{"id":86056,"date":"2018-10-17T09:00:01","date_gmt":"2018-10-17T16:00:01","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=86056"},"modified":"2023-05-15T23:03:14","modified_gmt":"2023-05-16T06:03:14","slug":"how-office-365-learned-to-reel-in-phish","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/10\/17\/how-office-365-learned-to-reel-in-phish\/","title":{"rendered":"How Office 365 learned to reel in phish"},"content":{"rendered":"

Today’s post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Jason Rogers, Principal Group Program Manager at Microsoft.

We recently reported how we measure catch rates of malicious emails for Office 365 Exchange Online Protection (EOP) (available with any Office 365 subscription) and Advanced Threat Protection (ATP) (available as a standalone service or with Office 365 E5).

Today, we’re sharing the results from the enhancements we made to anti-phish capabilities for Office 365 to address impersonation, spoof, and phish content and internal phish emails sent from compromised accounts. Over the last year, Microsoft’s threat analysts discovered threat actors pivoting from malware to sophisticated, often targeted phishing campaigns. The scale of these attacks and how quickly users click through on malicious links is shown in Figure 1.

Figure 1. Phish email statistics from Office 365 from January 2018 to September 2018.

Understanding the phish landscape

To develop solutions mitigating these modern phishing campaigns, our engineers rigorously analyzed phish emails in Office 365, uncovering a general pattern of phish campaigns following the path shown in Figure 2.

Figure 2. Phish email campaign pathway from initial reconnaissance to data exfiltration.

Additionally, since Office 365 is one of the world’s largest email service providers, Microsoft gains visibility and experience across most—if not all—types of cyber threats. Every day, Microsoft analyzes 6.5 trillion signals, and each month we analyze 400 billion emails while also detonating 1 billion items in our sandbox. This telemetry helps us understand the full spectrum of phish attacks and the sophisticated and varied methods used by attackers, summarized in Figure 3. With this understanding of the phish landscape, our engineers not only designed new capabilities, but also enhanced existing capabilities to address the phishing emails being launched at customers.

Figure 3. Phish emails attack spectrum and variety of attack methods.

Understanding the situation

When we began our journey of enhancing our anti-phish capabilities, we admittedly were not best of breed at mitigating phish. As we alluded to previously, transparency with customers is a core priority at Microsoft. Figure 4 shows the number of phish emails that Microsoft (Office 365) missed in comparison to several other vendors also protecting email for customers within Office 365.

From November 2017 to January 2018, you see that Office 365 (orange bar in Figure 4) was not the best solution at phish catch. (We previously discussed how we measure phish catch.) The values are based on normalized email volume. As the inset plot shows, the scale of mail volume in Office 365 far exceeds the mail volume of third-party vendors. Fundamentally, this scale is one of our differentiators and strengths, as it offers us much greater depth and breadth into the threat landscape.

Figure 4. Normalized phish email miss from November 2017 to January 2018 in Office 365 email traffic. Inset shows actual mail flow volume.

Solving the problem with our technology, operations, and partnerships

Leveraging our signal from mail flow, the expertise of 3,500 in-house security professionals, and our annual $1 billion investment in cybersecurity, we strategically addressed the growing wave of phishing campaigns. Our engineers determined four categories of phish emails and designed capabilities addressing each type. Figure 5 summarizes the enhancements made to the anti-phish capabilities in Office 365.

Figure 5. Phish email categories and anti-phish enhancements made in Office 365 to address the categories.

Details on all the anti-phish updates for Office 365 are available in the following posts: