- stock.ado

A quarter of phishing emails bypass Office 365 security

Cloud-based email is leaving enterprises vulnerable to phishing attacks capable of giving cyber criminals access to a wide range of critical data, warn security researchers

A quarter of phishing emails bypass default Office 365 security, an analysis of more than 52 million emails across nine industry sectors by enterprise cloud-native security firm Avanan reveals.

That proportion is expected to increase as attackers design new obfuscation methods that take advantage of zero-day vulnerabilities on the Office 365 and other cloud-based office software platforms, according to the Global phish report.

The report notes that phishing attacks have become the most widespread email threat to organisations around the world, with attacks keeping pace with security controls, evolving to evade detection.

“For most organisations, phishing is the number one email security threat, outranking both malware and ransomware,” the report said, highlighting the finding that one in every 99 emails is a phishing attack.

“Cloud-based email, despite all of its benefits, has unfortunately launched a new era of phishing attacks,” said Yoav Nathaniel, lead security analyst at Avanan. “The nature of the cloud provides more vectors for hackers and gives them broader access to critical data when a phishing attack is successful.

“Organisations are in desperate need for more information on phishing attacks and how to combat these attacks. We conducted this research to help inform organisations and shed light on how to keep sophisticated attacks out of their environment,” he said.

In their analysis of emails sent to Office 365, Avanan researchers scanned every email after the default security, enabling them to see the phishing attacks that were caught as well as those that were missed.

Whitelisting emails

The analysis shows that while 49% of phishing emails were marked as spam by Office 365 Exchange Online Protection (EOP) and 20.7% were identified correctly as phishing emails, 25% were marked as clean and 5.3% were not blocked due to admin configurations set up by the organisation that inadvertently whitelist emails that would otherwise get blocked, meaning that 30.3% of phishing emails were delivered. 

According to the researchers, obfuscation methods are the most advanced phishing attacks, leveraging specific vulnerabilities in Office 365 security layers.

“Hackers obfuscate the URL [uniform resource locator], making it unrecognisable to Office 365 security, which fails to blacklist the malicious content,” the report said, which means attackers can use URLs that are even known to be malicious.

“And because EOP and Advanced Threat Protection (ATP) use the same first layer of email body parsing (though ATP has a unique attachment parser), all email body obfuscation methods we tested effectively bypassed both security layers of Office 365,” the report said.

Obfuscation methods have been used in some of the most notable attacks in the past year, the reports said, with researchers uncovering several high-profile obfuscation methods. Most notably, the BaseStriker attack, which used <base> tags in the html of the email to split links into multiple parts, making them unrecognisable to Microsoft Safe Links.

Most recently, the report said the NoRelationship attack bypassed Proofpoint and EOP by removing malicious links from the relationship file to confuse link parsers, which scan Office documents like PowerPoint ,Word, and Excel.

An analysis of 55.5 million emails, including 3.1 million sent to organisations using G-suite revealed that attackers use four main approaches.

The top objective is to lure recipients into launching malware on their systems (50.7%), followed by credential harvesting (40.9%), extortion (8%) and spear phishing (0.4%).

Malicious content

Malware attacks often bypass traditional malware scans because the email itself is not malicious, but contains a link that triggers a download of malicious content or has a malicious attachment.

Credential harvesting attacks are typically designed to lure the victim into divulging personal information that grants access to corporate and online accounts or personal finances.

Usually, credential harvesting attacks impersonate trusted brands to trick the recipient into entering their username and password in a spoofed login page. With these credentials, hackers take over the victim’s account or sell the information on the black market.

Although spear phishing is far less common than the other three vectors, the report said it often has the largest impact because these attacks typically target high-level employees who have access to either company finances or other sensitive information.

The report notes that these phishing attacks can also be the most difficult to detect, given the lack of attachments or links that can be flagged by anti-phishing tools.

“They rely on social engineering, rather than technical bypass methods, to deceive targets into surrendering a wealth of information,” the report said.

Approached for comment, a Microsoft spokesperson said: “Contrary to Avanan’s marketing claims, Office 365 uses a multi-layered filtering solution to detect and combat phishing attacks.”

In a September 2018 blog post, company representative Debraj Ghosh said that since launching Office 365 Exchange Online Protection (EOP) and Advanced Threat Protection (ATP), Microsoft has continuously made significant enhancements across anti-phish capabilities, reporting, and effectiveness in malware and phish catch. 

“To this end, we have reported a >99.9% average malware catch rate, and the lowest miss rate of phish emails reported amongst other security vendors for Office 365.”

The blog post also notes that often third-party testing is incomplete in its assessment of the full end to end service. 

“These tests at times can provide guidance on the performance of a particular service and how it compares with peers. However, there are often gaps in the testing that can misconstrue results,” the blog post reads.

The blog cited the main gaps from third-party testing as: how to count a “miss”, misconfiguring the solution, and the fact that third-party testing does not measure many aspects of the email security stack.

Read more on Hackers and cybercrime prevention

Data Center
Data Management