What are phishing emails?
Phishing emails are fake messages, designed to look legitimate.
They cost businesses around the world billions of dollars each year. And they get opened by about 30% of people. These emails will generally impersonate a person or company that you trust or deal with, and attempt to trick you using one of three things:
They’ll use a fake person – someone pretending to be someone you know, so that you share information or transfer money into an attacker’s bank account.
They’ll set up a fake site – So that you enter your private information, like passwords or credit card details, or provide a rogue app with permission to access your data.
They’ll create fake attachments – attackers will disguise malware in fake invoices and shipping notification to remotely access your computer or encrypt your files.
How can I prevent phishing emails with Microsoft 365?
To give our teams the best chance of avoiding phishing emails, not only do we need to make people aware of the methods above, we need to configure the features in Microsoft 365 that address them. Starting with Office 365 Advanced Threat Protection
Start with Office 365 Advanced Threat Protection
This is your companies primary defence against phishing emails. While all Office 365 plans come with a built-in anti-phish policy, it’s not even close to what’s offered in Office 365 Advanced Threat Protection, also known as Office 365 ATP.
Once you’ve purchased Office 365 ATP, you should jump into the Security and Compliance centre and check out your anti-phishing policy.
Its default controls are pretty good for detecting phishing emails that impersonate your users, your domains and external contacts. It develops an understanding of how your users and their contacts interact, the addresses and sending infrastructure they use, and identifies anything out of the ordinary. If it detects an impersonation attempt, the message is either quarantined or delivered with a warning.
You can enhance your protection by adding users in roles like CEO or CFO to the targeted user protection feature. You can also add external domains, that you frequently interact with, to the targeted domains feature.
Use a mail transport rule to warn on external impersonation
You can configure a mail rule that applies a warning to messages where an external sender uses a display name that matches someone internally in your company. We have an example rule on our website that has been pretty popular amongst smaller organisations.
So that helps address fake senders, how about fake attachments and fake websites? Office 365 ATP addresses these with the Safe Attachments and Safe Links policies.
Detect malicious attachments with Safe Attachments policy
The safe attachments policy can protect your users from malware sent by phishing emails, like the COVID-19 phishing campaign that used Excel files to install a malicious remote access tool. The Safe Attachments feature analyses your attachments in a separate environment, running a bunch of checks for malware then blocking the email or removing the unsafe attachment.
Detect malicious websites with a Safe Links Policy
The Safe links policy scans your URLs in emails for links to malicious sites. If a malicious website is detected, Safe Links blocks users from visiting it.
Remove phishing emails from mailboxes after delivery
These tools work by analysing messages for known malware, bad links or untrusted senders and stopping them arriving. But what happens if a bad email gets through, and the system doesn’t realise until later?
You should configure Zero Hour Auto Purge. Zero Hour Auto purge removes bad messages from your mailboxes retroactively and sends them junk, quarantine or deleted items.
Set up Office 365 ATP and Exchange Online Protection with recommended best practices
I’ve just discussed four different security policies in a few minutes. If you’ve spent any time looking at ATP or Exchange Online Protection policies, you’ll probably notice there’s a lot of policies, and most of them are already set up. Should you change anything or leave them as they are?
It would help if you changed them, and Microsoft has two levels of recommended best practices that they say will prevent most unwanted messages from reaching your team.
These two levels are called Strict and Standard. In our experience, Strict is very strict, but it’s a good starting point that you can enable first, and adjust later.
Test users by simulating a phishing campaign
Once your policies are set up, you should test your users. If you purchase Office 365 ATP Plan 2, you can run attack simulations against your team. Attack Simulations can help you identify and find vulnerable users before a real attack impacts them.
Protect your accounts if your team gives up their credentials
But what happens when messages get through? What happens when users get duped and provide their login details to attackers?
Protect your accounts. If a user enters their credentials into a fake website, we need to make sure an attacker can’t use these credentials alone to log in. All Office and Microsoft 365 plans allow you to configure multi-factor authentication; this will ensure that attackers can’t log in without having access to an additional form of verification such as a phone or authentication token.
If you have a plan that includes Azure Identity Protection, you should set up a sign-in risk policy to monitor for unusual logins. These policies use machine learning to detect suspicious activity and can temporarily block sign-ins and accounts if something’s amiss.
Monitor for unusual applications with access to your users’ data.
Now that accounts are getting more secure by default, attackers are requesting access to user data via apps. And it’s worse if they manage to trick an admin user because then attackers can have longstanding access to an entire organisation that persists even when passwords are changed.
It can be challenging to detect if a user clicks a phishing link and provides a rogue app with access to their mailbox, OneDrive or SharePoint data. So you use Microsoft Cloud App Security to get alerted to unusual oAuth applications with access to your teams’ information.
Be extra vigilant if your data has been exposed in the past
Take extra care if you, or companies you regularly interact with, have been breached before. If attackers have had access to your company data and know who usually communicates with who, and for what purposes, they will try to exploit that information by setting up fake emails to hold their fake conversations with their fake invoices to get your real money.
Need help with phishing in Office 365 or Microsoft 365?
If you need assistance setting-up these policies in your organisation or need a hand cleaning up after a successful phishing attack in Microsoft 365, we’d be happy to help. Reach out to us via chat, or using the form below.