Forum Discussion

Cian Allner
Silver Contributor
Sep 08, 2017

How Microsoft thwarts phishing attacks with Office 365

It's no surprise Office 365 phishing attacks are on the rise; Office 365 is a nice juicy target for the bad guys. If just one account is compromised, it potentially provides access to so much data that it could snowball and risk major data leakage etc.

 

Image credit Fujitsu http://bit.ly/2wNKTBB

How many users would fall for a fake login screen taking the above into account, like this:

 

Image credit: http://bit.ly/2vKinO3

Or this perhaps: 

 

Image source: http://bit.ly/2jbiXCz

Microsoft has published "Microsoft thwarts phishing attacks with Office 365", which is well worth reviewing to get a better understanding of what Microsoft is doing about this.

10 Replies

  • Cian Allner
    Silver Contributor

    A few updates that might be of interest including the risk of ransomware infecting Office 365 mailboxes and the corresponding mitigation.  

     

    Ransomware is a well-known threat that usually comes in via phishing links or via email attachments. Taking this to the next level, there is a risk of Office 365 mailboxes being encrypted and held for ransom. Other cloud services may also be affected.

     

    This was shown a couple of days ago on an Office 365 mailbox; while it was simulated, it's still alarming and well worth reviewing.

     

    Here is a demonstration, which shows a link in a phishing email being clicked and the user agreeing to grant rights, then all emails being encrypted and then finally the ransom being paid and all emails restored: 

     

     

    It's possible to mitigate this threat but it does have implications, as it requires turning Integrated Apps off on a tenant per these instructions; this setting is on by default:

     

     

    Obviously, review the impact before changing this setting. Coaching/training staff in how to spot phishing emails, and not to act when they are instructed to carry out actions like clicking links etc., is crucial. Make sure staff know about Safety tips and how to take them into account - Safety tips in email messages in Office 365.

     

     

    Also, it's important that when harmful spam/phishing does get through, it is reported properly. Here are some instructions on how to do this - When creating support tickets about spam, be sure to include message headers.

    • Kazzan
      MVP
      Yes, it will be really important to set the company tenant right regarding security, which must be carefully balanced between security and usability.
      • Cian Allner
        Silver Contributor

        That's true, Petr. It's always a balancing act and it is important to get the right approach, one that doesn't unnecessarily diminish productivity but also protects from different types of threats. Things like conditional access and MFA are great in those regards.

         

        Microsoft has talked more about what they are calling Illicit Consent Grants, which was the approach used in that proof of concept to encrypt a user's Office 365 mailbox for ransom. 

         

        "Office 365 Security has been tracking an emergent threat to customer data in the Office 365 cloud over the last year. This blog post is intended to help IT Administrators of Office 365 organizations detect, monitor, and remediate this threat."

         

        Microsoft is recommending admins proactively run a script at least weekly to unearth applications with illicit permissions. Further advice here - Defending Against Illicit Consent Grants.

         

        It would be great if these are added in Azure AD reporting, as currently this can only be viewed on a per-user basis in the portal. Then get them added to Secure Score, as an additional check.
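
An added example, not part of the thread and not Microsoft's script: a Python triage of exported delegated permission grants that flags apps holding mail or file access, the kind of grant behind the illicit consent described above. The field names follow Microsoft Graph's oauth2PermissionGrant resource; the sample records, app IDs, high-risk scope list and sort order are constructed assumptions.

```python
"""Triage of delegated OAuth permission grants (added example, constructed data)."""

# Assumption: scopes treated as high risk for this review; tune per tenant.
HIGH_RISK_SCOPES = {
    "mail.readwrite", "mail.send", "mail.read",
    "files.readwrite.all", "contacts.readwrite", "mailboxsettings.readwrite",
}

# Constructed sample in the shape of Microsoft Graph oauth2PermissionGrant records.
SAMPLE_GRANTS = [
    {"clientId": "app-0001", "consentType": "Principal", "principalId": "user-17",
     "scope": "openid profile offline_access Mail.ReadWrite Mail.Send"},
    {"clientId": "app-0002", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read"},
    {"clientId": "app-0003", "consentType": "Principal", "principalId": "user-42",
     "scope": " User.Read  openid "},
    {"clientId": "app-0004", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Files.ReadWrite.All offline_access"},
]


def risky_scopes(grant):
    """Return the sorted high-risk scopes in a grant's space-separated scope string."""
    scopes = (grant.get("scope") or "").split()
    return sorted(s for s in scopes if s.lower() in HIGH_RISK_SCOPES)


def triage(grants):
    """Return findings for grants with high-risk scopes, user-consented ones first."""
    findings = []
    for g in grants:
        hits = risky_scopes(g)
        if not hits:
            continue
        scopes = {s.lower() for s in (g.get("scope") or "").split()}
        findings.append({
            "clientId": g["clientId"],
            # "Principal" means one user consented; "AllPrincipals" is admin consent.
            "granted_by": "user" if g.get("consentType") == "Principal" else "admin",
            "principalId": g.get("principalId"),
            "scopes": hits,
            # offline_access lets the app keep access through refresh tokens.
            "persistent": "offline_access" in scopes,
        })
    findings.sort(key=lambda f: (f["granted_by"] != "user", -len(f["scopes"])))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_GRANTS):
        print(finding)
```
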

      • Cian Allner
        Silver Contributor

        Thanks Vasil, that's a useful feature that should help and sounds like it's overdue. If I understand correctly, does that mean if someone spoofs your email address (for example), currently it shows your photo to the recipient, lending more credence that it's really a legitimate email when it's actually from the spoofed sender? With this feature, there will be a question mark on the sender photo instead, as it's unauthenticated.

         

        It would be nice to see it across all Outlook platforms, assuming it's OWA/Outlook.com only, which it sounds like.
