Microsoft 365 Phishing

Microsoft 365 phishing attacks are inevitable due to the number of businesses that use the software package. According to Microsoft, more than 1 million businesses worldwide use Microsoft 365, with Microsoft reporting earlier in 2022 that it has surpassed 345 million users worldwide. That makes Microsoft 365 a big target. If a phishing campaign can be developed that bypasses Microsoft’s protections, a highly successful campaign can be conducted on all businesses that use Microsoft 365.

Microsoft 365 phishing attacks are conducted to steal Microsoft 365 credentials, allowing threat actors to gain access to accounts and obtain large volumes of sensitive data. These attacks also give threat actors a foothold in the network from where they can conduct a much more extensive compromise. Credentials stolen in attacks are often sold on hacking forums to other threat actors, including ransomware gangs. Microsoft 365 accounts contain a wealth of valuable and easily monetized data, and the email accounts can be used to conduct convincing phishing and business email compromise (BEC) attacks.

After gaining access to accounts, the attackers search through mailboxes looking for information about financial transactions, allowing them to create convincing emails to redirect upcoming payments to accounts under their control. BEC attacks see hundreds of thousands or even millions of dollars transferred, with the scams often not detected until after the funds have been withdrawn. Attacks on Microsoft accounts can be extremely profitable.

Microsoft 365 Phishing Attacks Bypass MFA Protection

In the summer of 2019, Microsoft published a blog post that highlighted the importance of implementing multifactor authentication on accounts, stating that this easily implemented measure will block 99.9% of automated attacks on accounts. The number of businesses that have implemented multifactor authentication on their accounts is growing, and that has the potential to prevent phishing attacks from succeeding; however, recently phishing campaigns have been conducted that allow threat actors to bypass multifactor authentication.

These phishing campaigns look similar to many others, but they are adversary-in-the-middle (AitM) phishing campaigns that use a reverse proxy in the backend infrastructure. The target’s email address is encoded in the URL of the phishing page, which is used to populate the login field on the phishing site. The user only needs to enter their password. The phishing pages pull the content from the genuine Microsoft login page in real time, so when the password is entered on the phishing page, it is automatically used to log in on the genuine Microsoft site. The phishing page also displays the multifactor authentication prompt in real time, and when the login process is completed and the MFA is passed, the site captures the user’s session cookie, which allows the threat actor to access the genuine Microsoft 365 account without having to authenticate again. This is achieved using the Evilginx2 phishing toolkit. In some cases, once access was gained, a different method of authentication was established to allow the threat actor to continue to access the account when the session cookie expired or was revoked.

How to Improve Defenses Against Microsoft 365 Phishing Campaigns

Many Microsoft 365 phishing attacks are not capable of bypassing multifactor authentication, so it should be implemented, but steps should be taken to protect against the AitM attacks that do successfully bypass MFA. Microsoft recommends setting up conditional access policies that check for compliant devices and trusted IP addresses before completing the authentication process. It is also recommended to monitor for suspicious logins, such as unusual locations or ISPs.
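
The monitoring recommended above can be sketched as follows. This is an added example, not code from Microsoft or TitanHQ: it flags a session that reappears from a different country or ISP (the stolen session cookie described earlier), a sign-in from an origin never seen for that user, and a new authentication method registered soon afterwards. The record schema, field names and sample events are constructed for illustration and are not the real Microsoft Entra log format.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names are a simplified, hypothetical schema,
# not the real Microsoft Entra sign-in or audit log format.
EVENTS = [
    {"time": "2024-05-01T08:02:00", "user": "alice@example.com", "kind": "signin",
     "session": "s-100", "country": "IE", "isp": "ExampleNet"},
    {"time": "2024-05-02T08:05:00", "user": "alice@example.com", "kind": "signin",
     "session": "s-101", "country": "IE", "isp": "ExampleNet"},
    # Same session id shows up minutes later from a different country and ISP.
    {"time": "2024-05-02T08:09:00", "user": "alice@example.com", "kind": "signin",
     "session": "s-101", "country": "XX", "isp": "HostingCo"},
    {"time": "2024-05-02T08:20:00", "user": "alice@example.com", "kind": "mfa_method_added",
     "session": "s-101", "country": "XX", "isp": "HostingCo"},
    {"time": "2024-05-02T09:00:00", "user": "bob@example.com", "kind": "signin",
     "session": "s-200", "country": "IE", "isp": "ExampleNet"},
]

def find_suspicious(events, window=timedelta(hours=24)):
    """Return (time, user, reason) alerts for AitM-style account takeover signals."""
    seen_origin = {}     # user -> set of (country, isp) pairs already observed
    session_origin = {}  # session id -> (country, isp) where it was first seen
    last_alert = {}      # user -> time of the most recent suspicious sign-in
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        user, origin = ev["user"], (ev["country"], ev["isp"])
        if ev["kind"] == "signin":
            known = seen_origin.setdefault(user, set())
            first = session_origin.setdefault(ev["session"], origin)
            if first != origin:
                # An established session moved to another origin: cookie replay signal.
                alerts.append((ev["time"], user, "session_reused_from_new_origin"))
                last_alert[user] = when
            elif known and origin not in known:
                alerts.append((ev["time"], user, "signin_from_unseen_origin"))
                last_alert[user] = when
            known.add(origin)
        elif ev["kind"] == "mfa_method_added":
            flagged = last_alert.get(user)
            if flagged is not None and when - flagged <= window:
                # Persistence signal: new auth method soon after a suspicious sign-in.
                alerts.append((ev["time"], user, "mfa_method_added_after_suspicious_signin"))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(EVENTS):
        print(alert)
```

In production the per-user baseline would be built from weeks of history rather than from the first event seen, and alerts would feed session revocation and a review of the account's registered authentication methods.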

One of the most important measures to take to block Microsoft 365 phishing attacks is to ensure that you have robust anti-phishing controls in place. Microsoft offers a basic level of protection for email accounts through Exchange Online Protection (EOP) that includes connection filtering, anti-malware controls, policy filtering, and content filtering. EOP will block a high percentage of spam and phishing emails and all known malware; however, more advanced measures are needed to block sophisticated phishing attacks and zero-day malware.

The best defense against phishing is to implement third-party solutions to augment EOP and Defender. With SpamTitan Cloud, it is easy to augment Microsoft’s native EOP protection and greatly improve your defenses against zero-day spam and malware. SpamTitan Cloud performs real-time analysis of inbound and outbound emails to identify spam and phishing emails, scans emails and attachments using dual anti-virus engines and sends emails to a Bitdefender-powered sandbox for behavioral analysis to identify zero-day and obfuscated malware threats.

PhishTitan is recommended for protecting against the advanced phishing threats that Microsoft often misses. PhishTitan is an advanced, AI and machine learning-driven anti-phishing solution for Microsoft 365 that augments EOP and Defender and delivers phishing protection with unbeatable accuracy and minimal false positives. Independent tests by Virus Bulletin in Q1, 2024, confirmed the engine that powers PhishTitan has a phishing catch rate of 99.914%, a malware catch rate of 99.511%, and a 0.00% false positive rate.

PhishTitan conducts behavior, heuristic, and AI & LLM-driven anti-phishing analysis on internal and external emails using a proprietary algorithm that adapts to new phishing techniques, ensuring that zero-day phishing and business email compromise attacks are identified and blocked with the highest detection accuracy possible. LLM intelligence and continuous user feedback ensure the solution adapts to changing tactics and improves over time. PhishTitan rewrites URLs to reveal the true destination, provides time-of-click protection by blocking attempts to visit malicious sites, and protects against malware. Banner notifications are added to emails to warn users about potentially malicious emails and administrators can conduct post-delivery remediation to quickly remove phishing emails from all M365 inboxes.

PhishTitan is cost-effective, intuitive, and easy to use, and connects via M365 APIs with no MX changes required. Implementing PhishTitan on M365 accounts takes just 7 minutes from start to finish. Customers also benefit from TitanHQ’s world-class customer support and are provided with access to webinars and courses to help them get the most out of PhishTitan. PhishTitan is suitable for businesses of all sizes, with MSPs benefiting from easy implementation, a multi-tenant view for effortless customer management, and new client setup taking just 10 minutes.

It is also strongly recommended to provide training to the workforce to teach employees how to recognize and avoid Microsoft 365 phishing attempts. Regular security awareness training coupled with phishing simulations has been proven to greatly reduce susceptibility to phishing attacks. TitanHQ’s SafeTitan security awareness training platform includes an extensive library of interactive and enjoyable training content to help businesses turn their employees into security Titans, with the phishing simulator including hundreds of phishing templates taken from real-world attacks. SafeTitan is the only behavior-driven security awareness training platform that delivers intervention training in real time.

For more information on improving your defenses against Microsoft 365 phishing attacks, contact TitanHQ today.