There are over 200 million monthly active Office 365 business users. It has fast become a staple of modern working, providing all the tools needed for employees to connect to the content, people and information they need from any device. However, like any commonly used service, it has become a target for cyber criminals, with Microsoft being in the top ten brands used for phishing attacks.

Some examples of Office 365 phishing attacks

Voicemail notifications

You only need to check the news and social media to find numerous examples of phishing campaigns that abuse Office 365. Recently, attackers have been sending fake Office 365 voicemail notifications that use Unicode characters to slip past Secure Email Gateways (SEGs) and push recipients to a phishing page.

Financial compensation

Microsoft reported a COVID-19-themed phishing campaign that used financial compensation as the lure. Recipients were pointed to a spoofed Office 365 login page built to harvest credentials; in a single 24-hour period, around 2,300 unique HTML attachments were spotted.

Suite attacks

The number of tools that sit under the Office 365 umbrella gives bad actors multiple options when crafting their attacks. A recent example is the PerSwaysion campaign, whose operators used Microsoft Sway to poach Office 365 credentials from at least 150 executives. There are also instances of SharePoint, OneDrive and OneNote (as well as many other services) being used in successful phishing campaigns.

Office 365 phishing attacks are growing in sophistication. One Reddit user encountered a phishing page that loaded the target company's branding based on the email address entered. Another example shows a fake Office 365 domain with its own live chat function. Other campaigns intercept Multi-Factor Authentication (MFA) tokens, or use malicious OAuth apps to obtain access tokens instead of capturing login credentials at all. In fact, MFA that relies on one-time codes or push approvals can be bypassed with publicly available reverse-proxy tools like Modlishka, which relay the victim's session in real time and can be set up in minutes.

As phishing tools have become more and more advanced, they have now developed to the state that they are being sold as a packaged product. With a little bit of research, it’s quite easy to find phishing kits for top-tier brands, meaning that the legwork of setting up all the assets convincingly is already done, and all phishers need to do is execute a campaign.

In our May 2020 Cloud Security report, we observed a spike in attempts to connect to Office 365 phishing domains after a long period of stability. With the peak now past, we can already see hits to Office 365 phishing domains returning to normal.

Based on this information, it is increasingly evident that security controls are being evaded in order to steal users' Microsoft login credentials. In fact, 30.3% of phishing emails sent to organizations using Office 365 Exchange Online Protection (EOP) were delivered to inboxes, bypassing those controls. But email is only one delivery mechanism: 87% of successful phishing incidents take place outside of email, via SMS, social media or instant-messaging platforms, and those messages direct users to phishing pages where their credentials are snatched.

With cybercriminals continuing to evolve and diversify their tactics to avoid security technologies, what can businesses do to ensure their employees never reach phishing pages? Moreover, what happens if a user does have their Office 365 credentials phished? What contingencies are in place to mitigate onward threats?

How can businesses protect Office 365 from cyber threats?

Zero-day in-network protection

If a victim has been lured into clicking on a phishing link, you are relying on them being aware and tech-savvy enough to recognise the phishing page and not enter their details. Not every user is, particularly when the page is as convincing as the examples above. As important as security awareness training is, an online course every 6-12 months is not sufficient, especially as phishing tactics morph so quickly. The best bet is to prevent the phishing page from being loaded at all. This is where in-network protection matters: if risk analysis through machine learning deems a page malicious, that page is blocked. This also extends to zero-day phishing attacks, meaning pages that threat intelligence sources have yet to identify as threats. The window between the creation of a phishing campaign and its detection is the most dangerous period, so a security solution that can detect zero-day attacks is key to mitigating phishing risk.

Adaptive Access

Login credentials alone should not be enough for someone to access a system — the context of a session needs to be assessed as well. For example, is the endpoint healthy? Does it have any malware or risky apps installed? Are there any device vulnerabilities? Is the connection secure? The application of adaptive access provides another layer of defense against phishing attacks, and also forms part of the wider Zero Trust Network Access (ZTNA) strategy.
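As an added example (not code from the original article or from any vendor's product), here is a small Python policy evaluator that applies the questions above to a sign-in. It also covers the point made earlier about MFA bypass: a relayed one-time code or push approval is not treated as proof that the session is safe, only FIDO2/WebAuthn is. The signal names, weights and thresholds are assumptions chosen for illustration, and the scenarios in `demo()` are constructed, not real sign-in data.

```python
"""Adaptive access: decide on a sign-in from its context, not just the credentials.

Added example for this article; the signal names, weights and thresholds are
illustrative assumptions, not any vendor's policy engine.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # demand phishing-resistant MFA before granting access
    DENY = "deny"


@dataclass
class SessionContext:
    user: str
    password_ok: bool
    # MFA method already satisfied for this sign-in: None, "otp", "push" or "fido2"
    mfa_method: Optional[str]
    device_managed: bool            # enrolled in MDM / running the endpoint agent
    malware_detected: bool = False  # endpoint agent reports active malware
    risky_apps: List[str] = field(default_factory=list)
    critical_vulns: int = 0         # unpatched critical vulnerabilities on the device
    tls_ok: bool = True             # connection not downgraded or intercepted
    client_ip: str = ""
    known_ips: Set[str] = field(default_factory=set)  # IPs this user normally uses


@dataclass
class Outcome:
    decision: Decision
    reasons: List[str]


# Only FIDO2/WebAuthn binds the credential to the real origin; OTP codes and push
# approvals can be relayed in real time by a reverse-proxy phishing kit.
PHISHING_RESISTANT = {"fido2"}

# Assumed weights: a score at or above DENY_AT means even a correct password plus
# a relayed one-time code does not earn access.
WEIGHTS = {
    "unmanaged device": 2,
    "unknown network location": 2,
    "risky app installed": 1,
    "unpatched critical vulnerability": 1,
}
DENY_AT = 4


def risk_signals(ctx: SessionContext) -> List[str]:
    """Return the names of the risk signals present in this session."""
    signals = []
    if not ctx.device_managed:
        signals.append("unmanaged device")
    if ctx.client_ip and ctx.client_ip not in ctx.known_ips:
        signals.append("unknown network location")
    if ctx.risky_apps:
        signals.append("risky app installed")
    if ctx.critical_vulns > 0:
        signals.append("unpatched critical vulnerability")
    return signals


def evaluate(ctx: SessionContext) -> Outcome:
    """Combine credentials, MFA strength and session context into one decision."""
    if not ctx.password_ok:
        return Outcome(Decision.DENY, ["invalid credentials"])
    # Hard stops: no amount of authentication makes a compromised session safe.
    if ctx.malware_detected:
        return Outcome(Decision.DENY, ["endpoint reports active malware"])
    if not ctx.tls_ok:
        return Outcome(Decision.DENY, ["connection is not secure"])

    signals = risk_signals(ctx)
    score = sum(WEIGHTS[s] for s in signals)
    strong_mfa = ctx.mfa_method in PHISHING_RESISTANT

    if score >= DENY_AT and not strong_mfa:
        # The phished-credential profile: correct password, perhaps a relayed OTP,
        # but arriving from an endpoint and network this user has never used.
        return Outcome(Decision.DENY, signals + ["credentials alone do not earn access"])
    if ctx.mfa_method is None or (signals and not strong_mfa):
        return Outcome(Decision.STEP_UP, signals or ["no MFA presented"])
    return Outcome(Decision.ALLOW, signals)


def demo() -> dict:
    """Constructed scenarios (hypothetical user and IPs, not real data)."""
    base = dict(user="alice@example.com", password_ok=True, known_ips={"203.0.113.10"})
    cases = {
        "managed device, FIDO2": SessionContext(
            mfa_method="fido2", device_managed=True, client_ip="203.0.113.10", **base),
        "managed device, password only": SessionContext(
            mfa_method=None, device_managed=True, client_ip="203.0.113.10", **base),
        "managed device, OTP, risky app": SessionContext(
            mfa_method="otp", device_managed=True, risky_apps=["sideloaded-vpn"],
            client_ip="203.0.113.10", **base),
        "phished creds replayed via proxy": SessionContext(
            mfa_method="otp", device_managed=False, client_ip="198.51.100.77", **base),
        "malware on endpoint": SessionContext(
            mfa_method="fido2", device_managed=True, malware_detected=True,
            client_ip="203.0.113.10", **base),
    }
    return {name: evaluate(ctx) for name, ctx in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:35s} -> {outcome.decision.value:8s} {', '.join(outcome.reasons)}")
```

The fourth scenario is the one the MFA-bypass tools above produce: the password is right and an OTP was "satisfied" (relayed), yet the session comes from an unmanaged endpoint at an address the user has never signed in from, so it is denied rather than allowed. A real deployment would feed these signals from the identity provider and endpoint agent rather than from a dataclass, but the decision logic is the same.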

Zero Trust Network Access

The traditional castle-and-moat approach to network security has been weakened by the increased mobility and adoption of cloud services, like Office 365. For a long time, there have been calls to migrate to a ZTNA approach and it seems like many companies are beginning to make the transition, with 78% of IT security teams looking to embrace zero trust network access in the future, and 19% actively implementing. It’s a no-brainer for companies with more modern, cloud-based architectures.

Office 365 will always be a prime target for attackers as it is the gateway to so much of a company’s information and people. With threats coming from all angles, companies need to think beyond just preventing those threats and consider the whole access equation, and pivoting to ZTNA will unquestionably improve a company’s risk profile.