In the context of information technology, social engineering is a dangerous form of manipulation. It is often used to get people to divulge confidential information that can range from login credentials to credit card numbers. One of the most prevalent forms of social engineering in the IT world is phishing. No business is immune from being targeted by these malicious attacks, but it seems we’re seeing an increase in Microsoft Office 365 phishing.
Recently, phishers have been sending specialized links to Microsoft Office 365 users. These links take the user to a login page. After the login details are submitted, the page prompts the user to install a malicious application. This malware grants the hacker persistent access to your emails and files.
Specifically, the way this attack is carried out is through an email. The link in the email doesn’t take you to a suspicious website; it takes you to the official Office 365 login page. Once logged in, you might see a legitimate-looking pop up asking for permissions for a known and trusted application—like Sharepoint. If you click approve, the attacker is able to bypass security measures—including multi-factor authentication—because the user gave the phisher permission.
The one thing that makes social engineering so scary is it’s specifically designed to prey on the natural helpfulness of people or exploit their perceived personality weaknesses. This is particularly troubling for businesses as employees can unwittingly undermine security efforts. The strength of your company’s cybersecurity doesn’t mean much when it’s your employees who are compromising your network.
As mentioned earlier, phishing is a form of social engineering. Like in this new story, phishing can easily be used to trick employees into doing the cybercriminal’s dirty work. However, what Office 365 users are experiencing isn’t just simple phishing, it’s a more advanced version of the attack. This type of phishing is known as spear phishing.
You can consider spear phishing as a subsection of phishing. While it uses a similar strategy to phishing, this version of the attack is aimed at a specific individual or group. Before performing this attack, a hacker usually gathers information on the target to make the message more convincing.
Now that you know the danger Microsoft 365 owners face, it’s time to talk about what you can do to protect yourself and your team. The first step to remaining secure is to build awareness around the issue. Explain to your staff why phishing scams are dangerous and that businesses are a prime target for these attacks. From there, you should create a security awareness program that trains your employees on how to spot and avoid cyber risks.
A security awareness program should include four key elements: communication, checklists, content, and controls.
- Communication: Security needs to be an ongoing conversation throughout your organization. Upper management needs to regularly communicate to all employees that cybersecurity is essential to your business.
- Checklists: Checklists serve as a way to ensure that cybersecurity best practices are being followed. With a checklist, your company can stay organized when developing, delivering, and maintaining a security awareness program.
- Content: Security awareness training should be coupled with supporting content. Items like a security handbook, role-based guides, and more can provide a much needed reference for employees who want to brush up on their training.
- Controls: When people make mistakes, you are going to need to be prepared. A control is a guardrail that ensures that an individual and the system they’re using can only do what their roles dictate. If they want to go beyond that, they need the appropriate approval. This allows you to more easily contain incidents when they occur.
The Logic Group is a full-service IT provider that has delivered first-class IT services to a variety of businesses since 1996. We offer a robust cybersecurity solution we call LogiGuard Complete to protect our clients from intrusive cyberthreats. Our service can come a-la-carte or bundled depending on your business needs.
Contact us today to learn more about our LogiGuard Complete solution.