsoft was the most impersonated brand, used in 43% of brand impersonation attacks, followed by Amazon with 38%. Impersonation of banks and financial institutions accounted for 9.7% of the total, followed by logistics firms (DHL, FedEx, UPS) at 2.5%. One in 25 branded emails was a phishing attempt.

An analysis of the phishing emails showed that one of the most accurate indicators of a phishing email is the inclusion of a cryptowallet address. 98% of emails that contained a cryptowallet address were malicious. 35% of emails that included a hyperlink to a WordPress website were phishing emails.
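As an added illustration, not part of the article or of Avanan's research, the following Python triage check applies the two indicators named above to a constructed sample message: a Bitcoin-style wallet address and a hyperlink into a WordPress path. The address regexes and the WordPress path list are assumptions chosen for this example; the check flags a message for review rather than blocking it.

```python
import re
from email import message_from_string
from email.message import Message

# Assumption: legacy (P2PKH/P2SH) Bitcoin addresses are Base58, 26-35 chars, start with 1 or 3.
# This is a triage heuristic, not an exhaustive wallet-address validator.
BTC_ADDRESS = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# Assumption: bech32 (segwit) addresses start with bc1 and use the bech32 charset.
BECH32_ADDRESS = re.compile(r"\bbc1[ac-hj-np-z02-9]{25,62}\b")
URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Assumption: URL paths containing these WordPress directories mark a WordPress-hosted link.
WORDPRESS_PATHS = ("/wp-content/", "/wp-includes/", "/wp-admin/", "/wp-login.php")


def message_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts of a parsed message."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when it is not multipart
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_email: str) -> dict:
    """Return wallet addresses and WordPress-hosted links found in a raw RFC 822 message."""
    text = message_text(message_from_string(raw_email))
    wallets = BTC_ADDRESS.findall(text) + BECH32_ADDRESS.findall(text)
    wp_links = [u for u in URL.findall(text) if any(p in u.lower() for p in WORDPRESS_PATHS)]
    return {"wallet_addresses": wallets, "wordpress_links": wp_links,
            "review": bool(wallets or wp_links)}


# Constructed sample message (not a real phishing email): an extortion-style note
# carrying a made-up wallet address and a link into a WordPress upload directory.
SAMPLE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: Your account
Content-Type: text/plain; charset="utf-8"

Send 0.1 BTC to 1ConstructedSampAddrForTesting789 within 48 hours.
Proof: http://example.invalid/wp-content/uploads/2019/invoice.html
"""

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```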

Author: NetSec Editor