Businesses are migrating to Office 365 in huge numbers, and hackers have taken notice. As a result, businesses are being inundated by targeted email attacks, and their existing security solutions are not blocking the threats.

All email systems are targeted by hackers, but cloud-based systems used by businesses, including Office 365, are their preferred target. Although native security solutions are in place to protect Office 365, new, highly sophisticated email threats, including phishing and spear phishing, slip past email filters and land in user inboxes. Below are just six reasons why it’s time to consider adding an additional layer of protection for Office 365.

1. The majority of cyberattacks begin with an email

According to IDC, 80% of cyberattacks begin with an email . While phishing remains the most common type of email attack, it’s not the most well-known to employees. Users tend to be relatively aware of spam emails (everyone receives them) or malware (everyone has heard news stories about malware), but they are much less familiar with phishing. This lack of awareness is due to the fact that a “good” phishing email is hard to spot, and the damages are only visible in the aftermath.

2. Each employee represents a target

Each Office 365 user represents a potential access point to a business’s precious resources, opening the door to bank accounts, trade secrets, and other forms of sensitive information. For a large business, this correlates to thousands of potential targets. Small to mid-sized businesses (SMB) might represent fewer inboxes, but they are equally at risk. According to a 2017 Ponemon report, 61 percent of SMBs reported experiencing a cyberattack in the previous 12 months, and 48 percent experienced a phishing attack. SMBs that were affected by these security breaches spent more than $1 million to recover, while disruptions to normal operations cost more than $1.2 million.   

3. The attacks are becoming sophisticated

Phishing, an impersonal attack that lures users into clicking on a phishing link and divulging credentials and other personal information, is becoming more difficult to detect. Phishing websites are designed to look like exact replicas of legitimate websites, including Office 365 login pages, and the average user is unlikely to know the difference. To avoid being detected by an email filter, hackers include a link to the real Office 365 login page in the email and then later redirect it to a phishing site.

In a spear phishing attack, the email doesn’t include a link, making it even more difficult to detect. It’s also personalized to the victim. Many cybercriminals will analyze the targeted employee’s social profiles to learn about their interests and behavior, and then compose the email in a way they know will get the victim’s attention.

These attacks are progressive and sequenced: the first email typically doesn’t request any information from the victim but is a general inquiry designed to prep the victim and gain their trust. Also known as “CEO fraud,” spear phishing attacks are designed to trick employees into giving hackers access to highly sensitive resources, such as bank accounts. In some spear phishing attacks, cybercriminals trick employees into scheduling wire transfers and even switching payroll direct deposits. Unlike phishing, which is aimed at a larger pool, spear phishing is highly targeted and therefore more likely to succeed.

4. The cost of attacks is underestimated

How much does a spear phishing attack cost? Depending on the nature of the spear phishing email, an attack could cost thousands or even millions of dollars. A 2018 Securities and Exchange Commission (SEC) investigation revealed that of nine companies targeted in a string of spear phishing attacks in 2018, two lost more than $30 million each, while the total loss for all businesses combined was more than $100 million. Recently, high volumes of phishing attacks have been aimed not at reaping such high-dollar payouts but quick rewards. For example, direct deposit and invoice phishing is on the rise. Both scams result in lower rewards than the SEC example, but over time the cost to recover money and breached systems adds up.

Cyberattacks are big news, and businesses often find themselves on the front page for embarrassing breaches resulting from employees clicking on phishing and spear phishing emails. While the cost of repairing a business’s reputation is difficult to gauge, other costs are more concrete:

  • IT costs: Restoring compromised systems requires—and consumes—high value IT resources.
  • Legal costs: Pursuing legal action against hackers combined with defending the company from damages resulting from a breach can result in steep financial costs.
  • Support costs: Responding to customer concerns in the aftermath of a breach is critical to retention, but an increase in call/support center activity can add hundreds of hours of work. 
  • Operational disruption costs: Suspending IT and other critical services is a common response to a breach—operational/productivity loss is cited as the number one impact of breaches for affected businesses.

5. Traditional email security solutions are out of date

Traditional security solutions, such as Secure Email Gateways (SEG), are based on the identification of known threats. They rely on signature-based defenses (to block malware) and IP and domain reputation blacklists to evaluate the trustworthiness of a sender (to block phishing).

Exchange Online Protection (EOP), Microsoft’s native email security filter, is effective against blocking known threats in Office 365. However, attacks that are both more targeted and more sophisticated, including spear phishing, are unknown threats that evade detection from traditional filters like EOP.

6. Microsoft is a top target

According to IDC, Microsoft’s Office 365 is the most adopted enterprise email solution on the market, capturing 54 of the market share and boasting 155 million active users. This makes Microsoft the target of choice for hackers. In the recent Phishers’ Favorites report by Vade Secure, Microsoft was named the number one phished brand for the fourth straight quarter. With data-rich platforms like SharePoint and OneDrive hosting sensitive information for millions of companies and users, Office 365 is a prime target for multiphase attacks that combine phishing and spear phishing.

Protecting Office 365 with complementary solutions and AI

IDC recommends an added layer of protection for Office 365 that complements Microsoft’s native solutions. To improve protection for Office 365, businesses must look beyond traditional solutions that rely on reactive, outdated threat detection methods. Vade Secure’s predictive approach to email security uses machine learning, including natural language processing and unsupervised anomaly detection, to identify unknown threats in real time.