With 180 million active users it's no wonder that Microsoft Office 365 has caught the attention of online criminals.
According to Microsoft, one in five business workers are now using an Office 365 cloud-based service, with adoption particularly popular in the financial services and manufacturing sectors.
And these industries, of course, can provide rich pickings for cybercriminals.
So, it's no surprise to me to learn that phishing attacks targeting Office 365 users outstrip the attacks seen against the likes of Netflix and PayPal, or online banks.
What makes phishing attacks against Office 365 more threatening, of course, is that they're not just after a user's login credentials.
Instead, attackers frequently want to exploit their unauthorised access to an Office 365 account by sending messages from the legitimate account to the victim's business partners or colleagues. A stolen Office 365 password may only raise a tiny amount of money if sold on an underground cybercrime forum compared to the fortunes that can be made through a Business Email Compromise (BEC) attack that requests money be wired to an overseas bank account.
Alternatively, a hacker might be keen to trawl through a compromised email archive for company secrets, and threaten to make them public unless a ransom is paid.
Microsoft has multiple recommendations on how businesses of different sizes can better harden the security of Office 365, but some of the most important steps in my mind include:
(Of course, Microsoft hasn't done the promotion of multi-factor authentication any favours after suffering an outage last November which locked users out of their Office 365 accounts for a period of time.)
Every day there are news stories about organisations being phished, data being lost to hackers, and damage being done to a company's brand.
Often the details of what email system the organisation was using aren't detailed in the media reports, but with the growing uptake of Office 365 it's likely that a fair proportion of them do involve Microsoft's cloud-based services.
Earlier this month, for instance, Missouri Southern State University admitted that it had suffered a data breach after several employees fell victim to a phishing attack back in January 2019.
The breach meant that remote hackers could have potentially accessed emails and attachments containing names, dates of birth, home addresses, email addresses, telephone numbers, and social security numbers.
According to the university, it was directed to delay notifying potentially affected individuals while law enforcement completed its investigation, but it wisely immediately reset all employees' Office 365 passwords, and put into process a plan to enhance its IT systems to reduce the chances of future attacks.
Whatever email system you're using inside your business it makes sense to strengthen your defences against the increasingly sophisticated tricks being used by online criminals.
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
June 02, 2023