How to Protect Your Office 365 Email Users from Phishing

by John Callon

Phishing emails targeting Office 365 customers are the top source of security breaches, according to survey data.

In case you missed it, in 2018 phishing officially became the top concern for IT and security managers who have deployed Office 365 at their companies, having eked past ransomware, according to a cybersecurity survey by Osterman Research which we discussed here. Other results from that same survey pretty thoroughly demolished any idea that businesses and security vendors might be getting the upper hand in the battle against phishing—clearly the trend is in the opposite direction.

To sum up a couple of key points again, the survey told us that phishing is the top source of breaches at companies, with over half of organizations reporting at least one successful phishing attack in the past 12 months (they actually reported an average of 11.7 successful phishing attacks, or roughly one a month…). This is consistent with the fact that over half of respondents said that the volume of phishing emails—both volume phishing and targeted phishing—reaching their Office 365 users increased 25 percent over the past year, and the same number consider their phishing security to be “poor” or “mediocre”.

How to Fight Back Against Evasive Phishing?

The onslaught of phishing attacks and successful breaches is directly correlated to the recent rise of the phishing-as-a-service industry and the increased use of “evasive phishing” techniques. To improve your defenses, here are five steps to consider, which we've included in an Office 365 phishing security solutions primer (link way below):

  1. Supplement Office 365 native email security with cloud-based email gateway protection from a security provider. Cloud-based secure email gateways add more advanced security like time-of-click URL analysis, in-line sandboxing, and more robust protection from phishing and spear phishing.
  2. Deploy post-delivery inbox scanning. Add a layer of phishing security at the inbox which kicks in after an email has been scanned by the gateway and delivered, choosing among cloud-based services that continuously monitor, detect and remediate Office 365 user inboxes. Such services can also be helpful in aiding incident response, by alerting email administrators for immediate investigation, and automating the removal of the same email attack from all users’ inboxes, once found.
  3. Deploy a web security gateway. An effective web security gateway will block connections to phishing websites and botnet Command & Control servers. Since most threats today are “mixed threats,” coming inbound over the email channel but completing on the web channel, effective web security can be viewed as an extension of email security (and vice-versa!).
  4. Use multi-factor authentication. Password re-use makes phishing attractive for criminals. Deploy multi-factor authentication on Office 365 to prevent email account compromise. Office 365 login credentials (and other Microsoft apps) are the most heavily targeted business applications because of their reach and the fact that, once credentials are obtained for entry into one app, they open doors into other integrated services.
  5. Continuously train users. Educate users about the social engineering tricks that are used, test them, and repeat on an ongoing basis. The Osterman Research survey cited above did find that 94 percent of businesses with over 100 employees are doing some kind of phishing awareness training. The fact that so many phishing attacks are still succeeding obviously indicates the limitations of over-relying on employees to spot phishing emails, and it’s common to hear declarations from IT managers like “40 percent of my users will click on anything….” But the concept of defense-in-depth suggests that having alert employees will contribute to mitigating risk.
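Step 2 describes the "find it once, remove it from every inbox" workflow of post-delivery remediation. The following is an added example of that logic written for this article; it is not code from the original post or from any vendor product it mentions. It assumes a simplified in-memory model of mailboxes (the `Message` class, the `SAMPLE_INBOXES` data and every host name are constructed for illustration) and shows how one analyst-confirmed phishing email can be turned into a campaign fingerprint, matched against all users' inboxes, and quarantined in a single pass.

```python
"""Hypothetical post-delivery phishing remediation (added example, not the
article's or any product's code). One confirmed phish becomes a campaign
fingerprint that is matched across every mailbox so copies can be pulled
together, the way the article's step 2 describes."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Message:
    msg_id: str
    mailbox: str
    sender: str
    subject: str
    body: str


def extract_hosts(text):
    """Return the lower-cased set of URL hosts found in a message body."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def normalise_subject(subject):
    """Collapse RE:/FW: prefixes, digits and whitespace so copies of one
    phishing template with varying ticket numbers cluster together."""
    s = subject.lower()
    s = re.sub(r"^(\s*(re|fw|fwd)\s*:\s*)+", "", s)
    s = re.sub(r"\d+", "#", s)
    return re.sub(r"\s+", " ", s).strip()


def fingerprint(msg):
    """Campaign fingerprint: sender domain, subject template, linked hosts."""
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    return sender_domain, normalise_subject(msg.subject), frozenset(extract_hosts(msg.body))


def find_campaign_copies(confirmed, inboxes):
    """IDs of messages in any inbox that share a linked host with the
    confirmed phish, or its sender domain plus subject template."""
    ref_domain, ref_subject, ref_hosts = fingerprint(confirmed)
    matches = []
    for msg in inboxes:
        domain, subject, hosts = fingerprint(msg)
        if (ref_hosts and hosts & ref_hosts) or (domain == ref_domain and subject == ref_subject):
            matches.append(msg.msg_id)
    return matches


def quarantine(inboxes, ids):
    """Split mailboxes into what stays delivered and what is pulled for review."""
    wanted = set(ids)
    remaining = [m for m in inboxes if m.msg_id not in wanted]
    quarantined = [m for m in inboxes if m.msg_id in wanted]
    return remaining, quarantined


def affected_mailboxes(quarantined):
    """Per-mailbox counts for the admin alert the article mentions."""
    counts = {}
    for m in quarantined:
        counts[m.mailbox] = counts.get(m.mailbox, 0) + 1
    return counts


# Constructed sample data: five delivered messages across three users.
SAMPLE_INBOXES = [
    Message("m1", "alice@corp.example", "it-support@corp-example-helpdesk.example",
            "Action required: verify your mailbox (ticket 48213)",
            "Your mailbox is full. Verify at https://secure-login-update.example/o365/verify?u=alice"),
    Message("m2", "bob@corp.example", "it-support@corp-example-helpdesk.example",
            "FW: Action required: verify your mailbox (ticket 77102)",
            "Your mailbox is full. Verify at https://secure-login-update.example/o365/verify?u=bob"),
    Message("m3", "bob@corp.example", "payroll@corp.example",
            "Payslip for March",
            "Your payslip is available on https://hr.corp.example/payslips"),
    Message("m4", "carol@corp.example", "notifications@random-sender.example",
            "Shared document",
            "A file was shared with you: https://SECURE-LOGIN-UPDATE.example/doc/open"),
    Message("m5", "carol@corp.example", "it-support@corp-example-helpdesk.example",
            "Scheduled maintenance this weekend",
            "No action needed. Details are on the intranet."),
]


if __name__ == "__main__":
    confirmed = SAMPLE_INBOXES[0]          # analyst reported m1 as phishing
    ids = find_campaign_copies(confirmed, SAMPLE_INBOXES)
    left, pulled = quarantine(SAMPLE_INBOXES, ids)
    print("quarantined:", ids)
    print("alert admins for:", affected_mailboxes(pulled))
```

The matching deliberately uses two independent signals: a shared link host catches the copy sent under a different sender and subject (m4), while sender domain plus subject template catches a variant whose URL has been rotated. A real service would act on message identifiers through the mail platform's API rather than on an in-memory list, but the clustering step is the same.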

Get a free copy of the two-page Office 365 phishing security primer as well as the above-referred-to Osterman Research Office 365 security benchmarking report here.
