Office 365 phishing emails come in common patterns. I'll list them here and also cover Office 365 anti-phishing features for prevention, detection, and response.
Today, the typical Office 365 phishing emails direct users to fake Office 365 Sign-in pages. The victim submits their credentials, effectively handing over their password. Fraudsters use that login to access the victim’s address book, then pose as those contacts to ask the victim for more information.
As it stands now, email fraudsters are increasingly targeting this ubiquitous platform's 260 million active business users with harrowing efficacy. According to HelpNet Security, nearly a million phishing emails managed to evade Office 365 security controls in just six months this year.
What is Phishing?
Phishing is when a malicious email is designed to help fraudsters steal personal information like logins, passwords or financial information. These emails will appear to come from a legitimate source but are actually from cybercriminals.
According to the FBI, when these impersonations result in direct financial loss, it can cost a US-based business an average $72,000. When they lead to a data breach, Ponemon Institute's 2020 Cost of a Data Breach Report estimates that the costs average $8.19 million per incident.
Phishing attacks are complicit in nearly 7 in 10 data breaches, according to Verizon's 2020 Data Breach Investigations Report. And given the spikes seen in phishing attacks leveraging the coronavirus, 2020 is likely to shatter 2019's record losses.
Common Office 365 Phishing Emails
Popular cloud platforms like GSuite and Office 365 rank among the hardest hit by phishing attacks, with average losses hitting as high as $2 million in recent times.
Phishing attacks are becoming more targeted, and their impersonations more convincing than in previous years. This means the information, URL, and subject line may be more specific to your business. Below are important attacks to watch out for in your inbox.
Failure to Deliver Attack
Cyber criminals are using the ‘failure to deliver’ emails as part of their phishing attack. If you send an email to a full email inbox, you will receive an email letting you know the sent email was not delivered.
In this Office 365 phishing email, cyber criminals send these emails to your Office 365 account with a link for you to click to send the email again but, instead, it downloads malware onto your computer.
Reactivate Account Email Ploy
Another phishing example is an email requesting you to reactivate your account. In the email, you have to click a link to reactivate. This link brings you to a fake Office 365 login page. On this fraudulent site, once you enter your login information, the cyber criminals can access your account or sell your information.
“PhishPoint” scam is specific to Office 365. This scam occurs when fraudsters set up Office 365 accounts and place documents within a cloud-connected tool such as SharePoint. They then pose as colleagues and send invitations to targets, offering to allow them to edit the file. It's a legitimate SharePoint request, so it makes it through all the malware scans and most other security solutions.
While those files may include malicious links, they increasingly simply include the URL to a lookalike phishing site that the recipient is instructed to enter manually into their browser. This was a popular attack modality early in the coronavirus pandemic, with messages from "HR" pointing recipients to documents with new policies for conducting business during the outbreak.
Scammers are also increasingly sending emails that appear like you received a voicemail. In this email, there will be your email address, a phone number and a link to click to hear your voicemail. The link to hear the voicemail, however, will be malicious.
Office 365's built-in security controls are growing more adept at catching this form of phishing, forcing con artists to increasingly employ the combination of a text-only email message with an actual phone-based voice mail.
In a 2019 attack, it's believed the perpetrators used phishing emails and deepfake technology to mimic the voice of a corporate CEO—successfully conning one company out of more than $250,000.
Office 365 Admin Attack
Another Office 365 phishing email is an admin attack which targets Office 365 administrators. This email will be received and will require the admin to update their information or billing details. After clicking the link and entering in your information, your personal information will then be stolen.
IT Help Desk Attack
Office 365 phishing emails may also have a subject like “IT Help Desk” that many may assume is an innocuous message from their IT department. However, just like other phishing emails, there will contain a link to update your email or verify information. Your information will then go to the scammer.
Keys to the Kingdom
Unfortunately, the cybercriminals behind these and other phishing attacks have found cloud platforms can be an absolute goldmine.
Filched user credentials can, for instance, open up a whole world of opportunities to exploit, because all too often, the same credentials can grant them access to other O365-connected services, from SharePoint, to Yammer, to Azure, and more.
With Office 365 being one of the top impersonated brands in phishing emails in 2020, it’s important to make sure your emails are valid and do not contain malicious links.
How Can I Prevent Office 365 Phishing Emails?
A great first defense is being able to identify a phishing email. Key characteristics to look out for include:
Sender’s email address: if the sender’s email address is not from the correct company or is from some unknown email address, chances are, it's a scam.
Grammar and spelling: if the content inside the email message is misspelled, grammatically incorrect, or simply doesn’t make sense, that’s another red flag.
Company branding: if the logo, tagline or branding of the company on the email seems off, you may want to dig a little deeper before clicking on any links or responding to the email.
Urgent language: Phishing groups use sophisticated social engineering tactics to fool recipients into acting quickly, before they think to confirm the legitimacy of the request.
Office 365 Anti-Phishing Features
Exchange Online Protection (EOP) is security that is included with any Exchange account, including your Office 365 email. This protection filters emails to protect inboxes from malware or spam.
Office 365's platform-native security controls are considered best in class when it comes to ferreting out spam, malicious URLs, malware, certain keywords, or a high volume of attacks from a single IP.
You will want to configure certain protection settings in order to activate EOP capabilities. These settings include:
Audit logging: In order to view data in these reports, this setting needs to be turned ‘on’
Anti-malware policies: You will want to keep the default setting of “Malware Detection Response” set to ‘no’ and turn ‘on’ the Common Attachment Types Filter
Anti-phishing protection: When adding new users, turn ‘on’ protection, when adding domains to protect, turn ‘on’ “automatically include domains I own”
Anti-spam protection: In “Default spam filter policy”, set the threshold to 5 or in the ‘Spam and bulk actions’ and edit your allowed senders and domains in the ‘allow lists’
Safe links and safe attachments: One Safe Links policy must be created in order to set up safe attachments and you must create one safe Links policy to set up your safe links
Safe attachments for SharePoint, OneDrive, and Microsoft Teams: Turn ‘on’ “AP for SharePoint, OneDrive, and Microsoft Teams”
Zero-hour purge for email: this will be ‘on’ as a default
For specific step-by-step directions and to learn more about added EOP security, read more on Microsoft’s docs, “Protect Against Threats.”
Best Practices for EOP Setup
As best practices when setting up EOP, Microsoft recommends that you:
Use a test domain: This can be a test domain, subdomain, or low volume domain for trying out service features before implementing them on your higher-volume production domains
Synchronize recipients: If your organization has existing user accounts in an on-premises Active Directory environment, you can synchronize those accounts to Azure Active Directory in the cloud
Use recommended settings: Microsoft recommends two security levels in EOP: Standard and Strict configurations for anti-spam, anti-malware, and anti-phishing protection policy settings
Deploying Microsoft Defender
Automated investigation and response (AIR) in Microsoft Defender for Office 365, formally called Office 365 Advanced Threat Protection, builds on EOP.
AIR allows your security team to be notified when a potential threat is encountered, enabling them to decide how to review, prioritize, and respond to those alerts. AIR enables SOC teams to operate more efficiently and effectively by automating investigation processes in response to well-known threats. Appropriate remediation actions await approval, enabling teams to focus on higher-priority tasks without losing sight of important alerts when they are triggered.
To learn specific steps in implementing AIR, you can read more on Microsoft’s Defender for Office 365.
Additional Security Technologies for Office 365
There are also other technologies that help prevent phishing attacks from reaching employee inboxes in the first place, while sniffing out and automatically removing those that do evade early detection.
Cloud Email Protection is a great tool for protecting your Office 365 inbox. This Agari solution adds identity-based defenses to the already existing security on Office 365. By blocking identity deception attacks, Email Security for Office 365 helps reduce costs, improve business agility, and give users the confidence to trust the legitimacy of every email that hits their inboxes.
Agari Phishing Response helps automate a phishing incident response and will reduce remediation time by up to 95%. Because time is extremely valuable in phishing attacks, having automated processes in line will help keep damage, if any, to a minimum.
DMARC is important to set up if you have not already done so. DMARC stands for domain-based messaging authentication, reporting & conformance, and is a standard email authentication protocol that prevents cybercriminals from masquerading as your employees or executives in spoofed emails. Hosted DMARC from Agari is recommended for the fastest, 100% error free deployment across enterprise email ecosystems.