Business Email Compromise (BEC) is on the rise, and Office 365 users are among the most heavily targeted. With new LinkedIn-integration features potentially upping the stakes, here’s what you need to know now.
It’s official: Office 365 users will soon be able to co-edit documents from within LinkedIn. But who wins more—businesses and their employees? Or the email fraudsters who increasingly launch business email compromise (BEC) attacks targeting this ubiquitous platform’s 130 million users?
First announced at the company’s Ignite Conference on September 24, the move is without a doubt one of the deepest integrations seen since Microsoft acquired the business-centric social network nearly two years ago. The idea, according to Geekwire: Bring together Office 365 users’ company directories and LinkedIn contacts into a single, integrated and collaborative experience.
Yet, while the exact rollout date is not yet known, there’s reason to believe the move could raise what is an already heightened threat from phishing and other advanced email attacks against the platform’s users and their companies.
According to ThreatPost, organizations using O365, including many Fortune 500 companies, were among the hardest hit by BEC attacks in the last year—with an average of $2 million in losses. Will this O365-LinkedIn mashup make this troubling situation even worse?
That depends. These days, the allure of cloud-based platforms such as G-Suite, O365 and others is undeniable. Not only do these fully hosted services help reduce operations and management overhead for the businesses that use them, but they offer a stable email experience with all the security features most businesses employ today.
The problem: Those defenses aren’t even remotely enough anymore. While it’s true most cloud platforms can protect your organization against spam and known viruses and malware, for instance, most fall short against the advanced forms of email fraud that have cost businesses more than $12.5 billion over the last five years.
A BEC variant called a PhishPoint attack involves scammers setting up O365 accounts and placing documents within SharePoint. They then pose as colleagues and send invitations to targets, offering to allow them to edit the file. It’s a legitimate SharePoint request, so it makes it through all the malware scans and most other security solutions.
As Redmond Magazine points out, the file is made up to look like a OneDrive file. So when victims attempt to open the file, they’re presented with a fake OneDrive login screen, which allows the fraudsters to pilfer their login credentials.
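As an added illustration (not code from the original article), here is a defender-side triage of a SharePoint sharing notification of the kind described above. It assumes a constructed organisation domain, tenant hosts and directory snapshot, and it looks at where the invite came from and where the shared document leads, since the invite itself passes malware scans.

```python
from urllib.parse import urlparse

# Assumed values for this example; substitute your own tenant details.
OWN_DOMAIN = "contoso.com"
OWN_TENANT_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}
# Hosts where a genuine Microsoft sign-in prompt is expected to be served.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Constructed internal directory snapshot: display name -> mailbox.
DIRECTORY = {"Dana Chen": "dana.chen@contoso.com"}

def triage_share_invite(sharer_name, sharer_email, share_url, login_host=None):
    """Return review reasons for a SharePoint sharing notification.

    sharer_name/sharer_email come from the invite metadata, share_url is the
    document link, and login_host is the host of any sign-in page the
    document presents when opened (None if it presents no sign-in)."""
    reasons = []
    sharer_email = sharer_email.lower()
    sender_domain = sharer_email.rsplit("@", 1)[-1] if "@" in sharer_email else ""
    share_host = (urlparse(share_url).hostname or "").lower()

    # 1. A real SharePoint link, but hosted on a tenant that is not ours.
    if share_host.endswith(".sharepoint.com") and share_host not in OWN_TENANT_HOSTS:
        reasons.append(f"share link hosted on external tenant {share_host}")
    # 2. The sharer uses a colleague's name but writes from outside the company.
    known_mailbox = DIRECTORY.get(sharer_name)
    if known_mailbox and sender_domain != OWN_DOMAIN:
        reasons.append(f"'{sharer_name}' shared from external address {sharer_email}")
    # 3. The document asks for credentials on a page not served by Microsoft.
    if login_host and login_host.lower() not in MS_LOGIN_HOSTS:
        reasons.append(f"credential prompt served from {login_host}")
    return reasons

# Constructed sample invites: one legitimate internal share, one PhishPoint-style.
LEGIT = ("Dana Chen", "dana.chen@contoso.com",
         "https://contoso.sharepoint.com/:w:/g/budget", "login.microsoftonline.com")
SUSPECT = ("Dana Chen", "dana.chen@exampletenant.onmicrosoft.com",
           "https://exampletenant.sharepoint.com/:w:/g/budget", "onedrive-signin.example.net")
```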
This kind of attack is so effective because it leverages social engineering tactics to perpetrate fraud not against computer systems, but against the weakest link in any organization’s cyber-defenses: human beings. Such attacks are propelled by the simple human truth that victims are much more likely to be fooled into taking action if they believe they’re reacting to a trusted executive, colleague or business partner.
Today, a successful BEC campaign will snare its first victims within one minute and can score $130,000 or more. If it results in a data breach? Those numbers go up—a lot. According to the 2018 Total Cost of a Data Breach Report, the average losses incurred after a successful breach can reach $7 million or more.
Unfortunately, the cybercriminals behind these attacks seem to have found cloud platforms can be an absolute goldmine.
That’s because O365 isn’t just a cloud-based email platform. It’s an ecosystem. And as ThreatPost and others point out, filched user credentials can, quite literally, open up a whole world of opportunities to exploit.
Once in, fraudsters can launch what’s called a “chain phishing attack,” pulling off executive impersonation scams, requesting fraudulent wire transfers, stealing valuable IP or sensitive information, or redirecting employee paychecks.
Those same credentials can also grant them access to other O365-connected services, from SharePoint, to Skype, to Yammer, to Azure and—soon, it appears—LinkedIn. What’s more, fraudsters are now free to wage fresh attacks on outside targets by leveraging all the legitimacy conferred by the legitimate email address of a legitimate employee, at a legitimately trusted business. It’s a legitimate nightmare.
Stemming the tide? I’m not going to lie to you, it’s no cakewalk. Sure, security awareness and phishing training can help. Except when it doesn’t. According to the Register, employees—especially in IT—are among the most susceptible to BEC attacks. Worse: Roughly 25% admit they’ve hidden the fact that they’ve fallen victim to an attack out of embarrassment, which delays the response and compounds the damage.
In the face of all this, some organizations will attempt to beef up existing security solutions and perhaps lobby Microsoft to do the same.
But others will find they need to augment O365 with modern, machine learning-based solutions with advanced modeling and behavioral analytics capabilities. These can assess not just who’s sending what from where, but also whether the sender’s behavior makes sense given the context of the message and the relationship between sender and recipient.
These same technologies are used by some of the world’s most prominent financial institutions, social media platforms, and government agencies to block BEC cons and stay ahead of cybercriminals.
Time will tell how many, and how quickly, other organizations using O365 will do the same.
To learn more about BEC and executive impersonation attacks and how advanced email threat protection can stop them in their tracks, download this exclusive case study: “Filling the Gaps in Office 365”