Microsoft Defender for Office 365 Blog

Microsoft Ignite: Redefining email security with LLMs to tackle a new era of social engineering

By Ramya_Chitrakar
Nov 19, 2024

Phishing emails used to be poorly written and full of spelling mistakes, so even when they pretended to be your bank or a notice about an international package waiting for delivery, there were plenty of indicators to make you suspicious. These emails relied on traditional means to gain initial access, such as embedded links, QR codes, or attachments, trying to trick the recipient into clicking on them to compromise the user or device – but GenAI has changed the game.

Our research teams have been observing a trend where adversaries are now using GenAI to craft phishing emails - improving the language, tailoring them to each recipient, and overall making them appear more legitimate. This makes it harder for both recipients and email security solutions to identify them. In addition, AI has enabled adversaries to pivot away from traditional means of compromise like phishing links - instead, they now use AI to converse with the target over longer periods of time to ultimately extract money via payroll fraud or invoicing scams, or simply to gather PII. Business Email Compromise (BEC) campaigns are now smarter, more sophisticated, and harder to detect, because the text itself is being weaponized to build a trust relationship, rather than relying on external tools to achieve a quick compromise.

Social engineering is entering a new era, and it means that email and collaboration security solutions need to adapt: they must identify the nuanced differences between emails, understand their contents more deeply, and recognize malicious intent to keep up with the evolving threat landscape.

That’s why we are excited to announce that Microsoft Defender for Office 365 now uses purpose-built Large Language Models (LLMs) at scale to provide AI-powered email and collaboration security. Our solution now parses language to understand and identify attacker intent and classifies threats at machine speed – keeping malicious emails out of your inbox and giving security operations center (SOC) teams a new level of insight into adversary techniques.

Since our initial rollout to select customers over the past few months, we’ve seen a tremendous impact in keeping malicious emails out of our customers’ inboxes:

Statistics: 99.995% attacker intent detection accuracy and filtering; 140K BEC emails blocked daily based on the LLM alone.

The new LLM-powered content analysis and filtering is now generally available and has been rolled out to all customers.


Enabling effective email campaign investigation with threat classifications

With the addition of LLM-native protection, we’re strengthening our customers’ defenses by detecting, classifying, and mitigating these threats in real time to keep malicious emails out of end user inboxes. At the same time, this new technology provides a new level of insight into attacker techniques, which ensures that even the most subtle forms of Business Email Compromise (BEC) and phishing threats are identified early.

The graphic below depicts the flow of email using our core filtering stack and the new LLM-based model. Following the intent analysis, Defender for Office 365 classifies each threat campaign into a specific category, such as payroll fraud or gift card scam, filtering malicious email before delivery to end users.


Image 1: Microsoft Defender for Office 365 email analysis and filtering stack.


At the same time, we believe that this information is key for security operations center (SOC) teams in enabling a faster, smarter, and more holistic response. Going into public preview in the coming weeks, we will expose threat classification information in the Microsoft Defender portal to improve threat intelligence insights and response over time. It will enable SOC teams to better understand attacker intent and to identify and track the impact of large-scale phishing and spam campaigns across their organization.

The new threat classification system provides several improvements for analysts:

  • Granular threat identification: Provides a deep analysis, classifying threats by type, intent, and severity.
  • Improved incident analysis and faster response: The real-time classification helps security analysts build custom detections and makes it easier to prioritize high-risk incidents, speeding up response and lowering breach risk.
  • Inclusion in advanced hunting: Perform deeper investigation to identify the tactics and patterns used by the attacker.

Threat classification in the Defender portal will start rolling out to customers in December. Initially, the new threat classification will cover various phishing threat categories, including Payroll Fraud, Invoice Scams, Gift Card Fraud, Corporate Data Theft, PII Gathering, Lure-Based Attacks, and Task Manipulation.

The information is surfaced and available across all key experiences in the Microsoft Defender portal, including the Defender for Office 365 threat explorer, the incident experience, and advanced hunting. Within the incident experience, threat classification information is included in relevant alerts and response actions, as shown in Image 2.

Image 2: Integration of threat classification information in the incident experience


In advanced hunting, analysts can now build queries based on threat classification, to better understand how their organization is affected by various campaign types.

Image 3: Integration of threat classification information into the advanced hunting experience in the Defender portal

As email threat campaigns continue to evolve, AI-based protection will play a key role in keeping up with attackers. Today’s announcement is only the first step in showcasing how Microsoft Defender for Office 365 uses Large Language Models (LLMs) to keep malicious emails out of inboxes and provides SecOps teams with better insight into attacker techniques, securing organizations against large-scale campaigns. We will continue to innovate in this space to provide leading email and collaboration protection, informed by the latest technology and a deep understanding of the threat landscape.

Updated Nov 20, 2024
Version 2.0