Posey's Tips & Tricks

Office 365's Phishing Problem Goes Deeper

A recent report suggests that Microsoft's own e-mail security protections have trouble differentiating between real and fraudulent messages from itself.

• By Brien Posey
• 05/06/2019

I recently read Avanan's "Global Phish Report" for 2019, which was chock-full of statistics related to recent phishing attack trends.

If I am to be completely honest with you, I usually find these types of reports to be mind-numbing. I've always found reading statistical reports to be about as exciting as watching paint dry. Even so, there were a couple of things within the Avanan report that caught my attention.

First, the report's Executive Summary states:

Of the phishing attacks we analyzed, 25% bypassed Office 365 security, a number that is likely to increase as hackers design new obfuscation methods that take advantage of zero-day vulnerabilities on the platform.

In other words, the report found that Office 365's native message-screening capabilities are only about 75 percent effective, at least when it comes to identifying phishing attacks.

In some ways, this particular statistic really surprised me. In other ways, it didn't surprise me at all.

The main reason I found Avanan's statistic to be somewhat surprising is that phishing attacks should be at least somewhat easy to identify. If, for example, an e-mail message claims to be from a large, well-known bank, but the links within the message point to a rather dubious domain rather than to the bank's domain, that's a pretty good indication that the message is a phishing attack. Similarly, if a message is purported to have come from a Fortune 500 company but is filled with spelling errors, that's another good indication that the message isn't what it claims to be.

At the same time, though, the idea of Office 365's message-scanning capabilities only being about 75 percent effective wasn't a total surprise. I have never taken the time to count how many phishing e-mails make it into my mailbox, but I can tell you that there are phishing messages that evade Microsoft's filtering mechanisms and make it into my inbox on an almost daily basis.

I can accept the idea that Microsoft's message filtering is not going to be 100 percent effective. After all, the world's largest technology companies have been working for decades to eradicate spam and phishing messages, but just have not succeeded yet.

Even so, there was a second statistic listed within the report that I found to be a bit more puzzling.

The Avanan report found that many phishing e-mails were designed to impersonate well-known brands. The report found that roughly one out of every 25 branded e-mails (that is, messages from well-known brands) was a phishing message. As you would probably expect, the bad actors are attempting to impersonate some brands more than others. For example, FedEx is impersonated relatively often, while the mom-and-pop bait shop down the street has probably never been impersonated.

The reason I bring this up is because the report found that during most of the year, "Microsoft is by far the most impersonated brand," accounting for 43 percent of all brand-impersonation messages. Amazon.com is in second place, accounting for 38 percent -- except during the holiday season, when it briefly surpasses Microsoft as the most-impersonated brand.

So here is what bothers me about this: The Avanan report focuses heavily on Office 365 and, although the report never makes a direct statement, reading between the lines would seem to suggest that Microsoft's scanning engines (more specifically, Exchange Online Protection) have trouble detecting messages impersonating Microsoft.

Now, I will be the first to admit that there is a possibility that I am simply interpreting the report incorrectly. I can't seem to recall getting any messages in my Office 365 inbox recently from someone impersonating Microsoft, so it is entirely possible that Microsoft is able to guard against messages from imposters.

However, if Microsoft really does have trouble differentiating between real and fraudulent messages from itself, then that is a big problem.

Regardless of the current state of phishing attacks, I think that e-mail-based phishing will become far less common in the next couple of years. One of the big trends in IT at the moment is the rampant adoption of artificial intelligence (AI) engines in practically every application imaginable. As AI continues to mature, it will undoubtedly make it so that cloud-based message filters are better able to detect phishing messages.