Why Microsoft Should be Ashamed of its Security
Quick Answer
A spear-phishing campaign against an energy-sector company bypassed Microsoft Exchange Online Protection by hosting the lure on Google Drive and impersonating the CEO with a shared document. EOP let it through because the sending host was a legitimate Google service and the link in the body pointed to a real Drive share. The body inspector did not follow the link to inspect the destination, which is what real-time link click protection does: rewrite every URL, then check the endpoint at click time, every time, no matter how long after delivery. If the resolved page or attachment is malicious, the click is blocked. Customers on Exchange Online or Office 365 should layer phishing protection with link click rewriting on top, because gateway scanning of the message body is not enough on its own.
Do you ever wonder why Microsoft consistently tops the list of favorite brands to target with phishing scams? Because it’s one of the most widely used brands, AND because apparently its security isn’t very good.
Now comes word of a spear phishing scam, targeting a company in the energy sector, “using a savvy trick to get around the company’s Microsoft email security stack.”
According to an article on ThreatPost, “the campaign impersonated the CEO of the targeted company, sending email via Google Drive purporting to be ‘sharing an important message’ with the recipients. The email was legitimately sent by Google Drive to employees.”
The article goes on to say that “By using an authentic service, this phishing campaign was able to bypass Microsoft Exchange Online Protection and make its way to the end user. The technique of using Google Drive to disseminate a phishing email helps bypass email security service measures because of the difficulty of blocking a legitimate business service.”
That’s Microsoft’s excuse? It’s difficult to block legitimate-looking emails? That’s the crux of phishing: making nefarious emails look legitimate. If you can’t block those, then you have no protection at all. Wait, it gets worse.
The article adds “the link within the email body links to an actual Google Drive share with documents to download – and the Microsoft email body inspection tool does not examine where the user may be taken after clicking the non-malicious Google Drive link.” Detecting those malicious links is basic phishing protection 101. What’s the difference between Microsoft’s security and no security at all? Not much.
Phishing protection today requires real-time link click protection. Apparently Microsoft, a company worth over a TRILLION dollars, hasn’t gotten the message.
Real-time link click protection involves checking every link in an email at the moment the link is clicked, no matter when it’s clicked, by following the link all the way to its final destination to see whether it points to a malicious website (or a malicious attachment). If the endpoint is malicious, you protect the user by blocking the click. That’s how you protect users today, Microsoft.
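To make the mechanism concrete, here is an added toy model of link click protection in Python. It is illustrative code written for this article, not DuoCircle’s product code or Microsoft’s. Every URL in the message body is rewritten at delivery time to a wrapper link carrying an opaque token; when the token is clicked, the wrapper resolves the original URL, follows the chain of hops to the final destination, and blocks the click if that destination is on a malicious-host list. The wrapper host (`click.example.invalid`), the blocklisted host, the sample message and the redirect table are all constructed for the example; a real implementation would fetch each hop over the network rather than look it up in a dictionary, and would consult live threat intelligence rather than a static set.

```python
"""Toy model of real-time link click protection (illustrative, not vendor code).

Delivery time: rewrite_links() swaps every URL in the body for a wrapper URL
with an opaque token and remembers the original.
Click time:    handle_click() resolves the original URL *now*, follows the
simulated hop chain to the final page and blocks if that page is malicious.
Because the verdict is computed at click time, a share that is changed after
delivery (benign at scan time, weaponised later) is still caught.
"""
import re
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

URL_RE = re.compile(r'https?://[^\s<>"\']+')
WRAPPER_BASE = "https://click.example.invalid/r?t="   # hypothetical rewrite host
MALICIOUS_HOSTS = {"harvest.example.invalid"}          # constructed blocklist

# A redirect table stands in for the network: url -> next hop (None = final page).
# The toy collapses "the page the user reaches from the share" into one hop.
Redirects = Dict[str, Optional[str]]


def rewrite_links(body: str, store: Dict[str, str]) -> str:
    """Replace every URL in the body with a wrapper URL; store token -> original."""
    def _wrap(match: "re.Match[str]") -> str:
        token = secrets.token_urlsafe(8)
        store[token] = match.group(0)
        return WRAPPER_BASE + token
    return URL_RE.sub(_wrap, body)


def resolve(url: str, redirects: Redirects, max_hops: int = 10) -> Optional[str]:
    """Follow the hop chain to its final destination.

    Returns None if the chain loops or exceeds max_hops; the caller treats that
    as unsafe rather than letting the click through.
    """
    seen = set()
    for _ in range(max_hops):
        if url in seen:
            return None
        seen.add(url)
        nxt = redirects.get(url)
        if nxt is None:
            return url
        url = nxt
    return None


def is_malicious(url: str) -> bool:
    """True if the URL's host (or a parent domain of it) is on the blocklist."""
    host = (urlparse(url).hostname or "").lower()
    return host in MALICIOUS_HOSTS or any(host.endswith("." + h) for h in MALICIOUS_HOSTS)


def handle_click(token: str, store: Dict[str, str], redirects: Redirects) -> dict:
    """Click-time check: look up the original URL, resolve it now, decide."""
    original = store.get(token)
    if original is None:
        return {"allowed": False, "final": None, "reason": "unknown token"}
    final = resolve(original, redirects)
    if final is None:
        return {"allowed": False, "final": None, "reason": "redirect loop or chain too long"}
    if is_malicious(final):
        host = urlparse(final).hostname
        return {"allowed": False, "final": final, "reason": f"destination {host} is malicious"}
    return {"allowed": True, "final": final, "reason": "clean"}


def demo() -> Tuple[bool, bool]:
    """Replay the scenario: returns (allowed on first click, allowed after the share changes)."""
    store: Dict[str, str] = {}
    body = ("Your CEO shared an important message: "
            "https://drive.google.com/file/d/SAMPLE123/view Please review today.")  # constructed
    rewrite_links(body, store)
    token = next(iter(store))

    # At delivery the share is benign: a body scan of the visible link sees nothing wrong.
    share = "https://drive.google.com/file/d/SAMPLE123/view"
    redirects: Redirects = {share: None}
    first = handle_click(token, store, redirects)

    # Later the shared content is changed to send the user on to a harvesting page.
    # A delivery-time scan never sees this; the click-time check does.
    redirects[share] = "https://harvest.example.invalid/login"
    second = handle_click(token, store, redirects)
    return first["allowed"], second["allowed"]


if __name__ == "__main__":
    print(demo())  # first click allowed, second click blocked
```

The design point is that the wrapper, not the mail body, is the control point: the original URL is never handed to the user directly, so the decision can be re-made on every click with whatever the destination looks like at that moment. A loop or an over-long chain is treated as a block rather than a pass, since an attacker-controlled hop is exactly where a redirector would sit.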
Microsoft should be ashamed of itself. Leaving its customers vulnerable while telling them they’re safe. If you’re using Microsoft Exchange Online or Office 365 for your email, you cannot rely on their security to keep you safe. You’re going to need additional security that provides real time link click protection. You’re going to need DuoCircle with Advanced Threat Defense.
DuoCircle with Advanced Threat Defense provides email security with real-time link click protection, 24/7 on any device. It works with all email platforms, including Microsoft’s, and can be up and running in 10 minutes. Try it risk free for 30 days.
General Manager
General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.