Microsoft Issues Advice on Defending Against Spear Phishing Attacks
Cybercriminals conduct phishing attacks by sending millions of messages randomly in the hope of getting a few responses, but more targeted attacks can be far more profitable.
There has been an increase in these targeted attacks, which are often referred to as spear phishing. Spear phishing attacks have doubled in the past year according to figures from Microsoft. Between September 2018 and September 2019, spear phishing attacks increased from 0.31% of email volume to 0.62%.
The volume may seem low, but these campaigns are laser-focused on specific employees and they are often very affective. The emails are difficult even for security conscious employees to recognize and many executives, and even IT and cybersecurity staff, fall for these campaigns. The emails are tailored to a specific individual or small group of individuals in a company, they are often addressed to that individual by name, appear to come from a trusted individual, and often lack the signs of a phishing emails present in more general phishing campaigns.
These attacks are more profitable as some credentials are more valuable than others. Spear phishing campaigns often target Office 365 admins. Their accounts can allow an attacker to gain access to the entire email system and huge quantities of sensitive data. New accounts can be set up on a domain with admin credentials, and those accounts can be used to send further phishing emails. New accounts are only used by the attacker, so there is a lower chance of the malicious email activities being discovered.
Spear phishers also seek the credentials of executives, as they can be used in business email compromise attacks in which employees with access to company bank accounts to tricked into making fraudulent wire transfers. Fraudulent wire transfers of tens of thousands, hundreds of thousands, or even millions may be made, malware can be installed, or the attacker can gain access to large quantities of highly sensitive data.
Spear phishers spend time researching their targets on social media networks and corporate websites. They learn about relationships between employees and different departments and impersonate other individuals in the company. They may even already have compromised one or more company email accounts in past phishing campaigns before going for the big phish on a big fish in the company. This is often referred to as a whaling attack. Spear phishing emails are often professional, credible, and are difficult to identify by end users.
As difficult as these spear phishing emails are to spot, there are steps that healthcare organizations can take to reduce risk. Many of these measures are the same as the steps that need to be taken to detect and block more general phishing campaigns.
The best place to start is with employee education. Security awareness training should be provided to everyone in the organization who uses email. Many of these spear phishing attacks start with a more general phishing campaign to gain a foothold in the email system.
The CEO and executives must also be trained, as they are the big fish that the spear phishing campaigns most commonly target. Any individual with access to corporate bank accounts or highly sensitive information should be given more training, and the training should be role-specific and cover the threats they are most likely to encounter.
Employees should be taught not just to check the true sender of an email, but specifically look at the email address to see if something is not quite right. Phishing emails usually have a sense of urgency and usually a “threat” if no action is taken (account will be closed/suspended).
They often contain out-of-band requests that go against company policy such as fast-tracking payments, sending unusual data via email, or bypassing usual checks or procedures. The messages often contain unusual language or inconsistent wording.
When suspicious emails are received, there should be an easy mechanism for employees to report them to their security teams. A one-click email add-on for reporting messages is useful. Spear phishing campaigns are often sent to key people in a department simultaneously, so speaking to peers about messages is also useful. Policies should also be implemented that require checks to be performed before any large bank transfers are made. It should be company policy to double check atypical requests by phone, for instance.
Technical measures should also be introduced to detect and block attacks. An advanced spam filtering solution is a must. Do not rely on Exchange Online Protection with Office 365. Advanced Threat Protection from Microsoft or a third-party solution for Office 365 should be implemented for greater protection, one which incorporates sandboxing, DMARC, and malicious URL analysis will provide greater protection.
Multi-factor authentication is also essential. MFA blocks more than 99.9% of email account compromise attacks. If credentials are compromised in an attack, MFA can prevent them from being used by the attacker.
Spear phishing is the principle way that cybercriminals attack organizations and it often gives them the foothold they need for more extensive attacks on the organization. Spear phishing is a very real threat. It is therefore critical that organizations take these and other steps to combat attacks.