Phishing scams are attacks that rely predominantly on social engineering. An attacker sends emails to end users, using a range of tactics to convince them that the message, its attachments and its links come from a safe sender.
Attackers often go to great lengths to make these emails look legitimate. The emails carry malicious attachments or links to fake websites that deliver malware and ransomware, or that lead to phishing pages designed to steal credentials or financial information. For the attack to work, the recipient has to act on something they shouldn't, whether that is opening a malicious attachment or following a bogus link.
New phishing scams targeting Microsoft 365 users in an attempt to steal their credentials are being reported with increasing frequency. Microsoft services are targeted heavily because of the value a Microsoft account holds: over a million companies worldwide use Microsoft products for their teams to work and communicate, with over 731,000 companies in the USA alone using Microsoft solutions.
That is a lot of potential entry points into businesses that hold valuable data. In this article, we'll look at some of the different kinds of phishing scams targeting Microsoft 365 users, and outline how to protect your organization against them.
What Types Of Phishing Email Scams Are There?
Business Email Compromise
Business email compromise (BEC) is a phishing scam in which a business email account is either taken over or impersonated, so that the attacker can pose as a trusted figure and deceive others at the company, typically into making a payment or handing over sensitive data.
Phishing And Spear Phishing
With ordinary phishing scams, emails are sent out en masse. Working on a balance of probabilities, the tactic relies on at least one or two people out of a few hundred falling victim.
Spear phishing is a much more targeted approach. It usually involves singling out a particular individual within a company and writing an email tailored specifically to them. Attackers often glean information from social media sites and the company website to make the email plausible and credible.
Whaling refers to highly targeted phishing attacks aimed at high-ranking employees, such as the CEO or other executives, in an attempt to steal a company's most sensitive information. A frequent goal is getting the executive to approve a large payment to the attacker. Probably the most sophisticated tactic of those listed here, a whaling scam can be incredibly difficult to detect, both technically and socially.
Common Microsoft 365 Phishing Emails
Different types and styles of phishing emails hit businesses and individuals every day. While there is no end to the forms these emails take, two attacks in particular have been reported repeatedly in recent years:
A common tactic aimed at Microsoft 365 users is a highly convincing scam that impersonates SharePoint to trick users into handing over their credentials. It targets employee accounts rather than personal ones, making it a considerable threat to businesses. SharePoint is a tool companies frequently use for staff to collaborate on projects, so receiving a SharePoint notification is not beyond the realm of possibility for most people. The scam is sophisticated too: the sender is spoofed so the email appears to come from Microsoft, which makes its potential impact widespread and damaging.
Most SharePoint phishing scams begin with an emailed request to collaborate on a document. In some variants the attached document carries malware that runs once it is opened, but attacks focused on harvesting Office 365 (now Microsoft 365) credentials are becoming more common.
Credential-harvesting variants link to a genuine, innocuous document. After following that link, the user is instructed to click once more on a link labelled "Access Document". This link redirects to a malicious website that prompts for Microsoft 365 login details, and the credentials are captured there. The user is then redirected to the real Microsoft 365 page, leaving most unaware that they have just fallen victim to cybercrime. From there, attackers can infiltrate the tenant and steal data, deploy ransomware or other malware, or simply keep the account for later use. It is a large problem too: in the past twelve months, over 5,200 SharePoint-based scams were detected.
Many users of Microsoft's OneDrive receive phishing emails that follow the same pattern as the SharePoint ones. The email, apparently from Microsoft, alerts the user that a colleague has requested collaboration on, or editing of, a document in OneDrive. No preview of the document is shown; the email states that the file has no preview to display. Users are prompted to click a link to access the document, are redirected to a malicious or fake website, and are asked to enter their Microsoft credentials.
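The SharePoint and OneDrive lures above hinge on one thing the user cannot see in the email client: where the "Access Document" link actually goes. The following is an added example, not code from the original article, of how a filter can triage the links in such a message. It parses every anchor in a constructed HTML body, resolves the real host of each href, and compares it against an assumed allowlist of Microsoft domains with a proper suffix match, so that the usual dressing-up tricks (a Microsoft domain used as a subdomain of the attacker's host, a Microsoft domain in the URL's userinfo part, or a Microsoft domain appearing only in the query string or link text) are all flagged. The allowlist, lure words and sample hosts are assumptions made for this example.

```python
# Added example (not from the original article): triage the links in a
# SharePoint/OneDrive-style lure. The allowlist and sample body are assumed.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts that genuinely serve Microsoft 365 document links (assumed allowlist).
MICROSOFT_DOMAINS = ("sharepoint.com", "onedrive.live.com", "1drv.ms",
                     "office.com", "microsoft.com", "microsoftonline.com")
LURE_WORDS = ("access document", "open document", "view document", "sign in")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def host_is_microsoft(host):
    """True only if host is an allowlisted domain or a real subdomain of one.
    'microsoft.com.evil.example' fails: the allowlisted name must end the host."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)


def triage_link(href, text):
    """Classify one link as ok / suspicious / phish with a reason string."""
    parts = urlsplit(href)
    host = parts.hostname or ""  # userinfo and port are already stripped here
    if parts.scheme not in ("http", "https"):
        return "suspicious", f"non-web scheme {parts.scheme!r}"
    if host_is_microsoft(host):
        return "ok", f"host {host} is a Microsoft domain"
    reasons = [f"host {host} is not a Microsoft domain"]
    if parts.username:  # https://login.microsoftonline.com@evil.example/...
        reasons.append("userinfo part of the URL mimics a trusted domain")
    if any(d in href.lower() for d in MICROSOFT_DOMAINS):
        reasons.append("a Microsoft domain name appears elsewhere in the URL")
    if any(w in text.lower() for w in LURE_WORDS):
        reasons.append(f"link text {text!r} is a document-access lure")
    return "phish", "; ".join(reasons)


def triage_html(body):
    """Return (href, text, verdict, reason) for every link in an HTML body."""
    collector = _AnchorCollector()
    collector.feed(body)
    return [(h, t, *triage_link(h, t)) for h, t in collector.links]


# Constructed sample lure body; the hosts are made up, not a real campaign.
SAMPLE_BODY = """
<p>A colleague has shared a document with you. Preview is not available.</p>
<a href="https://contoso-my.sharepoint.com/:w:/g/personal/report">Shared file</a>
<a href="https://microsoft.com.secure-docs.example/login">Access Document</a>
<a href="https://login.microsoftonline.com@docs-review.example/auth">Open Document</a>
<a href="https://cdn.example/preview?next=office.com">Preview unavailable</a>
"""

if __name__ == "__main__":
    for href, text, verdict, reason in triage_html(SAMPLE_BODY):
        print(f"[{verdict}] {text!r} -> {href}\n    {reason}")
```

The important design choice is `host_is_microsoft`: a substring test such as `"microsoft.com" in href` would wave through the second and third links, which is exactly what the lure is built to exploit. Only the hostname that the browser will actually connect to is compared, and only as an exact match or a dot-delimited suffix.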
How To Stop Microsoft Phishing Emails
Implementing Email Security Controls
Many phishing emails come from spoofed domains or carry spoofed headers. Header spoofing is a technical attack that is difficult, if not impossible, for end users to detect by eye. Fortunately, where there is a technical will there is usually a technical way: anti-phishing solutions that detect, flag and block spoofed mail are widely available. Microsoft 365 includes built-in anti-phishing controls (Exchange Online Protection, with Defender for Office 365 on higher tiers), but many organizations find them insufficient on their own and stand to benefit from deploying a dedicated anti-phishing solution alongside them.
Anti-phishing software detects spoofing by checking that a message's sender identities agree with each other and with the infrastructure it actually came from. The standard mechanisms are SPF (is the sending server's IP address listed in the DNS record published by the envelope sender's domain?), DKIM (does the message carry a valid cryptographic signature, and for which domain?) and DMARC (does an authenticated domain align with the From: address the user sees, and what does the domain owner want done with mail that fails?). End users rarely inspect raw headers and cannot practically verify these results by hand, but the filter records them and can warn the user, notify admins, or quarantine the message before it ever reaches the inbox.
However, some phishing emails involve no technical spoofing at all. Attackers impersonate businesses or individuals by registering domains and creating addresses and websites whose names match the original at first glance. Because the mail genuinely comes from the attacker's own domain, SPF, DKIM and DMARC all pass, which makes these messages harder for a filter to catch. Some solutions compensate by comparing the sender's display name and domain against the user's contact list and known partner domains, alerting the user to near matches and asking them to verify the sender's identity through another channel first.
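To make the two preceding points concrete, here is an added example, not code from the original article, of the two header checks an anti-phishing filter runs before delivery. The first reads the Authentication-Results header that the receiving server stamps on each message (SPF, DKIM and DMARC verdicts) and re-derives DMARC alignment from the From: domain, the Return-Path domain and the DKIM d= tag. The second handles the case where spoofing is absent and authentication passes: the From: domain is compared against known contact domains after folding the confusable characters attackers use (rn for m, 0 for o, and so on). The two raw messages, the contact list, the authserv-id "mx.contoso.example" and the lookalike domain are all constructed for this example.

```python
# Added example (not from the original article): two header checks an
# anti-phishing filter runs before a message reaches the inbox. The messages,
# contact list and authserv-id "mx.contoso.example" below are constructed.
import re
from email import message_from_string
from email.policy import default as default_policy
from email.utils import parseaddr

KNOWN_DOMAINS = {"contoso.example", "microsoft.com", "sharepoint.com"}  # assumed contacts
# Substitutions attackers rely on to build lookalike names, folded before comparing.
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("-", "")]


def domain_of(address):
    """Lowercase domain of an RFC 5322 address header, or '' if absent."""
    return parseaddr(address or "")[1].rpartition("@")[2].lower()


def org_domain(domain):
    """Organisational domain approximated as the last two labels. Real relaxed
    DMARC alignment uses a public-suffix list; that is assumed away here."""
    return ".".join(domain.split(".")[-2:])


def parse_auth_results(header):
    """Pull the spf/dkim/dmarc verdicts and the DKIM d= domain out of an
    Authentication-Results header value."""
    header = header or ""
    results = {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}
    d = re.search(r"header\.d=([\w.-]+)", header)
    results["dkim_d"] = d.group(1).lower() if d else ""
    return results


def fold_confusables(domain):
    out = domain.lower()
    for bad, good in _CONFUSABLES:
        out = out.replace(bad, good)
    return out


def edit_distance(a, b):
    """Levenshtein distance; domain names are short enough to inline it."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_DOMAINS):
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in known:
        return None
    folded = fold_confusables(domain)
    for k in sorted(known):
        if folded == fold_confusables(k) or edit_distance(domain, k) <= 1:
            return k
    return None


def assess(raw_message):
    """Return the list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=default_policy)
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    auth = parse_auth_results(msg["Authentication-Results"])
    findings = []
    if auth.get("spf") != "pass":
        findings.append(f"SPF {auth.get('spf', 'missing')} for envelope domain {rp_dom}")
    if auth.get("dkim") != "pass":
        findings.append(f"DKIM {auth.get('dkim', 'missing')}")
    # DMARC alignment: some *authenticated* identifier must share the From: org domain.
    spf_aligned = auth.get("spf") == "pass" and org_domain(rp_dom) == org_domain(from_dom)
    dkim_aligned = auth.get("dkim") == "pass" and org_domain(auth["dkim_d"]) == org_domain(from_dom)
    if not (spf_aligned or dkim_aligned):
        findings.append(f"no authenticated identifier aligns with From: domain {from_dom}")
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"From: domain {from_dom} looks like trusted domain {imitated}")
    return findings


# Constructed messages, not real campaigns. The first spoofs the From: header but
# is sent through the attacker's own server; the second passes every
# authentication check because the lookalike domain really is the attacker's.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@bulk-mailer.example>
Authentication-Results: mx.contoso.example; spf=pass smtp.mailfrom=bulk-mailer.example; dkim=none; dmarc=fail header.from=contoso.example
From: IT Service Desk <it-support@contoso.example>
Subject: A SharePoint document has been shared with you

Click Access Document to review the file.
"""

LOOKALIKE_MESSAGE = """\
Return-Path: <noreply@rnicrosoft.com>
Authentication-Results: mx.contoso.example; spf=pass smtp.mailfrom=rnicrosoft.com; dkim=pass header.d=rnicrosoft.com; dmarc=pass header.from=rnicrosoft.com
From: Microsoft 365 <noreply@rnicrosoft.com>
Subject: Your OneDrive file is waiting

Open the document to continue.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("lookalike", LOOKALIKE_MESSAGE)):
        print(name, assess(raw) or ["no findings"])
```

Note what each message teaches: the spoofed one has spf=pass, because the attacker's bulk mailer is authorised for its own envelope domain, yet it still fails because nothing authenticated aligns with the visible From: domain, which is precisely the gap DMARC closes. The lookalike passes SPF, DKIM and DMARC cleanly, and only the contact-list comparison catches it.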
One commonly used tool is a secure email gateway (SEG). A SEG sits in the mail flow in front of the mailboxes and filters out email-borne threats such as phishing, spam and malware, and absorbs volume-based denial-of-service attempts (mail floods) aimed at the mail server. Most combine reputation data, signatures and machine learning to detect and respond to these threats in real time, so that they never reach end users' inboxes.
For business-friendly anti-phishing solutions, check out our top ten list here:
The Top 10 Phishing Protection Solutions
Phishing Awareness Training And Simulations
Unfortunately, there are some things technology alone cannot detect. Phishing emails that don't rely on spoofing cannot always be spotted by a security solution because there is nothing technically amiss to find; they are just emails. In this case, the best defense is awareness.
Phishing awareness training and simulations are a learning-based control that trains employees to recognize phishing attacks. It is a two-pronged approach: users go through training that teaches them how to spot and respond to suspected phishing emails, then their knowledge is tested and kept current with simulated phishing emails.
Phishing awareness training programs are usually virtual, interactive programs that blend scenario-based videos and quizzes to build a person's knowledge of how to spot a phishing email in their inbox and what to do when they see one. They teach users to think critically and to question sender details and the nature of requests. Would this particular colleague really ask to work on this document with them? Why hasn't this task come up before?
After training is complete, employee knowledge can be tested and improved through phishing simulations. These send fake phishing emails to employees in your organization so they can practise spotting and reporting potential attacks. Simulation tools often come with hundreds of customizable templates, helping you tailor realistic fake emails. When employees fall for a simulation, it is flagged to admins so they can follow up with further training.
Phishing simulations and awareness training usually come as a package, with the simulation software deployed once an employee has finished the course. Follow the link here for an in-depth look at some of the top training and simulation solutions on the market and find the right one for your business:
The Top 10 Phishing Simulation And Testing Solutions
Phishing emails, while seemingly innocuous, can cause irreparable harm to businesses. With a large share of security breaches and data losses beginning with a phishing email, strengthening protection in this area is critical.
With Microsoft users targeted more and more frequently because of the value their accounts hold, any company that uses Microsoft products would strongly benefit from deploying anti-phishing solutions alongside them to protect its data. Deploying technical controls and training staff on the dangers of these emails are both vital to the overall health of a company's cybersecurity.