Study Shows Quarter of Phishing Emails Bypass Office 365’s Default Defences

Avanan has released a study indicating that a quarter of all phishing emails bypass Microsoft Office 365’s default anti-phishing protections.

Avanan, a cloud security platform provider, conducted a study of 52 million emails that had been assessed by Office 365 Exchange Online Protection (EOP). It found that EOP categorised a quarter of the phishing emails sent as ‘non-malicious’ and allowed them to arrive in user inboxes. A further 5.3% of emails were delivered because they had been whitelisted, meaning the phishing emails couldn’t be blocked.

EOP works by scanning emails for malware and signatures of spam, and by checking whether the sender appears reputable. EOP correctly identified 69.7% of phishing emails, categorising them either as spam (49% of the total) or as phishing emails (20.7% of the total). This indicates that EOP does offer some level of protection against these campaigns. However, the remaining phishing emails were not identified by EOP as malicious and evaded detection.

Avanan’s report warns businesses that relying on the basic default security on email accounts, such as EOP, is not enough to protect against phishing attacks. Hackers can make a great deal of money from a successful phishing campaign, so they create increasingly sophisticated campaigns to bypass these defences.

Although more costly, businesses should consider using solutions such as Advanced Threat Protection (ATP) provided by Microsoft, or a third-party anti-phishing solution on top of EOP. Small businesses may prefer to opt for other third-party anti-phishing solutions as they are more likely to be affordable for smaller operations.

Although a significant proportion of the phishing emails made it to user inboxes, it is worth noting that the overall volume of phishing emails sent is small. Just 1.04% of the 52.38 million Office 365 emails that were analysed were phishing emails. The figure was even lower in G Suite, with only 0.5% of the 3.12 million analysed emails being phishing emails. Avanan reports that around 1 in 99 emails are phishing emails.

It should be remembered that even if phishing emails only constitute a small proportion of total emails sent each day, hackers only need one individual to fall for their campaign for it to be successful. Therefore, businesses should take preventative measures to stop phishing emails from reaching user inboxes in the first place.

Of the phishing emails that Avanan assessed, 50.7% were used to deliver malware, 40.9% were used to harvest credentials, 8% were extortion-related, and 0.4% were spear phishing attacks.

One of the ways that phishing attacks bypass defences is obfuscation: the email that is displayed to the end user differs from how it appears to machine-based security solutions.

Hackers convince end users to trust their emails by impersonating well-known brands. Avanan found Microsoft to be the most impersonated brand, used in 43% of brand impersonation attacks, followed by Amazon with 38%. The impersonation of banks and financial institutions accounted for 9.7% of the total, followed by logistics firms (DHL, FedEx, UPS) at 2.5%. One in 25 branded emails was a phishing attempt.

An analysis of the phishing emails showed that one of the most accurate indicators of a phishing email is the inclusion of a crypto wallet address. Nearly all (98%) of the emails that contained a crypto wallet address were malicious.
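
The wallet-address indicator can be turned into a mail-filter check. The following is an added example, not code from Avanan's report or from EOP: it assumes legacy Base58Check Bitcoin addresses only (the article says just "crypto wallet address"), and it verifies the checksum so that order numbers and tracking references of the same shape are not flagged. All function names and sample messages are constructed for illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Bitcoin address shape: leading 1 or 3, 26-35 Base58 characters in total.
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

def checksum(payload: bytes) -> bytes:
    """First 4 bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # Each leading zero byte is written as one '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body

def is_valid_address(addr: str) -> bool:
    """True only if the string decodes to 21 payload bytes plus a matching checksum."""
    raw = b58decode(addr)
    return len(raw) == 25 and checksum(raw[:21]) == raw[21:]

def wallet_addresses(text: str) -> list:
    """Return checksum-valid wallet addresses found in an email body."""
    return [c for c in CANDIDATE.findall(text) if is_valid_address(c)]

# Constructed test data: not a real wallet, just a well-formed address.
PAYLOAD = b"\x00" + bytes(range(1, 21))
SAMPLE_ADDR = b58encode(PAYLOAD + checksum(PAYLOAD))
# Same shape as an address but with a broken checksum (e.g. a reference number).
LOOKALIKE = SAMPLE_ADDR[:-1] + ("2" if SAMPLE_ADDR[-1] != "2" else "3")
EXTORTION = f"Send the payment to {SAMPLE_ADDR} within 48 hours."
BENIGN = f"Your parcel reference is {LOOKALIKE}, due Tuesday."

if __name__ == "__main__":
    for body in (EXTORTION, BENIGN):
        print(wallet_addresses(body), "<-", body)
```

A hit from `wallet_addresses` is best treated as a strong scoring signal rather than an automatic block, since the study's figure is 98%, not 100%.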