Hardening MS Office 365 Advanced Threat Protection Vulnerabilities with Mailbox Level Security

Office 365 Advanced Threat Protection & business email compromise
Eyal Benishti | 2018 May 9

As email phishing grows more sophisticated and remains a primary attack vector for data breaches, many security providers are attempting to step up their solutions to better mitigate risk. Microsoft is no exception, as the tech giant continues to invest in its Office 365 Advanced Threat Protection (ATP), which it proclaims to provide protection, detection and response to “unknown and sophisticated attacks.”

Many MS Office 365 users rely on ATP for email, file and application security protections; however, the service remains highly vulnerable to socially engineered attacks. This is especially problematic for email security, as sophisticated phishing techniques like business email compromise (BEC) are now meticulously designed to bypass the rules-based technology that is inherent to ATP. In October 2017, Microsoft announced that its ATP had missed 34,000 phishing emails.

Socially-Engineered Attacks Can Pass Through Traditional Security

According to the FBI, BEC attacks are on the rise and reached record levels in 2017. The success of this emerging phishing technique is due in large part to the fact that most traditional rules-based security technology, such as that deployed by secure email gateways (SEGs), can no longer identify and prevent attacks that carry no malicious payload and look and feel authentic.

Since Microsoft introduced Advanced Threat Protection in 2015, it has bolstered its capabilities to meet parts of the evolving email security threat landscape. While it does now offer some protection against large-scale mass attacks, it still has shortcomings that leave Office 365 users vulnerable to highly targeted, socially engineered messages.

Last year, researchers at Cyren analyzed 10.7 million messages delivered through Office 365 and found that nearly 10 percent were spam, malware or phishing attempts. Researchers blamed the misses not only on improper configurations, but also on the fact that Microsoft’s solution relies on reputation-based filtering.

Typical phishing attacks on Office 365 users start with a spoofed email sent to a person in a targeted company, often asking them to review a OneDrive document. The included link then takes the recipient to a phony Office 365 page that captures their login ID and password. From there, the hacker logs in to the user’s account and uses it to send further phishing messages.

Once an account has been compromised, it is extremely difficult for traditional security systems like MS ATP to detect the attack until the damage has already been done. When a hacker can compromise a CFO’s account and send what appears as a personal email to an accounts payable clerk to pay an invoice, there’s a good chance they’ll act.

ATP Not Good Enough to Stop Highly Targeted Phishing Attempts

Hackers will go to great lengths to create highly sophisticated and compelling attacks. In many cases, they will visit company websites and social media to find exactly the right information to create believable emails. A recent article at CNBC.com indicated these attacks can cost an average of $130,000, and Trend Micro forecasts global losses from BEC scams will surpass $9 billion in 2018.

Microsoft Office 365 Advanced Threat Protection offers three paid subscription tiers (E1, E3 and E5) for companies with 300 or more users. Each tier includes attachment scanning and sandboxing (Safe Attachments), URL reputation filtering (Safe Links), basic anti-spoofing and threat intelligence, and anti-phishing via URL detonation link analysis technology; ATP can also be bought as a stand-alone add-on.

During the mail-flow protection stage, all emails pass through ATP’s anti-spoofing frameworks, including SPF, DMARC and DKIM. ATP also features new anti-impersonation features that claim to examine content, while users receive real-time ATP reports that offer visibility into all malicious emails targeted at and blocked by Office 365. And through Attack Simulator, a tool with which E5 admins can test users’ readiness for spear phishing and other attacks, organizations can assess their employees’ awareness and ability to identify phishing attempts.
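As an added illustration of what the SPF/DKIM/DMARC stage actually decides (this is not Microsoft's code; the alignment rules follow RFC 7489, and both messages below are constructed), the Python snippet below shows why an SPF pass alone does not stop spoofing: the domain that authenticated has to align with the domain in the visible From: header, which is exactly what a message sent from attacker infrastructure in the CFO's name fails to do. The SPF and DKIM results are assumed to come from an upstream verifier, and the organizational-domain helper is a simplification that does not consult the Public Suffix List.

```python
"""DMARC identifier alignment, illustrated on constructed messages.
Added example; the rules follow RFC 7489, not any vendor's implementation."""
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    # Simplification (assumption): the last two labels are treated as the
    # organizational domain. Real DMARC evaluators use the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment compares organizational domains;
    strict ('s') alignment requires an exact match of the full domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(raw_message: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str,
                   adkim: str = "r", aspf: str = "r") -> dict:
    """Return which identifiers aligned and the overall DMARC verdict.

    spf_domain is the envelope MAIL FROM domain that SPF checked; dkim_domain
    is the d= tag of the signature that verified. The pass/fail results are
    supplied by the caller (assumed to come from an upstream SPF/DKIM verifier).
    """
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, adkim)
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }


# Constructed sample: SPF passes for the attacker's own envelope domain, but
# the visible From: claims the victim's domain, so nothing aligns.
SPOOFED = """From: CFO <cfo@victim.example>
To: ap-clerk@victim.example
Subject: Urgent invoice

Please pay the attached invoice today.
"""

# Constructed sample of legitimate mail: DKIM-signed by the From: domain.
LEGIT = """From: CFO <cfo@victim.example>
To: ap-clerk@victim.example
Subject: Budget review

Attached is the Q2 budget.
"""

if __name__ == "__main__":
    print(dmarc_evaluate(SPOOFED, "pass", "attacker.example", "none", ""))
    print(dmarc_evaluate(LEGIT, "pass", "victim.example", "pass", "victim.example"))
```

The spoofed message fails even though its SPF result is a pass, because attacker.example does not align with victim.example; the legitimate message passes on the DKIM identifier. Note that a lookalike domain the attacker genuinely controls passes DMARC for that lookalike domain, which is why alignment checks alone do not address display-name impersonation.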

Sounds great; however, MS Office 365 ATP is not without significant vulnerabilities. For one, the service lets hackers look up MX records to determine whether a target uses Office 365, then tailor their attack accordingly with a fake Office 365 login or a file share through OneDrive. Also, any hacker can activate a mailbox with Microsoft ATP protection and then constantly test attacks against the system through trial and error until finding a strategy that works. At only $10 an account, hackers can open hundreds of accounts to test their techniques and still make a solid profit should their attacks prove successful in the long run. Just last week, researchers disclosed a zero-day vulnerability named "baseStriker", a flaw in how Office 365 servers scan incoming emails. According to SC Magazine, "baseStriker is able to penetrate Office 365 by essentially confusing APT, Safelinks or other cyber defenses by splitting and hiding the malicious link using a URL tag. The malicious link is included in an email, but instead of being part of the primary link it is separated." As currently constructed, ATP is unprepared to mitigate any such type of social engineering attack.
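To make the baseStriker mechanism concrete from the defender's side, here is an added Python example (not ATP's or IRONSCALES' code) that resolves every link in an HTML body against the HTML base tag, the element the quotation above calls a "URL tag", so that a link scanner compares the URL the mail client will actually open rather than the bare path written in the anchor. The sample HTML and the domains in it are constructed.

```python
"""Resolve effective link targets in an HTML email body, honouring <base href>.
Added example; the sample markup is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LinkResolver(HTMLParser):
    """Collect the first <base href> and every <a href> exactly as written."""

    def __init__(self):
        super().__init__()
        self.base = None        # href of the first <base> tag, if any
        self.raw_hrefs = []     # anchor hrefs as they appear in the markup

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href") and self.base is None:
            self.base = attrs["href"]
        elif tag == "a" and attrs.get("href"):
            self.raw_hrefs.append(attrs["href"])


def effective_links(html: str) -> list:
    """Return (raw_href, resolved_url, split_by_base) tuples.

    split_by_base is True when the raw href carries no host of its own and only
    becomes a full URL once joined with the <base> href: the split-link pattern
    the article describes. A scanner that inspects only the raw href never sees
    the host; a scanner that inspects resolved_url does.
    """
    parser = LinkResolver()
    parser.feed(html)
    out = []
    for href in parser.raw_hrefs:
        resolved = urljoin(parser.base, href) if parser.base else href
        split = (bool(parser.base)
                 and not urlparse(href).netloc
                 and bool(urlparse(resolved).netloc))
        out.append((href, resolved, split))
    return out


# Constructed sample: the first anchor is a bare path that the client joins
# with the <base> href; the second is an ordinary absolute link.
SAMPLE = """<html><head><base href="https://phish.example/"></head>
<body><a href="login/office365">Review the OneDrive document</a>
<a href="https://contoso.example/report">Quarterly report</a></body></html>"""

if __name__ == "__main__":
    for raw, url, split in effective_links(SAMPLE):
        print(f"{raw!r:40} -> {url}  {'SPLIT VIA <base>' if split else ''}")
```

Feeding resolved_url rather than the raw anchor to reputation or detonation checks is the mitigation; flagging any message whose body declares a base href at all is a cheap additional detection signal, since legitimate marketing and transactional mail rarely needs one.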

The IRONSCALES Alternative: Filling the Gap of End-to-End Protection with Mailbox Level Security

Many complementary security solutions to ATP use external Mail Transfer Agents (MTAs) to scan messages outside of Office 365, but these systems can inadvertently disable Microsoft’s security in the process. IRONSCALES was founded in part to extend the basic security available through Office 365 with powerful protections that achieve the following:

  • Offer superior protection against advanced and targeted threats not addressed by Microsoft ATP
  • Offer Microsoft's customers decentralized threat intelligence for their SOC or security teams which is actionable and scalable
  • Offer a complementary and much needed layer of defense if you are leveraging all the email security features of Office 365, such as archiving and Data Leak Prevention (DLP).

IRONSCALES is an automated phishing detection and remediation platform that offers an additional layer of protection with security in the mailbox itself.

A major part of the platform is IronSights, the most advanced mailbox-level anomaly detection, based on a patented contextual and human behavioral analysis that proactively combats impersonation and spoofing emails in real time. IronSights was built to automatically find the malicious emails that were sophisticated enough to bypass MS Office ATP and land in inboxes. Using machine learning algorithms, IronSights continuously studies every employee's inbox to detect anomalies in communication habits based on a sophisticated user behavioral analysis. All suspicious emails are visually flagged the second they hit an inbox, and a quick button link inside the Outlook and Gmail toolbars enables instant SOC team notification while prompting security tools for further investigation and immediate remediation.
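The kind of per-mailbox baseline the paragraph describes can be illustrated with a small Python example, added here and not IronSights' own algorithm: it learns which addresses each display name has used in a mailbox's history, then scores new mail for a known display name arriving from an unseen address, for a first-time sender, and for a Reply-To that differs from From. The weights, the threshold and every sample message are constructed assumptions.

```python
"""Per-mailbox sender baseline and impersonation scoring (added example)."""
from collections import defaultdict
from email.utils import parseaddr

# Assumed weights: a known display name on a new address is the strong signal;
# a first-time sender alone is too common to flag by itself.
WEIGHTS = {"name_mismatch": 3, "first_time": 1, "reply_to_mismatch": 2}
THRESHOLD = 3


class MailboxBaseline:
    """What one mailbox has historically seen: display name -> addresses."""

    def __init__(self):
        self.name_to_addrs = defaultdict(set)
        self.known_addrs = set()

    @staticmethod
    def _split(header: str):
        name, addr = parseaddr(header)
        return name.strip().lower(), addr.lower()

    def learn(self, from_header: str) -> None:
        """Record a From: header from mail the user has previously received."""
        name, addr = self._split(from_header)
        self.known_addrs.add(addr)
        if name:
            self.name_to_addrs[name].add(addr)

    def score(self, from_header: str, reply_to: str = "") -> dict:
        """Score a newly arrived message against this mailbox's history."""
        name, addr = self._split(from_header)
        reasons = []
        if name in self.name_to_addrs and addr not in self.name_to_addrs[name]:
            reasons.append("name_mismatch")      # known name, unseen address
        if addr not in self.known_addrs:
            reasons.append("first_time")         # never written to this mailbox
        if reply_to:
            _, rt = self._split(reply_to)
            if rt != addr:
                reasons.append("reply_to_mismatch")  # replies go elsewhere
        total = sum(WEIGHTS[r] for r in reasons)
        return {"score": total, "flag": total >= THRESHOLD, "reasons": reasons}


def build_sample_baseline() -> MailboxBaseline:
    """Constructed history for one accounts-payable mailbox."""
    baseline = MailboxBaseline()
    for hdr in ["CFO <cfo@victim.example>", "CFO <cfo@victim.example>",
                "Jane Doe <jane.doe@victim.example>",
                "IT Helpdesk <helpdesk@victim.example>"]:
        baseline.learn(hdr)
    return baseline


if __name__ == "__main__":
    b = build_sample_baseline()
    # Constructed lookalike: the CFO's display name on a domain never seen before.
    print(b.score("CFO <cfo@victim-example.com>"))
    print(b.score("CFO <cfo@victim.example>"))
    print(b.score("Vendor <billing@vendor.example>", reply_to="pay@other.example"))
```

The scoring is deliberately explainable: each flag carries the reasons that fired, which is what a SOC analyst needs when the user-facing warning is escalated, and the threshold keeps ordinary first contact from generating noise unless another signal accompanies it.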

Acting as a virtual security team member that flags suspicious emails as they hit the user’s inbox, IronSights uses machine intelligence to reduce the risk of human error in identifying malicious emails, and it gives organizations a mailbox layer of defense to ensure unprecedented protection and threat remediation. And when an attack is detected or reported by end users, IronTraps, our automated incident response module, kicks into action with fully automated remediation and enterprise-wide removal of all malicious emails, even when there are no indicators of compromise. This contrasts with ATP’s Zero Hour Auto Purge (ZAP), which can only remediate malware that has reached users’ inboxes based on content scanned by the AV and sandbox.

To learn more about how IronSights can work in tandem with MS Office 365 ATP, or without it altogether, visit https://ironscales.com/contact-us/. To learn why industry analyst Ovum calls the IRONSCALES’ phishing prevention, detection and response platform one to watch “for their potential impact on markets and could be suitable for certain enterprise and public sector IT organizations,” visit https://ironscales.com/ovum_landing/
