Microsoft is by far the most popular brand in phishing scams targeting businesses today. It also provides one of the most common email security solutions. Yet Microsoft’s email security misses many of the phishing emails that impersonate its own brand. Here, BitDam’s co-founder and CTO Maor Hizkiev writes how this issue can be addressed.
Over 650,000 businesses trust Microsoft’s Office 365 (O365) suite in the U.S. alone. That word – “trust” – has been synonymous with Microsoft as it has supported organizations with its operating system and suite of applications since 1975.
It is this very trust, however, that is creating a significant blind spot and massive danger when it comes to users of O365 products, particularly their email and email security tools.
The Gatekeeper Is Ineffective
With Microsoft usage being ubiquitous in a business setting, it’s no wonder that Microsoft users have become the target of phishing attacks. In fact, research shows that Microsoft is by far the most popular brand when it comes to phishing scams that target businesses.
This makes sense. But this is also where things get really interesting.
Microsoft is also the provider of some of the most common and widely used email security solutions. Astonishingly, Microsoft’s very own email security products – the basic plan and Office ATP/Microsoft Defender for Office 365 – miss many of the phishing emails that impersonate Microsoft’s brand.
These emails look to harvest user login details to Office 365 and other Microsoft systems. With these credentials in hand, attackers can wreak havoc on an organization, including leveraging a compromised user account for lateral movement and accessing a company’s (or government department’s) most sensitive data.
Why does it happen? And how come Microsoft’s email security solutions let phishing emails into the organization, especially when these emails impersonate the Microsoft brand itself?
The Root of The Problem: Efficiency vs Effectiveness
In our opinion, the root of the problem is Microsoft’s technological approach to threat detection.
Microsoft’s email security, including its Office ATP (Advanced Threat Protection), is based on a combination of statistical models and reputation. As such, it identifies suspicious content and correlates known attack patterns to identify threats.
This approach is definitely efficient, as it focuses on real-time scanning of only the most suspicious content, enabling relatively good coverage at scale and catching many attacks. But is it effective enough? Is being safe most of the time being safe at all?
Missing The Most Dangerous Types of Attack
Unfortunately, the answer is a resounding NO. As a result of this approach, a large weak spot emerges.
What about emerging attacks that are seen by the system for the first time – and therefore not yet defined as threats?
For example, threat actors are using spear-phishing methods to create targeted attacks. These attacks often include creating domain names that contain the victim’s domain within them – to evade reputation checks – and use the company logo on the Microsoft login page instead of the generic Microsoft one. Specifically, attackers use the following tactics:
- Logo: Users who fall for a spear-phishing email and click a link are directed to a page where their own company logo is displayed. This, of course, increases the level of trust that the user has in the login portal and makes it more likely that they’ll share their credentials.
- URL: Not only do attackers incorporate the target’s URL into the fake URLs that they use – often at the beginning, so that this is all the user sees – but they also use an original, legitimate-looking URL that redirects to the malicious URL, fooling both users and automated checks.
- Branding, Look and Feel: Attackers even take things to the next level by utilizing a background that fits the victim’s branding, such as an image or branded background.
Not only do these tactics ensure the fake page looks legitimate to users, they also make it harder for phishing detection engines that are based on reputation or image analysis to detect these attacks.
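As an added illustration (not BitDam’s code or part of the original article), the check below flags the URL tactics described above from the defender’s side: a protected organization’s domain embedded inside a different registrable domain, the organization’s name embedded in the hostname, or a destination hidden behind a redirect hop in the query string. The organization domain and sample URLs are constructed placeholders.

```python
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed placeholder for the protected organization's real domain.
ORG_DOMAIN = "victimcorp.example"


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Production code should consult the Public Suffix List; this is a simplification."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_reason(url: str, org_domain: str = ORG_DOMAIN, depth: int = 0) -> Optional[str]:
    """Return a short reason if the URL uses a lookalike tactic, or None if it looks clean."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    org = org_domain.lower()
    if not host:
        return None
    # Redirect hop: a query parameter carrying another URL. Judge the inner
    # destination rather than the reputable-looking outer host (bounded recursion).
    if depth < 3:
        for values in parse_qs(parsed.query).values():
            for value in values:
                if value.lower().startswith(("http://", "https://")):
                    inner = lookalike_reason(value, org_domain, depth + 1)
                    if inner:
                        return f"redirect hop via {host} -> {inner}"
    if host == org or host.endswith("." + org):
        return None  # genuinely under the organization's own domain
    # Victim domain placed as a subdomain of an attacker-controlled domain.
    if host.startswith(org + ".") or "." + org + "." in host:
        return f"org domain embedded as subdomain of {registrable_domain(host)}"
    # Victim's name spliced into an unrelated hostname (hyphens ignored).
    org_label = org.split(".")[0]
    if org_label in host.replace("-", ""):
        return f"org name embedded in hostname {host}"
    return None


if __name__ == "__main__":
    # Constructed sample URLs, not real indicators.
    for sample in ("https://login.victimcorp.example/",
                   "https://victimcorp.example.login-portal.test/auth",
                   "https://cdn-share.example/r?u=https://victimcorp.example.login-portal.test/auth"):
        print(sample, "->", lookalike_reason(sample))
```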
As we’ve seen, Microsoft’s detection methods are ineffective when it comes to these threats.
What about attacks that utilize new techniques, and therefore slip under the radar? Only after the attack is widely spread and identified by statistical models, or once reputation engines mark the sender or URL as suspicious, can Microsoft’s defenses block the attack.
Attackers have quickly learned to take advantage of this vulnerability and design attacks that look legitimate to these AI engines, which in turn “assume” they are safe and don’t even scan them.
Examples of Microsoft-Impersonating Phishing Attacks
During the past few months, the team at BitDam has detected many phishing attacks that impersonate Microsoft services such as Office 365, OneDrive, SharePoint, Teams, and even Microsoft Planner – all of which bypassed Office ATP’s security layer, and would have reached the end-users were it not for BitDam.
What follows are several examples of such phishing attacks and the reasons why Microsoft did not detect them. These phishing attacks include targeted attacks that were sent from real email accounts with a good reputation, attacks that use multiple hops to evade security solutions, and fake login pages for various Microsoft services (O365, Exchange, OneDrive, Teams and more).
When The Default Isn’t Good Enough
Clearly, trusting Microsoft alone with your organization’s email security is more an act of hope than a security strategy. If Microsoft can’t protect users against attacks impersonating itself, it raises bigger questions around the level of email security in general – especially when it comes to the threat of phishing.
Based on the explanation of how Microsoft threat detection works, we always recommend adding a purpose-built phishing protection solution to your current security stack (many of them can be deployed from the Microsoft Azure marketplace). All it takes is for one fake Microsoft email to get through, and your entire company can be compromised. It’s not worth taking the risk.