If you subscribe to the notion that hackers go where the users are, it’s not surprising that Microsoft remains the #1 impersonated brand in phishing attacks. The others making up the top five are PayPal, Netflix, Facebook and Bank of America, which confirms the theory.
The real problem with Microsoft though isn’t how often they get targeted by phishing emails. The real problem is how many get through. According to Avanan’s 2019 Global Phish Report, “30% of phishing emails sent to organizations using Office 365 Exchange Online Protection (EOP) were delivered to the inbox.” EOP is a “hosted email security service, owned by Microsoft, that filters spam and removes computer viruses from e-mail messages.”
“Microsoft’s own research estimates that Office 365 phishing increased 250% from Jan – Dec 2018.” Apparently EOP isn’t very good at its job, especially when you consider that letting just one email through can be enough to infect an entire company. Much of the reason these emails get through is something called URL obfuscation.
According to Techopedia, “An obfuscated URL is a web address that has been obscured or concealed and has been made to imitate the original URL of a legitimate website. It is done to make users access a spoof website rather than the intended destination.”
From the Global Phish Report, “Obfuscation methods are the most advanced phishing attacks, leveraging specific vulnerabilities in Office 365 security layers. Hackers obfuscate the URL, making it unrecognizable to Office 365 security, which fails to blacklist the malicious content. With this strategy, hackers can use URLs that are even known to be malicious, because Microsoft won’t recognize the format of the URL.”
There are actually three ways to enact URL obfuscation:
- link shorteners,
- URL lookalikes and
- URL redirects.
It’s hard to imagine that users will be keen to spot all of these, and if Microsoft can’t stop them, that leaves users pretty vulnerable.
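To make the three techniques above concrete from the defender’s side, here is an added example (not code from the report or from any product mentioned on this page) of the kind of pre-delivery link triage a mail filter can run. The shortener list, the protected-brand list, the confusable map and the sample URLs are all constructed assumptions; a real deployment would use curated feeds and a proper public-suffix list.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed lists for this example only: a few well-known shortener hosts and the
# brands a defender wants to protect (the top impersonated brands named above).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
PROTECTED_BRANDS = {"microsoft.com", "paypal.com", "netflix.com", "facebook.com"}
BRAND_NAMES = {b.split(".")[0] for b in PROTECTED_BRANDS}
# Digit-for-letter substitutions commonly seen in lookalike hostnames (assumed set).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); adequate for the .com brands in this example."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def triage_url(url: str) -> list[str]:
    """Return the obfuscation signals found in one URL; an empty list means none."""
    findings: list[str] = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    # 1. Link shorteners: the visible host says nothing about the destination.
    if domain in SHORTENERS:
        findings.append("shortener")
    # 2. Lookalikes: the host only becomes a protected brand after undoing
    #    substitutions, or carries a brand name without being that brand's domain.
    if domain not in PROTECTED_BRANDS:
        plain = host.translate(CONFUSABLES)
        if registrable_domain(plain) in PROTECTED_BRANDS or any(b in plain for b in BRAND_NAMES):
            findings.append("lookalike")
    # 3. Redirects: the real destination travels as a query parameter, and that
    #    inner URL may itself be shortened or a lookalike, so triage it recursively.
    for values in parse_qs(parts.query).values():
        for value in values:
            target = unquote(value)
            if target.lower().startswith(("http://", "https://")):
                findings.append("redirect")
                findings.extend(triage_url(target))
    return findings


if __name__ == "__main__":
    # Constructed sample links, not real indicators.
    for sample in ["https://www.microsoft.com/en-us/", "http://login.micr0soft.com/auth",
                   "https://example.com/r?url=https%3A%2F%2Fbit.ly%2Fabc"]:
        print(sample, "->", triage_url(sample) or "clean")
```

The heuristic is deliberately noisy (brand-name substring matching will flag some legitimate hosts), which is exactly why the text argues for a click-time check rather than relying on pre-delivery URL inspection alone.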
What users need to protect themselves, regardless of whether their email service is Office 365, Google’s G-Suite or something else, is email security with real-time link click protection. Real-time link click protection doesn’t care if the URL is obfuscated or not because it waits until after the link is clicked to see if it’s malicious.
For real-time link click protection to work though, it must be deployed in the cloud, where it sits between the user and potentially malicious sites. That way, if a user does click on a link leading to a malicious site, the page gets loaded not on the user’s computer, but on a server in the cloud where it gets examined. If it’s found to be malicious, it gets blocked and the user never sees it. A setup like that would certainly protect the hundreds of thousands of Office 365 users who received a phishing email in their inbox.
If you use Office 365 or G-Suite for your email, you’ll want to consider augmenting their native security with cloud-based email security with real-time link click protection.