Evasive Phishing is Targeting Office 365

Phishing emails targeting Office 365 customers are increasing dramatically and are the top source of security breaches, according to a new Osterman Research survey commissioned by Cyren. Fifty-four percent of organizations using Office 365 as their corporate email platform reported at least one successful phishing attack during the past 12 months, although usually far more than one—the average number of phishing breaches reported was 11.7.

The survey, “IT Security: Office 365 Benchmarking Survey,” conducted in September 2018, focuses on the email and web security status and priorities of IT and security managers at organizations that have 100 to 5,000 employees and use Office 365. The survey results allow security personnel to benchmark their own security posture and planning against their peers, including data on the priority placed on different email and web security features, what capabilities organizations have deployed, and how successfully—or unsuccessfully—their current security is performing across different threat types.

Phishing emails getting through to Office 365 users 

Nearly half of respondents to the survey said that more mass phishing and spearphishing emails are getting through their security and reaching users’ inboxes. Respondents estimate increases of 23 percent for general phishing and 25 percent for spearphishing compared to one year ago. This increase in phishing emails evading detection is certainly driving the higher successful phishing rates noted above. Not surprisingly, the IT managers surveyed ranked phishing as the top threat concern, surpassing ransomware, which was ranked second.

Figure 1 (Current security concerns): Phishing was the top source of breaches in 2018 for those with Office 365 deployed.

Targeting of executives top scenario

In ranking the level of concern about different phishing scenarios, targeted attacks on executives are at the top. Sixty-five percent of IT managers who have deployed Office 365 are highly or extremely concerned about their executives’ email accounts being hacked, and 62 percent indicated the same for targeted spoofing or impersonation of their executives. But mass-mailed phishing (59 percent) and spoofing of non-executive personnel (52 percent) are not far behind. Employees’ personal banking information getting phished was a top concern for only 45 percent.

Evasive phishing techniques more prevalent

Phishing is considered an industry-wide problem, not just for Office 365 users, due to the increasing speed at which phishing attacks occur, increasing sophistication in phishing techniques, and the rise of the “phishing-as-a-service” industry. This last phenomenon is seen in the proliferation of phishing kits and one-stop-shop phishing services on the darknet and sketchy forums on the Internet, some of which are full service and reduce to a minimum the technical skills formerly needed to get into the phishing business. For example, at one service on the dark web, a $50 monthly subscription (with optional upgrades!) provides a link to a realistic-looking spoofed Office 365 credentials phishing website, hosted and ready to go, and three extra links as back-up in case the first link is blocked. The prospective phisher only needs to provide an email address to receive logs with the phished usernames and passwords, and then distribute the site link via email or other methods—which can be done by contracting with specialized distribution services.

The survey report is available for free download, and an on-demand webinar on Office 365 and phishing is available, with senior threat researcher Magni Siggurdson analyzing examples of Office 365-focused phishing attacks.