Cloud

10/31/2017
03:09 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
0%
100%

Office 365 Missed 34,000 Phishing Emails Last Month

Nearly 10% of emails delivered to Office 365 inboxes were spam, phishing messages, and known or zero-day malware.

Microsoft Office 365 missed 9.3% emails containing spam, phishing, and malware from the beginning of September through early October, report Cyren researchers, who analyzed 10.7 million messages.

The threat intelligence firm gauges clients' email security with its Email Security Gap Analysis tool. Inbound emails are processed by its email security system, and all messages that go on to users' inboxes are BCC'd to Cyren's system for automated analysis.

"It's a standard engagement we have with clients," says Pete Starr, Cyren's director of field engineering. "But occasionally we get some interesting nuggets of information." Researchers were curious about how Office 365 was performing, which led to evaluating its security.

During the month of September, Cyren analyzed 10.7 million emails forwarded by Office 365 to user mailboxes for companies tested during that time frame. Of the messages evaluated, 9.75 million (90.7%) were found to be clean. This included 4.6 million newsletter emails, which made up nearly half of legitimate email traffic.

Nearly one million (9.3% of) messages were spam or malicious emails missed by Office 365, says Cyren, noting that the standard Office365 email service has Exchange Online Protection (EOP) to protect against malware and spam. The "false negatives" should not have made it to inboxes.

Researchers found 957,039 emails, or 8.93% of all email traffic, turned out to be spam. Usually, these messages are filtered out through content scanning or pattern detection applied to elements of the email message or its distribution pattern.

Spam aside, 34,077 emails delivered to Office 365 users were phishing messages. Of these, 18,052 were financial phishing emails requesting banking details or account access, 5,424 were password phishing emails, and 10,601 were general phishing emails.

"The biggest shock was just how much was coming through," says Starr. "Yes, the majority of it is spam, but quite a lot is something you don't want."

He refers to the malware attachments found on 3,900 emails delivered to users. While a tiny percentage (0.04%) of all emails delivered, it's also the most dangerous. Of those malware emails, 1,438 were zero-day attachments with no previously known malware signatures. However, malware attached to 2,462 emails was known and should have been detected.

"What really surprised me was the two-and-a-half thousand samples of known malware," Starr says. "Stuff caught by basic, signature-based detection. You expect that kind of stuff to be filtered out."

Is the customer at fault, or is Microsoft? Starr puts some blame on both parties. "Your average Office 365 customer is less well-configured; they perhaps don’t have the best policies on average," he explains.

However, he continues, Microsoft's solution is particularly reliant on reputation-based filtering, meaning the extent of their knowledge is only as good as their database. Today, with the rise of distributed attacks involving malware, phishing, spam, and botnets, many machines involved are fresh IPs. There's a good chance they won't exist inside an IP reputation database, he says.

"Being able to track new IPs is very, very difficult," says Starr. "You find out about them when it's too late."

For businesses hoping to improve their email security, he advises being more sensible about whitelists, noting that many organizations are too broad when adding domain names to their whitelists and letting potentially harmful messages in.

Another mistake is not appreciating how much valid email exists in other languages, like Chinese or Russian. "People either completely block, or completely allow them," he adds, suggesting users take full advantage of email features to set more specific filters.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
marklas1
100%
0%
marklas1,
User Rank: Apprentice
11/2/2017 | 3:08:11 PM
Re: Very low on usable and/or verifiable details
My first thought was regarding ATP and whether or not it was being used.  No email system offers anything beyond some basic features.  You will need to add an additional service to actually get ahead of the problem.
cdansbee
50%
50%
cdansbee,
User Rank: Apprentice
11/2/2017 | 11:33:21 AM
Re: Very low on usable and/or verifiable details
Agree completely! This article fails to produce any actual findings from any sources other than Microsoft's competition. Unfortunately, people will read the headline and jump to the conclusion that EOL is not a good option, which seems to be what the author is after. 

It seems Dark Reading may be chasing headlines on this one.
dmstork
100%
0%
dmstork,
User Rank: Strategist
11/1/2017 | 9:18:32 AM
Very low on usable and/or verifiable details
Unfortunatly the research paper is very low on details, which exact settings where used in Office 365 (default settings tend to change for new tenants) and whether or not Office 365 Advanced Threat Protection was added. Also, the exact setup is a little bit questionable as there are multiple layers of scanning (even down to mailbox level) that scanning takes place (also after the mail landed in the mailbox).

But looking at their website, it becomes clear that Exchange Online Protection is actually a direct competitor of theirs. That is a clear conflict of interest and IMHO should've been mentioned in this article otherwise this is just an elaborate ad...
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12242
PUBLISHED: 2018-09-19
The Symantec Messaging Gateway product prior to 10.6.6 may be susceptible to an authentication bypass exploit, which is a type of issue that can allow attackers to potentially circumvent security mechanisms currently in place and gain access to the system or network.
CVE-2018-12243
PUBLISHED: 2018-09-19
The Symantec Messaging Gateway product prior to 10.6.6 may be susceptible to a XML external entity (XXE) exploit, which is a type of issue where XML input containing a reference to an external entity is processed by a weakly configured XML parser. The attack uses file URI schemes or relative paths i...
CVE-2018-14792
PUBLISHED: 2018-09-19
WECON PLC Editor version 1.3.3U may allow an attacker to execute code under the current process when processing project files.
CVE-2018-16607
PUBLISHED: 2018-09-19
Cross-site scripting (XSS) vulnerability in the Orgs Page in Open-AudIT Professional edition in 2.2.7 allows remote attackers to inject arbitrary web script via the Orgs name field.
CVE-2018-16785
PUBLISHED: 2018-09-19
XML injection vulnerability exists in the file of DedeCMS V5.7 SP2 version, which can be utilized by attackers to create script file to obtain webshell