Even as new modes of messaging and collaboration proliferate, email remains the most common and effective form of corporate communication, and cloud-based email is on the rise, according to IDC. Spending on cloud email has grown from 22.9 percent in 2013 to 68.4 percent in 2018 (80.4 percent in the U.S. and 59.6 percent in Western Europe), with Office 365 and Gmail being the largest providers. The increase in cloud adoption, however, comes with an increase in the volume and sophistication of email-borne threats.
In the IDC Analyst Connection “Email Security: Maintaining a High Bar When Moving to Office 365,” Konstantin Rychkov, research manager at IDC European Security Solutions, discusses how cloud email adoption is changing the email threat landscape. To defend Office 365 email accounts, Rychkov says, new countermeasures are emerging that augment Microsoft’s built-in security safeguards.
Phishing Expands to the Cloud
Email is the number one cyber threat vector: IDC estimates that more than 80 percent of attacks start with an email. This includes phishing, which remains the most pervasive type of attack. The growth of cloud email has expanded the attack surface. With Office 365, for example, once an attacker has compromised one account, he or she could gain access to millions of other accounts, and it doesn’t stop at email. Office 365 is a pathway to data-rich file repositories like SharePoint and OneDrive, which often hold sensitive information.
Attacks that use email impersonation are increasing. As our own phishing report reveals, Microsoft has been the most impersonated brand in phishing attacks for four straight quarters. With flawless copies of Microsoft web pages, phishers can steal Office 365 login credentials. So armed, they can then carry out multi-phase attacks, including impersonating executives and requesting fund transfers to offshore banks. According to the SEC, one American company recently lost $45 million through this kind of fraud.
Augmenting Native Office 365 Security
Microsoft has made substantial investments in Office 365 security. Its Exchange Online Protection (EOP) is designed to filter out spam and stop known malware. Some editions of Office 365 have anti-spoofing capability through Composite Authentication, which combines the results of the SPF, DKIM, and DMARC checks.
Such native security solutions are effective against known threats, but increasingly sophisticated attacks like spear phishing and social engineering require augmenting Office 365 with an added layer of messaging protection.
Existing Secure Email Gateways No Match for Hackers
Many enterprises rely on a Secure Email Gateway (SEG) to block email threats. In IDC’s view, rapid cloud adoption challenges the binary good/bad classification model used by SEGs. With the cloud, SEG controls tend to be either insufficient or excessively tight, the latter resulting in too many false positives.
An SEG requires an MX (Mail Exchange) record change so that inbound mail is routed through the gateway before it reaches Office 365. Because the SEG then sits in front of the native Office 365 security rather than layering with it, reputation-based defenses like EOP lose their effectiveness. Additionally, SEGs can’t scan intra-organization email traffic, which never leaves Office 365. An SEG is also typically visible to anyone who performs an MX lookup, which lets attackers identify the vendor and craft messages that evade that product’s known characteristics.
Protecting a Non-perimeter
Moving email to the cloud shifts the traditional perimeter of the organization so far that one could argue there is no longer a perimeter. Yet Security Operations (SecOps) teams are still burdened with protecting it. Visibility is essential, as are continuous email protection and security automation.
Automation is relevant in the perimeterless environment because it can expedite incident response and threat remediation. It can also facilitate dynamic ruleset updates. Traditional email security solutions haven’t been good at remediation, says Rychkov. False negatives, for example, are common and require added detection and response capabilities that integrate with the full security stack, such as Security Operations Center (SOC) or SIEM tools and workflows. That way, when threats are detected, they can feed into updated incident response processes.
Raising the Bar
The move to cloud-hosted email puts pressure on IT managers to keep the bar high for email security, especially for Office 365. Inventive attackers are constantly devising new ways to infiltrate organizations using techniques like spear phishing and social engineering.
Once inside, they can execute fraud and other forms of mischief that are nearly impossible to detect using traditional security countermeasures. Raising the bar for email security means adding layers of protection on top of existing, profile-based EOP. Through diligence and integration with broader threat detection and response workflows, it’s possible to provide a strong defense of cloud-based email accounts.