Best practices for defending against insider email threats


Research done by Intel revealed that an astonishing 97 percent of computer users cannot identify phishing emails. When the phishing attack comes from a trusted coworker, users are often defenseless on their own. Protecting against insider email threats presents a significant challenge for security operations (SecOps) teams, and the increasing popularity of Microsoft Office 365 has deepened cyber vulnerability, due to the architectural limitations of traditional cloud email security gateway products.

Phishers know their audience—predatory emails tend to look like any other email a user might receive. As researchers at Carnegie Mellon University noted in a recent study, “Users who share similar interests belong to a specific user segment and are susceptible to a specific type of attack.”

Thus, the web marketer will receive a phishing email offering an amazing deal on search engine optimization and the attorney will be tempted by an app that matches her with new clients. If the attacker is perceived to be a coworker or organizational superior, the risk is even greater. Behind the guise of a trusted source or a familiar subject, phishers lurk.

A vivid example of the danger of phishing attacks took place during a study at the US Military Academy in 2004. Five hundred cadets received an email from a "Colonel Robert Melville" requesting that they click on a link. 80 percent of them did so, despite the fact that no one by the name of Robert Melville worked at the Academy and that the link was potentially dangerous. Trained to obey orders, the cadets dropped their guard and did what they had been instructed to do. The episode demonstrated how vulnerable even a disciplined organization can be to social engineering attacks.

Insider threats are an unfortunate reality in today’s workplace. Though relatively rare, they can be quite damaging. Insider attacks take many different forms—rogue employees may access unauthorized data or improperly override security controls for personal financial gain. Luckily, when attacks come from the inside, there are HR policies and laws that protect the organization. This is not the case when external hackers pretend to be insider employees.

Faux insiders have the power to wreak havoc and cause financial losses, and they are an altogether more complex threat to counter. For example, in CEO fraud, an attacker posing as a senior executive orders a subordinate to execute a bank transfer to a “vendor” on a rushed basis. Such was the case at a startup in the UK, where a hacker pretending to be the firm’s CEO was able to direct £16,000 to an offshore bank account controlled by criminals.

The Office 365 Vulnerability

Organizations that use cloud-based email solutions like the increasingly popular Office 365 email are especially vulnerable to faux insider phishing attacks. The problems begin in the very architecture of the cloud-based email system.

Gateway-based solutions, whether they are hosted on-premises or delivered as cloud-based email security services, sit in line in the SMTP mail flow. As a result, they can only scan the incoming and outgoing email flows. In the process, as the emails pass through the gateway, they inherit the IP address of the gateway service. This masks the original sender, rendering Exchange Online Protection’s (EOP’s) reputation-based defenses useless. With this architecture, there is no filtering of internal emails at all. Even Microsoft Advanced Threat Protection (ATP) does not filter internal emails.

Imagine that a user’s Office 365 account is compromised, perhaps by way of a convincing but fake Microsoft login web page. The risks are severe in this scenario. With an actual Office 365 credential in hand, the attacker can take over the user’s email account and send emails to “colleagues” that look 100% authentic… because they are. He or she can send attack emails from a real account. They are legitimate emails from one coworker to another on the actual email system.
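To make the two blind spots above concrete, here is an added Python example (not code from the original article or from any product it mentions) that walks the Received chain of constructed sample messages: for gateway-routed mail, the IP address that Office 365 sees belongs to the gateway and the origin IP sits one hop deeper; for internal-to-internal mail, no gateway hop appears at all. The gateway address range, the tenant domain and both messages are assumed, constructed values.

```python
import email
import re
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Hypothetical values for this walkthrough: the gateway's egress range and our tenant domain.
GATEWAY_NETS = [ip_network("203.0.113.0/24")]
INTERNAL_DOMAIN = "example.com"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: external mail relayed through the hosted gateway into Office 365.
MSG_EXTERNAL = """\
Received: from gw1.gateway.example (gw1.gateway.example [203.0.113.10])
 by outlook.office365.com; Mon, 1 Oct 2018 10:00:00 +0000
Received: from mail.sender.example (mail.sender.example [198.51.100.25])
 by gw1.gateway.example; Mon, 1 Oct 2018 09:59:58 +0000
From: Vendor Billing <billing@sender.example>
To: finance@example.com
Subject: Invoice

Invoice attached.
"""

# Constructed sample: mailbox-to-mailbox mail inside the tenant; it never touches the gateway.
MSG_INTERNAL = """\
Received: from tenant-mailbox.outlook.example ([10.0.0.5])
 by outlook.office365.com; Mon, 1 Oct 2018 11:00:00 +0000
From: Alice <alice@example.com>
To: bob@example.com
Subject: Quick question

Can you check this link for me?
"""

def received_ips(msg):
    """Bracketed IP from each Received header, newest hop first (headers are prepended on delivery)."""
    return [m.group(1) for h in msg.get_all("Received", []) for m in [IP_RE.search(h)] if m]

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rsplit("@", 1)[-1].lower()

def triage(raw):
    """Classify which path a message took and which IP Office 365 could base reputation on."""
    msg = email.message_from_string(raw)
    ips = received_ips(msg)
    seen_by_eop = ips[0] if ips else None
    via_gateway = seen_by_eop is not None and any(ip_address(seen_by_eop) in n for n in GATEWAY_NETS)
    internal = domain_of(msg["From"]) == INTERNAL_DOMAIN == domain_of(msg["To"])
    # Gateway hop: EOP only saw the gateway's IP, so sender reputation is lost unless the gateway re-adds it.
    # Internal: no gateway hop exists, so nothing in the SMTP path scanned the message.
    path = "gateway" if via_gateway else ("internal" if internal else "direct")
    origin = ips[1] if via_gateway and len(ips) > 1 else seen_by_eop
    return {"path": path, "ip_seen_by_eop": seen_by_eop, "origin_ip": origin}
```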

The Microsoft vulnerability is manifesting itself in a striking set of statistics. Vade Secure research shows that fake Microsoft sites comprised the #1 phishing URL hit in the second quarter of 2018. That’s more than PayPal! Indeed, Microsoft-based phishing attacks have more than quadrupled since the start of the year.

Is your organization worried about and taking actions to protect against insider threats and Office 365 vulnerabilities?
