Microsoft Is a Magnet for Phishing Attacks: Here Is What Businesses Can Do to Protect Their Sensitive Email Content
Phishing attacks can have a devastating impact on businesses, resulting in financial losses, reputational damage, and legal liabilities. Moreover, phishing attacks are becoming more sophisticated, with hackers using advanced techniques such as spear phishing, vishing, and smishing to target specific individuals and organizations.
One software platform that has proven particularly popular for phishing attacks is Microsoft Office. In this blog post, we will explore the phishing risks that businesses face when using Microsoft Outlook, and discuss how businesses can protect themselves against targeted phishing and whaling attacks that threaten to expose confidential email communications and other sensitive content.
Phishing’s Devastating Impact on Businesses
Phishing continues to be a lucrative and mainstay vector for adversaries year over year. According to the Mandiant Special Report M-Trends 2023, in 2022 phishing returned to being the second most utilized vector for initial infection in intrusions, representing 22% of intrusions where the initial infection vector was identified. This is an increase from 12% of intrusions seen in 2021.
The Netwrix 2023 Hybrid Security Trends Report finds that 68% of organizations suffered a cyberattack within the last 12 months, with phishing remaining the most common attack vector. In the report, Dirk Schrader, VP of Security Research at Netwrix, notes that “Phishing emails used to be easy to spot, thanks to grammar and spelling mistakes and obviously incorrect graphics. But the advent of AI tools like ChatGPT will make it easy for threat actors to quickly create well-formed messages, including spear-phishing messages that target specific individuals, that are likely to fool more recipients into clicking on malicious links or opening infected attachments.”
How a Phishing Attack Works
To understand the risks of phishing, consider this fictitious scenario. William Morgan, a member of the finance team at Tiger Manufacturing, receives an email from what he presumes is Microsoft, requesting his Microsoft 365 credentials for a system upgrade.
Despite the email’s suspicious nature, William provides his credentials, which allows hackers to gain access to his entire Microsoft Outlook inbox. The hacker then registers multiple domain names on GoDaddy that vary slightly from Tiger Manufacturing’s domain name (e.g., Tigger Manufacturing, Tiger Manufactering, Tiger Manufcaturing, etc.). The hacker then registers several Microsoft Office 365 trial accounts in these fake domains.
The hacker then uses the trial accounts to send phishing emails to Tiger Manufacturing’s customers with fraudulent invoices and banking details. Some customers fall for the scam and wire funds to a German account. The hacker chooses a German account because Microsoft considers a German P.O. box a legitimate account address.
Joseph, Tiger’s chief information security officer (CISO), identifies the attacker’s unsophisticated, but nevertheless successful, tactics and notifies GoDaddy and Microsoft immediately. GoDaddy ignores his calls and Microsoft eventually freezes the free trial accounts after several requests.
Although Microsoft freezes the free trial accounts, it doesn’t release the syslog details that could have revealed the specific files and emails that the attacker downloaded from William’s Outlook inbox. Therefore, Tiger Manufacturing doesn’t truly know the full extent of the attack and is obligated to take the worst-case path and inform every customer who could conceivably have been breached.
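The lookalike domains in the Tiger Manufacturing scenario differ from the real domain by a single inserted, substituted, or transposed character. As an added example (not from the original post or from Kiteworks), the following Python flags inbound sender domains that sit within a small edit distance of the organization’s own domain, which is one way a mail gateway or SOC can catch this pattern before customers do. All domain names and headers below are constructed.

```python
# Added example: flag sender domains that are near-misses of our own domain.
# Assumes plain From: headers; the domains used here are constructed samples.
from email.utils import parseaddr

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent-transposition each cost 1, so 'manufcaturing' scores 1 against
    'manufacturing' (the transposition case plain Levenshtein would score 2)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def registrable_label(domain: str) -> str:
    """Crudely strip subdomains and the last label (TLD) to get the part an
    attacker must imitate, e.g. 'tigermanufacturing'. A real deployment should
    use a public-suffix list so 'example.co.uk' does not reduce to 'co'."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def classify_sender(from_header: str, our_domain: str, max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for one From: header.
    A different TLD on the same label (tigermanufacturing.net) is distance 0
    and is deliberately treated as a lookalike, not as internal."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "external"
    sender_domain = addr.rsplit("@", 1)[1].lower()
    if sender_domain == our_domain.lower():
        return "internal"
    dist = damerau_levenshtein(registrable_label(sender_domain),
                               registrable_label(our_domain))
    return "lookalike" if dist <= max_distance else "external"

def flag_lookalikes(from_headers, our_domain: str):
    """Return the subset of headers that classify as lookalike, for alerting."""
    return [h for h in from_headers if classify_sender(h, our_domain) == "lookalike"]
```

Tune max_distance to the length of your own label: for short domains a distance of 2 produces false positives, and a distance of 1 plus exact-label/other-TLD matching is usually enough.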
Don’t Expect Microsoft to Protect You From a Phishing Attack
First and foremost, Microsoft is a software company focused on enhancing workforce productivity. While the company will say security is a top priority, productivity is the top priority. With almost 350 million global Microsoft Office 365 users, Microsoft is ill-equipped to protect that many users. The platform therefore will always be susceptible to phishing.
While Tiger Manufacturing is a fictitious company, phishing schemes plague businesses every day without regard to size, industry, or location. In fact, in late 2023, researchers identified hundreds of compromised Microsoft Office 365 user accounts in dozens of Microsoft Azure environments. Many of these accounts belonged to senior executives with titles like President/CEO, CFO/Treasurer, Sales Director, Finance Manager, and more. Senior executives are popular phishing targets as they typically possess privileges to sensitive information that can be stolen and monetized.
The phishing campaign lured executives to click “View Document” buttons that redirected victims to pages asking for account credentials, giving hackers access to sensitive corporate, financial, and systems information.
Ultimately, businesses cannot rely on Microsoft to prevent, identify, or remediate phishing attacks and account takeovers.
Phishing Attack Variations
Phishing attacks are becoming more sophisticated as hackers deploy increasingly advanced techniques, such as social engineering, spoofing, and malware. Social engineering involves using psychological manipulation to trick the victim into divulging sensitive information, while spoofing involves disguising the origin of a message to make it appear legitimate. Malware can be used to infect a victim’s device and steal information or take control of the device.
Phishing attacks come in many different forms, each designed to trick individuals into revealing sensitive information or performing actions that could compromise their personally identifiable information or protected health information (PII/PHI), customer records, financial data, intellectual property, or other forms of sensitive information. Starting with whaling, the main types of phishing schemes include:
1. Whaling: Targeting Top Executives for Sensitive Information
Whaling, as we saw above with the recent attack on Microsoft Azure, is a targeted form of phishing in which cybercriminals try to gain access to sensitive information from high-profile individuals like CEOs, CFOs, or other top executives. These executives are particularly vulnerable to whaling attacks, as they often have access to more sensitive information and are less likely to be trained in cybersecurity best practices.
The attackers use social engineering tactics disguised as legitimate-looking emails that appear to come from other senior executives or trusted sources. If successful, the executive clicks on a malicious link, provides login credentials to a business-critical application, or sends confidential documents. Whaling attacks are often sophisticated and well-crafted, making them difficult to detect and defend against. It is crucial therefore that organizations and their employees remain vigilant and take appropriate measures to protect their sensitive information against such attacks.
2. Deceptive Email Phishing: Leveraging Familiar but Counterfeit Identities
Deceptive email phishing is one of the most common types of phishing scams. In a deceptive email phishing attack, an attacker sends an email that appears to be from a legitimate organization or a known individual. The email contains a link to a fake website that looks like the real one, asking the user to provide confidential information such as passwords, account numbers, or credit card information. The email may also contain an attachment that, once downloaded, installs malware on the victim’s computer or device.
3. Spear Phishing: Zeroing in on a Specific Target
Spear phishing is a more advanced type of phishing attack that targets a specific individual or group, as opposed to phishing’s broader, “scatter-shot” approach. In a spear-phishing attack, an attacker gathers personal information about a target and uses it to create a personalized message that increases the chances of success. The email may ask for specific information, account login credentials, or contain a link to a fake website or a malicious attachment.
4. Smishing: Phishing via Text
Smishing is a type of phishing attack that uses text messages to trick users into providing sensitive information or downloading malware. The message appears to be from a legitimate source, such as a bank or service provider, and asks the user to provide personal information or click on a link to a fraudulent website.
5. Vishing: Phishing via Phone
Vishing is another form of phishing attack that uses phone calls instead of emails or texts to deceive users into revealing sensitive information or performing actions they would not normally do, such as transferring money. In a vishing attack, an attacker may pose as a bank or service provider and use tactics to persuade the victim to provide confidential information or transfer funds.
6. Clone Phishing: Manipulating Legitimate Emails
Clone phishing is a type of phishing attack in which attackers duplicate, or clone, a legitimate email, often with the same content, but with different—and often malicious—links and attachments. The email may appear to be from a trusted source, such as a bank or service provider, and ask the victim to provide personal or sensitive information.
7. Pharming: Deceiving Victims With Fraudulent Websites
Pharming is a type of phishing attack in which attackers redirect users to a fake website that appears to be legitimate. The website is designed to steal login credentials or financial information from the victim. Attackers may use malware or DNS spoofing to redirect the victim to the fake website.
8. Business Email Compromise (BEC): Impersonating a Trusted Colleague
BEC is a type of phishing attack that involves impersonating a trusted coworker, partner, or vendor to trick victims into transferring money or sharing sensitive information. In a business email compromise attack, an attacker may use a fraudulent email address (like in the fictitious Tiger Manufacturing scenario above) and request an urgent action, such as a wire transfer or changing account information. This type of phishing attack can result in significant financial losses or data breaches.
The Cybersecurity Gaps in Microsoft’s Armor: Phishing Attacks Made Easy
Microsoft is widely known for its productivity tools that are used by millions of people and businesses worldwide. The defensibility of these products, however, can fall short. There are, in fact, several gaps in the Microsoft Office 365 platform that make it vulnerable to phishing attacks. Here are a few examples:
Low Visibility Into File Activity Creates Governance Gaps
A major Microsoft Office 365 gap is the lack of visibility into external content sharing, namely who is sharing what content with whom. Organizations can’t adequately protect intellectual property, PII, PHI, sales contracts, financial data, and other sensitive information if they don’t know where it’s stored, who has access to it, or with whom they’re sharing it. This level of visibility is fundamental to content governance, protection, and regulatory compliance. While many companies rely on Office 365 to share documents and collaborate with third parties using OneDrive and SharePoint Online, these applications don’t provide adequate visibility. With insufficient visibility and reporting, organizations increase their risk of a data leak, data breach, or compliance violation.
Poor URL Filtering Invites Pharming Attacks
Microsoft’s Exchange Online and SharePoint Online applications lack a robust URL filtering system. Email and file sharing through these applications can be easily duplicated, leading users to believe that they are interacting with a trusted source. Hackers can exploit this gap by sending phishing emails or attaching malicious files that, when accessed, infect the user’s device or steal their login credentials.
Zero-trust Woes: Lack of Multi-factor Authentication Creates a Glaring Security Gap
Microsoft’s failure to integrate zero-trust principles leaves its customers vulnerable to unauthorized access. Due to the absence of multi-factor authentication in Microsoft applications, cybercriminals can exploit this gap using credential stuffing, brute-force attacks, or phishing to discover a user’s password. They then use the user’s credentials to collect the sensitive content to which that user has access. Microsoft stops at single-factor authentication, leaving organizations vulnerable after a successful phishing attack. Without a second factor to verify the legitimacy of the user logging on, cybercriminals can easily exploit this security gap to gain access to sensitive content. Security architects must therefore assume that some phishing attacks will succeed, and must implement multi-factor authentication in other systems and applications to limit the damage caused by unauthorized access.
Microsoft’s Email Security Gaps Invite Phishing Attacks
Microsoft’s email security measures are not as robust as they should be. While Microsoft’s Exchange Online Protection (EOP) offers some protection against spam and viruses, it fails to detect many phishing attacks. Microsoft’s advanced threat protection (ATP) is an add-on service for EOP, which can potentially discover zero-day malware sent to users as part of a phishing attack, but only for those customers who pay extra for the service.
Kiteworks Closes Microsoft Security Gaps and Vulnerabilities to Protect Businesses From Phishing Attacks, Data Breaches, and Compliance Violations
The Kiteworks Private Content Network provides organizations a secure email solution that mitigates the risk of phishing attacks, data breaches, and compliance violations. With Kiteworks secure email, businesses virtually eliminate the risk of phishing emails. This is because Kiteworks is a closed, invitation-only system. Unlike traditional email platforms, which allow anyone to send an email to anyone else, Kiteworks only accepts emails from authorized individuals. Phishing attacks like business email compromise, clone phishing, spear phishing, and whaling, as well as spam and other online scams, are therefore almost impossible to get through.
Kiteworks also provides extensive authentication and user management capabilities, including one-time passcodes (OTP) via any SMS service such as Twilio, CLX, CM, and FoxBox, as well as a time-based one-time password (TOTP) authenticator that supports soft tokens from authenticator apps such as Google Authenticator, Microsoft Authenticator, and Authy. Kiteworks can also require one-time users like email recipients to authenticate via an SMS code to ensure only authorized users access sensitive email content.
With Kiteworks, businesses can monitor all file transfers and usage across the organization. This visibility ensures that suspicious activity like failed login attempts, logins from an unfamiliar IP address, and suspicious downloads is quickly detected, allowing for swift action to mitigate potential risks. Additionally, Kiteworks integrates with leading enterprise data loss prevention (DLP) solutions, so if an attacker were to obtain an employee’s credentials and try to exfiltrate sensitive content via email or file sharing, the DLP solution would likely flag the attempt and block the transfer.
Kiteworks also offers a Microsoft Outlook plugin that allows enterprise employees to use their existing Microsoft email application but with all the security and compliance capabilities Kiteworks offers. With the plugin, employees use an application, Microsoft Office, that they’re already familiar with, so adoption and utilization concerns are non-issues. Emails are sent and received over the Kiteworks Private Content Network, a closed network that customers, partners, suppliers, and other trusted third parties must be invited into. Emails and their attachments are encrypted in transit and at rest and every file is tracked and logged.
Kiteworks’ closed email system, bolstered by MFA, file activity visibility, and DLP, virtually eliminates phishing risks. Content security, governance, and compliance are further enhanced by a content-defined zero-trust approach that ensures only authorized users can access sensitive data. This includes a hardened virtual appliance and flexible secure deployment options, including on-premises, private cloud, and a FedRAMP virtual private cloud. Lastly, with granular access controls, role-based permissions, and identity and access management (IAM) integration, businesses can rest assured that their sensitive email content remains confidential.
Schedule a custom demo today and learn more about Kiteworks’ secure email capabilities.
Additional Resources
- Brief: Choosing Kiteworks Over Microsoft Purview Means Choosing Best-of-Breed Protection
- Blog Post: Secure File Sharing via Email: A Comprehensive Guide
- Video: What You Need to Know About Kiteworks Microsoft Plugin Capability
- Blog Post: What to Look for in a Secure Email Provider