Last month, Microsoft’s Security Intelligence team alerted Microsoft 365 users and administrators about a clever new phishing attempt. This campaign uses spoofed sender addresses and names, supposed file share requests in SharePoint, and even approximations of Microsoft logos to try and slip through cybersecurity defenses.
As with most phishing attempts, the goal is to convince unsuspecting users to click a legitimate-looking URL, which instead redirects to a compromised site that steals user credentials and can even download malicious software onto a user’s computer—or, worse, an entire office’s connected network.
In a statement, Microsoft said, “An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters.” The tech giant quickly moved to stifle the phishing attempt targeting its estimated 50 million+ users of Microsoft 365.
But if cybersecurity trends in 2021 are any indication, attempts like this will continue to increase in both frequency and sophistication. The focus on “file share request” links in spoofed emails is common, but security experts say the use of Microsoft logos and barely noticeable domains (think email@example.com instead of firstname.lastname@example.org) is particularly worrisome.
Deploying different methods of cyber defenses is critical—that way, if one falters, another can step up to block the vulnerability. Many cybersecurity strategies place this step last. But in the case of this latest Microsoft phishing campaign, security awareness training is paramount because it empowers users to identify ways that cybercriminals will try to trick them. The tactical goal is to make users stop, read, and think carefully before responding to or clicking on any links in an email, even when it looks legitimate. This type of ongoing education can serve as the first line of defense against fraud, ransomware, data breaches, and other cybersecurity issues.
These are crucial components of step one, but because of their importance, it’s useful to break them down:
- Don’t open unknown attachments. Hackers get more and more creative each day, changing the file format and appearance of illicit attachments to see what works. Unless you’re expecting a specific file from a specific, trusted colleague, don’t click it. Verify the authenticity of the attachment face-to-face if you can. All it takes is one click on one of these infected files to wreak widespread havoc.
- Review the sender’s email address and display name carefully. This seems like second nature, but it can be easy to overlook it—especially when we’re busy. Does the display name match the email domain? Is everything spelled correctly or are characters out of order? Close inspection can often reveal clear clues to a phishing email’s true intentions, particularly when you see other small mistakes or strange phrasings in the subject line or body copy.
- Double-check links to make sure they’re valid. Before you click any links in an unknown email, place your mouse over it and hover to make sure it’s legitimate. If the text says https://www1.cmitsolutions.com/e/660363/2021-08-16/77n3ny/951875288?h=tKR0sTN8ok9zIBM3LJ8cXT6kYsBV79EjIRsuHYqJxKM, the preview link (or yellow box that pops up above it) should also read https://www1.cmitsolutions.com/e/660363/2021-08-16/77n3ny/951875288?h=tKR0sTN8ok9zIBM3LJ8cXT6kYsBV79EjIRsuHYqJxKM. Beware of long strings of nonsensical characters or any major differences between the link in the email copy and the preview link that shows up when you hover over it.
Company-wide Internet filtering and traffic analysis can stop some unauthorized phishing attempts, while sandboxes that isolate attachments before delivering them to your inbox can add another tactic to your IT toolbox. In addition, employers should take extra precautions to alert their employees when and from whom any critical communications will arrive so they can separate real emails from fake ones. Notifying IT support staff—whether internal or external—when obvious phishing attempts do land in your inbox can also cut down on the future threat of fraud or infection. Even the best technology requires smart, savvy human beings whose insight and intelligence can help systems work properly.
At CMIT Solutions, we help thousands of businesses spot and stop phishing emails before they have a chance to infiltrate IT systems or steal valuable data. We’ve helped thousands of businesses operating in countless industries across North America to strengthen their cyber defenses and enhance email security.
If you’re worried about phishing campaigns or have identified illicit messages making it into your inbox, contact CMIT Solutions today. We defend your domain and your data while empowering your employees to take email security more seriously.