How Office 365 Advanced Threat Protection’s New Anti-Impersonation Features Help Defend Against Phishing Attacks
Chances are high that you have been the target of several types of malware and phishing campaigns in the past year. Throughout the second half of 2017 alone, Microsoft Office 365 Advanced Threat Protection (O365 ATP) mitigated a billion phishing emails. Because attacks are getting more complex and sophisticated, Microsoft continues to improve O365 ATP to help you defend your digital environment. Office 365 Advanced Threat Protection is just one of four different products from Microsoft with the Advanced Threat Protection branding attached. All work together to provide a layered approach to security. Learn more in our article: Addressing Confusion Around Microsoft’s 3 Advanced Threat Protection Solutions.
O365 ATP continues to develop strong defenses against phishing attacks, and the results show their effectiveness. O365 ATP has now achieved a malware catch rate greater than 99.9% and a 45-second average file detonation time (meaning that the time for emails to be deep scanned is now less than a minute).
One of the most lucrative attacks for cyber thieves is spear phishing - a subset of phishing attacks that targets a specific individual, group, or organization. These attacks are customized and tend to leverage a sender name or common domain, creating a false sense of trust with the recipient. The success of these malicious emails relies on tricking users by impersonating other users such as a C-level executive, in the hopes of eliciting quick action by the recipient.
Microsoft has recently launched a series of anti-impersonation features focused on domain and user impersonation designed to combat spear-phishing attacks.
Turning on this O365 ATP feature increases protection by leveraging machine learning algorithms to better understand a user’s contact graph – a map of all the people who are likely to send an email to the user based on prior mail flow patterns. This functionality allows you to better manage false positives for the end user as well as helping you flag potentially problematic emails. Additionally, Mailbox Intelligence is able to recognize if an email is coming from an impersonator and flag it. For example, if you normally receive emails from firstname.lastname@example.org and an email comes in from an impersonator with the address email@example.com, the system will recognize that this is not the correct email address and flag the email.
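The contact-graph idea described above can be sketched as follows. This is an added example, not Microsoft's implementation or code from the original article: it replaces machine learning with a plain lookup plus an edit-distance heuristic, and every name, address and threshold in it is constructed for illustration.

```python
from collections import Counter
from email.utils import parseaddr

# Constructed prior mail flow for one mailbox (From header values).
HISTORY = [
    "Dana Reyes <dana.reyes@contoso.example>",
    "Dana Reyes <dana.reyes@contoso.example>",
    "Dana Reyes <dana.reyes@contoso.example>",
    "Lee Park <lee.park@fabrikam.example>",
]

def build_contact_graph(history):
    """Map normalized display name -> Counter of addresses seen for that name."""
    graph = {}
    for header in history:
        name, addr = parseaddr(header)
        graph.setdefault(name.strip().lower(), Counter())[addr.lower()] += 1
    return graph

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_sender(graph, from_header, max_distance=2):
    """Return 'known', 'user-impersonation', 'domain-impersonation' or 'unknown'."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.lower()
    if name in graph:
        # Familiar display name: trusted only with an address already seen for it.
        return "known" if addr in graph[name] else "user-impersonation"
    domain = addr.rpartition("@")[2]
    known_domains = {a.rpartition("@")[2] for c in graph.values() for a in c}
    for known in known_domains:
        # A domain that is close to, but not equal to, one we correspond with.
        if domain != known and edit_distance(domain, known) <= max_distance:
            return "domain-impersonation"
    return "unknown"
```
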
Phishing attacks can be countered effectively, in a sense before they even begin, by practicing against simulated threats. O365 ATP can now preempt a phishing attack by first simulating it against the protected environment. The simulator can test for three common types of attack:
- Display Name Spear Phishing - when the attacker impersonates a person familiar to a corporate user, so that the user believes they know the sender of the email being opened.
- Password Spray - where the attacker has identified emails or usernames within a company through outside sources and then builds a list of passwords to try against each username, bypassing the usual “3-5 attempts and you’re out” password failsafe policy.
- Brute Force Password Attempts - the process of an attacker calculating every possible combination that could make up a password and testing each one against the chosen usernames. Although slower for longer passwords, it can be very effective for shorter, more common passwords.
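The difference between the two password attacks matters for detection: a per-account lockout counter sees brute force but not a spray. The following added example (not from the original article or from Microsoft) runs both checks over constructed failed sign-in events; the thresholds and the event format are assumptions, and all events are taken to fall within one detection window.

```python
from collections import defaultdict

# Constructed failed sign-in events: (minute, source_ip, username).
FAILED_SIGNINS = (
    # One source fails once against each of many accounts (spray pattern).
    [(0, "198.51.100.7", f"user{i:02d}") for i in range(12)]
    # One source fails repeatedly against a single account (brute-force pattern).
    + [(m, "203.0.113.9", "alice") for m in range(8)]
    # An ordinary mistyped password.
    + [(3, "192.0.2.20", "bob")]
)

LOCKOUT_THRESHOLD = 5   # assumed per-account failures before lockout
SPRAY_ACCOUNTS = 10     # assumed distinct failed accounts per source

def per_account_lockouts(events, threshold=LOCKOUT_THRESHOLD):
    """Accounts that an 'N attempts and you're out' policy would lock."""
    counts = defaultdict(int)
    for _, _, user in events:
        counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= threshold)

def classify_sources(events, threshold=LOCKOUT_THRESHOLD,
                     spray_accounts=SPRAY_ACCOUNTS):
    """Label each source by breadth (distinct accounts) and depth (failures per account)."""
    per_source = defaultdict(lambda: defaultdict(int))
    for _, ip, user in events:
        per_source[ip][user] += 1
    labels = {}
    for ip, users in per_source.items():
        if len(users) >= spray_accounts:
            labels[ip] = "password-spray"   # wide and shallow
        elif max(users.values()) >= threshold:
            labels[ip] = "brute-force"      # narrow and deep
        else:
            labels[ip] = "benign"
    return labels
```

Only `alice` trips the lockout policy here; the twelve sprayed accounts each see a single failure, so the spray is visible only when failures are grouped by source.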
Thankfully many of these attacks and others can be thwarted with the proper policies and user training. Tracking the results from the Attack Simulator will really show where things are weak and help you prioritize next steps.
Attack Simulator reports back to the admin on user responses and behavior while under attack. The Attack Simulator then leverages the Microsoft Intelligent Security Graph to show detailed reports of high-risk accounts, giving quick visibility into the weakest links. Admins can then take actions like adding Multi-factor Authentication, addressing password complexity issues, locking out accounts, and developing training plans for their end users.
To summarize, there is a three-step process to best utilize Attack Simulator to better protect your organization’s employees.
- Simulate the attack with Attack Simulator by engaging users on the network as the “targets” of an attack.
- Capture and review the results of actions taken or not taken following the “attack” by the targeted users.
- Develop training curriculum to deploy to your organization’s employees.
Following this three-step process will give your organization’s employees new awareness and a more responsible view of the security needs of their digital identities.
This feature allows you to whitelist users and domains that should be excluded from impersonation evaluations. These entities are then classified as ‘trusted’ and emails sent from them will bypass additional security checks and help prevent false positives that could hinder approved email communication.
There is no doubt Microsoft’s technology is making considerable strides in battling threats to your environment and users, but it’s important to note that these safeguards are not out-of-the-box features of Office 365. To ensure you are protected, you must also purchase O365 ATP, which is available for only $2 per user per month, or as part of either the Office 365 E5 plan or the Microsoft 365 E5 plan.
As a Microsoft Gold Partner, Interlink Cloud Advisors can help make sure that your O365 is operating properly and defending against phishing and other malware threats. Contact us to learn more about how you can employ O365 ATP to protect your organization.