Threat Brief: Employers Using Microsoft 365 Are Especially Vulnerable to Phishing Attacks During the Pandemic

by

Microsoft 365 is pervasive and profoundly vulnerable.

Microsoft 365 has been adopted and used at an enormous rate and now powers 600,000 companies in the United States alone.  It’s wildly successful. 

Also successful?  The scammers targeting these companies with sophisticated phishing attacks.  78% of Microsoft 365 administrators have reported successful security breaches, citing email phishing as the leading cause.

All cloud inboxes are simply more vulnerable than on-premises email platforms.  But enterprises using Microsoft 365 consistently report higher levels of successful phishing attacks.

What makes Microsoft 365 uniquely vulnerable to phishing and scams?

  • Its native security has a 16% false negative rate for spam and phishing emails, according to Mimecast.

  • If a scammer uses a spoofed/lookalike/soundalike domain that doesn’t exactly match your domain name, Microsoft 365 won’t flag the activity.  It also won’t flag spoofed domains for your business partners or even well-known brands.  “Saleforce.com” will still go through.

  • Microsoft 365 uses static blacklists when scanning URLs for threats.  Meanwhile phishing sites can have short life spans, even just a few hours.  Analyzing each site in real time is a far stronger form of prevention.

  • And Microsoft 365 uses virtual sandboxing to scan attachments in an email. But sophisticated threats require deeper inspection of embedded documents and code.

Newly remote workforces are also more vulnerable to evasive phishing attacks during the pandemic.

With the world threatened and preoccupied by Covid-19, cybercriminals are taking advantage of the chaos.  Scammers rushed to target scattered workforces that are distracted, stressed, and accessing cloud systems from their home networks.

Since March, Cyren has reported:

  • A surge in malware using Excel4 Macros (XLM) in hidden worksheets, under the guise of “Important information about CoVid-19”

  • AgentTesla sending an email posing to have an order of surgical masks

  • And simple, age-old attacks with malicious Powerpoint slides attached

The pandemic has been a perfect storm for cloud inbox security.

In response to the pandemic, many enterprises abruptly adopted new tools and protocols, without the necessary security measures or training in place.

IT admins and SOC teams were already stretched to the limit. Their cybersecurity skills are in short supply, and sick/depleted staff are struggling to respond to the growing alerts they are bombarded with. 

And, cruelly, phishing and fraud attacks are designed to create a sense of urgency.  They induce people to click or follow instructions--reflexive behavior for an on-edge workforce.  According to the 2019 Global Data Exposure Report, “78% of CSOs and 65% of CEOs admit to clicking on a link they should not have, showing that no level of employee is immune to lapses in judgment.”

Anatomy of an attack

Companies worldwide are up against sophisticated email attacks like Business Email Compromises (BEC).  These attacks are also known as spear phishing, impersonation, and whaling, with the goal of convincing an end-user to release money or provide account information.  

One method of phishing is known as a Phishing URL.  In this attack, you receive an email from Microsoft asking you to verify your credentials.  The email looks completely normal, but what lurks behind the verify button isn’t. 

The goal here is to steal your account password or other confidential information by tricking you into believing you're on a legitimate website.  It’s effective, and even tricked savvy tech reporters on this classic Reply All episode “What Kind Of Idiot Gets Phished?”

If you’re already using an email gateway and URL wrapping, good for you!  But you’re only halfway there.

When an email hits your email gateway, it’s scanned and then delivered to your inbox. The gateway checked the email’s links against a database and the results came back clean.  We can relax, right?

What your SEG doesn’t see?  The “verify your credentials” email “from Microsoft” actually links to a cooking website.  Since that site is real, the email sailed through.

Then 5 minutes later, the clever attackers redirect the URL from the cooking site to a known Microsoft phishing site.  This method is called a delayed detonation. 

Secure Email Gateways cost $3B last year… and phishing attacks are still fooling them.

Despite investing a record $3B in Secure Email Gateways (SEGs) in 2019, US companies still lost $1.7B to phishing. 

Activating or uploading malicious content to a target web page only after the email has been scanned isn’t a new scam.  Advanced SEGs countered this tactic with “time-of-click” detection, which automatically rescans an email when the user clicks the link. It gives the SEG one last chance to detect a malicious URL. 

However, it is not without flaws. Spear phishing and Business Email Compromise (BEC) attacks don’t contain URLs or attachments, so they appear harmless to the SEG. Once the tainted email has evaded the SEG, the user is the last line of defense.

What it looks like:  Often a Business Email Compromise attack uses the organization’s own internal communications to listen, learn, and execute a crime. The attacker might target and then observe the mailbox of a well-placed employee to learn when an executive is going on vacation, what payments are coming due, and who is responsible for vendor payments. This information can be used to plan a convincing wire fraud attack.  (Yes this happens.)  

People are… well, people ¯\_(ツ)_/¯

Evasion tactics trick users as well. 50% of users click on links because social engineering creates a sense of urgency, especially when:

  • cousin domains are used to obfuscate URLs.

  • Punycode attacks use foreign language characters that resemble English ones.

  • Attackers serve up local versions of a spoofed site, so the domain looks legitimate, but it’s not.

What it looks like: Consider the employee who receives a vendor email saying a security vulnerability in the shadow application he is using has just been patched, so “please click now to update and verify your ID.” Not only does a counterfeit email/site look and act like the real thing, it has all the expected security trappings. Even the most vigilant, security-trained users fall for these tricks.

Bad actors even manage to evade detection by cybersecurity companies. They learn the IP address ranges of these companies and block the connection attempt. Or they change a couple of pixels in a fingerprinted image so tampering isn’t detected. Target website HTML code is often obfuscated and encrypted.

It took Microsoft 6 months to finally acknowledge Covid-19-related cybercrimes

On July 7, Microsoft revealed they’ve been working since December 2019 to wrest control of key domains used in vast cyber attacks in 62 countries.  

This particular phishing scheme used Covid-19-related lures to defraud Microsoft 365 customers.  It’s one of many attacks we’ve seen.  With tensions high and IT resources stretched to the limit, the pandemic is the perfect storm for cloud inbox security.  But Microsoft’s silence shows it’s “on companies” to protect themselves and their [remote] employees.

Defense 1:  Layering on Inbox Detection and Response

Enterprises using cloud-hosted email urgently need an inner layer of email security called Inbox Detection and Response (IDR). While the trusty Secure Email Gateway filters spam and known threats, it can’t detect sophisticated or evasive attacks, like account takeovers, phishing, spearphishing, and Business Email Compromise (BEC).

IDR solutions instead hook into users’ inboxes, continuously scan all inbound and outbound emails in all folders​, and automatically follow links.  They check URLs for favicons, mismatched logos, legitimate site maps, domain owners, security certificates, even regionalized code - all indicators that help flag, "Is this a valid email or is it phishing?"

When threats are uncovered, IDR solutions can automatically delete every copy across every mailbox. This automatic remediation removes the burden on the email administrator or security analyst, and it massively reduces the feared "window of vulnerability" caused by malicious emails lingering for lengthy periods within the reach of users.

What happens to the delayed detonation attack while using Inbox Detection and Response?  When this email “detonated,” the Inbox Security system saw the URL now goes to a known phishing website.  The system removed the suspicious message from the inbox (and from all infected mailboxes across the organization).

Defense 2: Use Machine Learning to build a better phishing net

Bad actors are constantly raising the ante on email scams.  According to Microsoft, “phishers have been quietly retaliating, evolving their techniques to try and evade protections. In 2019, we saw phishing attacks reach new levels of creativity and sophistication.”

To keep pace with these evasive attacks, threat protection software has to adapt, and machine-learning algorithms can be a powerful way to keep pace.

Machine-learning algorithms include:

  • Sender Behavior Analysis: detects imposter or spoofed emails, using header analysis, cousin or look-alike domain detection, as well as natural language processing to determine whether the language in the body of an email might be indicative of social engineering.

  • URL Behavior Analysis: protects users from credential theft by extracting URLs from emails and examining the destination web page for evidence that it might be a phishing site. Underlying technologies should be built specifically to detect evasive phishing tactics. For example, automatically access suspect sites from multiple source IP addresses and emulate different browsers to observe how the site renders in different environments.

  • Mailbox Behavior Analysis: profiles mailbox activity to create a baseline of trusted behaviors and relationships. Who sends emails to whom and at what time of day? What volumes?  What do the contents look like? And many others. Mailboxes are then continuously monitored for anomalous behaviors and predictive analytics are used to detect threats. For example, if an executive never sends emails to a finance cloud, and then suddenly he does, late on a Friday evening, requesting a money transfer, this behavior will be an anomaly, indicating a possible BEC attack.

  • Incident Analysis: Enables rapid investigation, containment, response and remediation of threats. Incidents are created whenever an email contravenes a security policy or is reported by the user. Look for automation here too, including clear display of detailed forensic data per incident and automatic aggregation of similar incidents into a single case that can be remediated in one fell swoop.

Defense 3: Crowdsource threats from your employees

Though it’s often positioned as the “last line of defense” against phishing, Inbox Detection and Response (IDR) security layers can gather unique threat intelligence from employees.  

The IDR collects critical feedback from its vantage point in all users’ Microsoft 365 mailboxes.  When users interact with the IDR intelligence engine, such as flagging suspicious emails, machine-learning algorithms incorporate their feedback.  Over time, the IDR engine gets smarter, enriched by the instincts and critical thinking of your front-line employees.  

Crowdsourcing threat intelligence is a powerful way to involve employees in “self-security” and to relieve the burden on IT:

  • As employees submit more emails for review, the engine becomes even more effective over time.

  • IDRs reinforce user training so you get better ROI from security training programs.

  • When employees provide feedback directly within the IDR, they reduce the burden on the IT help desk.

  • Phishing attacks can target hundreds or thousands of employees.  When threats are discovered, an IDR can scan your entire user base and remove suspicious messages from all infected mailboxes across the organization.

If you want to crowdsource threats from an employee base, it has to be easy.  

The best solutions:

  • Engage users inside their inbox, where the threat is.

  • Apply warnings or banners across suspect emails so users don’t reflexively click links or open attachments.

  • Require minimal clicks/time.

  • Are always visible and top of mind.

  • Make it dead simple to submit suspect emails for review.

Cyren Inbox Security

Cyren’s threat visibility is unsurpassed. Our global security cloud processes 25 billion email and web security transactions every day; identifies 9 new threats and blocks over 3,000 known threats each second.

Cyren Inbox Security was built to safeguard each and every Microsoft 365 mailbox in your organization.  It is a continuous and automated layer of security right in the user mailbox:

  • Persistently rescans inbound, outbound and delivered emails in all folders

  • Reduces investigative overhead with automated incident and case management workflows

  • A seamless mailbox plugin lets users scan and report suspicious emails

Cyren Inbox Security includes a simple-to-install and -use Outlook plugin that helps Microsoft 365 users identify phishing attacks.

A prominent button in Outlook lets users click-to-scan any suspicious email, and receive immediate results.

If the response is negative and the user disagrees, the user can simply click to send the email to the Cyren Security Lab for review. All forensics data from crowdsourced intelligence is incorporated in the system and made available for further investigations.

Cyren also provides a 24/7 managed Threat Response Service (TRS) for users of Cyren Inbox Security. Cyren TRS is laser-focused on investigating, analyzing, and resolving threats reported by your users. If Cyren reclassifies an email as suspicious, it will be automatically removed from all user mailboxes in your organization. 


With daily processing of more than 25 billion transactions from Cyren customers and technology partners, we leverage our global visibility to the advantage of every Cyren Inbox Security user.

Ready to play with Cyren Inbox Security for Microsoft 365Start a 30-day trial, no credit card needed >

Go back