One such threat that has been making waves recently is a class of phishing attacks called business email compromise (BEC). BEC is also proving to be one of the costliest flavors of attacks to organizations—the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) recorded almost 20,000 complaints of business email compromise in 2020 alone, with adjusted losses of over $1.8 billion according to their recent IC3 report. What’s more, BEC attacks continue to increase in scope and sophistication. No wonder then that business email compromise is a top concern for CISOs across the globe, especially in a climate where remote work and collaboration have increased significantly.

We at Microsoft share that concern. And that is why we’ve been working aggressively to protect customers by detecting and blocking such attacks through innovation in our products and by staying ahead of current and future threats through research. Additionally, through the Digital Crimes Unit at Microsoft, we have been working to disrupt and thwart such attack networks in partnership with law enforcement.

What is business email compromise?

The term itself has seen an evolution over the years, but quite simply business email compromise (BEC) is a type of phishing attack that targets organizations with a view to steal money or sensitive information. At its core, it’s a social engineering attack, where the attacker looks to dupe the target into believing that they are interacting with a trusted entity. Once they have deceived their target, the attacker proceeds to coax them to share valuable information or process a payment.

These attacks are sometimes referred to as ‘CxO Fraud’ or ‘vendor compromise,’ taking the name of the entity the attacker is claiming to be.

How are these attacks orchestrated?

BEC attacks are so dangerous and costly that we recently devoted an entire blog series to this topic in an effort to raise visibility and help protect customers. The blog series covers the various types of tactics used in BEC attacks and the different levels of sophistication we see in these attacks. But I’ll summarize some top takeaways here:

Generally, the attacker uses one of the tactics below to dupe a target.

• Look-alike tactics (like domain or user impersonation):
  • For example, the attacker can forge the email properties of an email to make the sender appear to be a trusted entity. They can achieve this by using the same display name, even if using a different address. Or they can choose very subtle changes in the user part or domain part of the email address to make the email appear visually similar to a trusted email address, such as CEO@micros0ft.com (notice the ‘0’ instead of ‘o’—which upon cursory inspection, might not be obvious to the target).
• Exact-domain spoofing:
  • In this case, the attacker forges the email to use the exact same email address as the ‘trusted entity’—but sent from an email infrastructure they own. This is made possible by improperly protected domains (Email domains without domain authentication standards like DMARC enforced).

To learn more about these attacks and how they work, check out the first blog in our recent series.

What is Microsoft doing to combat security threats?

Microsoft has been working on a multi-pronged approach to keep customers safe. One that leverages our massive scale of optics and signals across our service portfolio to drive advancements in three dimensions:

• Product innovation.
• Research focus to keep track of ever-shifting campaigns and strategies.
• Fighting crime and taking down attack networks.

Product innovation in Microsoft Defender for Office 365

Defender for Office 365 offers customers unparalleled protection from business email compromise and other attacks such as credential phishing, whaling, malware, ransomware, and much more that might be orchestrated over email or other collaboration vectors. In an era of ever-increasing cybercrime, protection from such attacks is critical for organizations to safeguard their users.

The massive scale of protection offered means that each month Defender for Office 365 detects and blocks close to 40 million emails containing BEC tactics. We block 100 million emails with malicious credential phishing links each month. And each month, we detect and thwart thousands of user compromise activities.

This level of protection is paired with innovative and comprehensive product capabilities that span the different spheres of protection captured below—blocking and detecting threats, maximizing the efficiency and effectiveness of security teams as they investigate, hunt for and respond to threats, and focusing on capabilities that help raise end-user awareness and preparedness for these social engineering attacks. All of these play a critical role in protecting organizations from BEC attacks. To learn more about these capabilities, check out the second blog from the BEC series.

Figure 1:  Microsoft Defender for Office 365 capabilities

Research powered by human intelligence and artificial intelligence

Across Microsoft’s portfolio of security products, we process trillions of signals every single day. This massive signal base drives constant improvements to the artificial intelligence layers backing our protection and detection systems. We pair that with our top-notch dedicated research teams. This human intelligence layer of the Microsoft 365 Defender Threat Research team leverages these signals to track actors, infrastructure, and techniques used in phishing and BEC attacks to ensure Defender for Office 365 stays ahead of current and future threats.

Our most recent research into BEC provides an investigation of a campaign that uses attacker-created email infrastructure to facilitate monetary theft through gift cards. To learn more about this campaign, read the blog post we published.

Fighting cybercrime—Digital Crimes Unit

Microsoft’s Digital Crimes Unit (DCU) focuses on fighting cybercrime through a combination of technology, forensics, civil actions, and partnerships with law enforcement, often involving criminal case referrals. DCU actively tracks and takes down cybercriminals and the infrastructure they use. A good example of this is how Microsoft took legal action against COVID-19-related cybercrime.

In 2020 alone, DCU’s efforts led to the removal of almost 745,000 phishing URLs and the closure of more than 3,500 malicious email accounts.

Take steps now to protect your organization

Fighting cybercrime and eliminating costly breaches is going to take all of us. At Microsoft, we’ll continue to focus on the pivots we covered above to keep our customers protected. But to supplement that, it’s important that each and every organization take the threat of business email compromise seriously. CISOs need to ask themselves: Do we have the right level of protection against these attacks?

In the third blog of the series, we’ve included a set of recommendations that you can take to protect yourself now. These are important measures to take to protect your users against a possibly expensive breach:

1. Upgrade to an email security solution that provides advanced phishing protection, business email compromise detection, internal email protection, and account compromise detection.
2. Complement email security with user awareness and training.
3. Implement multi-factor authentication to prevent account takeover and disable legacy authentication.
4. Review your protection against domain spoofing.
5. Implement procedures to authenticate requests for financial or data transactions and move high-risk transactions to more authenticated systems.

Learn more

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Business email compromise: How Microsoft is combating this costly threat appeared first on Microsoft Security Blog.

Whether it’s sophisticated nation-state attacks, targeted phishing schemes, business email compromise or a ransomware attacks, such attacks are on the rise at an alarming rate and are also increasing in their sophistication. It is therefore imperative that every organization’s security strategy include a robust email security solution.

So, what should IT and security teams be looking for in a solution to protect all their users, from frontline workers to the C-suite? Here are 6 tips to ensure your organization has a strong email security posture:

You need a rich, adaptive protection solution.

As security solutions evolve, bad actors quickly adapt their methodologies to go undetected. Polymorphic attacks designed to evade common protection solutions are becoming increasingly common. Organizations therefore need solutions that focus on zero-day and targeted attacks in addition to known vectors. Purely standards based or known signature and reputation-based checks will not cut it.

Solutions that include rich detonation capabilities for files and URLs are necessary to catch payload-based attacks. Advanced machine learning models that look at the content and headers of emails as well as sending patterns and communication graphs are important to thwart a wide range of attack vectors including payload-less vectors such as business email compromise. Machine learning capabilities are greatly enhanced when the signal source feeding it is broad and rich; so, solutions that boast of a massive security signal base should be preferred. This also allows the solution to learn and adapt to changing attack strategies quickly which is especially important for a rapidly changing threat landscape.

Complexity breeds challenges. An easy-to-configure-and-maintain system reduces the chances of a breach.

Complicated email flows can introduce moving parts that are difficult to sustain. As an example, complex mail-routing flows to enable protections for internal email configurations can cause compliance and security challenges. Products that require unnecessary configuration bypasses to work can also cause security gaps. As an example, configurations that are put in place to guarantee delivery of certain type of emails (eg: simulation emails), are often poorly crafted and exploited by attackers.

Solutions that protect emails (external and internal emails) and offer value without needing complicated configurations or emails flows are a great benefit to organizations. In addition, look for solutions that offer easy ways to bridge the gap between the security teams and the messaging teams. Messaging teams, motivated by the desire to guarantee mail delivery, might create overly permissive bypass rules that impact security. The sooner these issues are caught the better for overall security. Solutions that offer insights to the security teams when this happens can greatly reduce the time taken to rectify such flaws thereby reducing the chances of a costly breach

A breach isn’t an “If”, it’s a “When.” Make sure you have post-delivery detection and remediation.

No solution is 100% effective on the prevention vector because attackers are always changing their techniques. Be skeptical of any claims that suggest otherwise. Taking an ‘assume breach’ mentality will ensure that the focus is not only on prevention, but on efficient detection and response as well. When an attack does go through the defenses it is important for security teams to quickly detect the breach, comprehensively identify any potential impact and effectively remediate the threat.

Solutions that offer playbooks to automatically investigate alerts, analyze the threat, assess the impact, and take (or recommend) actions for remediations are critical for effective and efficient response. In addition, security teams need a rich investigation and hunting experience to easily search the email corpus for specific indicators of compromise or other entities. Ensure that the solution allows security teams to hunt for threats and remove them easily.
Another critical component of effective response is ensuring that security teams have a good strong signal source into what end users are seeing coming through to their inbox. Having an effortless way for end users to report issues that automatically trigger security playbooks is key.

Your users are the target. You need a continuous model for improving user awareness and readiness.

An informed and aware workforce can dramatically reduce the number of occurrences of compromise from email-based attacks. Any protection strategy is incomplete without a focus on improving the level of awareness of end users.

A core component of this strategy is raising user awareness through Phish simulations, training them on things to look out for in suspicious emails to ensure they don’t fall prey to actual attacks. Another, often overlooked, but equally critical, component of this strategy, is ensuring that the everyday applications that end-users use are helping raise their awareness. Capabilities that offer users relevant cues, effortless ways to verify the validity of URLs and making it easy to report suspicious emails within the application — all without compromising productivity — are very important.

Solutions that offer Phish simulation capabilities are key. Look for deep email-client-application integrations that allow users to view the original URL behind any link regardless of any protection being applied. This helps users make informed decisions. In addition, having the ability to offer hints or tips to raise specific user awareness on a given email or site is also important. And, effortless ways to report suspicious emails that in turn trigger automated response workflows are critical as well.

Attackers meet users where they are. So must your security.

While email is the dominant attack vector, attackers and phishing attacks will go where users collaborate and communicate and keep their sensitive information. As forms of sharing, collaboration and communication other than email, have become popular, attacks that target these vectors are increasing as well. For this reason, it is important to ensure that an organization’s anti-Phish strategy not just focus on email.

Ensure that the solution offers targeted protection capabilities for collaboration services that your organization uses. Capabilities like detonation that scan suspicious documents and links when shared are critical to protect users from targeted attacks. The ability in client applications to verify links at time-of-click offers additional protection regardless of how the content is shared with them. Look for solutions that support this capability.

Attackers don’t think in silos. Neither can the defenses.

Attackers target the weakest link in an organization’s defenses. They look for an initial compromise to get in, and once inside will look for a variety of ways increase the scope and impact of the breach. They typically achieve this by trying to compromise other users, moving laterally within the organization, elevating privileges when possible, and the finally reaching a system or data repository of critical value. As they proliferate through the organization, they will touch different endpoints, identities, mailboxes and services.

Reducing the impact of such attacks requires quick detection and response. And that can only be achieved when the defenses across these systems do not act in silos. This is why it is critical to have an integrated view into security solutions. Look for an email security solution that integrates well across other security solutions such as endpoint protection, CASB, identity protection, etc. Look for richness in integration that goes beyond signal integration, but also in terms of detection and response flows.

The post Top 6 email security best practices to protect against phishing attacks and business email compromise appeared first on Microsoft Security Blog.

This is why I’m excited to announce the general availability of Automated Incident Response in Office 365 Advanced Threat Protection (ATP). Applying these powerful automation capabilities to investigation and response workflows can dramatically improve the effectiveness and efficiency of your organization’s security teams.

A day in the life of a security analyst

To give you an idea of the complexity that security teams deal with in the absence of automation, consider the following typical workflow that these teams go through when investigating alerts:

And as they go through this flow for every single alert—potentially hundreds in a week—it can quickly become overwhelming. In addition, the analysis and investigation often require correlating signals across multiple different systems. This can make effective and timely response very difficult and costly. There are just too many alerts to investigate and signals to correlate for today’s lean security teams.

To address these challenges, earlier this year we announced the preview of powerful automation capabilities to help improve the efficiency of security teams significantly. The security playbooks we introduced address some of the most common threats that security teams investigate in their day-to-day jobs and are modeled on their typical workflows.

This story from Ithaca College reflects some of the feedback we received from customers of the preview of these capabilities, including:

“The incident detection and response capabilities we get with Office 365 ATP give us far more coverage than we’ve had before. This is a really big deal for us.”
—Jason Youngers, Director and Information Security Officer, Ithaca College

Two categories of automation now generally available

Today, we’re announcing the general availability of two categories of automation—automatic and manually triggered investigations:

1. Automatic investigations that are triggered when alerts are raised—Alerts and related playbooks for the following scenarios are now available:
   • User-reported phishing emails—When a user reports what they believe to be a phishing email, an alert is raised triggering an automatic investigation.
   • User clicks a malicious link with changed verdict—An alert is raised when a user clicks a URL, which is wrapped by Office 365 ATP Safe Links, and is determined to be malicious through detonation (change in verdict). Or if the user clicks through the Office 365 ATP Safe Links warning pages an alert is also raised. In both cases, the automated investigation kicks in as soon as the alert is raised.
   • Malware detected post-delivery (Malware Zero-Hour Auto Purge (ZAP))—When Office 365 ATP detects and/or ZAPs an email with malware, an alert triggers an automatic investigation.
   • Phish detected post-delivery (Phish ZAP)—When Office 365 ATP detects and/or ZAPs a phishing email previously delivered to a user’s mailbox, an alert triggers an automatic investigation.
2. Manually triggered investigations that follow an automated playbook—Security teams can trigger automated investigations from within the Threat Explorer at any time for any email and related content (attachment or URLs).

Rich security playbooks

In each of the above cases, the automation follows rich security playbooks. These playbooks are essentially a series of carefully logged steps to comprehensively investigate an alert and offer a set of recommended actions for containment and mitigation. They correlate similar emails sent or received within the organization and any suspicious activities for relevant users. Flagged activities for users might include mail forwarding, mail delegation, Office 365 Data Loss Prevention (DLP) violations, or suspicious email sending patterns.

In addition, aligned with our Microsoft Threat Protection promise, these playbooks also integrate with signals and detections from Microsoft Cloud App Security and Microsoft Defender ATP. For instance, anomalies detected by Microsoft Cloud App Security are ingested as part of these playbooks. And the playbooks also trigger device investigations with Microsoft Defender ATP (for malware playbooks) where appropriate.

Let’s look at each of these automation scenarios in detail:

User reports a phishing email—This represents one of the most common flows investigated today. The alert is raised when a user reports a phish email using the Report message add-in in Outlook or Outlook on the web and triggers an automatic investigation using the User Reported Message playbook.

User clicks on a malicious link—A very common vector used by attackers is to weaponize a link after delivery of an email. With Office 365 ATP Safe Links protection, we can detect such attacks when links are detonated at time-of-click. A user clicking such links and/or overriding the Safe Links warning pages is at risk of compromise. The alert raised when a malicious URL is clicked triggers an automatic investigation using the URL verdict change playbook to correlate any similar emails and any suspicious activities for the relevant users across Office 365.

Email messages containing malware removed after delivery—One of the critical pillars of protection in Office 365 Exchange Online Protection (EOP) and Office 365 ATP is our capability to ZAP malicious emails. Email messages containing malware removed after delivery alert trigger an investigation into similar emails and related user actions in Office 365 for the period when the emails were present in a user’s inbox. In addition, the playbook also triggers an investigation into the relevant devices for the users by leveraging the native integration with Microsoft Defender ATP.

Email messages containing phish removed after delivery—With the rise in phishing attack vectors, Office 365 EOP and Office 365 ATP’s ability to ZAP malicious emails detected after delivery is a critical protection feature. The alert raised triggers an investigation into similar emails and related user actions in Office 365 for the period when the emails were present in a user’s inbox and also evaluates if the user clicked any of the links.

Automated investigation triggered from within the Threat Explorer—As part of existing hunting or security operations workflows, Security teams can also trigger automated investigations on emails (and related URLs and attachments) from within the Threat Explorer. This provides Security Operations (SecOps) a powerful mechanism to gain insights into any threats and related mitigations or containment recommendations from Office 365.

Try out these capabilities

Based on feedback from our public preview of these automation capabilities, we extended the Office 365 ATP events and alerts available in the Office 365 Management API to include links to these automated investigations and related artifacts. This helps security teams integrate these automation capabilities into existing security workflow solutions, such as SIEMs.

These capabilities are available as part of the following offerings. We hope you’ll give it a try.

• Office 365 ATP Plan 2
• Office 365 E5
• Microsoft 365 E5 Security, which includes the full Microsoft Threat Protection experience

Bringing SecOps efficiency by connecting the dots between disparate threat signals is a key promise of Microsoft Threat Protection. The integration across Microsoft Threat Protection helps bring broad and valuable insights that are critical to the incident response process. Get started with a Microsoft Threat Protection trial if you want to experience the comprehensive and integrated protection that Microsoft Threat Protection provides.

The post Automated incident response in Office 365 ATP now generally available appeared first on Microsoft Security Blog.