Increasingly, cyberattackers are laser-focused on crafting attacks that are specialized to bypass Microsoft's default security, researchers say — which is going to require a shift in defense posture for organizations going forward.
"Many hackers think of email and Microsoft 365 as their initial points of compromise, [so they] will test and verify that they are able to bypass Microsoft’s default security," according to a new report from Avanan that flags an uptick in its customer telemetry of malicious emails landing in Microsoft-protected email boxes. "This does not mean that Microsoft's security got worse. It means that the hackers got better, faster, and learned more methods to obfuscate and bypass the default security."
Some of the eye-catching numbers in the report, gleaned from analyzing 3 million corporate emails in the past year, include:
- About 19% of phishing emails observed by Avanan bypassed Microsoft Exchange Online Protection (EOP) and Defender.
- Since 2020, Defender's missed phishing rates among Avanan's customers have increased by 74%.
- On average, Defender sends only 7% of phishing messages received by Avanan customers to the Junk folder.
- In good news: Microsoft flagged and blocked 93% of business email compromise attempts.
- Microsoft catches 90% of emails booby-trapped with malware-laden attachments.
Again, the numbers speak to the evolution of phishing and the fact that attackers are increasingly using tactics like leveraging legitimate services to avoid including obviously malicious links in emails, using masking techniques like vanity URLs, and avoiding attachments altogether.
To defend themselves against these custom-built attacks, organizations can go to basic defense-in-depth approaches with four main prongs, according to Roger Grimes, data-driven defense evangelist at KnowBe4.
Those prongs include: A better focus on preventing social engineering, using a best defense-in-depth combination of policies, technical defenses, and education; patch software and firmware, especially any that are listed on CISA's Known Exploited Vulnerability Catalog; use phishing-resistant multifactor authentication (MFA); and using different, secure, passwords for every site and service where MFA cannot be used.
"There are no other defenses, besides these four, that would have the most impact on decreasing cybersecurity risk," Grimes says. "It is the world's lack of focus on these four defenses that has made hackers and malware so successful for so long."