Microsoft 365 Email Protection

With phishing attacks continuing to increase, it is no surprise that many businesses are looking to improve Microsoft 365 email protection. Microsoft 365 is an attractive target for phishers and other cyber threat actors because so many businesses use the cloud-based platform. Microsoft figures indicate over one million businesses worldwide use Microsoft 365. Cyber threat actors can sign up for their own accounts – Office 365 only costs a few dollars a month – and they can practice their techniques to develop phishing campaigns that bypass Microsoft 365 email protection mechanisms.

Businesses report that they frequently have to deal with phishing threats that bypass Microsoft 365 email protection features. In one recent survey, 78% of businesses said that phishing was a leading cause of security breaches. Phishing attacks are increasing in number, so more threats have to be dealt with, and they are also becoming more sophisticated. Phishers are becoming much more adept at breaching Microsoft 365 email environments, and while Microsoft frequently updates its defenses, phishers manage to stay one step ahead.

Phishing involves the use of social engineering to trick individuals into taking risky actions, such as opening email attachments or visiting malicious links in emails. Phishing emails can be very convincing: the sender appears to be a trusted individual, the reason for a response is plausible, the logos and format match the genuine emails being spoofed, and a pressing reason is given why a quick response is needed. Many employees are fooled by these emails, so it is critical that the vast majority of them are blocked and never delivered to inboxes.

Tactics Used to Bypass Microsoft 365 Email Protection

The tactics, techniques, and procedures used by phishers and other cyber threat actors are constantly changing, but there are some tried and tested techniques that consistently allow threats to bypass Microsoft 365 email protection features.

Zero-day malware

Email security solutions detect malware using known signatures. When malware is identified, its signature is added to the solution so that the threat can be detected in the future. Changing the malware frequently, even only slightly, can be enough to evade signature-based detection: if the malware's signature is not in the solution, it cannot be identified. To protect against this, more advanced email security solutions include sandboxing. Email attachments are sent to the sandbox, where they are analyzed for malicious behaviors, which allows novel malware variants to be detected.

Rapidly changing URLs

URLs are often used in phishing emails to direct the user to a malicious website or resource. Malware may be downloaded from that URL, or it could host a phishing form that steals credentials. When these malicious sites are identified, they are instantly blocked by email security solutions, so threat actors often do not use a URL for long; they simply switch to a different one. This is why blacklists of known malicious websites are not as effective as they used to be, and many emails with malicious links are delivered.

Multiple redirects are used

Oftentimes URLs are included in emails that direct users to a malicious website. Instead of linking to that site directly, the email sends the user through a series of redirects before they land on the final malicious URL. Many email security solutions only check the initial URL or give up after one or two redirects, so the final destination is never examined.

Hosting malicious content on legitimate platforms

It is an increasingly common tactic to host malicious content on legitimate collaboration platforms such as Google Drive, Dropbox, OneDrive, or SharePoint. Because the domain itself is legitimate and passes reputation checks, email security solutions have trouble detecting the malicious content hosted on it.

Adding malicious content after email delivery

Email security solutions typically perform a one-time scan of hyperlinks in emails and check them against known blacklists. If the web page is not malicious, the email is delivered. Threat actors send emails with benign URLs, then add malicious content to the web page after delivery. More advanced solutions offer time-of-click protection: the hyperlink is scanned at delivery and scanned again at the time the user clicks it.
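The two weaknesses described above, checking only the first URL and scanning only once at delivery, are addressed by the same piece of logic: a link checker that follows every redirect, screens every hop, and is run again at click time. The following is an added example, not code from the article or from any product it describes. The web snapshots, hostnames and blocklist are constructed for the example, and the fetcher is a stand-in for a real HTTP client.

```python
"""Follow a link's full redirect chain, screen every hop, and re-run the same
check at click time. Added example, not code from the original article; the
web snapshots, blocklist and URLs below are constructed for the example."""
from urllib.parse import urljoin, urlsplit

# Constructed blocklist of known-bad hosts (in practice a threat-intel feed).
BLOCKLIST = {"credential-harvest.example"}

# Constructed snapshot of "the web" at delivery time: url -> (status, Location).
# The chain hops three times before landing on a benign page.
WEB_AT_DELIVERY = {
    "https://short.example/a1": (302, "https://track.example/c?u=1"),
    "https://track.example/c?u=1": (301, "/landing"),  # relative Location header
    "https://track.example/landing": (302, "https://cdn.example/doc.html"),
    "https://cdn.example/doc.html": (200, None),
}

# Same chain after the last hop is changed post-delivery (constructed).
WEB_AT_CLICK = dict(WEB_AT_DELIVERY)
WEB_AT_CLICK["https://cdn.example/doc.html"] = (302, "https://credential-harvest.example/login")
WEB_AT_CLICK["https://credential-harvest.example/login"] = (200, None)


def make_fetcher(snapshot):
    """Return fetch(url) -> (status, location) backed by a snapshot dict.
    A real deployment would issue a HEAD/GET with a short timeout instead."""
    def fetch(url):
        return snapshot.get(url, (404, None))
    return fetch


def resolve_chain(url, fetch, max_hops=20):
    """Follow redirects until a non-redirect response, a loop, or max_hops.
    Returns (hops, reason); hops lists every URL visited, in order."""
    hops = [url]
    seen = {url}
    while True:
        status, location = fetch(hops[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return hops, "final"
        nxt = urljoin(hops[-1], location)  # resolve relative Location headers
        if nxt in seen:
            return hops, "loop"
        if len(hops) >= max_hops:
            return hops, "max_hops"  # give up, but say so rather than pass silently
        hops.append(nxt)
        seen.add(nxt)


def check_link(url, fetch, blocklist=BLOCKLIST, max_hops=20):
    """Screen a link: every hop's host is checked, not just the first URL."""
    hops, reason = resolve_chain(url, fetch, max_hops)
    for hop in hops:
        host = urlsplit(hop).hostname or ""
        if host in blocklist:
            return {"verdict": "block", "hops": hops, "bad_hop": hop, "reason": reason}
    # A truncated chain is unknown, not clean: surface it instead of allowing it.
    if reason != "final":
        return {"verdict": "unresolved", "hops": hops, "bad_hop": None, "reason": reason}
    return {"verdict": "allow", "hops": hops, "bad_hop": None, "reason": reason}


if __name__ == "__main__":
    link = "https://short.example/a1"
    print("at delivery:", check_link(link, make_fetcher(WEB_AT_DELIVERY))["verdict"])
    print("at click:   ", check_link(link, make_fetcher(WEB_AT_CLICK))["verdict"])
    print("hop-limited:", check_link(link, make_fetcher(WEB_AT_DELIVERY), max_hops=2)["verdict"])
```

Run against the delivery-time snapshot the link is allowed; run again at click time, after the last hop has changed, the same function blocks it. A chain cut short by `max_hops` or a loop is reported as unresolved rather than allowed, so a long redirect chain cannot wear the scanner down into a pass, which is the failure mode of a checker that gives up after one or two redirects.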

Subtly altered company logos

Phishing emails often use corporate logos to make the emails appear genuine; however, some security solutions can check corporate logos in emails and compare them against the IP ranges of the company. If the logo and IP address do not match, the email is rejected. Logos are often altered by a few pixels, which is enough to fool the fingerprinting used by an email security solution.

Lookalike domains

Lookalike domains are often used in phishing to evade DMARC, DKIM, and SPF email impersonation checks, which determine whether the sender is authorized to use a domain. Because a lookalike domain is a separate domain registered by the attacker, these checks are not triggered, and lookalike domains built with Punycode and foreign characters also fool end users.
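Because the authentication checks pass, a lookalike domain has to be caught by looking at the domain the way the user sees it. The following is an added example, not code from the article or from any product it describes: it decodes Punycode (`xn--`) labels, flags labels that mix scripts, and reduces confusable characters to a Latin "skeleton" that is compared against a list of protected domains. `PROTECTED_DOMAINS` and the `CONFUSABLES` table are constructed for the example; the table is a small hand-picked subset, not the full Unicode confusables data.

```python
"""Flag lookalike sender domains (Punycode / foreign-character homographs and
ASCII typosquats) against a list of protected brand domains.
Added example, not code from the original article. PROTECTED_DOMAINS and
CONFUSABLES are constructed; CONFUSABLES is a hand-picked subset, not the
full Unicode confusables table."""
import unicodedata

# Constructed list of domains to protect (the tenant's own and key partners').
PROTECTED_DOMAINS = {"microsoft.com", "paypal.com", "example.com"}

# Constructed subset of confusables: glyphs that render like a Latin letter,
# mapped to that letter. Multi-character keys are applied first.
CONFUSABLES = {
    "rn": "m",      # two ASCII letters that read as one
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u04cf": "l",  # Cyrillic small palochka
    "\u03b1": "a",  # Greek small alpha
    "\u03bf": "o",  # Greek small omicron
    "1": "l",
    "0": "o",
}


def to_unicode(domain: str) -> str:
    """Decode any xn-- (ACE) labels so the domain is seen as the user sees it."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed Punycode: keep the raw label; it is still compared
        labels.append(label)
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Replace confusable characters with the Latin letter they resemble."""
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        label = label.replace(src, CONFUSABLES[src])
    return label


def check_domain(domain: str) -> dict:
    """Classify a sender domain as protected, lookalike, suspicious or ok."""
    shown = to_unicode(domain)
    labels = shown.split(".")
    findings = []
    for label in labels:
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append("mixed scripts %s in label '%s'" % (sorted(scripts), label))
    skel = ".".join(skeleton(l) for l in labels)
    if shown in PROTECTED_DOMAINS:
        verdict = "protected"   # the genuine domain itself
    elif skel in PROTECTED_DOMAINS:
        verdict = "lookalike"   # renders like a protected domain but is not it
        findings.append("skeleton '%s' matches a protected domain" % skel)
    elif findings:
        verdict = "suspicious"  # mixed-script label with no brand match
    else:
        verdict = "ok"
    return {"domain": domain, "shown_as": shown, "skeleton": skel,
            "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed samples; the Cyrillic one is encoded to its xn-- form as it
    # would appear in a raw SMTP envelope.
    for d in ["paypal.com", "rnicrosoft.com",
              "p\u0430ypal.com".encode("idna").decode("ascii"), "example.net"]:
        r = check_domain(d)
        print(d, "->", r["shown_as"], r["verdict"], r["findings"])
```

The verdict distinguishes the genuine domain (`protected`) from a domain whose skeleton collapses onto it (`lookalike`), and from a mixed-script label that matches no protected brand (`suspicious`), so a mail flow rule can quarantine the first kind and merely tag the second. The confusables table should be replaced with the full Unicode confusables data in a real deployment; the subset here is only enough to show the mechanism.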

Hybrid phishing attacks

A hybrid phishing attack uses more than one vector, one of the most common being callback phishing. With callback phishing, initial contact is made by sending an email with no malicious content other than a telephone number. Telephone numbers are difficult for email security solutions to identify as malicious, so the emails are usually delivered. When the user calls the number – to prevent a fictitious charge, for instance – the threat actor convinces them to download a malicious file or open a remote access session. Ransomware threat actors are increasingly using this tactic to obtain a remote access session or to get a seemingly benign but malicious file onto the recipient's device.

Standard Microsoft 365 Email Protection Mechanisms Do Not Block These Techniques

These tactics are all effective at bypassing the standard Microsoft 365 email protection features, such as those provided by Exchange Online Protection (EOP), which is included with Microsoft 365 licenses. To improve Microsoft 365 email protection, you need to augment the native protection features with an email security solution that has advanced threat detection capabilities: email sandboxing, outbound scanning, machine learning for detecting novel attacks, time-of-click protection against malicious links, the ability to follow all redirects, and extensive threat intelligence feeds for detecting malicious URLs more rapidly.

Defenses should be improved further with multi-factor authentication to protect against credential theft, and regular security awareness training should be provided to the workforce to make end users aware of the threats they may encounter. Phishing simulations should also be conducted to test how employees respond to potential threats. With an advanced email security solution and these additional measures, Microsoft 365 email protection can be significantly improved.