Microsoft: actually IT admins are also to blame for phishing attacks working against users
- 10 December, 2019 06:18
Microsoft has launched ‘Campaign views’ to give Office 365 admins an overview of phishing attacks that sheds light on why users fall for phishing, including administrator-controlled settings that expose users to malicious emails.
Microsoft has launched a public preview of “Campaign views” for Office 365 Advanced Threat Protection, offering enterprise customers more details about how attackers are using phishing to target human vulnerabilities in both users and IT admins to breach organizations.
The service promises to give security teams the “full story” about phishing attacks, which are the easiest method for gaining a foothold in an organization.
Phishing has become more sophisticated as rewards for scams like business email compromise (BEC) have increased. BEC scams using targeted phishing have cost businesses $26 billion in the past three years, according to the FBI.
Phishing attacks work because there are so many ways to trick a target’s employees, who have varying degrees of knowledge and resistance to the attack, which could involve simply opening an attachment, enabling an Office macro, or acting on an email about a wire transfer that appears to come from the CEO.
Often phishing is blamed on 'silly' users who didn't heed the IT department's advice not to click on links, for example. But another weakness is the IT admin who may have configured accounts incorrectly, which Microsoft is attempting to resolve.
Microsoft's top two claims with "Campaigns" are that it will help remediate compromises or vulnerable users, and that it will be “improving security posture by eliminating configuration flaws that impact the organization”.
Microsoft promises security teams will be able to see when a campaign started, the sending pattern and timeline, how big the campaign was and how many users fell prey to it, which also reveals who did or didn’t fall for the ruse.
Security teams should also be able to see a list of IP addresses and senders used to coordinate an attack, and see which messages were blocked or got through, whether by Microsoft technologies or by admin-set policies.
Microsoft also claims that “one large customer we’ve worked with, was able to identify multiple configuration flaws in their tenant, by using campaign views for just a short duration of time.”
In another case, a third of phishing emails detected by Office 365 ATP were “delivered into user inboxes due to a configuration control (domain allow list) that was exploited by the attacker.”
According to Microsoft, the Campaigns feature should make it easier to “see how poor security configurations are helping attackers beat your organization’s defenses”, such as allowing users to override the Safe Links block.
In some cases, user clicks were blocked by Microsoft’s Safe Links feature, but in other cases users overrode the setting and clicked through to a malware-hosting site.
“Campaigns make it easy to see how poor security configurations are helping attackers beat your organization’s defenses,” Microsoft said.
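The two configuration flaws the article singles out, sender-domain allow lists and Safe Links policies that let users click through the block, can be audited directly from Exchange Online PowerShell. The script below is an added example, not part of the article or of Microsoft’s Campaign views feature; it assumes the Exchange Online PowerShell module is installed, that a session is already open with Connect-ExchangeOnline, and that the policies expose the property names used here (AllowedSenderDomains on anti-spam policies, AllowClickThrough on Safe Links policies).

```powershell
# Added example (not from the article): list the admin-controlled settings that the
# article says let phishing reach inboxes. Assumes an open Exchange Online session.

function Get-PhishingExposureFindings {
    $findings = @()

    # A domain on an anti-spam allow list skips spam/phish filtering for any
    # message claiming to come from it, which is the "domain allow list" bypass
    # the article describes. Every allow-listed domain is worth a second look.
    foreach ($policy in Get-HostedContentFilterPolicy) {
        foreach ($domain in $policy.AllowedSenderDomains) {
            $findings += [pscustomobject]@{
                Policy  = $policy.Name
                Setting = 'AllowedSenderDomains'
                Value   = [string]$domain
                Risk    = 'Mail from this domain bypasses spam and phish filtering'
            }
        }
    }

    # Safe Links can block a click, but if AllowClickThrough is enabled users can
    # override the block page and continue to the site (assumed property name).
    foreach ($policy in Get-SafeLinksPolicy) {
        if ($policy.AllowClickThrough) {
            $findings += [pscustomobject]@{
                Policy  = $policy.Name
                Setting = 'AllowClickThrough'
                Value   = $policy.AllowClickThrough
                Risk    = 'Users can click through a Safe Links block'
            }
        }
    }

    return $findings
}

# Print the findings as a table; an empty result means neither exposure was found.
Get-PhishingExposureFindings | Format-Table Policy, Setting, Value, Risk -AutoSize
```

Run it with a read-only role first; the script only reads policies and changes nothing.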
Campaign views is available for customers with the following plans:
- Office 365 Advanced Threat Protection Plan 2
- Office 365 E5
- Microsoft 365 E5 Security
- Microsoft 365 E5