Microsoft’s Recommendations on Protecting Against Spear Phishing Attacks

Many cybercriminals still send phishing emails at random hoping to solicit some responses. However, it is more lucrative to conduct targeted attacks, which are also called spear phishing. Microsoft claims that spear phishing attacks increased twofold last year. From September 2018 to September 2019, spear phishing attacks have gone up from 0.31% to 0.62% of email volume.

The percentage may be low, but these spear phishing campaigns are very effective because they are laser-focused on specific employees. Even security-conscious employees find them hard to recognize, and many executives, IT and cybersecurity personnel have fallen victim to these campaigns. The emails are customized to a particular person or small group of people in a firm: they are frequently addressed to the recipient by name, appear to come from a trusted person, and usually show none of the usual signs of a phishing email.

These spear phishing attacks are far more lucrative because certain credentials are worth more than others. Spear phishing campaigns frequently target Office 365 admins, because access to their accounts gives an attacker access to the whole email system and massive volumes of sensitive information. With admin credentials, new accounts could be created on the domain and used to send further phishing emails. Because only the attacker uses these new accounts, the malicious email activity is less likely to be discovered.

Spear phishers likewise look for executives’ credentials, because these can be used in business email compromise attacks: employees with access to the company’s bank accounts can be fooled into making fraudulent wire transfers. The attacker can make fraudulent wire transfers of large sums of money, install malware, or access sizeable amounts of highly sensitive information.

Spear phishers research their targets through social media platforms and company websites. They learn about the target’s relationships with colleagues and departments and impersonate other people in the firm. They may also carry out a whaling attack in which they have already compromised several company email accounts in previous phishing campaigns before going after the big phish in the company. Spear phishing emails usually look professional and reputable and are hard for end users to recognize.

Though these spear phishing emails are difficult to spot, there are ways that healthcare companies can lower the risk.

The first is employee education. Everyone in the company who uses email should receive security awareness training. Many of these spear phishing attacks begin with a more common phishing campaign that gains access to the email system.

The CEO and officers should likewise be trained, since they are the big fish targeted by spear phishing campaigns. Anyone with access to company bank accounts or highly sensitive data should receive additional, role-specific training that addresses the threats they are likely to encounter.

Employees should be trained not only to verify who really sent an email message but in particular to check the sender’s email address to make sure nothing is wrong. Phishing emails typically convey a sense of urgency and usually a “threat” if no action is taken (for example, the account is going to be closed or suspended).

They frequently include out-of-band demands that break company policy, such as fast-tracking payments, sending unusual data by email, or skipping the usual verifications or processes. The messages often contain strange language or inconsistent phrasing.
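As an added example (not from the article or from Microsoft), the following Python script applies the indicators described above to a raw message: a display name that claims to be a known colleague while the sender address is someone else’s, a Reply-To that redirects replies elsewhere, urgency or threat wording, and an out-of-band payment request. The internal directory, the keyword lists and the sample message are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed sample directory of people an attacker might impersonate: lower-case name -> real address.
INTERNAL_DIRECTORY = {"jane doe": "jane.doe@example.com"}
# Assumed keyword lists for the urgency/threat and out-of-band-request indicators.
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|suspended|closed)\b", re.I)
OUT_OF_BAND = re.compile(r"\b(wire transfer|gift cards?|expedite the payment|new bank details)\b", re.I)


def _plain_text(msg) -> str:
    """Collect the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain"
    )


def score_message(raw: str, directory=INTERNAL_DIRECTORY) -> dict:
    """Return the indicators found in a raw RFC 5322 message and a count-based score."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = msg.get("Subject", "") + "\n" + _plain_text(msg)
    flags = []
    # 1. The display name claims to be a known colleague, but the address is not theirs.
    for name, real_addr in directory.items():
        if name in display.lower() and addr.lower() != real_addr:
            flags.append(f"display name '{display}' but sender address is '{addr}'")
    # 2. Replies are silently redirected away from the visible sender.
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"Reply-To '{reply_to}' differs from From '{addr}'")
    # 3. Urgency, or a threat if no action is taken.
    if URGENCY.search(text):
        flags.append("urgency or threat wording")
    # 4. An out-of-band request that bypasses the normal payment process.
    if OUT_OF_BAND.search(text):
        flags.append("out-of-band payment request")
    return {"flags": flags, "score": len(flags)}


# Constructed sample message imitating a CEO wire-transfer request (not a real message).
SAMPLE = """\
From: "Jane Doe, CEO" <jane.doe@examp1e-mail.com>
Reply-To: ceo.office@webmail.invalid
Subject: Urgent payment

Please expedite the payment by wire transfer immediately; the vendor account will be suspended otherwise.
"""
```

Calling `score_message(SAMPLE)` raises all four flags; a routine internal message from the real address with no Reply-To and no such wording scores zero.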

There must be a quick way to report suspicious email messages to the security team, such as a one-click email add-in. Spear phishing campaigns are frequently directed at several important people in a department at the same time, so talking with peers about such messages is beneficial. There must be policies that require verification before any sizeable bank transfer is made; for example, it should be company policy to validate atypical requests by phone.

There must be technical controls to identify and block attacks. A sophisticated spam filtering solution is necessary. Don’t depend on Exchange Online Protection with Office 365 or Advanced Threat Protection from Microsoft. For better security, use a third-party solution for Office 365 that includes sandboxing, malicious URL analysis and DMARC.

Multi-factor authentication is likewise important. MFA stops over 99.9% of email account compromise attacks. When credentials are exposed in an attack, MFA can stop the attacker from using them.

Cybercriminals use spear phishing to attack companies, and it usually gives them the foothold they need to attack the company further. Spear phishing is a very serious threat, so it is important for organizations to take the necessary steps to defend against these attacks.