Phishing attacks for Microsoft 365, formerly Office 365, are on the rise. In early August 2021, Microsoft issued a warning for users about a new type of phishing attack in which hackers send phishing emails with spoofed sender addresses. By the end of August, the company warned users against another type of phishing attack in which hackers issue a series of malicious redirects to steal Office 365 user names and credentials.
Over the past two years, the rate of phishing attacks has increased significantly, mostly due to the COVID-19 pandemic. A 2021 report from Bolster found a 73 percent increase in phishing and fraudulent sites from 1.9 million to 7 million total sites from 2019 to 2020, with a 185 percent increase in 2020 alone.
Unless companies implement effective phishing awareness training, the rate of phishing attacks will continue to rise. In this post, learn the basics of phishing and best practices to protect your Microsoft 365 users—and your company—from falling prey to phishing attacks.
What is phishing
A subset of malicious social engineering, phishing is a cybersecurity offense that disguises email, telephone, or text messages as coming from a popular brand, such as PayPal or Netflix. It uses trickery to deceive recipients into clicking a link or entering credentials with the intent to compromise devices and steal information.
These malicious links are connected to well-crafted counterfeit websites or domains, where the victims leave their personal information or credit card numbers. The messages often use:
- Catchy subject lines: The subject lines in phishing campaigns are catchy and have compelling calls to action to create a sense of fear of missing out (FOMO).
- Credible hyperlinks: Hackers use operating system tools to disguise contaminated links and make them look harmless.
- Unusual content: The phishing campaigns are built around free giveaways or unrealistic discounts, especially before the holiday season.
Email phishing scams are arguably the most popular, effective, and widespread technique in play today. Here’s how they work:
- A hacker first sends a malicious email to a potential victim.
- The potential victim opens the email and clicks the hyperlink.
- The victim is diverted to a phishing website, where they enter their personal or professional data.
- The hacker steals the data and sells it on the dark web or uses it for malicious purposes.
Common types of phish
The term “phishing” by itself refers to email phishing. Unfortunately, phishing has morphed into several other types:
- Clone phishing: Based on copies of written communication from a business, but with the links substituted for malicious ones. The emails look legitimate to their targets, fooling them into clicking a link.
- Deep fake: Uses artificial intelligence to manipulate the original spoken words, mannerisms, and expressions of a person from audio or video. Used to spread false information or propaganda.
- Pharming: Redirects internet users from a specific, legitimate site to a malicious one by changing the Domain Name System (DNS) table in the web server that hosts it. This form of phishing makes it possible to include legitimate-looking links in phishing emails but is much harder to execute.
- SMS phishing (smishing): Uses phishing techniques over texting communications. Although hackers often disguise the numbers and use shortened links, the messages themselves look authentic.
- Spear phishing: Based on previously gathered information—such as names, addresses, and social security numbers—about a target that’s publicly available or gained from a data breach.
- Voice phishing (vishing): Uses proprietary software to spoof the phone numbers in use, so the “bad guys” can act as salespeople or corporate executives before approaching a potential victim to disclose personal information. While success rates are significantly lower here, it’s quite effective with the elderly and youth.
- Whaling: Tricks C-suite employees into falling for some sort of emergency where they click a link or attachment that installs malware or steals sensitive information.
Why phishing awareness is important
Phishing is everywhere, and it’s spreading like wildfire. With digitalization in full effect globally and across all sectors and industries, the chances of becoming a potential target are greater than ever. According to a recent article from TechRound, Apple users have also fallen victim to phishing—specifically smishing, which grew by 700% in 2021 compared to the second half of 2020.
The fallout of a phishing attack—any cyberattack or data breach, for that matter—can be detrimental to your organization. In 2020 alone, the FBI found that Business Email Compromise (BEC) cost Americans over $4 billion. An attack can disrupt your business operations, damage your reputation, and cost you money and intellectual property.
How to protect Microsoft 365 users from phishing attacks
To prevent a phishing attack from happening to your Microsoft 365 (Office 365) users, implement the following strategies.
1. Use Microsoft’s built-in phishing protection
Microsoft recently moved Microsoft 365 to a “secure by default” model, tightening down its email with out-of-the-box protection for all Exchange users. These measures, powered by machine learning (ML) technology, analyze incoming emails and send suspicious emails to a quarantine folder.
Exchange Online Protection (EOP) includes the following highlights:
- Spoof intelligence insight: Enables you to identify, review, and block potentially risky senders.
- Anti-phishing policies and whitelisting capabilities: Gives users the option to turn off spoof intelligence and manually authorize only selected senders.
- Implicit email authentication: Sends all inbound emails through authentication checks for multiple parameters to expose forged senders.
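To make the last point concrete, here is an added example (not Microsoft’s code, and not from this post) that reads the `Authentication-Results` header Microsoft 365 stamps on inbound mail and triages a message from its SPF, DKIM, DMARC, and composite (`compauth`) verdicts. The three sample headers are constructed; the field names are the documented ones, the IPs and domains are placeholders, and the triage rules are a simplified illustration of the same idea rather than EOP’s actual logic.

```python
import re

# Constructed sample headers in the shape Microsoft 365 writes them. Domains and
# IPs are placeholders; only the verdict fields are parsed below.
SAMPLE_HEADERS = [
    "Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=contoso.example; "
    "dkim=pass (signature was verified) header.d=contoso.example; "
    "dmarc=pass action=none header.from=contoso.example; compauth=pass reason=100",
    "Authentication-Results: spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=paypal.example; "
    "dkim=none (message not signed) header.d=none; "
    "dmarc=fail action=quarantine header.from=paypal.example; compauth=fail reason=000",
    "Authentication-Results: spf=none (sender IP is 192.0.2.9) smtp.mailfrom=newsletter.example; "
    "dkim=none header.d=none; dmarc=none action=none header.from=newsletter.example; "
    "compauth=none reason=405",
]


def parse_auth_results(header: str) -> dict:
    """Extract the spf/dkim/dmarc/compauth verdicts plus the two sender domains.
    The composite 'reason' code is carried through but not interpreted here."""
    body = header.split(":", 1)[1]
    result = {m.group(1): m.group(2)
              for m in re.finditer(r"\b(spf|dkim|dmarc|compauth|reason)=(\w+)", body)}
    header_from = re.search(r"header\.from=([\w.-]+)", body)
    mailfrom = re.search(r"smtp\.mailfrom=([\w.-]+)", body)
    result["header_from"] = header_from.group(1) if header_from else None
    result["smtp_mailfrom"] = mailfrom.group(1) if mailfrom else None
    # Alignment: the visible From domain should match the envelope sender domain.
    result["aligned"] = result["header_from"] == result["smtp_mailfrom"]
    return result


def classify(r: dict) -> str:
    """Simplified triage: explicit DMARC policy first, then the composite verdict."""
    if r.get("dmarc") == "fail":
        return "quarantine: sender domain's DMARC policy failed"
    if r.get("compauth") == "fail":
        return "quarantine: implicit authentication marked the sender as forged"
    if r.get("compauth") == "pass" and r.get("spf") == "pass" and r.get("dkim") == "pass" and r["aligned"]:
        return "deliver: sender authenticated"
    return "review: no authentication signal, treat sender with caution"


def triage_all(headers=SAMPLE_HEADERS) -> list:
    """Return (From domain, verdict) for each header, e.g. for a quarantine report."""
    return [(p["header_from"], classify(p)) for p in map(parse_auth_results, headers)]
```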
2. Apply advanced third-party phishing protection
To augment Microsoft 365 phishing protection, use third-party solutions that protect multiple endpoints and mitigate exposure. Some solutions neutralize malicious attachments by sandboxing or reformatting them, eliminating that risk altogether. Other tools keep your users safe by examining the sender’s IP address and its reputation.
3. Create phishing simulations
Phishing simulations expose employees and teams to malicious emails and text messages and assess how they respond to them. Besides phishing, this method can also assess how participants deal with malware, spyware, and ransomware. When executed properly and periodically, these simulations help rank your employees so you can adjust simulations accordingly.
To make phishing simulations effective:
- Establish a data pipeline with actionable insights for your employees.
- Crunch all data and information offline to devise new training plans.
- Fine-tune and gamify phishing simulations for different departments.
4. Continuously train and test employees on phishing awareness
Besides implementing advanced tools and conducting simulations, continuously train and test your employees on phishing awareness. Choose a phishing awareness solution that:
- Delivers short, bite-sized, and text-based content.
- Engages employees right in their workflow.
- Provides immediate feedback so employees know where they need to improve.
- Uses data and actionable insights—not click rates—to measure success and identify high-risk employees.
- Enables you to customize training according to learners’ needs based on their job role, team, language, and culture.
Reduce phishing risks with BLAST
Follow the guidance in this post to improve your organization’s security posture and boost its “phishing immunity.” In addition to having the right tools in place—either within Microsoft 365 (Office 365) or as a third-party solution—fight phishing and protect your employees with BLAST. BLAST prepares your employees as your first line of defense against phishing attacks. Built on artificial intelligence and machine learning, BLAST enables you to:
- Take out the guesswork: Automatically deliver the right set of phishing simulations for your individual employees and teams.
- Customize simulations: Tailor content to the needs of your employees and teams by job role, department, and location, including high-risk employees, remote workers, and global employees.
- Evaluate ongoing performance ranking and tracking: Gain insights into your high-risk groups and automatically enroll employees in specialized training based on their performance.
This next-gen solution runs independently, requires no configuration, and puts less stress on IT teams. Give phishing the boot. Book a BLAST demo now.