Office 365 Phishing Protection

In April 2022, Microsoft reached an impressive total of 200 million monthly active Office 365 users, with the productivity suite now used by over 1 million organizations worldwide. That installed base makes Office 365 users a prime target, and they are routinely singled out in phishing attacks. The baseline Exchange Online Protection (EOP) bundled with Office 365 provides only basic anti-phishing, anti-spoofing, and anti-malware capabilities. Its service level commitments of detecting 100% of known malware variants and a 99% spam catch rate sound strong, but "known" is the operative word: for many organizations, especially those in healthcare, the default Office 365 phishing protection falls short of requirements.

Healthcare organizations are heavily targeted by cybercriminals, and phishing is the most common way attackers gain access to networks and patient data. It is therefore important to implement Office 365 phishing protection measures that can identify and block advanced phishing and malware threats, not just the commodity spam and known malware the defaults are tuned for.

Phishing is a Leading Cause of Healthcare Data Breaches

Phishing is one of the leading causes of healthcare data breaches, with compromised email accounts reported to the HHS’ Office for Civil Rights with increasing regularity. Phishing is how many cyberattacks start, as it provides attackers with a foothold into healthcare networks for more extensive compromises, and Office 365 accounts can contain a considerable amount of valuable data. Some of the largest healthcare data breaches started with a phishing email, including the 2015 data breaches at Anthem Inc (78.8 million records) and Premera Blue Cross (10.4 million records).

Phishing attacks doubled in 2020 according to the Anti-Phishing Working Group, and more than 90,000 phishing campaigns are now detected each month. In addition to increasing in number, phishing threats are becoming more sophisticated. Cybersecurity solutions capable of detecting and blocking these threats, including targeted (spear) phishing, email impersonation attacks, and the initial-access stage of advanced persistent threats, need to be in place, because the standard Exchange Online Protection (EOP) provided with Office 365 offers only a single layer of filtering for phishing and malware.

Improving Office 365 Phishing Protection

The basic security features included with Office 365 are not sufficiently advanced to block zero-day malware and phishing threats. Malware is now heavily obfuscated and new variants are released constantly, so signature-based detection mechanisms, such as antivirus engines, will not identify and block them. Behavior-based detection is required to close that gap, most commonly sandboxing: attachments that pass the initial signature inspection are detonated in an isolated environment and their runtime behavior (files written, processes spawned, network connections attempted) is observed before the message is released to the mailbox. Standard Office 365 phishing protection lacks this capability; Microsoft offers it only as a paid add-on (Safe Attachments in Microsoft Defender for Office 365), so organizations on a base plan need to source it elsewhere.

Phishing often involves spoofing, where trusted contacts and businesses are impersonated. Email security solutions should support the DNS-based email authentication standards SPF, DKIM, and DMARC: publishing the corresponding records for your own domains and validating inbound mail against the records published by senders. DMARC is the one that actually ties the two together, since it requires the SPF or DKIM domain to align with the visible From: domain and tells receivers what to do on failure. A DMARC record with p=none is monitoring only and blocks nothing; spoofed mail is only rejected once the policy is moved to p=quarantine or p=reject. Outbound scanning is important for data loss prevention and for identifying compromised mailboxes, such as those used to send phishing emails internally or for business email compromise attacks.
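The following is an added example, not code from the original article or from any vendor's product. It performs a DMARC-style alignment check over the Authentication-Results header of an inbound message and shows why the published policy matters: the same display-name spoof is delivered under p=none but rejected under p=reject. The messages, domains and DMARC records are constructed for this example, and the organizational-domain logic is a simplification (a real evaluator would consult the Public Suffix List and fetch the record from DNS at _dmarc.<domain>).

```python
"""Added example (not from the original article): DMARC-style alignment check over
an Authentication-Results header, plus a parser for the domain's DMARC TXT record.
All messages, domains and records below are constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr


def _org_domain(domain: str) -> str:
    # Simplification (assumption): treat the last two labels as the organizational
    # domain. A production check would consult the Public Suffix List instead.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def _aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    # mode "s" (strict) requires an exact match; "r" (relaxed) allows subdomains.
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return _org_domain(auth_domain) == _org_domain(from_domain)


def parse_auth_results(header: str) -> dict:
    """Map 'spf'/'dkim' to (result, authenticated domain) from an
    Authentication-Results header value laid out as in RFC 8601."""
    results = {}
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id
        m = re.match(r"(spf|dkim)=(\w+)", clause.strip())
        if not m:
            continue
        dom = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^@\s]+@)?([\w.-]+)", clause)
        results[m.group(1)] = (m.group(2), dom.group(1) if dom else "")
    return results


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into tags."""
    return {k.strip(): v.strip() for k, v in
            (kv.split("=", 1) for kv in txt.split(";") if "=" in kv)}


def dmarc_verdict(raw_message: str, dmarc_record: str) -> str:
    """Return 'pass' when SPF or DKIM passes AND aligns with the From: domain;
    otherwise return the domain's published policy: 'none', 'quarantine' or 'reject'."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    rec = parse_dmarc_record(dmarc_record)
    spf_res, spf_dom = ar.get("spf", ("none", ""))
    dkim_res, dkim_dom = ar.get("dkim", ("none", ""))
    spf_ok = spf_res == "pass" and _aligned(spf_dom, from_domain, rec.get("aspf", "r"))
    dkim_ok = dkim_res == "pass" and _aligned(dkim_dom, from_domain, rec.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else rec.get("p", "none")


# Constructed sample: legitimate mail; bounce address on a subdomain, DKIM signed by the exact domain.
LEGIT_MSG = """\
From: Dr. Smith <dsmith@example-health.org>
To: billing@example-health.org
Subject: Updated claim form
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@mail.example-health.org; dkim=pass header.d=example-health.org

Please see the attached form.
"""

# Constructed sample: both authenticated identifiers sit on a subdomain (passes relaxed, fails strict alignment).
SUBDOMAIN_MSG = """\
From: Scheduling <noreply@example-health.org>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@mail.example-health.org; dkim=pass header.d=mail.example-health.org

Your appointment is confirmed.
"""

# Constructed sample: display-name spoof. SPF passes, but for the attacker's own domain, so it is unaligned.
SPOOFED_MSG = """\
From: IT Helpdesk <helpdesk@example-health.org>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@attacker.example; dkim=none

Your password expires today. Sign in at the link below to keep it.
"""

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT_MSG), ("subdomain", SUBDOMAIN_MSG), ("spoof", SPOOFED_MSG)]:
        for record in ("v=DMARC1; p=none", "v=DMARC1; p=reject; aspf=s; adkim=s"):
            print(f"{name:9s} {record!r:45s} -> {dmarc_verdict(msg, record)}")
```

The point to take from the spoofed case is that an SPF "pass" on its own proves nothing about the address the user sees; only the alignment step catches it, and only a policy stronger than p=none turns that catch into a block.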

More advanced Office 365 phishing protection solutions can significantly improve detection of phishing, including zero-day threats, through machine learning, heuristics, and Bayesian analysis, which flag messages that deviate from the patterns of email an organization normally receives rather than waiting for a signature.

Phishing emails often include embedded URLs that direct the recipient to a website hosting malware or a credential-harvesting form, so link scanning is important to ensure that emails containing links to malicious websites are blocked at the gateway and never delivered. Because attackers frequently activate a link's malicious content only after the message has passed the gateway, the scan should also cover the destination at the time the user clicks, not just at delivery.
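The following is an added example, not code from the original article or from any vendor's product. It performs the kind of gateway-side link scan described above over an HTML email body: it extracts every anchor, then flags links whose visible text names a different host than the real target, links to punycode (xn--) or raw-IP hosts, and links to hosts on a blocklist. The message body, the blocklist and the domains are constructed for this example; a real gateway would feed the blocklist from threat intelligence and add a time-of-click re-check.

```python
"""Added example (not from the original article): gateway-style link scan over an
HTML email body. The sample body, blocklist and domains are constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample blocklist (assumption); a real gateway uses threat-intel feeds.
BLOCKED_HOSTS = {"login-office365-verify.example"}

# Visible link text that itself looks like a URL or bare domain name.
_LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def scan_links(html: str) -> list:
    """Return one finding per suspicious link: {'href', 'text', 'reasons'}."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        if not host:
            continue  # mailto:, relative links, etc. are out of scope here
        reasons = []
        if host in BLOCKED_HOSTS:
            reasons.append("host on blocklist")
        if _is_ip(host):
            reasons.append("raw IP address as host")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode (IDN) host")
        if _LOOKS_LIKE_URL.fullmatch(text):
            # The user sees one address but the href goes somewhere else.
            shown = _host(text if "://" in text else "http://" + text)
            if shown and shown != host:
                reasons.append("visible text names a different host")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def verdict(html: str) -> str:
    """Gateway decision: any flagged link blocks the whole message."""
    return "block" if scan_links(html) else "deliver"


# Constructed phishing body: three malicious links and one legitimate one.
SAMPLE_BODY = """
<p>Your mailbox is almost full.
<a href="https://login-office365-verify.example/auth">Sign in</a> to keep receiving mail,
or use <a href="http://203.0.113.10/owa">the web portal</a>.</p>
<p>Verify your account at
<a href="https://xn--80ak6aa92e.example/login">https://portal.example-health.org/login</a></p>
<p>Questions? See <a href="https://portal.example-health.org/help">https://portal.example-health.org/help</a></p>
"""

if __name__ == "__main__":
    for finding in scan_links(SAMPLE_BODY):
        print(finding["href"], "->", ", ".join(finding["reasons"]))
    print("verdict:", verdict(SAMPLE_BODY))
```

The text-versus-href mismatch check is the one that matters most for credential phishing: the recipient reads a familiar portal address while the browser is sent to a look-alike host, and no amount of user vigilance in the mail client reveals that without hovering.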

Healthcare organizations should augment the standard Office 365 phishing protection features with a more advanced anti-phishing solution that incorporates these capabilities, so that even sophisticated phishing threats can be identified and blocked. Protection should not stop at the gateway, however.

Implement Multi-factor Authentication

In addition to improving the standard Office 365 phishing protection measures, healthcare organizations can take steps to reduce the likelihood of a phishing attack succeeding once a message has been delivered. One of the most important is multi-factor authentication for email accounts. If an employee responds to a phishing email and discloses their credentials, with single-factor authentication there is nothing to prevent an attacker from logging in to that mailbox. Multi-factor authentication requires an additional proof of identity before access to the account is granted. Microsoft has stated that MFA blocks more than 99.9% of automated account compromise attacks. The caveat is that methods based on one-time codes or push approvals can still be defeated by phishing kits that proxy the real login page and relay the second factor in real time, so phishing-resistant methods such as FIDO2 security keys should be preferred where the user base can support them.

Don’t Neglect Security Awareness Training

Technical defenses against phishing are important for blocking threats and preventing them from reaching users' inboxes, but even with layered defenses some threats will be delivered. All it takes is one employee responding to a phishing email and disclosing their credentials for a costly data breach to occur. It is therefore important to provide the workforce with security awareness training so that the risk of phishing is understood and every member of the workforce is taught how to recognize and report phishing attempts. Security awareness training has been shown to reduce susceptibility to phishing, especially when it is regularly reinforced and its effectiveness is measured with phishing simulations.