Hackers Have It Out for Microsoft Email Defenses

Cybercriminals are focusing more and more on crafting special email attacks that evade Microsoft Defender and Office security.

Laptop with Microsoft Office 365 dashboard open
Source: tofino via Alamy Stock Photo

Increasingly, cyberattackers are laser-focused on crafting attacks that are specialized to bypass Microsoft's default security, researchers say — which is going to require a shift in defense posture for organizations going forward.

"Many hackers think of email and Microsoft 365 as their initial points of compromise, [so they] will test and verify that they are able to bypass Microsoft’s default security," according to a new report from Avanan that flags an uptick in its customer telemetry of malicious emails landing in Microsoft-protected email boxes. "This does not mean that Microsoft's security got worse. It means that the hackers got better, faster, and learned more methods to obfuscate and bypass the default security."

Some of the eye-catching numbers in the report, gleaned from analyzing 3 million corporate emails in the past year, include:

  • About 19% of phishing emails observed by Avanan bypassed Microsoft Exchange Online Protection (EOP) and Defender.

  • Since 2020, Defender's missed phishing rates among Avanan's customers have increased by 74%.

  • On average, Defender sends only 7% of phishing messages received by Avanan customers to the Junk folder.

  • In good news: Microsoft flagged and blocked 93% of business email compromise attempts.

  • Microsoft catches 90% of emails booby-trapped with malware-laden attachments.

Again, the numbers speak to the evolution of phishing and the fact that attackers are increasingly using tactics like leveraging legitimate services to avoid including obviously malicious links in emails, using masking techniques like vanity URLs, and avoiding attachments altogether.

To defend themselves against these custom-built attacks, organizations can go to basic defense-in-depth approaches with four main prongs, according to Roger Grimes, data-driven defense evangelist at KnowBe4.

Those prongs include: A better focus on preventing social engineering, using a best defense-in-depth combination of policies, technical defenses, and education; patch software and firmware, especially any that are listed on CISA's Known Exploited Vulnerability Catalog; use phishing-resistant multifactor authentication (MFA); and using different, secure, passwords for every site and service where MFA cannot be used.

"There are no other defenses, besides these four, that would have the most impact on decreasing cybersecurity risk," Grimes says. "It is the world's lack of focus on these four defenses that has made hackers and malware so successful for so long."

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights