Microsoft 365 has 258 million corporate users: a figure greater than one third of Europe’s population. This will startle most readers, yet many will also find it easy to understand why gaining access to an organisation’s Microsoft 365 platform is not simply desirable, but immensely lucrative.
In 2019, Microsoft was the number one impersonated brand when it came to phishing attacks. However, it is not just the millions upon millions of users that make it particularly prone to attack, but also the nature of the platform. Microsoft 365 is a multisystem platform which combines file storage, productivity, email and collaboration applications, such as SharePoint and OneDrive.
In many organisations, the various Microsoft 365 applications house some of the most sensitive, and for cybercriminals, the most lucrative, information. In 2017, a Ponemon report revealed that 52% of respondents admitted that their organisation stored sensitive or confidential data in SharePoint.
Therefore, from a cybercriminal’s perspective, simply gaining access to an organisation’s SharePoint provides enough ammunition to cause serious damage. With just one set of legitimate Microsoft 365 credentials, a cybercriminal can begin engaging in spear-phishing: a well-known practice with a high financial payout.
Spear-phishing is a form of cyberattack where the cybercriminal masquerades as a trusted sender and targets individual users personally. With legitimate Microsoft 365 credentials, a cybercriminal can easily impersonate other employees and demand ransoms, request wire transfers and much more. They can also acquire other users’ credentials and use this to wreak further havoc.
Often attackers impersonate Microsoft 365 platforms to trick users. When users are brought to these pages, they are manipulated into thinking they are trustworthy and, unknowingly, disclose their login information to cybercriminals. Phishers are also able to build landing pages with a windows.net domain and Microsoft-signed SSL certificates by taking advantage of the Microsoft Azure Binary Large Object (BLOB) storage.
The form that attacks take has changed over the past few years. Phishing attacks are usually more targeted than they were in the past and attackers no longer send out a singular email to thousands of recipients. Attacks are now far more sophisticated and most use a unique image, URL, subject line and sender/IP for each email. Nevertheless, below are some of the common techniques that Stryve partner Vade Secure has identified:
Voice message attacks involve cybercriminals sending an email with a subject line that reads “Incoming: You received a voice message from +1 508 *** – 250 seconds.” Often these emails appear legitimate, contain a realistic-looking phone number and are personalised to include the recipient’s name. Recipients are prompted to click on the phishing link contained within the email.
Moreover, these emails often look like they have been sent from Microsoft directly. For example, the display name may appear as “voice mail service” and the domain address may appear as “Microsoft.com.” As mentioned above, the link contained within the email will bring recipients to a page that appears entirely legitimate but is actually a site created by phishers and designed to harvest unsuspecting victim’s information. A message may also appear to come from firstname.lastname@example.org or another similar address. Messages like this may contain a link to a PDF which is hosted on a SharePoint site that has been compromised by cybercriminals.
Cybercriminals also send emails which demand that the recipient takes immediate action. Usually, these email request that the user updates their payment information or account details. Often, to bypass reputation-based email filtering systems, these emails will contain links to legitimate websites that have simply been hacked. Users do not realise what has happened until it is too late and they are often tricked into disclosing their Microsoft 365 login credentials. Moreover, an attack like this may simply be the first step in a sophisticated and multi-phased attack. If successful, this attack would enable a cybercriminal to begin conducting a lateral attack within an organisation using the credentials they stole.
This form of attack involves the recipient receiving an email informing them that someone, usually with a common name like John or Julie, has shared a file with them. The email then redirects the users to a fake OneDrive page and asks the recipient to log into their account. Most users will simply assume that they have been logged out of their account and sleep-walk through the process of logging back in again. Cybercriminals rely on users’ trusting nature and absent-mindedness to carry out this attack. As soon as users enter their credentials into the fake site, they are harvested by the cybercriminal.
The phisher may also gain access to a user’s account by signing up to a free Microsoft 365 trial and using this to access SharePoint and upload credential-grabbing files or malware. The cybercriminal will then share these files with unsuspecting victims and steal their credentials.
Microsoft 365 does provide some level of protection to users in the form of Exchange Online Protection (EOP), however, this defence alone is insufficient because often phishy emails slip through. To mitigate attacks and minimise the risk of your organisation falling victim to one, two approaches should be taken:
1. Train users – It is important that organisations provide regular, comprehensive training for employees. Employees that are vigilant and aware are more likely to spot a phishy email and prevent an attack from occurring. However, it is important that training is not given simply when an attack occurs; it should be an on-going and regular process.
2. Add another layer of security – While training users is important, human error is a natural part of life. Employees cannot be expected to spot every form of attack, particularly as they become more sophisticated. An additional layer of security should sit natively inside Microsoft 365 through an API to complement EOP. A native Microsoft 365 solution layers with EOP and enables the API solution to detect multiphase and insider attacks by scanning the internal email.
Cybercriminals are aware that many organisations rely on Microsoft 365 and use the multisystem platform to both process and store sensitive information. Therefore, gaining access to an organisation’s Microsoft 365 is extremely advantageous. Relying on Microsoft 365 does not pose a threat to your organisation but doing so blindly will.
As mentioned above, it is vital that employees receive regular training and are aware of the threat that phishing and other cyberattacks pose. However, it is also important that organisations ensure that they have comprehensive defences in place. As a Vade Secure partner, Stryve offers a solution that guarantees protection and peace of mind.
Vade Secure is the global leader in predictive email defence, protecting 600 million mailboxes in 76 countries. The Vade Secure solution helps small businesses protect their Microsoft 365 users from advanced email threats, including phishing, spear phishing, and malware.
Vade Secure for Microsoft 365 is the only native email security solution for Microsoft 365, and it combines powerful, AI-based threat detection with a simple configuration based on a once-off set-up. It blocks attacks from the very first email by using machine learning models that perform real-time analysis of the entire email, including any URLs included in the mail and any attachments. With a Vade Secure solution in place and the help of experts like us, companies can feel assured that their brand and business is always protected.