“Office 365 Undelivered/Pending”- Something Phishy

You probably already know what “phishing” is. You probably know not to click on suspicious links or open suspicious attachments in an email message. You almost certainly know not to tell others your passwords or type them into suspicious websites. Security isn’t so hard, right?

Yet…

“Suspicious” seems like an awfully subjective criterion. That message from your mother certainly isn’t suspicious. Nor is that email from your boss. And that message from one of your vendors seems perfectly reasonable. Or is it?

It used to be that most phishing attempts were clumsy and easy to recognize. They had misspellings and grammar mistakes. The sender was someone you didn’t know. They were apropos of nothing and completely lacking in context.

Today’s phishing attempts, however, are much more sophisticated, and can easily fool even vigilant end-users.

One recent phishing scam, outlined here, uses some of Microsoft’s own technology to fool users into thinking the login page is legitimate. In this scam, the original email looks like the one below and seems believable enough.

After the user clicks on the link, the page that follows looks like the standard Microsoft Office 365 login screen, even for organizations that have branded the page with their own logos. Understandably, users can be led to believe that the login screen is legit because they see their own company’s logo.

With phishing (and other attacks) getting smarter, is there any hope at all? The answer is yes, there are still steps you can take.

Security Awareness Training

As silly as it may sound, one of the best ways to stay vigilant is to … stay vigilant. As we’ve noted in the past, humans are the weakest link in any security program and education is the best defense. Users should receive regular and ongoing security awareness training to keep them wary of evolving scams and attacks.

Kraft Kennedy conducts simulated phishing attacks by email and phone as part of our security training program. Before training, a shockingly high percentage of people fall for these scams. Post-training, the number drops dramatically, usually to zero.

Multi-Factor Authentication

Most data and services, whether located on-premises or in the cloud, can be protected via multi-factor authentication (“MFA”), which requires an additional step beyond just entering a user ID and password. By protecting services with MFA, attackers can be blocked from accessing them, even if they have managed to acquire a valid user ID and password. Even better, the real user will get a notification that someone has entered their password, alerting him/her that the password may have been compromised.

Advanced Security Tools

Just as phishing attempts are smarter, security tools are becoming more advanced as well. It’s not just anti-virus any more! There are many other security tools that can help thwart phishing or other attacks. Such tools include Cisco Umbrella, Mimecast Targeted Threat Protection, and others.

Microsoft’s suite of security solutions is particularly promising. Many of them, such as MFA and Azure Information Protection, are already available to firms with Windows 10.

Is your firm safe against sophisticated phishing attacks? Get in touch with one of our experts to discuss how you can strengthen your defenses. Kraft Kennedy’s Managed Security Services includes security awareness training, 24/7 monitoring by security analysts, and state-of-the-art technical defenses.