HIT Think

Best practices for defending against emerging email threats

Research done by Intel revealed that 97 percent of computer users cannot identify phishing emails. When the phishing attack comes from a trusted coworker, users are often defenseless on their own.

Protecting against insider email threats presents a significant challenge for security operations teams, and the increasing popularity of Microsoft Office 365 has deepened cyber vulnerability because of the architectural limitations of traditional cloud email security gateway products.

Phishers know their audience—predatory emails tend to look like any other email a user might receive. As researchers at Carnegie Mellon University noted in a recent study, “Users who share similar interests belong to a specific user segment and are susceptible to a specific type of attack.”

Thus, the web marketer will receive a phishing email offering an amazing deal on search engine optimization, and the attorney will be tempted by an app that matches her with new clients. If the attacker is perceived to be a coworker or organizational superior, the risk is even greater. Behind the guise of a trusted source or a familiar subject, phishers lurk.

A vivid example of the danger of phishing attacks took place during a study at the US Military Academy in 2004. Some 500 cadets received an email from Colonel Robert Melville requesting that they click on a link, and 80 percent of them did so, despite the fact that no one by the name of Robert Melville worked at the Academy and that the link was potentially dangerous. Trained to obey orders, the cadets dropped their guard and did something they had been instructed to do. The episode demonstrated how vulnerable even a disciplined organization can be to social engineering attacks.

Insider threats are an unfortunate reality in today’s workplace. Although relatively rare, they can be quite damaging. Insider attacks take many different forms—rogue employees may access unauthorized data or improperly override security controls for personal financial gain. Luckily, when attacks come from the inside, there are HR policies and laws that protect the organization. This is not the case when external hackers pretend to be insider employees.


Faux insiders have the power to wreak havoc and cause financial losses, and they are an overall more complex threat to counter. For example, in a CEO fraud, an attacker posing as a senior executive commands an underling to execute a bank transfer to a “vendor” on a rushed basis. Such was the case at a startup in the UK, where a hacker pretending to be the firm’s CEO was able to direct £16,000 to an offshore bank account controlled by criminals.

Organizations that use cloud-based email solutions like the increasingly popular Office 365 email are especially vulnerable to faux insider phishing attacks. The problems begin in the very architecture of the cloud-based email system.

Gateway-based solutions, whether hosted on-premises or delivered as cloud-based email security services, sit in line in the SMTP mail flow. As a result, they can only scan the incoming and outgoing email flows. As the emails pass through the gateway, they inherit the IP address of the cloud service. This masks the original sender, rendering Exchange Online Protection’s reputation-based defenses useless. With this architecture, there is no filtering of internal emails at all. Even Microsoft Advanced Threat Protection (ATP) does not filter internal emails.

Imagine that a user’s Office 365 account is compromised, perhaps by way of a convincing but fake Microsoft Login web page. The risks are severe in this scenario. With an actual Office 365 credential in hand, the attacker can take over the user’s email account and send emails to “colleagues” that look completely authentic—because they are. He or she can send attack emails from a real account—they appear as legitimate emails from one coworker to another on the actual email system.


The Microsoft vulnerability is manifesting itself in a striking set of statistics. Vade Secure research shows that fake Microsoft sites represent the No. 1 phishing URL hit in the second quarter of 2018, outdistancing even the number of PayPal phishing scams. Indeed, Microsoft-based phishing attacks have more than quadrupled since the start of the year.
