So you’re considering a move to Office 365? Or, maybe you just moved? After you board up the server room and breathe a huge sigh of relief, it’s time to rethink what you know about email security.
1. Microsoft's data center is more secure than yours. But that doesn’t matter.
One benefit of moving to Office 365 is the physical security of the Microsoft's data centers. They've invested intrusion prevention and have round the clock resources to keep attackers out of their servers. What is more important to you, however, is how well they keep attackers out of your account. How well does Microsoft prevent email-based phishing and malware attacks? Remember, when you move to Office 365, you are relying on Microsoft’s ability to detect malware and phishing attacks within email. So, no matter how secure their data center is, it’s all for nothing if your users get hacked because of an email message that Microsoft's filters allow into your inbox.
To help answer this question, we went back to the beginning of the year to review all the phishing attacks we have blocked for our customers. On average, Microsoft has missed one email attack per user per day. How do we know Microsoft missed these attacks? Because we are in a unique position in how we secure Office 365. The Avanan scanning engines run after Microsoft security scans have completed. Whatever we see, Microsoft has passed off as clean. Pretty simple.
2. Anyone can check whether you are using Office 365
A simple MX record lookup will tell hackers that you are using Office 365. This is important because it changes how hackers may target your organization. For example, if a hacker knows someone is using Office 365, what do you suppose the format of the phishing attack would look like? It will probably look like a OneDrive share. And what kind of credential harvest page would the URL within the email point to? It would probably look like the fake Office 365 login page we often see below.
But before a hacker launches their attack, they’ll do one more thing. They’ll run the actual email through their own Office 365 account to test whether Microsoft will actually block their attack.
3. Microsoft does provide some email protection. But it is not enough.
By default, Microsoft offers a security layer that provides anti-virus, anti-spam, and anti-phishing for its email services. You get these automatically with any Microsoft license. If you pay an additional $2/user/month, or sign up for the $35/user/month E5 package, you can get Microsoft Advanced Threat Protection (ATP). Because of the attackers ability to pre-test their attack, customer experiences with ATP have been disappointing (as you can read here), echoing the reviews of ATP found online.
To be clear, we have found that the email protection in Office 365 is better than other cloud-based email providers. It does provide some level of protection. It filters many of large-scale, spam-like attacks and can identify the source of bulk malicious senders, but it struggles with more sophisticated, targeted attacks.
We believe, however, that even if their solution isn’t “good enough,” the correct solution should not be to replace their protection, but to address the gaps and build upon what Microsoft is already providing. Additional security should take a layered approach that includes Microsoft as one of those layers.
4. Securing email in the cloud is much different than securing email in your data center.
Securing email within a single, on-premises server is a world apart from securing cloud-based email, which is part of a much larger suite of cloud applications. Many of the tools for data-center email security do not apply to cloud-based email. Rather than a point solution, cloud based email must be understood as part of a much larger whole.
Solutions like Proofpoint and Mimecast are limited by their narrow view of an email account, relying upon a Secure Email Gateway (SEG) that scans each message from outside Office 365. From there, they cannot scan internal, employee-to-employee emails, see historical email conversations, monitor real time user events, identify compromised Office 365 accounts, or take actions on an email after it has passed them by.
While these missing capabilities are significant, the greatest weakness of the SEG-based approach is the fact that the SEG architecture requires you to disable Microsoft's own layers of security. This is often referred to as “rip and replace” security; rather than adding new layers, they are just swapping what you have for their own. When they produce a report showing how many attacks they blocked, there is no way for a customer to know how many attacks would have been blocked with Microsoft’s default security. Worse, they cannot see the missed attacks that Microsoft would have blocked.
For those customers who use Proofpoint and Mimecast, we often see attacks that they've missed, but are ordinarily blocked by Microsoft for other customers. For example, here is a common attack missed by Proofpoint but blocked by Microsoft. Because a Proofpoint installation requires you to disable Microsoft's filters, they bypass both and end up in the user's inbox.
Email with Same Link Detected by O365
The path to better security is not to replace what you are already paying for with your Office 365 subscription. The path to better security is adding additional layers that fill the gaps to offer complete protection.
5. Yesterday it was malware. Today it’s your SaaS credentials.
According to the Verizon 2017 Data Breach Investigations Report, “80% of hacking-related breaches leveraged either stolen passwords and/or weak or guessable passwords.” As Brian Krebs points out in this blog, hackers are working hard every day to get your users to give up their credentials to Office 365 and another SaaS applications. Once a hacker has your credentials, they can weaponize your company's SaaS accounts against you.
A typical Office 365 attack looks something like this:
1. Hacker sends an email spoofing a person of authority in the company—the CEO, CFO or the IT help desk. This will come from an external email address, but be designed to look internal.
2. The phishing email will ask the person to “review a document” with a link to what is assumed to be the OneDrive document for review.
3. The link, however, will take the user to an exact replica of an Office 365 login page, where they will capture their credentials.
4. The hacker will login to the user’s account and implement email rules to create silent back door access:
- Forward all incoming emails to an external address,
- Delete certain new emails in Sent Items,
- Move/Delete all incoming emails into a sub folder.
5. The hacker can now send phishing emails from this user’s account with impunity. All future phishing attacks will come from within the company with a real internal address.
Our own analysis shows that 65% of the phishing attacks were an attempt to get the user to give up their SaaS credentials. Your security solution needs to protect the entire business suite; not just email.
6. Not all phishing attacks contain links
While most of the phishing attacks we stop are after user credentials, about 25% are Business Email Compromise (BEC) attempts get the recipient to take some insecure action. In these cases, the emails do not contain the usual signs of being malicious—no links to click on and no malicious attachments. It could be as simple as someone pretending to be the CFO emailing the accounts payable department asking them to “Please pay this invoice.” Or it could be asking a colleague to hop on a Zoom call:
These are highly-targeted attacks where the hacker leverages public data from sites like LinkedIn to understand the roles and responsibilities of your employees. Often, these hackers may even become a customer of yours so they can see how your organization communicates with customers, or simply to see the format of your company's help desk ticketing emails. These attacks are rising in frequency. Even worse is that default security and SEGs don't have the internal knowledge and context necessary to prevent these attacks.
7. Multi-factor Authentication: a not-so-easy fix.
We recommend that every customer enable Multi-factor Authentication (MFA). Admittedly, though, this can be a challenge. If you turn on MFA without putting much thought into the the people and process, expect your help desk to be flooded with calls from users who are locked out of their accounts.
The Yale IT department put together a great case study on the implementation of 2FA for their user community. It took them six months to roll out and included an “informative sponsorship video,“ "outreach meetings,” and “face-to-face meetings with university leaders in faculty and administrative departments”.
While important, MFA does not solve the phishing problem.
New, targeted, attacks are designed around the MFA process.
1. Attackers automate the login to happen simultaneously with the capture of the the user's credentials. The victim believes they are authenticating their own login, but they are, instead, approving the attackers scripted attempt.
2. New Cloud Access Trojan attacks only require a single login to create a permanent back door. Once they have created mailbox rules to route messages or approved a malicious API or created a silent back-up service, they never need to log in again.
8. Office 365 Security goes well beyond email.
When email was in your data center, email was just email. In Office 365, email is part of a much larger ecosystem and securing Office 365 requires more than just protection of inbound messages. This includes detecting compromised accounts, protecting content going in and out of OneDrive & SharePoint, monitoring for connected apps, compliance, integration with SIEM, and so much more.
A cloud security solution must incorporate all parts of the Office 365 environment. It must go beyond preventing inbound malware through the single email entry-point.
It must incorporate other SaaS applications beyond just Office 365.
- Office 365 email is not the same as on-premises email.
- Office 365 requires a multi-layered approach to security.
- Microsoft provides an important filter that can catch attacks that others don't.
- It’s better to supplement Microsoft's protection than replace it.
Yesterday's SEG security technologies are not built for the cloud. They are a point solution for securing a data-center server that ignores the much larger Office 365 ecosystem. SEG security is a square peg in a round hole—out of place in today's SaaS environment.
You need cloud-native security, built specifically for today's cloud-native world.