Phishing is an email scam that impersonates a business to trick recipients into divulging account credentials or clicking on a malware-laden link. In most attacks, phishing involves luring a victim with a link to a fraudulent website or including an email attachment laced with malware.
Phishing attacks impersonate brands to trick users, whereas spear phishing attacks impersonate individuals. Most phishing emails include a subject line that causes either alarm or intrigue, which encourages victims to act quickly. With the exception of highly targeted attacks, a phishing email is typically a one-off event. Often, hackers will send a single email to multiple recipients at once (known as a wave) to improve the chances of success.
Spear phishing emails do not include links or attachments and are designed to trick a recipient into completing a financial transaction, such as making a wire transfer, purchasing gift cards, or changing direct deposit information.
All phishing emails include one of two components: a link or an attachment. Getting victims to click the link or open the attachment requires a sophisticated set of tools and techniques. Below are some of the most important elements of a phishing email:
Perhaps the most critical element of a phishing email, the subject line is designed to entice, alarm, or frighten the victim into opening the email. Hackers who have done their research write highly targeted subject lines to entice victims into opening emails.
Email spoofing involves creating an email address that looks like that of a trusted business. With display name spoofing, the hacker adds the desired display name in the sender field of the email. In other cases, a hacker will use an email address resembling a legitimate business email as the display name.
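A mail-filter check for the two display-name tricks described above, as an added example that is not code from the original page or from any vendor product. The `BRAND_DOMAINS` allow-list, the function names and the sample headers are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Hypothetical allow-list (constructed): brand keyword -> domains the brand sends from.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com"},
    "paypal": {"paypal.com"},
}

# Matches an email address embedded in free text and captures its domain.
EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def _is_domain_or_subdomain(domain, allowed):
    # Require an exact match or a dot boundary so "notmicrosoft.com" does not pass.
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_from_header(from_header):
    """Return a list of findings for one From header value (empty list = clean)."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable-address"]
    domain = address.rsplit("@", 1)[1].lower()
    findings = []

    # Case 1: the display name is itself an email address on a different domain.
    match = EMAIL_IN_TEXT.search(display)
    if match and match.group(1).lower() != domain:
        findings.append("address-in-display-name")

    # Case 2: the display name names a brand, but the sending domain is not the brand's.
    lowered = display.lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in lowered and not _is_domain_or_subdomain(domain, allowed):
            findings.append("brand-display-name-mismatch:" + brand)
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not taken from real mail.
    for header in (
        '"Microsoft 365 Support" <alerts@ms-account-verify.example>',
        '"billing@paypal.com" <x9@mailer.example>',
        '"Microsoft account team" <noreply@accountprotection.microsoft.com>',
    ):
        print(header, "->", check_from_header(header))
```

SPF, DKIM and DMARC authenticate the sending domain, not the display name, so a check like this complements them instead of replacing them.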
Hackers impersonate the brands you trust the most. When attacking businesses, hackers impersonate brands that a business has a relationship with, such as a bank or a software vendor. To create the illusion of legitimacy, phishers use real business and product logos and other visual elements of the brand’s identity.
A link is typically placed in the body of the email, but it can also be placed inside an attachment or inside a legitimate hosted file on a service like OneDrive or SharePoint to avoid detection from email filters scanning for known phishing links. Victims are lured into clicking on the link by the email itself, which directs the user to visit a website to log into an account.
Attachments are included either to conceal the phishing link from an email filter or to deliver malware/ransomware. Often in the form of a Word document, PDF, or .zip file, the attachment appears to be legitimate business correspondence, such as an invoice. The link might lead to a phishing website or result in an automatic download of malware or ransomware.
A phishing page is a fraudulent webpage that impersonates a brand. Unsophisticated pages are easy to spot, but advanced phishers use real CSS from brand webpages to make their webpages identical to the real thing. Phishing pages impersonate login pages where victims enter their username and password to access their account. When they do so, their credentials are stolen.
Urgency is the essence of all phishing emails. Phishers use a variety of scams to create a sense of concern and even fear to motivate users to click on links and divulge sensitive credentials.
This email alerts a user that they must verify their account or their password must be reset, whether as a matter of routine or because of an issue with an account.
The victim is informed that their current form of payment, typically a credit card, is either not working or must be updated in order to continue receiving a service.
This attack includes an attachment posing as an invoice or other piece of business correspondence. The attachment might include a link to a phishing page, or the attachment might unleash malware/ransomware when opened.
Phony security alerts include phishing emails alerting a victim that their password has been compromised, that there is suspicious activity on an account, or that they recently signed into an account from an unknown device.
Social media phishing involves stealing account credentials for a social media platform through one of the above schemes. Hackers sometimes steal the victim’s personal data and sell it on the black market. In other cases, the hacker will use the compromised account to conduct attacks on the victim’s friends and followers.
Sextortion scams are designed to trick victims into believing a hacker is in possession of compromising information, such as webcam video of the victim watching online pornography. The victim is instructed to pay the hacker in Bitcoin to avoid the information being leaked to the public and to acquaintances.
Phishing was once considered a consumer problem. But as hackers grew more sophisticated, they began targeting businesses. The growth of cloud computing made businesses an even bigger target, with sensitive files and data suddenly up for grabs. As a result, phishers began impersonating high-profile, reputable brands that corporations do business with, including cloud services providers and financial institutions.
With more than 200 million users, Microsoft 365 is the most used business productivity suite in the world, making it the no. 1 corporate target for hackers. The growth of Microsoft 365 has led to an onslaught of phishing attacks aimed at Microsoft 365 business users whose login credentials prove all a hacker needs to access a business’s data.
Users are alerted that their Microsoft 365 account needs attention, such as validating account credentials or changing a password.
Users are warned that there is an issue with their Microsoft 365 payment method and instructed to update their credit card information.
Users receive an email from an Outlook or Microsoft email address alerting that they have received a voicemail and must log in to Microsoft 365 to listen to the message.
Users receive a notification that a colleague has shared a OneDrive or SharePoint file with them. The file typically includes a phishing link but could also be ransomware-laden.
Users receive a notification that a colleague or associate has shared a OneNote message. The URL in the email leads to a fake OneNote message with an embedded phishing link, which leads to a Microsoft phishing page. With a compromised SharePoint account, hackers can send legitimate notifications.
A multiphase attack begins with phishing and evolves into spear phishing. Starting with any of the phishing scams above, the initial attack gives a hacker access to a user’s Microsoft 365 credentials. With these in hand, the hacker can then send phishing or spear phishing emails from a compromised Microsoft 365 account.
Vade Secure for Microsoft 365 blocks advanced attacks from the first email thanks to machine learning models that perform real-time behavioral analysis of the entire email, including any URLs and attachments. Leveraging data from more than 600 million inboxes, our AI-based threat detection stops threats before, during, and even after attacks.
Most email filters use fingerprint and reputation-based detection methods, including scanning for blacklisted domains and IPs. This makes it impossible for these types of filters to detect unknown attacks, or malicious emails and pages that have not been previously identified.
Hackers use a number of techniques to bypass fingerprint and reputation-based filters. With a simple MX record lookup, hackers can see which email security solution is in use and create scripts to bypass MX rules or develop techniques to bypass the solution itself. Below are some of the most common and advanced techniques:
The best phishing prevention combines people and technology. With new attacks being launched every day and even sophisticated filters sometimes missing attacks, prevention is an ongoing effort that requires constant diligence and a set of anti-phishing technologies:
As attacks become more sophisticated, users must be continually trained in the latest phishing attacks and techniques. In addition to recurring awareness training, contextual training delivered at the moment a user clicks on a malicious email provides instant feedback on the behavior.
Training content that is personalized for the user based on the brand used in the phishing attempt gives the training context, unlike annual trainings that are typically conducted in a group setting and based on generic emails. Ultimately, the training experience will be more significant, and the phishing attempt more memorable than the simulations used in training sessions.
Equally important to phishing prevention is encouraging users to report suspicious emails. This gives IT the opportunity to warn the company about incoming attacks and gives the security operations team the opportunity to use the phishing email to strengthen the email filter.
Unlike fingerprint and reputation-based technology, artificial intelligence identifies unknown attacks by scanning the content, context, and origin of emails. Supervised machine learning algorithms are trained by data scientists to recognize various features of phishing emails. Unsupervised algorithms do not require a trainer but learn over time to recognize anomalies in emails, or suspicious events that differ from the majority of data.
Trained to detect images and logos from brands, Computer Vision algorithms can detect slight distortions in images, scan text-based images, and extract QR codes that conceal malicious links. Unlike other machine learning algorithms, Computer Vision algorithms interpret and view images as humans do, recognizing known phishing emails that have been distorted to look like new emails.