Microsoft 365 Phishing

The number of Microsoft 365 phishing attacks has increased in recent years, with 2022 seeing a marked increase in phishing attacks targeting Microsoft 365 users. These attacks seek Microsoft 365 credentials, which are extremely valuable to cybercriminals. They provide access to the user’s email account which can contain a treasure trove of monetizable data. Once the account is accessed it can be used to conduct internal phishing attacks, distribute malware, or perform attacks on business contacts. Conducting phishing and malware distribution campaigns using a real company email account greatly increases the success rate.

Genuine accounts, especially if the right ones are compromised such as the CEO’s or those of other senior board members, can be used for conducting business email compromise attacks to trick employees into making fraudulent wire transfers. Microsoft 365 credentials will often give the attacker access to other Microsoft services such as OneDrive and SharePoint where even more sensitive data is stored. Microsoft 365 credentials may also give attackers access to Skype, which can be used for instant messaging phishing: sending files containing malware to contacts.

Successful Microsoft 365 phishing attacks, even if the credentials of only one or two employees are obtained, can be all that is needed for a threat actor to steal vast amounts of data and conduct devastating follow-on attacks, such as ransomware attacks that affect the entire network.

Recent Microsoft 365 Phishing Campaign

One particularly worrying development is a recent Microsoft 365 phishing campaign that uses a DocuSign lure. The emails are particularly well crafted and target executives, with the emails personalized due to reconnaissance being conducted before the attack. The emails include a link that appears to be a DocuSign file, with the email requesting the target review the document. The link directs the target to a fake Microsoft 365 single sign-on page.

This campaign used adversary-in-the-middle (AitM) techniques, with a reverse proxy relaying authentication requests to the genuine Microsoft 365 login page. The experience for the user is no different from logging in on the genuine login page. When the login credentials are entered, the session cookie is stolen and used to assume the identity of the target, which also bypasses multifactor authentication. The target is then told that the authentication process has failed, but the attacker now has access to the account and sets up a second authenticator app to gain persistent access to it.
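The persistence step described above, a new authenticator method registered shortly after a sign-in from an address the user has never used, is something a defender can look for. The following is an added example, not code from the original article or from TitanHQ; it runs a simple heuristic over constructed sample records in a hypothetical, simplified log format (not a real Microsoft log schema), and flags an MFA method registration that follows, within a window, a successful sign-in from a first-seen IP address.

```python
from datetime import datetime, timedelta

# Constructed sample records (NOT a real Microsoft log schema):
# timestamp, user, event kind, source IP. "signin_ok" is a successful sign-in,
# "mfa_method_added" is the registration of a new authenticator method.
SAMPLE_LOG = """\
2023-01-09T09:00:00Z bob@example.com signin_ok 203.0.113.10
2023-01-10T08:02:11Z alice@example.com signin_ok 203.0.113.10
2023-01-11T08:05:43Z alice@example.com signin_ok 203.0.113.10
2023-01-11T14:21:09Z alice@example.com signin_ok 198.51.100.77
2023-01-11T14:33:50Z alice@example.com mfa_method_added 198.51.100.77
2023-01-11T09:10:02Z bob@example.com signin_ok 203.0.113.10
2023-01-11T09:12:30Z bob@example.com mfa_method_added 203.0.113.10
"""


def parse_log(text):
    """Parse the simplified records into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        ts, user, kind, ip = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "kind": kind, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_mfa_registrations(events, window=timedelta(minutes=60)):
    """Flag an mfa_method_added that occurs within `window` after a successful
    sign-in from an IP the user had never signed in from before. Caveat: the
    baseline is only what is in `events`, so in practice feed it enough history
    that normal addresses are already known before the period under review."""
    known_ips = {}       # user -> IPs seen in earlier successful sign-ins
    new_ip_signins = {}  # user -> [(ts, ip)] sign-ins from a first-seen IP
    alerts = []
    for e in events:
        user = e["user"]
        if e["kind"] == "signin_ok":
            seen = known_ips.setdefault(user, set())
            if e["ip"] not in seen:
                new_ip_signins.setdefault(user, []).append((e["ts"], e["ip"]))
            seen.add(e["ip"])
        elif e["kind"] == "mfa_method_added":
            for ts, ip in new_ip_signins.get(user, []):
                if timedelta(0) <= e["ts"] - ts <= window:
                    alerts.append((user, ip, e["ts"].isoformat()))
                    break
    return alerts


if __name__ == "__main__":
    for user, ip, when in find_suspicious_mfa_registrations(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {user} added an MFA method at {when} after a sign-in from new IP {ip}")
```

Bob's registration is not flagged because his sign-in came from an address already seen in his history; Alice's is, because the sign-in twelve minutes earlier came from an address never seen for her account.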

This is just one example of many Microsoft 365 phishing attacks that are now being conducted. It demonstrates that multifactor authentication – while important – is not always effective at blocking phishing attacks. Businesses that rely on Microsoft 365 in-built phishing defenses, even if MFA is enabled, are not immune to attacks.

Zero Day Attacks are Succeeding

Microsoft 365 phishing attacks commonly seek credentials, but these attacks are often conducted to distribute malware. Microsoft 365 accounts have an in-built spam filter – Exchange Online Protection – that blocks spam emails, phishing attempts, and malware. The level of protection provided is somewhat basic, and while EOP does a good job at blocking spam, it is far less effective at blocking phishing. Known phishing attacks are blocked but novel phishing attacks bypass the filters; they are only blocked once a phishing campaign has been identified and its signature added to the solution. All known malware variants are blocked but not zero-day malware threats. Zero-day malware is malware that has not yet been detected in the wild and had its signature added to antivirus engines.

These zero-day attacks are common. Acronis reports that 81% of malware it identifies is only detected once and is never seen again. Most malware variants only have an average lifespan of 2.3 days before they disappear. By the time their signatures have been added to AV engines, they have been sufficiently altered to ensure they are not detected.

Advanced Defenses Are Required to Block Microsoft 365 Phishing Attacks

Businesses need more than EOP to block increasingly sophisticated phishing attacks on Microsoft 365 accounts. EOP serves as a good base, but other layers of protection need to be added. You need more than a solution that checks for specific words in subject lines and the message body, relies on blacklists of known malicious URLs, and only features signature-based malware and phishing detection.

SpamTitan from TitanHQ provides many more layers of protection in a single email security solution. It is layered on top of the measures provided by Microsoft, so doesn’t replace them. SpamTitan adds the following layers of protection:

  • Dual antivirus engines
  • Email sandboxing for behavioral analysis of malware to identify zero-day malware threats
  • URL reputation analysis during scanning, checked against multiple reputation sources
  • Greylisting for blocking mass phishing campaigns
  • Heuristic rules and Bayesian analysis on message headers, message bodies, and attachments
  • Machine learning capabilities to identify zero-day phishing threats
  • Extensive threat intelligence gathered through millions of endpoints
  • Spam confidence levels that can be applied by user, user-group, and domain relative to risk

The solution works seamlessly with Microsoft 365, syncs with Active Directory and LDAP, supports whitelists and blacklists, is easy to implement, use, and maintain, and is highly scalable and broadly compatible. We also recommend taking advantage of the SafeTitan security awareness training and phishing simulation platform for training employees on how to recognize and avoid threats.

For more information on how you can improve your Microsoft 365 phishing defenses, give the TitanHQ team a call. TitanHQ’s award-winning cybersecurity solutions are available on a free trial, with full product support provided during that trial. Product demonstrations can be scheduled on request.