Protecting Exchange Online Against Phishing
Reports with grand titles like “Global Phish Report 2019” might appear authoritative, but often they are thinly disguised vendor pitches. A real-life, well-known problem is stated, followed by an explanation that the only way to solve it is to use the technology that just happens to be sold by the report’s authors.
In this case, the Global Phish Report comes from Avanan, a company that sells anti-phishing tools to protect platforms like Office 365 and G Suite. It contains the starting assertion that “Of the phishing attacks we analyzed, 25% bypassed Office 365 security.”
Avanan go on to explain that their researchers analyzed 55.5 million messages sent to Office 365 and G Suite (Figure 1), presumably sent to customers of their anti-phishing service. No specific details were given about where these companies were located, how many tenants were involved, and what configuration the tenants use.
Avanan said: “we scanned every email after the default security, allowing us to see not only the phishing attacks that were caught, but also those that were missed.” They then concluded that 25% of the phishing messages got past the Exchange Online Protection checks and were delivered to user inboxes (Figure 2). This is what Avanan mean when they say that messages bypassed security.
Phishing on the Increase
This all sounds pretty serious, especially as we know that the volume of phishing attacks is growing. However, it’s not news. Phishing has been part of the attack horizon for several years and any Office 365 tenant that doesn’t take steps to protect their infrastructure and coach users to recognize and resist phishing is asking for trouble.
Avanan’s report includes some useful descriptions of the most common types of phishing that might help you explain these attacks to end users. Two recent examples of phishing attacks aimed at Office 365 users are file deletion alerts and account takeovers.
Performance of Exchange Online Protection
It does not surprise me that some malware gets past Exchange Online Protection (EOP). Good defense against malware comes through a mixture of people and technology. The technology is usually deployed in multiple layers. Office 365 could not sell an email service if it didn’t include anti-malware protection, and EOP delivers out-of-the-box protection against the most common high-volume attacks. In short, EOP is a reasonable first line of defense, but it should not be the only line of defense (unless you like living on the edge).
The Avanan report doesn’t detail the configuration and operational setup of the target tenants. We must assume that the tenant administrators did a decent job of configuring and managing EOP, including using DKIM, DMARC, and SPF to validate inbound messages, but we don’t know. Bad configurations weaken defenses and allow an increased volume of malware to slip through. Missing a quarter of all phishing messages sounds high, but it could happen.
You can tune your EOP configuration to the hilt, but because EOP is a single line of defense, you always run the risk that some malware will penetrate. The battle between attackers and defenders is continuous and even though Microsoft applies increasing amounts of human and artificial intelligence to detect and suppress new attacks, EOP is still only a single line of defense for attackers to get through.
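One practical way to judge how EOP’s SPF, DKIM and DMARC validation fared for a phishing message that did reach an inbox is to read the Authentication-Results header that EOP stamps on inbound mail. The parser below is an added example, not code from the original post or from Microsoft, and the two header lines it works on are constructed samples (the IP addresses and domains are placeholders).

```python
import re

# Two constructed Authentication-Results headers in the layout EOP stamps on
# inbound mail; the IPs and domains are sample values, not real senders.
SAMPLE_HEADERS = {
    "legitimate": (
        "spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=contoso.com; "
        "dkim=pass (signature was verified) header.d=contoso.com;"
        "dmarc=pass action=none header.from=contoso.com;"
        "compauth=pass reason=100"
    ),
    "spoofed": (
        "spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=contoso.com; "
        "dkim=none (message not signed) header.d=none;"
        "dmarc=fail action=oreject header.from=contoso.com;"
        "compauth=fail reason=000"
    ),
}

# One clause per method: method=result, an optional "(comment)", then key=value
# properties up to the next ';' (or the end of the header).
CLAUSE_RE = re.compile(r"(spf|dkim|dmarc|compauth)=(\w+)(?:\s*\([^)]*\))?([^;]*)")
PROP_RE = re.compile(r"([\w.]+)=([\w.\-]+)")


def parse_auth_results(header):
    """Return {method: {"result": ..., <property>: ...}} for each clause found."""
    results = {}
    for method, result, rest in CLAUSE_RE.findall(header):
        props = {"result": result}
        props.update(PROP_RE.findall(rest))  # e.g. smtp.mailfrom, header.d, action, reason
        results[method] = props
    return results


def triage(header):
    """Summarise EOP's verdict: ('authenticated', []) when SPF, DKIM, DMARC and
    composite authentication all passed, otherwise ('unauthenticated', findings)."""
    r = parse_auth_results(header)
    res = lambda m: r.get(m, {}).get("result", "missing")
    findings = []
    if res("spf") != "pass":
        findings.append("spf=%s for %s" % (res("spf"), r.get("spf", {}).get("smtp.mailfrom", "?")))
    if res("dkim") != "pass":
        findings.append("dkim=%s" % res("dkim"))
    if res("dmarc") != "pass":
        findings.append("dmarc=%s action=%s" % (res("dmarc"), r.get("dmarc", {}).get("action", "?")))
    if res("compauth") != "pass":
        # compauth reason 000 = explicit (DMARC) failure, 001 = implicit failure
        findings.append("compauth=%s reason=%s" % (res("compauth"), r.get("compauth", {}).get("reason", "?")))
    return ("authenticated" if not findings else "unauthenticated"), findings
```

A message that lands in the inbox with all four checks passing was accepted on the strength of its sender authentication, so the phishing content itself got past the filters; one that arrives with findings points at a policy that did not act on an authentication failure.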
The Need for Multiple Defenses
The upshot is that Office 365 is better protected if multiple defenses are used. Again, there’s nothing new in this statement. Back in the days of on-premises anti-virus, Exchange administrators ran multiple anti-virus engines to make sure that if one engine failed to detect something like the ILoveYou virus, another engine would do the job. EOP uses multiple anti-malware engines for this reason.
Today, anti-malware is an increasingly complex business and many companies deploy multi-layer defenses to achieve maximum defense against malware. For Office 365, you can have inbound email pass through a third-party cloud-based anti-malware service like those run by Mimecast, Symantec, or Avanan (which is why they created the report) or you can use Microsoft’s Office 365 Advanced Threat Protection (ATP), which is included in Office 365 E5 and available as an add-on for other plans.
ATP Helps EOP
Microsoft would like you to use ATP (and if you have E5 licenses, you should). ATP is integrated with EOP, and the signals gathered by EOP can be used by ATP in its processing. Basically, EOP takes care of well-known attacks (one notable EOP feature is Zero-hour Auto Purge (ZAP), the ability to process malicious messages after they reach user mailboxes). ATP then adds more advanced techniques like Safe Attachments and Safe Links to protect against zero-day attacks, plus anti-phishing learning models and algorithms to detect and suppress phishing messages.
There’s a good argument to go with the integrated solution and equally compelling arguments to use technologies from multiple sources. The important point is that EOP on its own will not catch some of the most modern and sophisticated phishing attacks. If you just use EOP, expect to see some phishing email turn up in user inboxes; with multiple defenses, only a fraction of those messages will get through.
Good to Highlight Problems
Avanan’s report does a good job of highlighting the phishing problem. However, its conclusions are doubtful because it focuses on EOP instead of the EOP/ATP combination, which I think is a more realistic yardstick. If I saw some verifiable data to show that a quarter of phishing messages got past a well-managed Office 365 tenant with ATP deployed, I’d be very worried. But I’m not.