In early July, Microsoft shared details of a large-scale phishing attack that targeted more than 10,000 organizations since September 2021. Cybercriminals spoofed the Office online authentication landing page to hijack user information, even on accounts protected by multifactor authentication (MFA). Attackers leveraged the stolen credentials and session cookies to access affected users’ mailboxes to execute follow-on business email compromise (BEC) campaigns.
Unfortunately, this type of phishing campaign happens daily because communication platforms like email and text are common entry points in many cyberattacks. This incident serves as an important reminder for MSPs, who are prime targets for cybercriminals looking to exploit partner-customer relationships, to ensure they have the proper email threat protection in place to safeguard their company, employees, and customers.
How Phishing Attacks Are Evolving
There has been no shortage of phishing activity in 2022, with a 1,122% increase reported in the first quarter of 2022 compared to Q1 2021 data. Nearly 20% of all phishing activity occurred in April, likely due to cybercriminals preying on unsuspecting tax season victims. While the volume of phishing attacks typically ebbs and flows, threat actors today are increasingly turning to highly targeted attacks, commonly referred to as spear phishing.
The traditional approach to phishing attacks relies on cybercriminals casting a wide net with little consideration for a person’s identity. Spear phishing is a well-researched approach where threat actors mine information, often from victims’ public social media pages, to craft personalized attacks. In the last six months, email-based spear phishing attacks increased 136% compared to the previous six-month period, based on AppRiver’s email threat protection global traffic, which processes over 13 billion messages per year.
Preventing BEC with a Layered Approach
Microsoft has a number of security features in place to protect the inbox, including conditional access policies that allow administrators to limit access down to specific devices, IP addresses, and more. However, the Microsoft 365 suite of products is such a pivotal staple in today’s business landscape that most attacks are constructed with its filters as a model. Despite Microsoft’s ongoing commitment to security, in today’s rapidly evolving threat landscape, relying solely on Microsoft’s tools is no longer enough to stop threat actors.
Organizations need an additional layer of protection to defend against phishing tactics, old and new. By adding email threat protection to their solution stack, security teams can catch even the most subtle intrusion. To proactively defend and protect against email-borne threats such as phishing, malware, or ransomware, the below are must-have additions to a security team’s arsenal of capabilities.
- Attachment Removal: This method allows for simple rules to be created to quickly and easily remove attachments such as .HTM or .HTML commonly associated with phishing attacks.
- Attachment Disarming: This technique offers a methodology for rendering .HTM and .HTML attachments, or other potentially harmful file types, benign via conversion to PDF. Policies can be configured at the domain or mailbox level, allowing users to still receive the information within the .HTM or .HTML attachment but in a safe format.
- Link Protection: This strategy replaces all full, shortened, or obfuscated links in an email message with “wrapped” equivalents before the recipient receives the message. This allows for additional analysis at the “time of click.” Evaluating the true destination at time-of-click is key as threat actors often send out emails with links to benign destinations, then weaponize those destinations after emails have successfully made it through the secure email gateways and into the user’s inbox.
- Message Retraction: This approach simplifies threat remediation by allowing administrators to retract previously delivered messages, either individually or in bulk, from user inboxes.
This latest phishing campaign targeting Microsoft 365 serves as a prompt for MSPs to examine their email security offerings. MSPs that apply security augmentation services to Microsoft 365, including security audit services that look for indicators of compromise and weak spots, increase cyber resilience for themselves and their end customers. It is also important to complement technology with security awareness training, arming users with the knowledge they need to pivot and stay ahead of cybercriminals’ around-the-clock reinvention of malware, phishing, and brand impersonations.
TROY GILL is manager of security research and senior security analyst at AppRiver, an OpenText Company.
