Phishing and insider attacks are on the rise, but an even more ominous threat is gaining ground at the same time.  This is the multi-phase attack, which combines phishing with spear phishing and insider attack techniques. Multi-phase attacks are difficult to detect and challenging to prevent, especially in the popular Microsoft Office 365 environment. However, it is not impossible to mitigate this risk and viable solutions are available.

What Is a Multi-Phase Attack?

Cyber-attacks have traditionally involved a single attack vector. Imagine the following: a hacker sends a PayPal phishing email to your inbox and you are tricked into divulging your account login credentials on a phishing page that looks exactly like PayPal’s website. After harvesting your credentials, the hacker empties the balance on your PayPal account and then moves onto their next target. In the case of the multi-phase attack, this initial act of deception is just the beginning.

A multi-phase attack involves the hacker taking advantage of your credentials to ultimately extract money or proprietary information from you or your business. It’s at least two steps. For example, in a multi-phase attack, the hacker might first send an Office 365 phishing email to harvest your email credentials. Then, using your Office 365 account, he or she will send an email to someone in your company who has the power to execute wire transfers.

The email recipient has no reason to suspect that it is not you who sent the email requesting a wire transfer. Indeed, “you” sent it. And, security filters will never catch it. Why would they? The message came from a legitimate user in the Office 365 system.

There are many variants on the multi-phase attack. Armed with a legitimate account, the attacker can conduct multiple accounts laterally within the organization, and also spear phish external business partners and vendors. In one recent case, the SEC revealed that an unnamed American corporation had been fleeced to the tune of $45,000,000 in 14 separate events linked to one multi-phased attack.

The Main Driver of Multi-Phase Attacks

Above all, the rapid adoption of Office 365 is responsible for the rise of multi-phase attacks. With 155 million corporate users and a single point of entry into the entire Office 365 suite, it’s a remarkably fertile environment for malicious behavior. In contrast, before this service was available, each organization had its own email server, and thus had to be hacked individually. Now, Office 365 presents one target: find a way in and hackers potentially have access to 155 million accounts!

The data and file storage functions of Office 365 further expand the attack surface area. Office 365 is much more than just an email service. It’s a complete productivity suite, complete with SharePoint data repositories and OneDrive document repositories. The attacker gains access to rich collections of data once inside the system. Microsoft has indeed been the #1 most impersonated brand on phishing sites for four quarters in a row.

Why is this important? Consider the kind of corporate information a hacker might see if he or she gets into OneDrive. There could be contracts with vendors, bank account information and so forth—all of which makes it that much easier to perpetrate fraud—both internally and with external partners.

How Attackers Get Inside and Avoid Detection

The attacker’s path to their targets within Office 365 is deceptively direct. The strategy is quite straightforward. First, the attacker sends a bogus but realistic-looking notice of account suspension or disablement to the victim. By linking the message to a counterfeit Microsoft login screen, the attacker can capture the user’s Office 365 credentials for later misuse.

The complicated part is the attacker’s evasion of Microsoft’s sophisticated, multi-layered security. Office 365 utilizes fingerprinting and reputation-based defenses. It’s good at identifying known threats and bad senders or IPs. If the attacker sent dozens of similar messages to targets, Office 365 would immediately flag them and disrupt the attack. Therefore, to succeed, the attacker must make each of their attacks individual and unique.

One way to get past the fingerprinting screen is by inserting random or invisible text into the messages. Attackers also us homoglyphs, e.g. substituting the Greek letter Beta for the lower case “b” and so forth. Other techniques include:

  • Randomizing content to obfuscate the provenance of the message
  • Using images that contain text to bypass text analysis filters
  • Bypassing URL domain filtering using shorteners such as
  • Using subdomains
  • Abusing redirection mechanisms

Mitigating the Multi-Phase Attack Risk

Multi-phase attacks require multi-tiered defenses—that is, the stacking up of security layers. In the same way that you might employ more than one type of firewall to improve your odds of stopping a network-based attack, it makes sense to have a few different email security countermeasures at work to block multi-phase attacks.

Microsoft’s embedded Exchange Online Protection (EOP) is good at spam filtering and spotting known threats, but less effective at identifying attackers that have obfuscated their identities. Thus, it is important to layer additional capabilities on top of EOP that are more focused on predicting unknown, highly dynamic threats through behavioral analysis and use of machine learning models.

The challenge to layering, though, may be your existing email architecture. For instance, Secure Email Gateways (SEG) that require an MX record change render EOP’s reputation-based defenses useless. Moreover, because they sit in line in the email flow, SEGs cannot scan inter-organization traffic, and thus fail to protect against the insider email threats.

The perimeter disappears in the world of multi-phased attacks. Any effective defense should assume the attacker is already inside your Office 365 domain. Looking outward will not help you.

Finally, trust what users are reporting. They are seeing the attack emails first hand and in real time. Focus on training them as mistakes arise, e.g. clicking on a phishing URL. They’ll remember that better than once a year training.  Moreover, offer feedback loops that allow users to report suspicious emails.  Beyond manual remediation, make sure that there is a closed loop with the email filter so that the engine learns from this feedback and continually improves.
How hackers combine phishing and spear phishing to target Office 365 users Start the webinar >>>


It is evident that multi-phase attacks are a virulent and ever-expanding threat, especially to Office 365 users. However, by developing solutions that take into account the varied and sophisticated nature of these attacks—as well as the technological developments that fostered this dangerous climate—it is possible to mitigate threat.