Office 365 Proves Popular with Phishers

With 180 million active users it's no wonder that Microsoft Office 365 has caught the attention of online criminals.

According to Microsoft, one in five business workers are now using an Office 365 cloud-based service, with adoption particularly popular in the financial services and manufacturing sectors.

And these industries, of course, can provide rich pickings for cybercriminals.

So, it's no surprise to me to learn that phishing attacks targeting Office 365 users outstrip the attacks seen against the likes of Netflix and PayPal, or online banks.

What makes phishing attacks against Office 365 more threatening, of course, is that they're not just after a user's login credentials.

Instead, attackers frequently want to exploit their unauthorised access to an Office 365 account by sending messages from the legitimate account to the victim's business partners or colleagues. A stolen Office 365 password may only raise a tiny amount of money if sold on an underground cybercrime forum compared to the fortunes that can be made through a Business Email Compromise (BEC) attack that requests money be wired to an overseas bank account.

Alternatively, a hacker might be keen to trawl through a compromised email archive for company secrets, and threaten to make them public unless a ransom is paid.

Microsoft has multiple recommendations on how businesses of different sizes can better harden the security of Office 365, but some of the most important steps in my mind include:

• Enabling and enforcing Office 365 multi-factor authentication (MFA, sometimes called two-factor authentication or 2FA) for all users. Two-factor authentication isn't just a great idea for Office 365 accounts, but should also be put in place for other online services where available as it makes it more difficult for phishers to access accounts even if they have successfully stolen a password.

(Of course, Microsoft hasn't done the promotion of multi-factor authentication any favours after suffering an outage last November which locked users out of their Office 365 accounts for a period of time.)

• Hardening account security by enforcing password rules related to length and complexity. Businesses should seriously consider using an enterprise-grade password manager to make it easy for staff to generate unique, complex passwords rather than letting them fall into bad habits.

• Running security software to analyse visited webpages and downloaded files for suspicious content.

• Training and educating staff about the latest threats and risks.

• Submitting suspicious emails to Microsoft for analysis.

Every day there are news stories about organisations being phished, data being lost to hackers, and damage being done to a company's brand.

Often the details of what email system the organisation was using aren't detailed in the media reports, but with the growing uptake of Office 365 it's likely that a fair proportion of them do involve Microsoft's cloud-based services.

Earlier this month, for instance, Missouri Southern State University admitted that it had suffered a data breach after several employees fell victim to a phishing attack back in January 2019.

The breach meant that remote hackers could have potentially accessed emails and attachments containing names, dates of births, home addresses, email addresses, telephone numbers, and social security numbers.

According to the university, it was directed to delay notifying potentially affected individuals while law enforcement completed its investigation, but it wisely immediately reset all employees' Office 365 passwords, and put into process a plan to enhance its IT systems to reduce the chances of future attacks.

Whatever email system you're using inside your business it makes sense to strengthen your defences against the increasingly sophisticated tricks being used by online criminals.