%3CLINGO-SUB%20id%3D%22lingo-sub-279274%22%20slang%3D%22en-US%22%3ERe%3A%20Welcome%20to%20The%20Cyberskinny!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-279274%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F824%22%20target%3D%22_blank%22%3E%40Michael%20Hunsberger%3C%2FA%3E%2C%20yes%20sir.%3C%2FP%3E%0A%3CP%3ECheck%20out%20these%20links%3A%3C%2FP%3E%0A%3CP%3E-%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2FSecurityCompliance%2Feop%2Fbest-practices-for-configuring-eop%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EEOP%20best%20practices%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E-%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Foffice-365-atp%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EATP%20goodness%20here%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThere's%20also%20lots%20of%20good%20information%20on%20the%20%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Fmicrosoftsecure%2F%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMicrosoft%20Secure%3C%2FA%3E%20site.%3C%2FP%3E%0A%3CP%3EHope%20that%20helps!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-279269%22%20slang%3D%22en-US%22%3ERe%3A%20Welcome%20to%20The%20Cyberskinny!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-279269%22%20slang%3D%22en-US%22%3E%3CP%3EMichael%20Sampson%2C%20that%20infographic%20is%20from%20the%20original%20Microsoft%20blog%20%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Fmicrosoftsecure%2F2018%2F10%2F17%2Fhow-office-365-learned-to-reel-in-phish%2F%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%20I%20read%20it%20as%20%2220%25%20of%20people%20who%20receive%20a%20malicious%20hyperlink%20click%20it%20within%20the%20first%205%20minutes%22%2C%20so%201)%20in%20your%20scenario.%20It's%20not%20clarified%20in%20the%20original%20blog%20so%20it%20could%20be%20interpreted%20in%20either%20of%20the%20ways%20you%20state.%20That%20being%20said%2C%20I%20don't%20think%20it's%20unexpected%20that%201%20in%205%20people%20click%20on%20a%20malicious%20link%20they%20receive%20almost%20immediately.%20Phishing%20training%20and%20awareness%20has%20improved%20greatly%20over%20the%20past%20couple%20of%20years%2C%20but%20so%20have%20phisher's%20ttp's%20(tools%2C%20techniques%2C%20and%20practices).%20Thanks%20for%20reading%20and%20commenting.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-278972%22%20slang%3D%22en-US%22%3ERe%3A%20Welcome%20to%20The%20Cyberskinny!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-278972%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20idea%20-%20looking%20forward%20to%20reading%20more%20in%20the%20coming%20weeks.%20Do%20you%20have%20any%20good%20links%20for%20someone%20just%20getting%20started%20configuring%20EOP%2FATP%20in%20an%20O365%20tenant%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-278259%22%20slang%3D%22en-US%22%3ERe%3A%20Welcome%20to%20The%20Cyberskinny!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-278259%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F40549%22%20target%3D%22_blank%22%3E%40Denny%20Stripling%3C%2FA%3E%26nbsp%3BCan%20you%20please%20clarify%20one%20of%20the%20stats%20you%20shared%20above.%20You%20say%20%2220%25%20of%20users%20click%20on%20a%20malicious%20link%20in%20first%205%20minutes.%22%20Does%20this%20mean%3A%3C%2FP%3E%3COL%3E%3CLI%3EOf%20all%20the%20users%20who%20%3CSTRONG%3Ereceive%3C%2FSTRONG%3E%20a%20malicious%20link%2C%2020%25%20click%20on%20it%20in%20the%20first%205%20minutes%2C%20OR%3C%2FLI%3E%3CLI%3EOf%20all%20the%20users%20who%20%3CSTRONG%3Eeventually%20click%3C%2FSTRONG%3E%20a%20malicious%20link%2C%2020%25%20do%20so%20in%20the%20first%205%20minutes.%3C%2FLI%3E%3C%2FOL%3E%3CP%3EI%20read%20the%20stat%20as%20%231%2C%20but%20I%20think%20you%20mean%20%232.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-276979%22%20slang%3D%22en-US%22%3EWelcome%20to%20The%20Cyberskinny!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-276979%22%20slang%3D%22en-US%22%3E%3CP%3EWelcome%20to%20my%20new%20blog%2C%20where%20we%20will%20savor%20tasty%20cybersecurity%20morsels%20from%20time%20to%20time.%20Topics%20may%20be%20industry-focused%20(Healthcare%20more%20often%20than%20not)%20or%20they%20may%20be%20industry-agnostic%2C%20but%20they%20will%20be%20cybersecurity-based.%20And%20they%20will%20be%20skinny.%20I%20haven't%20decided%20on%20a%20cadence%20yet%20so%20let's%20see%20where%20this%20goes.%20If%20you%20can%20pick%20out%20the%20%3CEM%3E%3CEM%3Esecondary%20theme%3C%2FEM%3E%3C%2FEM%3E%20of%20today's%20tasty%20tapas%2C%20feel%20free%20to%20let%20the%20world%20know%20in%20the%20comments!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you're%20reading%20this%20blog%2C%20you're%20probably%20familiar%20with%20this%20fact%3A%20%3CU%3E%3CSTRONG%3EPhishing%20is%20a%20problem.%20A%20big%20one.%20%3C%2FSTRONG%3E%3C%2FU%3E%3C%2FP%3E%0A%3CP%3EPhishers%20around%20the%20world%20sit%20at%20their%20computers%20looking%20surly%20and%20muttering%20things%20like%20%22I%20aim%20to%20misbehave%22.%20Then%20they%20send%20out%20massive%2C%20broad%20phishing%20email%20campaigns.%20I%20mean%2C%20who%20doesn't%20want%20a%20Nigerian%20prince%20to%20hook%20them%20up%20with%20some%20sweet%20coin%3F%3C%2FP%3E%0A%3CP%3EThe%20savvier%20ones%20take%20the%20time%20to%20identify%20juicy%20targets%20and%20begin%20to%20socially%20stalk%20(aka%20%22engineer%22)%20them.%20They%20identify%20some%20poor%20Mrs.%20Reynolds%20and%20initiate%20a%20campaign%20to%20gain%20her%20virtual%20trust%2C%20generally%20with%20but%20one%20goal%20in%20mind%3A%20%3CI%3Eget%20those%20creds%3C%2FI%3E.%26nbsp%3B%20Once%20they%20have%20%3CI%3Ethose%20creds%3C%2FI%3E%2C%20the%20nefarious%20game%20is%20afoot.%3C%2FP%3E%0A%3CP%3EWe've%20all%20likely%20seen%20the%20situation%20and%20the%20numbers%20but%20they're%20worth%20repeating.%3C%2FP%3E%0A%3CP%3EHere's%20a%20good%20view%20of%20what%20the%20phishing%20attack%20spectrum%20looks%20like.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22CS%20phishing%20spectrum.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F58070i1B93FC78B9D89F48%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22CS%20phishing%20spectrum.png%22%20alt%3D%22CS%20phishing%20spectrum.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDo%20users%20bite%3F%20Yes.%20Yes%20they%20do.%20And%20the%20further%20attackers%20move%20to%20the%20right%20above%2C%20the%20higher%20the%20hook%20rate%20(and%20monetary%20gain)%20they%20achieve.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22CS%20phishing%20numbers.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F58071i004722CFD1C85D18%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22CS%20phishing%20numbers.png%22%20alt%3D%22CS%20phishing%20numbers.png%22%20%2F%3E%3C%2FSPAN%3ESo%20how%20do%20we%20protect%20ourselves%2C%20our%20customers%2C%20our%20patients%2C%20our%20employees%3F%20Normally%20a%20lengthy%20discussion%20ensues%20at%20this%20point%20but%20in%20today's%20Cyberskinny%20we%20are%20going%20to%20discuss%20one%20thing%20in%20particular%3A%20Protecting%20users%20from%20Phishing%20at%20the%20front%20door%20-%20i.e.%20the%20email%20entry%20vector.%20%3CI%3EShiny%3C%2FI%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20one%20of%20the%20largest%20and%20most%20heavily%20attacked%20email%20services%20on%20the%20planet%2C%20Microsoft's%20Office365%20serves%20as%20an%20excellent%20petri%20dish%20for%20a%20phishing%20miss%2Fcatch%20rate%20study.%20Microsoft%20recently%20posted%20an%20excellent%20%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Fmicrosoftsecure%2F2018%2F10%2F17%2Fhow-office-365-learned-to-reel-in-phish%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Eblog%3C%2FA%3E%20describing%20a%20market%20comparison%20of%20our%20now%20top-flight%20phishing%20protection%20as%20surfaced%20through%20Office365%20EOP%20(Exchange%20Online%20Protection)%20and%20ATP%20(Advanced%20Threat%20Protection).%20I'll%20summarize%20the%20high%20points%20here%20as%20I%20think%20they%20bear%20repeating.%20You%20can%20check%20out%20the%20official%20blog%20for%20all%20the%20juicy%20details.%3C%2FP%3E%0A%3CP%3EMicrosoft%20tested%20phish%20catch%20rate%20(model%20captured%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FSecurity-Privacy-and-Compliance%2FHow-Microsoft-Measures-Effectiveness-of-Malware-amp-Phish-Catch%2Fba-p%2F263248%22%20target%3D%22_blank%22%3Ehere%3C%2FA%3E)%20for%20Office365%20email%20accounts%20across%20two%20periods%20from%20Nov%20'17-Jan%20'18%20and%20May%20'18-Sept%20'18.%20We%20compared%20our%20own%20solution%20(EOP%2FATP)%20against%2011%20other%20email%20protection%20vendors.%20The%20volume%20of%20O365%20email%20that%20Microsoft%20protects%20is%20staggering%20compared%20to%20the%20rest%20of%20the%20market%2C%20hence%20some%20normalization%20had%20to%20be%20applied%20(again%2C%20the%20blog%20has%20the%20gory%20details).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESo%20how%20did%20it%20play%20out%3F%3C%2FP%3E%0A%3CP%3EIn%20January%20the%20results%20showed%20that%E2%80%A6%20hmmm.%20Decent%20results%2C%20but%20subpar%20compared%20to%20the%20high%20bar%20that%20had%20been%20set%20across%20the%20market.%20Looks%20like%20we%20had%20some%20work%20to%20do.%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESo%20the%20engineers%20in%20Redmond%20strapped%20on%20their%20orange%2Fred%2Fyellow%20woven%20hats%20and%20went%20to%20work.%3C%2FP%3E%0A%3CP%3ETheir%20progress%20was%20covered%20in%20a%20three-part%20blog%20series%20starting%20in%20March%20(%22Schooling%20a%20Sea%20of%20Phish%20Parts%201-3%22%2C%20part%201%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FSecurity-Privacy-and-Compliance%2FSchooling-A-Sea-of-Phish-Part-1-How-Office-365-Advanced-Threat%2Fba-p%2F168378%22%20target%3D%22_blank%22%3Ehere%3C%2FA%3E)%20and%20the%20same%20testing%20methodology%20was%20run%20again%20from%20May%20to%20September.%20The%20results%3F%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EA%20massive%20improvement%2C%20putting%20Microsoft's%20EOP%20and%20ATP%20right%20at%20the%20very%20top%20of%20the%20heap%20in%20terms%20of%20phish%20catch%20rate%3C%2FSTRONG%3E%20(see%20bottom%20figure%20in%20this%20blog).%20This%20is%20indicative%20of%20Microsoft's%20massive%20signal%20in%20the%20Intelligent%20Security%20Graph%20(%3CEM%3E6.5%20trillion%20signals%20per%20day%3C%2FEM%3E)%20paired%20with%20ever-evolving%20machine%20learning%20and%20AI%2C%20supported%20by%203%2C500%20security%20researchers%20and%20an%20annual%20%241B%20spend%20on%20security%20R%26amp%3BD.%3C%2FP%3E%0A%3CP%3EIf%20you%20haven't%20considered%20Microsoft%20to%20be%20one%20of%20your%20primary%20security%20partners%20(and%20two%20years%20ago%20I%20couldn't%20fault%20you)%2C%20you%20should%20now.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESo%20strap%20on%20your%20blue%20hat%20(and%20browncoat)%2C%20fire%20up%20some%20EOP%2FATP%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2FSecurityCompliance%2Feop%2Fbest-practices-for-configuring-eop%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere's%3C%2FA%3E%20how)%20and%20protect%20your%20O365%20users%20with%20arguably%20the%20best%20solution%20in%20the%20industry.%20Ahhhh%E2%80%A6%20%3CI%3ESerenity%3C%2FI%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20hope%20to%20see%20you%20back%20here%20again%20soon%20and%20remember%E2%80%A6%20%3CI%3Eyou%20can't%20stop%20the%20signal.%3C%2FI%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%26nbsp%3B%3C%2FI%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22CS%20phish%20results.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F58074i84BCACA9F9AA29DB%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22CS%20phish%20results.png%22%20alt%3D%22CS%20phish%20results.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FI%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-276979%22%20slang%3D%22en-US%22%3E%3CP%3EJoin%20us%20today%20for%20the%20Cyberskinny%2C%20where%20we%20will%20partake%20of%20some%20bite-sized%20morsels%20of%20cybersecurity%20goodness.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22security%20pic.png%22%20style%3D%22width%3A%20457px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F58075i8ED644CABBF4AA26%2Fimage-dimensions%2F457x105%3Fv%3D1.0%22%20width%3D%22457%22%20height%3D%22105%22%20title%3D%22security%20pic.png%22%20alt%3D%22security%20pic.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-TEASER%3E
Microsoft

Welcome to my new blog, where we will savor tasty cybersecurity morsels from time to time. Topics may be industry-focused (Healthcare more often than not) or they may be industry-agnostic, but they will be cybersecurity-based. And they will be skinny. I haven't decided on a cadence yet so let's see where this goes. If you can pick out the secondary theme of today's tasty tapas, feel free to let the world know in the comments!

 

If you're reading this blog, you're probably familiar with this fact: Phishing is a problem. A big one.

Phishers around the world sit at their computers looking surly and muttering things like "I aim to misbehave". Then they send out massive, broad phishing email campaigns. I mean, who doesn't want a Nigerian prince to hook them up with some sweet coin?

The savvier ones take the time to identify juicy targets and begin to socially stalk (aka "engineer") them. They identify some poor Mrs. Reynolds and initiate a campaign to gain her virtual trust, generally with but one goal in mind: get those creds.  Once they have those creds, the nefarious game is afoot.

We've all likely seen the situation and the numbers but they're worth repeating.

Here's a good view of what the phishing attack spectrum looks like.


CS phishing spectrum.png

 

Do users bite? Yes. Yes they do. And the further attackers move to the right above, the higher the hook rate (and monetary gain) they achieve.


CS phishing numbers.pngSo how do we protect ourselves, our customers, our patients, our employees? Normally a lengthy discussion ensues at this point but in today's Cyberskinny we are going to discuss one thing in particular: Protecting users from Phishing at the front door - i.e. the email entry vector. Shiny.

 

As one of the largest and most heavily attacked email services on the planet, Microsoft's Office365 serves as an excellent petri dish for a phishing miss/catch rate study. Microsoft recently posted an excellent blog describing a market comparison of our now top-flight phishing protection as surfaced through Office365 EOP (Exchange Online Protection) and ATP (Advanced Threat Protection). I'll summarize the high points here as I think they bear repeating. You can check out the official blog for all the juicy details.

Microsoft tested phish catch rate (model captured here) for Office365 email accounts across two periods from Nov '17-Jan '18 and May '18-Sept '18. We compared our own solution (EOP/ATP) against 11 other email protection vendors. The volume of O365 email that Microsoft protects is staggering compared to the rest of the market, hence some normalization had to be applied (again, the blog has the gory details).

 

So how did it play out?

In January the results showed that… hmmm. Decent results, but subpar compared to the high bar that had been set across the market. Looks like we had some work to do. 

So the engineers in Redmond strapped on their orange/red/yellow woven hats and went to work.

Their progress was covered in a three-part blog series starting in March ("Schooling a Sea of Phish Parts 1-3", part 1 here) and the same testing methodology was run again from May to September. The results?

A massive improvement, putting Microsoft's EOP and ATP right at the very top of the heap in terms of phish catch rate (see bottom figure in this blog). This is indicative of Microsoft's massive signal in the Intelligent Security Graph (6.5 trillion signals per day) paired with ever-evolving machine learning and AI, supported by 3,500 security researchers and an annual $1B spend on security R&D.

If you haven't considered Microsoft to be one of your primary security partners (and two years ago I couldn't fault you), you should now.

 

So strap on your blue hat (and browncoat), fire up some EOP/ATP (here's how) and protect your O365 users with arguably the best solution in the industry. Ahhhh… Serenity.

 

I hope to see you back here again soon and remember… you can't stop the signal.

 

CS phish results.png

 

4 Comments
Occasional Contributor

@Denny Stripling Can you please clarify one of the stats you shared above. You say "20% of users click on a malicious link in first 5 minutes." Does this mean:

  1. Of all the users who receive a malicious link, 20% click on it in the first 5 minutes, OR
  2. Of all the users who eventually click a malicious link, 20% do so in the first 5 minutes.

I read the stat as #1, but I think you mean #2.

New Contributor

Great idea - looking forward to reading more in the coming weeks. Do you have any good links for someone just getting started configuring EOP/ATP in an O365 tenant? 

Microsoft

Michael Sampson, that infographic is from the original Microsoft blog here. I read it as "20% of people who receive a malicious hyperlink click it within the first 5 minutes", so 1) in your scenario. It's not clarified in the original blog so it could be interpreted in either of the ways you state. That being said, I don't think it's unexpected that 1 in 5 people click on a malicious link they receive almost immediately. Phishing training and awareness has improved greatly over the past couple of years, but so have phisher's ttp's (tools, techniques, and practices). Thanks for reading and commenting.

Microsoft

@Michael Hunsberger, yes sir.

Check out these links:

- EOP best practices

- ATP goodness here

 

There's also lots of good information on the Microsoft Secure site.

Hope that helps!