Let’s be honest: administering email is a pain. Routing issues, disk quotas, bouncebacks, the times when users can send but not receive emails, receive but not send, or they flat out cannot send or receive—the list goes on.
It’s no wonder that email-hosting services like Office 365 have become so popular. Such cloud-based email services remove a lot of the headaches caused by email configuration. They even include basic security features, meant to keep users safe from the latest threats.
They also provide options to simplify the user experience. Users can go directly to an Office 365 web page, enter their company credentials and log right into their email accounts from anywhere they like.
Take all this into account, add the reduction in costs that cloud email solutions often bring, and it sounds like the perfect solution. As a result, the use of services like Office 365 has skyrocketed.
Of course, its popularity has led to malicious attacks. Attackers are crafting and launching phishing campaigns targeting Office 365 users. The attackers attempt to steal a user’s login credentials with the goal of taking over the accounts. If successful, attackers can often log into the compromised accounts, and perform a wide variety of malicious activity:
At first glance, this may not seem very different than external email-based attacks. However, there is one critical difference: The malicious emails sent are now coming from legitimate accounts. For the recipient, it’s often even someone that they know, eliciting trust in a way that would not necessarily be afforded to an unknown source. To make things more complicated, attackers often leverage “conversation hijacking,” where they deliver their payload by replying to an email that’s already located in the compromised inbox.
Figure 1 – An example Office 365 phishing email.
However, there’s so much more that an attacker can do besides sending emails. Once an attacker has access to a legitimate mailbox, they can also do the following:
These activities can go unnoticed, simply because the attacker is gathering information while logged in using authorized credentials. This gives the attacker time for reconnaissance: a chance to observe and plan additional attacks. Nor will this type of attack set off a security alert in the same way something like a brute-force attack against a webmail client will, where the attacker guesses password after password until they get in or are detected.
The methods used by attackers to gain access to an Office 365 account are fairly straightforward. The phishing campaigns usually take the form of an email from Microsoft. The email contains a request to log in, claiming the user needs to reset their password, hasn’t logged in recently, or that there’s a problem with the account that needs their attention. A URL is included, enticing the reader to click to remedy the issue.
The chain of events usually plays out like this:
Given this series of events, the user would be none-the-wiser that their credentials had been stolen.
Figure 2 – Office 365 login vs. phishing login. Can you spot the difference?
How successful are these attacks? While it’s unlikely anyone but the attackers would have data on the number of stolen credentials, or overall success rate, we can draw a few conclusions by looking at the phishing emails.
Agari Data Inc. is one company that monitors a variety of data points surrounding phishing campaigns. In fact, in their quarterly Email Fraud and Identity Deception Trends report, they often look at brand impersonation trends and provided some fresh numbers for us.
Over the last few quarters, there has been a steady increase in the number of phishing emails impersonating Microsoft. While Microsoft has long been the most commonly impersonated brand, it now accounts for more than half of all brand impersonations seen in the last quarter.
Figure 3 – Brand Impersonation Phishing Emails masquerading as “Microsoft”
To its credit, Microsoft has baked a number of security technologies into its Office 365 offerings. However, given how these types of phishing attacks take place off their network, there is very little that can be done from within the cloud to protect against it. If an attacker gains valid credentials and uses them, how can you tell the difference based on a login attempt?
Fortunately, there are several steps you can take to further protect your email:
Cloud email services like Office 365 aren’t going anywhere. Given the many advantages that they present, there’s no reason they should. The fact is, given the current threat landscape, it’s often necessary to leverage additional security.
Based on a recent study conducted by ESG on behalf of Cisco, more than 80 percent of respondents reported that their organization is using SaaS email services. However, 43 percent of respondents still found that, after the move, they required secondary security technologies in order to shore up their email defenses.
At the end of the day, there are still valid needs for IT teams to set policies, gain visibility and control, utilize sandboxes, and leverage external blocking capabilities. Cloud email offers a lot of advantages, but to fully deliver on its promise, there is still a role for IT to ensure it is as secure as it can be.
Published with permission from blogs.cisco.com.