How to Take Phishing Protection Up a Level For Microsoft M365 Users

Phishing attacks continue to grow in volume and complexity. According to the FBI, phishing is the number one internet crime. “3.4 billion phishing emails are sent every day.”

In the second quarter of 2023, users in North America encountered around 484,000 phishing and malicious attempts worldwide, making it the region with the highest number of such incidents.

Europe ranked second, with over 462,000 phishing and malicious attempts.

Microsoft M365, and specifically Azure Cloud, is one of the most attacked platforms in the world. Most M365 users are students, corporate users, government agencies, and small-to-medium businesses (SMBs). Attacking M365 with zero-day attacks through malicious emails can be highly profitable for cybercriminals because of the valuable data stored on the platform.

Organizations have realized that stopping next-generation email attacks against M365 users requires additional protection covering everything from anti-phishing policy settings to user impersonation protection.

This article discusses the various adaptive controls available within Microsoft M365 security and options for organizations to leverage additional features from advanced AI email security providers like Trustifi.

Understanding M365 Phishing Protection.

M365 serves close to 3.6 million customers. Hackers are among these users. Cybercriminals and hackers will subscribe to M365 to test their various email phishing messages and launch their attack campaigns.

Users of M365 find stopping phishing attacks very challenging because of the near-perfect messages created by AI. These AI-generated messages show few mistakes in spelling, grammar, or dialect. Hackers continuously alter their attack patterns to reduce the chance of detection by email security filters.

Hackers use email phishing attacks to steal credentials and execute impersonation attacks posing as CEOs and senior leaders. These impersonation attacks lead to a business email compromise (BEC) attack, in which they attempt to get another firm to pay a false invoice or extend access to sensitive information.

Another challenge with M365 is stolen credentials. These M365 user credentials are available on the dark web for a price.

MFA Bypassing A Reality for M365 Users.

Hackers stealing M365 credentials creates additional security problems for organizations, because the same credentials give access to Azure cloud and Office applications. Microsoft offers multi-factor authentication (MFA) to help reduce the security risk from credential harvesting. However, hackers using a phishing tool called EvilProxy used a reverse proxy method to bypass MFA.

They wait before launching the next attack to avoid suspicion and detection, and users may end up approving the attackers’ requests unwillingly.

What Advanced Protection Features are available from Microsoft to protect M365 users?

Users of the various Microsoft M365 solutions and services have access to Microsoft Defender to help stop advanced threats, including malware, viruses, and attacks in email attachments. Defender serves as an endpoint detection and response (EDR) solution that helps protect end-user devices by providing real-time threat response, zero-day protection, and the ability to detect malicious and suspicious links. This solution offers exceptional reporting and tracking capabilities to help organizations gain insight into various attacks.

Safe Attachments

Safe Attachments is a critical addition to Defender’s capabilities. This feature is included in the organization’s subscription and helps detect malicious attachments in inbound and outbound email messages. Once the organization’s email security engineers enable it, Safe Attachments protection extends to SharePoint, OneDrive, and Teams.

Safe Links

Safe links help detect malicious links before the user gains access. A warning message will be displayed if M365 detects a possible malicious link. Admins also have the option to block malicious links dynamically after the user has clicked.

What are Some Examples of Phishing Messages Targeting M365 Users?

Here are examples of M365 email phishing attacks. Many attack methods target users’ credentials, access to Microsoft Teams meetings, and access to SharePoint Online files.

This email phishing message below attempted to lure a UCLA user to click on a malicious link. Hackers use this malicious link to distribute malware. (Notice the CLICK Here button).

The second example of an email phishing attack against an M365 user contained threatening and hostile language designed to intimidate the user. Through intimidation, hackers want the users to react quickly and follow the instructions embedded within the message.

This message originated from Main Street Bank.

Hackers attacking M365 users will leverage several attack methods simultaneously instead of a single campaign. Using several techniques increases the odds of achieving a breach. Thanks to Microsoft Defender, users will be protected against multiple attack vectors.

How to Enable M365 Advanced Threat Detection?

The following steps will help organizations reduce suspicious messages by enabling advanced protection layers for M365 Advanced Email Security features.

Step 1: To set up email security in M365, ensure you have the proper subscription, the correct user roles, and Azure Active Directory Premium activated.

Step 2: To deploy Microsoft Defender for M365, log in to your M365 console, go to ‘Security Compliance,’ then ‘Threat Management,’ and finally ‘Microsoft Defender for M365’.

Step 3: Once deployed, you can configure Microsoft Defender for M365. Log in to the M365 console and go to the ‘Security Compliance’ tab. Click ‘Threat Management’ and then ‘Microsoft Defender for M365’. Adjust the ‘General’ tab settings to configure the solution.

Step 4: To set up Advanced Threat Protection (ATP) with Microsoft Defender for M365, go to the ‘Security Compliance’ tab in the M365 console, click on ‘Threat Management’, then ‘Advanced Threat Protection’, and configure the settings on the ‘General’ tab.

Step 5: To configure Windows Security Center to work with Microsoft Defender for M365 on Windows 10, open Security Center and go to the ‘Settings’ tab. Click on ‘Account Protection’ on the left side, then select ‘Microsoft Defender for M365’. In the ‘General’ tab, adjust the settings for the Security Center.

Once your security engineers have executed these steps for Defender for M365, the next step is to configure the anti-phishing policies.

Setting Up Anti-phishing Policies with M365?

With ATP anti-phishing enabled, Microsoft M365 scans all incoming messages for possible phishing attacks using cloud-based AI. If anything suspicious is detected, the user is alerted immediately, and an admin logs the information for review. M365’s Anti-Phishing Policies use algorithms and machine learning to detect impersonation. When activated, they scan all incoming emails to detect malicious content.

Step 1: Access the Defender for M365 Admin Console.

Step 2: At https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing in the Policies section.

Step 3: On the Anti-phishing page (https://security.microsoft.com/antiphishing), select Create to open the new anti-phishing policy wizard.

Step 4: Click on Anti-phishing – Enter a unique name and description.

Step 5: Click on Default policy – Enable selected policies.

Step 6: The following window will appear: Edit or delete policies as needed.

Step 7: Switch the button from Off to On to enable anti-phishing and anti-spam policies.

Note: “For the anti-phishing policies named Standard Preset Security Policy and Strict Preset Security Policy associated with preset security policies, you can’t change the policy settings in the details flyout. Instead, you select View preset security policies on the details page at https://security.microsoft.com/presetSecurityPolicies to change the preset security policies.”
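The same kind of custom anti-phishing policy can be created from Exchange Online PowerShell instead of the portal wizard. The script below is an added example, not part of the original article: it assumes the ExchangeOnlineManagement module and a Defender licence that includes impersonation protection, and the admin account, policy name, domain and protected user are placeholders.

```powershell
# Added example. All names, addresses and domains are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$policyName = 'Custom Anti-Phishing - Executives'   # placeholder name

# Policy settings: spoof intelligence, user/domain impersonation
# protection and mailbox intelligence, each with an explicit action.
$policy = @{
    Name                                = $policyName
    AdminDisplayName                    = 'Impersonation and spoof protection'
    PhishThresholdLevel                 = 2            # 1 (standard) to 4 (most aggressive)
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'Quarantine' # action for spoofed senders
    EnableUnauthenticatedSender         = $true        # "?" marker on unauthenticated senders
    EnableViaTag                        = $true
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = 'Jane Doe;ceo@contoso.example'  # "DisplayName;Address"
    TargetedUserProtectionAction        = 'Quarantine'
    EnableOrganizationDomainsProtection = $true        # protect all accepted domains
    TargetedDomainProtectionAction      = 'Quarantine'
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'  # deliver to Junk Email
    EnableFirstContactSafetyTips        = $true
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
}
New-AntiPhishPolicy @policy

# A policy does nothing until a rule scopes it to recipients.
New-AntiPhishRule -Name $policyName -AntiPhishPolicy $policyName `
    -RecipientDomainIs 'contoso.example' -Priority 0

# Read the settings back to confirm what is actually enforced.
Get-AntiPhishPolicy -Identity $policyName |
    Format-List Name, PhishThresholdLevel, EnableSpoofIntelligence,
                EnableTargetedUserProtection, EnableMailboxIntelligenceProtection
Get-AntiPhishRule -Identity $policyName |
    Format-List Name, State, Priority, RecipientDomainIs

Disconnect-ExchangeOnline -Confirm:$false
```

Keeping the policy in a script makes the settings reviewable and repeatable across tenants, and the final `Get-` calls give a record of the effective configuration for audit.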

What are Some Best Practices for M365 Phishing Protection?

M365 has several policies to help fine-tune its capabilities to help stop phishing attacks.

Connection Filter Policy.

Use this policy to create a safelist of sending servers to help block malicious IPs.

Anti-spam Inbound Policy.

Use this policy to define spam emails based on criteria such as the number of emails from the same sender (default is five emails) or other email elements.

Anti-Spam Outbound Policy.

Spam can come from external sources and inadvertently from within a company, affecting its domain reputation and potentially blocking essential emails. A well-tuned outbound spam policy will help your marketing department avoid having their outbound emails with attachments blocked. This is critical to protecting your organization’s brand and domain credibility.

Anti-Malware Policy.

This policy allows organizations to set up file extension blocking lists to help stop zero-day type attacks. By enabling this policy, users will have access to several filtering engines, real-time alerting, and anti-malware signature updates.

Mailbox Intelligence.

Defender for M365 uses machine learning in the Mailbox Intelligence feature. It analyzes user email patterns and creates a “sender map” for each user. This feature helps identify potential spoofing attempts and verify the legitimacy of emails. This feature includes Mailbox Intelligence for protected emails, improving the accuracy of results in scenarios involving users with Impersonation Protection.

How Essential is Security Awareness, Attack Simulation, and Training to Help Stop Phishing?

Even with advanced email security services offered within the M365 subscription, security awareness training and attack simulation are equally important. Organizations need to leverage technology with training to stop email phishing attacks.

Most email phishing messages bypass even the most advanced email security solutions by using simple text-only messages with fewer than 50 words. These messages end up in the end-user’s inbox. It is up to the end-user to disregard these text-only phishing messages. However, many users who read the messages will often reply.

Security awareness training combined with attack simulations helps boost end-users’ knowledge and helps them make the correct decision when faced with a possible email phishing message. With solid awareness training, the user will likely mark messages using the “flag as spam or phish” option, which could prevent a ransomware outbreak.

Why Should Organizations Optimize Third-Party Anti-Phishing Tools to Help Future-Proof Their Email Security?

M365 email solutions, including its anti-spam, anti-phish, and anti-malware policies, help stop many email attacks. However, organizations quickly realize that M365 is vulnerable, especially to zero-day and adversarial AI attacks.

Remarkably, 15% of emails passing existing security filters contained compromising or malicious content, highlighting Trustifi’s ability to detect threats that legacy email security solutions overlooked.

Additionally, 62% of inboxes suffered attacks despite established security measures.

Trustifi’s report underscores the critical need for advanced email security measures in today’s threat landscape.

Implementing additional layers of email security through third-party providers like Trustifi helps organizations in several ways:

  • Adding Trustifi’s cloud-based advanced AI capabilities protects organizations from AI-enabled email messages that successfully bypass Defender for M365. Spam messages, phishing, and clone phishing messages continue to bypass M365.
  • Trustifi catches over 90% of sophisticated phishing attacks that traditional email security platforms miss.

A solution like Trustifi augments M365’s policies and brings additional easy-to-configure layers, including:

  • Data Loss Prevention (DLP).
  • Ease-of-Use Email Encryption.
  • Data Tokenization.
  • Account Takeover Prevention.

By implementing an additional layer using Trustifi, the organization will, by default, future-proof its email security posture.

Note: All threats detected by Trustifi were missed by competitor email security solutions.

If your organization is evaluating email security solutions and your firm is an SMB looking to lower cost, increase anti-phishing protection for M365, and ensure ease of use for your users, Trustifi is the optimal choice. Adding Trustifi to an M365 deployment delivers increased email security protection powered by AI and ML while simplifying operations and using fewer resources.

Contact our sales team to schedule a demo or request a quote!
