How to Improve Microsoft 365 Phishing Defenses

Given the extent to which Microsoft 365 is used by businesses, it should come as no surprise that Microsoft 365 phishing attacks are so common. At least 4 million businesses worldwide use Microsoft 365, and the Office 365 package has around 345 million users and growing. That makes Microsoft 365 users a huge target, and Microsoft 365 phishing attacks are increasing.

Phishing is the Leading Attack Vector

Phishing is one of the most common ways for cybercriminals to gain access to Microsoft 365 accounts and the most common scam reported to the Federal Bureau of Investigation’s Internet Crime Complaint Center. According to the 2021 Verizon Data Breach Investigations Report (DBIR), 36% of all security breaches involved phishing. 46% of organizations report receiving malware via email, and 83% of organizations said they had experienced phishing attacks in the past 12 months, up from 76% in 2017. One recent study analyzed more than 55 million emails and found that one in every 99 messages was a phishing email. Alarmingly, around 25% of those phishing emails bypassed spam filters and were delivered to Microsoft 365 inboxes.

Phishing-as-a-Service Platforms Make Microsoft 365 Phishing Attacks Simple

Conducting Microsoft 365 phishing attacks has been made much easier by phishing-as-a-service (PhaaS) platforms. These platforms open up Microsoft 365 phishing to a much broader range of threat actors and lower the bar considerably, since anyone can register and start running their own phishing campaigns. One of the latest PhaaS platforms, Caffeine, does not even require an administrator to approve new users before they can start. Caffeine’s templates are focused on Russian and Chinese targets, although several other PhaaS platforms are used to target companies and individuals in the West.

These platforms give users access to a dashboard with all the tools they need to build a campaign: email lures for stealing Microsoft 365 credentials or distributing malware, and landing pages that imitate the Microsoft 365 login. They often include advanced features such as landing pages tailored to specific victims, redirect management, and IP blocking and geo-blocking (used to keep security vendors’ scanners and researchers away from the phishing page). All that is required is to pay the subscription and supply the email lists, and the latter can be cheaply purchased on darknet sites and hacking forums.

Microsoft 365 Phishing Campaigns Are Bypassing MFA

One of the ways that businesses are improving their defenses against Microsoft 365 phishing attacks is multifactor authentication (MFA). If Microsoft 365 credentials are stolen in a phishing attack, the username and password alone are not sufficient to access the account; an additional form of authentication must be provided before access is granted. Microsoft stated in 2019 that MFA blocks more than 99.9% of automated attacks on accounts; however, phishing kits have been developed that bypass most common forms of MFA.

Multiple phishing kits – Evilginx2, Muraena, and Modlishka, for example – are reverse proxies built for adversary-in-the-middle (AitM) attacks. They sit between the victim and the real Microsoft 365 login page, relaying every request and response, so the victim sees the genuine login flow served from the attacker’s domain. When the victim enters credentials on the phishing page, the proxy captures them and forwards them to Microsoft. If MFA is configured, the MFA prompt is proxied as well, and the one-time code or push approval the victim supplies is relayed in real time. Once Microsoft completes the authentication, the proxy captures the resulting session cookie, which the attacker can import into their own browser to access the account without re-authenticating. MFA is not broken here; it is simply completed by the victim on the attacker’s behalf.

How to Improve Your Defenses Against Microsoft 365 Phishing Attacks

Microsoft 365 is such a big target that phishing attacks are likely to continue to increase, especially with the availability of PhaaS platforms and the ability of threat actors to bypass MFA protection. Businesses, therefore, need to ensure their phishing defenses are capable of protecting against attacks.

A spam filter alone is no longer sufficient to protect against Microsoft 365 phishing attacks. What is needed is a defense-in-depth approach to phishing, with multiple solutions used that provide several layers of protection. Should any one element of the defenses fail, others will be in place that can identify and block the threat.

A secure email gateway or advanced spam filter is essential. These solutions scan all inbound (and outbound) emails for the characteristics of spam and phishing. They block emails from known malicious IP addresses, scan attachments for malware, and analyze message content. Advanced solutions should be used that feature antivirus protection, sandboxing for detecting zero-day malware threats, and machine learning/AI algorithms for detecting new phishing patterns. Advanced malicious URL detection is also recommended: the gateway rewrites URLs in emails so that each click is routed through a scanning service, which follows all redirects to the final destination and checks it at the time of the click rather than only at delivery.

A DNS filter should be used to block the web-based component of the attack. When an attempt is made to visit a phishing website, the DNS filter checks the requested domain against threat intelligence and category lists at the time of the request and refuses to resolve it (or sinkholes it) if the domain is malicious, so no connection to the site is made. Because DNS filtering works on domain names rather than full URLs or page content, it complements the URL rewriting in the email gateway rather than replacing it. DNS filters can also block connections to known malware-distribution domains, cutting off downloads from the Internet.
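The gateway URL rewriting described above and the DNS-level domain decision in this paragraph, as an added Python example. This is not code from the original article or from any vendor’s product; the blocklist, the hosts, the redirect tables and the safelinks.example scanning endpoint are constructed for illustration, with the redirect table standing in for live HTTP 3xx responses. The scenario it models is the one that defeats delivery-time scanning only: the shortened link is harmless when the message is scanned and is re-pointed at the phishing page after delivery.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed blocklist (stand-in for a threat-intelligence feed).
BLOCKED_HOSTS = {"login-micros0ft-verify.example"}

# Hypothetical click-time scanning endpoint that rewritten links point to.
REWRITE_PREFIX = "https://safelinks.example/click?u="

# Redirect tables standing in for live HTTP 3xx responses. The link is harmless when
# the gateway scans the message and is re-pointed at the phishing page afterwards.
REDIRECTS_AT_DELIVERY = {"https://short.example/abc": "https://www.microsoft.com/"}
REDIRECTS_AT_CLICK = {
    "https://short.example/abc": "https://cdn-track.example/r?id=7",
    "https://cdn-track.example/r?id=7": "https://login-micros0ft-verify.example/owa/",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def dns_filter(qname: str) -> str:
    """DNS-filter style decision: block the name and every subdomain of a blocked host."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BLOCKED_HOSTS:
            return "block"
    return "allow"


def rewrite_urls(body: str) -> str:
    """Wrap every URL so that the click is routed through the scanner first."""
    def wrap(match):
        token = base64.urlsafe_b64encode(match.group(0).encode()).decode().rstrip("=")
        return REWRITE_PREFIX + token
    return URL_RE.sub(wrap, body)


def unwrap_url(rewritten: str) -> str:
    """Recover the original URL from a rewritten link (restores base64 padding)."""
    token = rewritten[len(REWRITE_PREFIX):]
    token += "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(token).decode()


def follow_redirects(url: str, redirects: dict, max_hops: int = 10) -> list:
    """Return every hop to the final destination, stopping on a loop or the hop limit."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in chain:
            break
        chain.append(nxt)
    return chain


def verdict(url: str, redirects: dict) -> dict:
    """Block if any hop, not just the first, lands on a blocked host."""
    chain = follow_redirects(url, redirects)
    for hop in chain:
        host = urlparse(hop).hostname or ""
        if dns_filter(host) == "block":
            return {"verdict": "block", "blocked_host": host, "chain": chain}
    return {"verdict": "allow", "blocked_host": None, "chain": chain}


def check_at_click(rewritten: str) -> dict:
    """What the scanning endpoint does when the user clicks the rewritten link."""
    return verdict(unwrap_url(rewritten), REDIRECTS_AT_CLICK)


if __name__ == "__main__":
    # Constructed lure text.
    body = "Your mailbox is full. Review at https://short.example/abc before Friday."
    print("delivery-time verdict:",
          verdict("https://short.example/abc", REDIRECTS_AT_DELIVERY)["verdict"])
    safe_body = rewrite_urls(body)
    print("rewritten:", safe_body)
    print("click-time verdict:", check_at_click(URL_RE.search(safe_body).group(0)))
```

The delivery-time check allows the message because the shortener still points at a benign page; the click-time check walks the chain as it exists when the user clicks and blocks on the final hop. The same `dns_filter` decision applied to the hostname of each hop is what a DNS filter would apply to the browser’s lookups, which is why the two controls overlap but are not interchangeable: a DNS filter never sees the path or the redirect chain, and URL rewriting never sees connections that did not start from an email.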

Multifactor authentication is vital for account protection. Any form of MFA is better than nothing, but organizations should implement phishing-resistant MFA, such as FIDO2/WebAuthn authentication (security keys or platform authenticators) or certificate-based (PKI) authentication, or at the very least enable number matching in MFA applications. Note that number matching defends against MFA-fatigue push spamming, not against the adversary-in-the-middle proxies described above, which relay the prompt to the victim just like every other part of the login; only authentication that is cryptographically bound to the site the user is actually on resists that relay.
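To show why the adversary-in-the-middle relay described earlier defeats a one-time code but not WebAuthn, here is an added Python model of both paths. It is not code from the original article, from Microsoft, or from any of the phishing kits named; the origins, RP IDs, keys and challenge are constructed, and HMAC-SHA256 stands in for the credential’s ECDSA signature because the property being shown is origin binding, not the signature scheme. The TOTP path uses the RFC 6238 algorithm.

```python
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse

# Constructed values: the real sign-in origin and an AitM proxy on a lookalike domain.
REAL_ORIGIN = "https://login.microsoftonline.com"
REAL_RP_ID = "login.microsoftonline.com"
PROXY_ORIGIN = "https://login.microsoft0nline-verify.example"
PROXY_RP_ID = "login.microsoft0nline-verify.example"


# ---- Path 1: a TOTP code (RFC 6238, SHA-1) relayed through the proxy ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def idp_accepts_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    return hmac.compare_digest(submitted, totp(secret, unix_time))

def relay_totp_through_proxy(secret: bytes, unix_time: int) -> bool:
    """Victim types the code into the proxy's page; the proxy forwards it verbatim."""
    typed_by_victim = totp(secret, unix_time)
    forwarded_by_proxy = typed_by_victim  # nothing in a 6-digit code names the origin
    return idp_accepts_totp(secret, forwarded_by_proxy, unix_time)


# ---- Path 2: a WebAuthn assertion, which the browser binds to the origin ----
def authenticator_assert(cred_key: bytes, challenge: str, origin: str, rp_id: str) -> dict:
    """Model of navigator.credentials.get(). The browser, not the page, fills in the
    origin and the RP ID hash, and the authenticator signs over both.
    HMAC-SHA256 stands in for the credential's ECDSA signature (assumption)."""
    host = urlparse(origin).hostname or ""
    if host != rp_id and not host.endswith("." + rp_id):
        raise ValueError("SecurityError: rpId is not a registrable suffix of the origin")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {
        "clientDataJSON": client_data,
        "authenticatorData": auth_data,
        "signature": hmac.new(cred_key, signed, hashlib.sha256).digest(),
    }

def rp_verify(cred_key: bytes, challenge: str, assertion: dict) -> str:
    """Relying-party checks in spec order; returns the first failing check or 'ok'."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return "bad type"
    if client.get("challenge") != challenge:
        return "challenge mismatch"
    if client.get("origin") != REAL_ORIGIN:
        return "origin mismatch"
    if assertion["authenticatorData"][:32] != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "bad signature"
    return "ok"

def relay_webauthn_through_proxy(cred_key: bytes, challenge: str, tamper: bool = False) -> str:
    """Proxy forwards the real IdP's challenge, but the victim's browser is on the proxy
    origin, so it can only ask for a credential scoped to the proxy's RP ID. (A real
    authenticator would hold no such credential; assume the worst case that it signs.)"""
    assertion = authenticator_assert(cred_key, challenge, PROXY_ORIGIN, PROXY_RP_ID)
    if tamper:
        # Proxy patches origin and rpIdHash to the real values before forwarding. Both
        # are covered by the signature, so the failure only moves to the last check.
        fixed = json.loads(assertion["clientDataJSON"])
        fixed["origin"] = REAL_ORIGIN
        assertion["clientDataJSON"] = json.dumps(fixed, sort_keys=True).encode()
        real_hash = hashlib.sha256(REAL_RP_ID.encode()).digest()
        assertion["authenticatorData"] = real_hash + assertion["authenticatorData"][32:]
    return rp_verify(cred_key, challenge, assertion)


if __name__ == "__main__":
    key, challenge = b"constructed-credential-key", "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"
    print("TOTP relayed through proxy accepted:",
          relay_totp_through_proxy(b"constructed-totp-seed", 1_700_000_000))
    legit = authenticator_assert(key, challenge, REAL_ORIGIN, REAL_RP_ID)
    print("WebAuthn, real origin:", rp_verify(key, challenge, legit))
    print("WebAuthn through proxy:", relay_webauthn_through_proxy(key, challenge))
    print("WebAuthn through proxy, fields patched:",
          relay_webauthn_through_proxy(key, challenge, tamper=True))
```

The relayed TOTP is accepted because the code carries no information about where it was typed. The proxied WebAuthn assertion fails on the origin check, and patching the origin and RP ID hash to the real values only moves the failure to the signature check, since both fields are under the signature. In practice the proxy never gets this far: the browser refuses to use a credential whose RP ID does not match the page’s effective domain (the `SecurityError` in `authenticator_assert`), and the authenticator holds no credential for the lookalike domain in the first place.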

Phishing succeeds because it exploits human weaknesses, so do not neglect the human element. Provide your workforce with regular security awareness training that makes employees aware of the threat and teaches them how to identify phishing attempts, including lookalike login pages reached from an email link. Phishing simulations should also be conducted to reinforce training and identify where additional coaching is needed.