Office 365 Phishing Attack
Chuck's Cyber Wall
Cybersecurity experts are seeing a significant rise in Office 365 Phishing Attacks, with a focus on executive accounts, small business owners, and office/practice managers.
Why this focus?
Every account the attackers capture at this level opens the door to organization-wide spear phishing, where the attacker uses the compromised email account to assure its contacts that the phishing emails are legitimate and encourage them to fall for the scam. And because the vast majority of these attacks are automated, everyone is a target.
Let’s put this in perspective. According to the 2022 Cybersecurity Statistics, Google registered over 2 million phishing websites in 2021, a major driver of the 300% increase in cybercrime in the USA. Phishing is the most significant cyber threat to big businesses, small businesses, and individuals. 36% of data breaches in 2021 involved phishing attacks, up from 25% in 2020. On top of this, 85% of phishing attacks involve brand impersonation.
Here are some other notable stats:
- 95% of data breaches are caused by human error
- Data breaches cost an average of $4.24 million
- 97% of users are unable to recognize a sophisticated phishing email
- 30% of phishing emails are opened, and 12% of recipients click on the malicious links
- 85% of all organizations in the world have been hit by a phishing attack at least once
- Phishing attacks give attackers the access they need to launch ransomware attacks
Taking all of that into account, it’s easy to see why we all need to be concerned.
WHY MICROSOFT ACCOUNTS?
More and more organizations, especially small businesses, are moving to Office 365. Between their productivity (Word, Excel, etc.), document management (OneDrive, SharePoint, etc.), and communication (Outlook, Teams, etc.) software, Microsoft offers a suite of services at affordable prices that are tailored to fit many needs. Whether or not you are a fan of Microsoft, their business model is popular and effective.
The thing is, just like small business owners, hackers are looking for the biggest bang for their buck. A phishing website costs $3-$12 to put up. An email list can be purchased on the dark web for around $200. Phishing email build kits sell for around $50. They are spending money to make money, so it makes sense that they want to catch as many people as possible when they are ready to cast their net. Targeting Microsoft credentials provides them with information to sell – validated credentials fetch a high price on the dark web.
Typically, catching one person makes back the initial investment. But if that one person often sends emails that include attachments, such as PDFs, invoices, business quotes, etc., it opens the door to potentially hundreds or thousands of additional victims. And for attackers, that means more money!
Phishing attacks take many forms, from the simple to the complex. Some of the more successful are:
- An emailed link claiming that Mary wants to share a file with you, which asks you to log in when you click on it – credentials stolen
- A SharePoint link that takes you to a fake O365 login page when you click on it – credentials stolen
- A pretend automated message saying that you missed a Teams chat, which asks you to log in when you click on it – credentials stolen
And even if you are not currently a Microsoft user, they can still target you. Since Microsoft has such a visible brand, with many products and logos that are easy to imitate, we see lures that promise coupons, demos, special pricing, and other such offers. Clicking on them will almost certainly infect your device with malware, including keyloggers, ransomware, and tools that allow attackers to bypass security.
The single most effective tool against all kinds of phishing is Security Awareness Training! No matter how elaborate the phishing lure might be, there are always tells. Whether it is the email address, language used, format, a manufactured sense of urgency, or other such indicator, users who know what to look for are much less likely to fall for the scam. We discuss Phishing a great deal specifically for this reason.
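As an added example (not from the original post), here is a small checker that looks for the tells named above in a message: a sender display name that claims a Microsoft product from a non-Microsoft domain, a sign-in or file-share link whose host is not Microsoft's (or imitates the brand with digit swaps), and urgency language. The Microsoft host allow-list and the two sample messages are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list of hosts Microsoft really signs you in on or shares files from; extend for your tenant.
LEGIT_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com",
                  "sharepoint.com", "onedrive.com", "live.com")
BRAND_WORDS = ("microsoft", "office", "sharepoint", "onedrive", "teams", "o365")
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours?|will be (suspended|locked|removed))\b", re.I)

def host_is_legit(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)

def looks_like_brand(text):
    # Undo the digit-for-letter swaps used in lookalike names (0 for o, 1 for l) before matching.
    normalised = text.lower().replace("0", "o").replace("1", "l")
    return any(word in normalised for word in BRAND_WORDS)

def phishing_tells(msg):
    """Return the tells found in a message dict with keys from, subject, body, links."""
    tells = []
    sender_name, _, sender_addr = msg["from"].rpartition("<")
    sender_domain = sender_addr.rstrip(">").rsplit("@", 1)[-1]
    # Tell 1: display name claims a Microsoft product, but the address is not on a Microsoft domain.
    if looks_like_brand(sender_name) and not host_is_legit(sender_domain):
        tells.append(f"sender claims Microsoft brand from non-Microsoft domain {sender_domain}")
    # Tell 2: a sign-in or file-share link that lands off Microsoft, worse if the host imitates the brand.
    for url in msg["links"]:
        host = urlparse(url).hostname or ""
        if not host_is_legit(host):
            kind = "lookalike" if looks_like_brand(host) else "off-brand"
            tells.append(f"{kind} link host {host}")
    # Tell 3: manufactured urgency in the subject or body.
    if URGENCY.search(msg["subject"] + " " + msg["body"]):
        tells.append("urgency language")
    return tells

# Constructed samples: a lure modelled on the SharePoint share described above, and a genuine tenant link.
LURE = {
    "from": "SharePoint Online <noreply@docs-share-portal.example>",
    "subject": "Mary shared 'Q3 Invoice.pdf' with you",
    "body": "Sign in to view the document. It will be removed within 24 hours.",
    "links": ["https://login.micr0soft-online.example/common/oauth2"],
}
GENUINE = {
    "from": "Mary Smith <mary@contoso.example>",
    "subject": "Q3 budget draft",
    "body": "Draft is on our SharePoint site; comments welcome by Friday.",
    "links": ["https://contoso-my.sharepoint.com/personal/mary/Documents/q3.xlsx"],
}
```

Run phishing_tells(LURE) and phishing_tells(GENUINE) to compare: the lure trips all three tells, the genuine share trips none.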
And it’s working.
Almost 70% of users are actively aware of phishing attacks, and about 15% of them are reporting phishing attacks to their security teams. That is way up from 15% awareness and 1.2% reporting only three years ago.
The problem is that it only takes 1 person to click on a malicious link to expose credentials, infect a network with ransomware, or – worse – cause a data breach. For that reason, security professionals also recommend:
- Activate 2FA (two-factor authentication) on every account that supports it
- Always use a passphrase instead of a password; they are longer and more secure
- Run security updates as soon as they are available
- Make sure your antivirus program is active and updated
- Be suspicious of any request for personal information
- Don’t click on links; manually go to the website or make a phone call
- Don’t get drawn in by demands for urgency; take a breath and check their legitimacy
With hackers growing more advanced, attacks are only going to increase in number and complexity. If you have a Microsoft account at home or work, you are a target. Of course, you are also a target if you use Google, Amazon, Facebook, Netflix, Apple, any financial services, commerce services, educational services, government services – the list goes on and on and on.
So far as hackers are concerned, we are all targets, and awareness is the defense that is most likely to keep us safe.
Director of Cybersecurity and Marketing
I’ve always had a love of working with technology, being fortunate enough to have grown up with a grandfather who taught me how to fix things for myself and not be afraid to jump in and get my hands dirty. Over the last three decades, I’ve worked as a technician, trainer, technical writer, and manager in small businesses, enterprise organizations, and government. In addition, I’m an author, having published multiple works available online and in print. You can find my creative work at https://WritingDistracted.com