Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Hackers Have It Out for Microsoft Email Defenses
Cybercriminals are focusing more and more on crafting special email attacks that evade Microsoft Defender and Office security.
Tara Seals, Managing Editor, News, Dark Reading
October 6, 2022
2 Min Read
Source: tofino via Alamy Stock Photo
Increasingly, cyberattackers are laser-focused on crafting attacks that are specialized to bypass Microsoft's default security, researchers say — which is going to require a shift in defense posture for organizations going forward.
"Many hackers think of email and Microsoft 365 as their initial points of compromise, [so they] will test and verify that they are able to bypass Microsoft’s default security," according to a new report from Avanan that flags an uptick in its customer telemetry of malicious emails landing in Microsoft-protected email boxes. "This does not mean that Microsoft's security got worse. It means that the hackers got better, faster, and learned more methods to obfuscate and bypass the default security."
Some of the eye-catching numbers in the report, gleaned from analyzing 3 million corporate emails in the past year, include:
About 19% of phishing emails observed by Avanan bypassed Microsoft Exchange Online Protection (EOP) and Defender.
Since 2020, Defender's missed phishing rates among Avanan's customers have increased by 74%.
On average, Defender sends only 7% of phishing messages received by Avanan customers to the Junk folder.
In good news: Microsoft flagged and blocked 93% of business email compromise attempts.
Microsoft catches 90% of emails booby-trapped with malware-laden attachments.
Again, the numbers speak to the evolution of phishing and the fact that attackers are increasingly using tactics like leveraging legitimate services to avoid including obviously malicious links in emails, using masking techniques like vanity URLs, and avoiding attachments altogether.
To defend themselves against these custom-built attacks, organizations can go to basic defense-in-depth approaches with four main prongs, according to Roger Grimes, data-driven defense evangelist at KnowBe4.
Those prongs include: A better focus on preventing social engineering, using a best defense-in-depth combination of policies, technical defenses, and education; patch software and firmware, especially any that are listed on CISA's Known Exploited Vulnerability Catalog; use phishing-resistant multifactor authentication (MFA); and using different, secure, passwords for every site and service where MFA cannot be used.
"There are no other defenses, besides these four, that would have the most impact on decreasing cybersecurity risk," Grimes says. "It is the world's lack of focus on these four defenses that has made hackers and malware so successful for so long."
About the Author(s)
You May Also Like
More Insights
Webinars
Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024Why Effective Asset Management is Critical to Enterprise Cybersecurity
May 21, 2024
Events
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024
