As a managed service provider, our clients often forward us emails that they suspect may be a phishing attempt. They trust us, so they often leave it to us to determine what’s legitimate and what’s fake. Some are obvious, some are tricky, but one thing that’s different today is the craftiness of the scammer.
I was spurred to write this post by one such email, which stood out for a couple of reasons:
- There was no urgency; it just looked like the standard Undeliverable message from Exchange
- It correctly named the client's email host: Office 365
Save for a minor spelling error towards the bottom, it would have been hard to tell it was a fake. That said, we'd like to take some time to address the state of phishing in 2018. While the strategy is largely the same, the tactics are changing, and it's important to recognize what's going on under the hood of these emails.
In 2018, phishing is still the most effective method of malware delivery. There are several telltale signs that an email is a scam; be on the lookout for them whenever a message arouses the slightest suspicion.
- Urgent Alerts – typically, a phishing email demands immediate action to prevent a loss of data or money (such as providing credit card information, passwords or social security numbers). In most cases you will not receive this kind of message from a legitimate source; phishers are counting on you being too alarmed to look over the email for other errors. DO NOT GIVE IN!
Source: Microsoft Blogs
- Message Mistakes – phishers are notorious for poor grammar and spelling. A message from a reputable source, like your bank, would rarely contain such mistakes, so an email that does deserves a closer look. Keep in mind that the craftier campaigns, like the one that prompted this post, may contain only a single slip, or none at all.
- Oddball Domains – Always double-check the domain of the email address that's messaging you. Often a phisher will register a domain that merely resembles a reputable one, such as micros0ft.com (a zero in place of the "o"), or tuck the real name into a subdomain of something else, such as microsoft.com.some-other-site.net. Anything other than the domain you expect is likely a scam email.
- Hello USER – An email that does not address you by name should also be cause for suspicion. Most phishing attempts are mass emails to thousands of addresses and are therefore not personalized.
- Check Your Links – Many phishers use dummy login pages to trick you into typing in your account info. Hover over a link to see where it really goes before clicking; the visible text can say one thing while the target is another. If you do click, make sure the address you land on is the legitimate one, and remember that a padlock or "https" only means the connection is encrypted, not that the site is genuine.
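The "Oddball Domains" and "Check Your Links" checks above can be automated for a mail-triage script. The following is an added example written for this post, not code from the original article or from any product it mentions. It assumes a short list of trusted domains (TRUSTED_DOMAINS) and a handful of character substitutions; both are our own choices and would be tuned per organization. It catches the three tricks described above: digit-for-letter swaps (micros0ft.com), a trusted name parked in a subdomain of an attacker's domain, and a brand glued to another word (microsoft-support.com), and it compares a link's visible text with its real target the way a hover-over would.

```python
import re
from urllib.parse import urlparse

# Assumed: the domains this organization legitimately receives mail and links from.
TRUSTED_DOMAINS = ("microsoft.com", "office.com", "example-bank.com")

# Digit-for-letter swaps phishers use (micros0ft, paypa1); extend as needed.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (crude eTLD+1, fine for .com-style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch a single dropped or swapped character (microsft)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Undo the common look-alike substitutions before comparing names (rn -> m, 0 -> o)."""
    return name.replace("rn", "m").replace("vv", "w").translate(CONFUSABLES)


def classify_domain(host: str):
    """Return ('trusted' | 'lookalike' | 'unknown', trusted domain being imitated or None)."""
    host = host.lower().rstrip(".")
    dom = registered_domain(host)
    if dom in TRUSTED_DOMAINS:
        return "trusted", dom
    name = dom.rsplit(".", 1)[0]
    for trusted in TRUSTED_DOMAINS:
        tname = trusted.rsplit(".", 1)[0]
        # Trusted brand parked in a subdomain: microsoft.com.secure-login.net
        if f".{trusted}." in f".{host}.":
            return "lookalike", trusted
        # Confusable characters or one typo: micros0ft.com, rnicrosoft.com, microsft.com
        if levenshtein(normalize(name), tname) <= 1:
            return "lookalike", trusted
        # Brand glued to another word: microsoft-support.com
        if tname in name.split("-"):
            return "lookalike", trusted
    return "unknown", None


def check_link(anchor_text: str, href: str) -> dict:
    """Compare what a link shows with where it goes, as a hover-over would."""
    target = urlparse(href).hostname or ""
    verdict, imitated = classify_domain(target)
    shown = re.search(r"https?://([A-Za-z0-9.-]+)", anchor_text)
    shown_dom = registered_domain(shown.group(1)) if shown else None
    return {
        "target_host": target,
        "verdict": verdict,
        "imitates": imitated,
        "text_host_mismatch": shown_dom is not None and shown_dom != registered_domain(target),
    }


if __name__ == "__main__":
    for host in ("mail.microsoft.com", "login.micros0ft.com", "rnicrosoft.com",
                 "microsoft.com.secure-login.net", "microsoft-support.com", "github.com"):
        print(host, classify_domain(host))
    print(check_link("https://www.microsoft.com/account", "http://login.micros0ft.com/verify"))
```

The registered-domain helper is deliberately crude (two labels), which is wrong for country-code domains such as example.co.uk; a production version would use the public suffix list. Keep the trusted list short and specific: every entry is a brand the script will defend, and every extra entry adds a false-positive source.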
Just as the technology we use and rely on every day is innovating, so too are the cybercriminals clamoring for your data. They know that you rely on your infrastructure, and they are now hoping to exploit that. Ultimately, phishing is a threat against your IT environment; and where threats once came from outside, phishers are now trying to emulate the "inside."
Most people don't think about how much information about their company and its technology is available online. A quick visit to your company's About Us page may reveal key employees, while a simple MX record lookup on MXToolbox (or with any DNS tool) will show who hosts your email (G Suite, GoDaddy, Office 365, etc.), which is exactly how a fake "Undeliverable" notice can name the right provider.
All of this feeds into spoofing, one of the newer strategies used by phishers. The headers you see in your inbox are under the sender's control. The display name (the "Name" shown next to, or instead of, the address) can be set to anything in any ordinary mail client or bulk-mailing tool; no specialized app is needed. Even the From address itself can be forged unless the receiving mail system enforces SPF, DKIM and DMARC. The display-name trick is the common one today precisely because it sails through those checks: the message genuinely comes from the attacker's own account, it just arrives labelled "Jane Smith (Accounting)" where you would expect to see the address, for example from something like jane.smith.acct@gmail.com.
Impersonating the company accountant this way, a spoofer may ask for the company card number. The simple rule of thumb is to NEVER transmit this kind of information by email; confirm any such request with the requester in person or over the phone, using a number you already have rather than one taken from the message.
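The display-name spoof described above is easy to check for once you look past the name. Below is an added example for this post (not code from the original article) that pulls the From, Reply-To and Authentication-Results headers out of a message and flags the two patterns discussed: a known employee's name arriving from an outside address, and a forged internal From address that fails DMARC. The staff directory, internal domain and both sample messages are constructed for the example; the regex over Authentication-Results reads the spf/dkim/dmarc verdicts as defined in RFC 8601.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed: the organization's own mail domain
# Assumed staff directory: lower-cased display name -> the only address it should arrive from.
DIRECTORY = {"jane smith": "jane.smith@example.com"}

# Constructed sample 1: display-name spoof sent from a free-mail account. Every
# authentication check passes, because the message really is from that account.
DISPLAY_NAME_SPOOF = """\
From: "Jane Smith" <jane.smith.acct@outlook.com>
Reply-To: Jane Smith <payments-desk@mail-forwarding.example.net>
To: bob@example.com
Subject: company card
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=outlook.com;
 dkim=pass header.d=outlook.com; dmarc=pass header.from=outlook.com

Bob, I'm stuck in a meeting, can you reply with the company card number and CVV?
"""

# Constructed sample 2: forged From address at the internal domain. Name and address
# both look right; only the authentication results give it away.
FORGED_FROM = """\
From: "Jane Smith" <jane.smith@example.com>
To: bob@example.com
Subject: company card
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;
 dkim=none; dmarc=fail header.from=example.com

Bob, can you send me the company card number?
"""


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg) -> dict:
    """Extract spf/dkim/dmarc verdicts from Authentication-Results (RFC 8601)."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))


def analyze(raw: str) -> dict:
    """Return the parsed sender, the authentication verdicts and a list of findings."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(addr)
    auth = auth_results(msg)
    findings = []

    # Known employee's display name, but the address is not theirs.
    expected = DIRECTORY.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' belongs to {expected}, but the address is {addr}")
    # Replies are steered somewhere other than the apparent sender.
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"replies go to {reply_to}, not the sender's domain {from_dom}")
    # Claims to be one of ours, but our own domain's DMARC check did not pass.
    if from_dom == INTERNAL_DOMAIN and auth.get("dmarc") != "pass":
        findings.append(f"claims to be internal but DMARC result is {auth.get('dmarc', 'missing')}")

    return {"display_name": name, "address": addr, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for sample in (DISPLAY_NAME_SPOOF, FORGED_FROM):
        result = analyze(sample)
        print(result["address"], result["auth"])
        for f in result["findings"]:
            print("  !", f)
```

Note what the first sample shows: SPF, DKIM and DMARC all pass, and the verdicts are truthful. Authentication proves the message came from the domain it claims, not that the person named in it sent it, which is why the directory comparison is the check that matters for display-name spoofing.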
So, an email that appears to come from a source you trust but shows any of the telltale signs addressed here may in fact be a scam.
Exploiting the Filters
After being blocked for some time, phishers now have a better idea of how enterprise anti-spam filters work and have developed new tactics for getting around them.
This is the spooky part of the blog post. As mentioned, scammers are adapting their tactics to the technology being used today. Just as businesses are relying more and more on Software as a Service (SaaS) platforms like Office 365 and Salesforce, cybercriminals are shifting the target of their malware to these same services.
The security awareness firm KnowBe4 recently published a blog post demonstrating a proof-of-concept attack that delivers ransomware through Exchange Online and renders all email within the service unreadable.
Instead of linking to a direct malware download, the phishing email links to a malicious Office 365 app (the "add-in" in KnowBe4's demonstration), dressed up as a legitimate service such as a new anti-spam tool from Microsoft, and asks the user to grant it permission to access Office 365 content. The request arrives on Microsoft's own, genuine consent screen, so none of the usual domain checks apply. A user who clicks Accept has invited the attacker into your tenant with whatever permissions were listed, and because Microsoft issues the app its own access token, no password is stolen and multi-factor authentication never comes into play; the access lasts until the grant is revoked.
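Because the consent page itself is Microsoft's, the thing to inspect is the link that leads to it: which permissions (scopes) the app asks for and who operates it. The following is an added example written for this post, not code from the original article or from KnowBe4's demonstration. It parses an OAuth authorize link of the kind such a lure carries. The sign-in hosts and the Microsoft Graph scope names (Mail.ReadWrite, Mail.Send, Files.ReadWrite.All, offline_access) are real; the sample URL, its client_id and redirect host are constructed, and the grouping of scopes into a "mailbox" tier is our own judgement.

```python
from urllib.parse import parse_qs, urlparse

# Genuine Microsoft sign-in hosts. A "consent" prompt anywhere else is a fake login
# page harvesting passwords, which is a different (older) kind of phish.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.windows.net", "login.live.com"}

# Delegated Microsoft Graph scopes that hand an app the user's mail or files.
# (Scope names are real; treating them as one risk tier is this example's assumption.)
MAILBOX_SCOPES = {"mail.read", "mail.readwrite", "mail.send", "mailboxsettings.readwrite",
                  "files.read.all", "files.readwrite.all", "contacts.readwrite",
                  "calendars.readwrite"}

# Constructed: the kind of link a "new anti-spam app from Microsoft" lure would carry.
SAMPLE_CONSENT_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fantispam-addin.example.net%2Fauth"
    "&scope=openid%20profile%20offline_access%20Mail.ReadWrite%20Mail.Send%20Files.ReadWrite.All"
)


def triage_consent_url(url: str) -> dict:
    """Say what clicking Accept on this link would actually hand over, and to whom."""
    u = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    scopes = {s.lower() for s in params.get("scope", "").split()}
    app_host = urlparse(params.get("redirect_uri", "")).hostname or ""

    is_microsoft_consent = u.hostname in MICROSOFT_LOGIN_HOSTS
    mailbox = sorted(scopes & MAILBOX_SCOPES)
    persistent = "offline_access" in scopes  # refresh token: access outlives the session

    notes = []
    if not is_microsoft_consent:
        risk = "credential-phish"
        notes.append(f"{u.hostname} is not a Microsoft sign-in host; expect a fake password form")
    elif mailbox:
        risk = "high"
        notes.append("app would be able to " + ", ".join(mailbox) + " on the user's behalf")
        notes.append(f"the app is operated from {app_host}, not by Microsoft")
        if persistent:
            notes.append("offline_access keeps that access until the grant is revoked")
    else:
        risk = "low"
        notes.append("sign-in only; no mailbox or file permissions requested")

    return {
        "is_microsoft_consent": is_microsoft_consent,
        "client_id": params.get("client_id"),
        "app_operator_host": app_host,
        "scopes": sorted(scopes),
        "mailbox_scopes": mailbox,
        "persistent": persistent,
        "risk": risk,
        "notes": notes,
    }


if __name__ == "__main__":
    result = triage_consent_url(SAMPLE_CONSENT_URL)
    print(result["risk"], result["mailbox_scopes"])
    for n in result["notes"]:
        print("  -", n)
```

In practice the user only sees the permission list on the consent screen, so the lesson for training is that "Microsoft's login page" plus "this app would like to read and send your mail" is the warning, not the reassurance. On the admin side, the same information is what to look for when reviewing the apps already granted access in the tenant.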
Despite this, the best defense against this new tactic is the same as with all phishing: user education and assessment! With nearly 90% of breaches involving user error, your security is only as strong as your least informed employee. Administrators can back that up by restricting which third-party apps users are allowed to consent to and by periodically reviewing, and revoking, the permissions already granted in the tenant.
Industry leaders now recommend testing your users' aptitude by sending simulated phishing emails and assessing how strong your defenses really are. It's a good idea, as admins can direct future training and communications based on the results. Conducting annual or semi-annual tests is ideal, and providing training or educational material at the same frequency will put you in the best shape to defend yourself.
Of course, you could always sign up with us and forward us anything that you’re not sure about. We’re here and we’re always happy to help.