Over the last few years, Microsoft 365 has significantly enhanced its native security capabilities. Today, it offers a solid foundation of protection from advanced attacks, making it a popular choice for organizations.
However, security threats are advancing rapidly, and Microsoft 365 still has some points of weakness that are leaving users vulnerable.
Cybersecurity experts' views on email risk within Microsoft 365 is our most recent report identifying the security risks its users face. We spoke with three experts to gain insights into how organizations can reduce inbound and outbound email risk within their Microsoft 365 deployment.
In this article, we have featured some key quotes from the report from Lisa Forte, Co-founder, Red Goat Cyber Security LLP; Robin Bell, CISO, Egress Software Technologies; and Jack Chapman, VP of Threat Intelligence, Egress Software Technologies.
Phishing attacks are as prevalent as ever
Phishing attacks are still a major unsolved problem. Our 2022 report, Fighting phishing: the IT leader's view, reveals that 84% of organizations were phishing victims over the past 12 months. Meanwhile, 59% of organizations were hit by ransomware, and 42% of organizations had credentials stolen.
Robin Bell explains that Microsoft 365 users are not exempt from these threats: "The main cyberthreats Microsoft 365 users are at risk of are phishing emails and credential compromise." He explains, "Microsoft 365 has really good malware scanning, but advanced phishing emails can still end up in users' inboxes. If a single user in an organization is compromised, then internal emails from a genuine user's account can help phishing attacks propagate very quickly."
Attackers are increasingly setting their sights on larger, more complex digital systems, and organizations dealing with sensitive information have become prime targets. In June, a hacked Kaiser Permanente employee's emails led to a breach of 70,000 patient records – including patient names, dates of service, medical record numbers, and lab test result information. It is suspected that this breach resulted from either credential stuffing or phishing.
Microsoft 365's manual settings and customizations are difficult to manage
Microsoft consistently ranks as one of the most comprehensive secure email gateways (SEGs) for organizations. Jack Chapman points out, "Microsoft has done a really good job of winning the 'SEG battle', where they offer excellent compliance and email management, as well as some strong protection in place for things like spam and attachment scanning."
Despite this, Chapman admits, "There are quite a lot of substantial gaps still." He says, "The biggest weakness inherent with the platform is how many settings and customizations there are. Almost everything is manual, and this can be a nightmare to manage. The other big issue is one that a lot of SEGs are facing: how to deal with more sophisticated and challenging attacks and user behavior."
Email is still the easiest pathway for attackers
One thing is clear: email is still the easiest pathway for attackers to target organizations using Microsoft 365. Once an attacker determines how to compromise a user's email account – often without their knowledge – it is relatively easy to convince friends and colleagues that they are that person.
People assume the emails sent from an account they recognize are from a trusted sender, so they typically scrutinize them less. That makes it easier for attackers to access sensitive information. As a result of this, email security has become a significant worry for organizations. Our 2021 Data loss prevention report revealed that 95% of IT leaders say that client and company data is still at risk over email.
"Most of the organizations I speak to are particularly concerned with three areas: credential theft, leakage of sensitive or regulated data, and ransomware. All three are very closely linked to phishing attacks – it's not the only vector seen, but it's still the most popular," explains Lisa Forte.
For a while, multi-factor authentication (MFA) has been considered the most effective security method. However, Forte points out that hackers are getting better at penetrating these tools.
"I have recently seen several examples of phishing emails not only navigating the user to a malicious URL and harvesting the username and password but also requesting the MFA app code too. In my opinion, email still remains the easiest pathway for attackers."
To reduce the chance of falling victim to these attacks, many organizations choose to augment their Microsoft 365 defenses to protect against both inbound and outbound risks.