Collaboration tools such as Office 365, SharePoint and G-Suite are often a business’s best friend, allowing colleagues to quickly share, edit and review documents on the go. However, the growth in popularity of these tools has also sparked an upsurge in cyber criminals targeting these platforms – particularly Office 365. With Business Email Compromise (BEC) attacks on the rise, Office 365 users are, in fact, among the most heavily targeted. According to the FBI, BEC attacks were responsible for more than $5.3 billion in losses between 2013 and 2016.
Now, with Microsoft’s acquisition of the world’s biggest professional networking site, LinkedIn, it seems that there will be even more avenues for email fraudsters to take when targeting businesses and their employees using BEC methods.
Soon, Office 365 users will be able to co-edit documents from within LinkedIn. While the rollout date is to be confirmed, the plan was announced recently at Microsoft’s Ignite Conference on September 24. The linking of the platform with Office 365 is set to be one of the deepest integrations since the acquisition completed in 2016, with O365 users’ company directories and LinkedIn contacts being integrated into a single, collaborative experience.
While such integration might be welcomed, there’s reason to believe the move could raise what is an already heightened threat from phishing and other advanced email attacks against the platform’s users and their companies.
Does security have its head in the clouds?
According to ThreatPost, organisations using O365, including many Fortune 500 companies, were among the hardest hit by BEC attacks in the last year—with an average of $2 million in losses. Will this O365-LinkedIn mashup make this worrying situation even worse?
That depends. These days, the attraction of cloud-based platforms such as G-Suite, O365 and others is undeniable; they can help reduce operations and management overhead for the business and offer a stable email experience with all the security features most businesses use today.
The problem: The security defences offered by these tools aren’t nearly enough. While most cloud platforms can protect your organisation against spam and known viruses and malware, for instance, most fall short against the advanced forms of email fraud that have cost businesses more than $12.5 billion over the last five years.
For example, a BEC variant called a PhishPoint attack has seen scammers setting up O365 accounts to place documents within SharePoint. Posing as colleagues, they then send invitations to targets, offering to allow them to edit the file. Because it is a legitimate SharePoint request, it makes it through the malware scans and most other security barriers, leaving it up to the target to determine its true nature – not an easy ask when these fake requests are so well crafted.
Once the file is opened the viewer is presented with what looks like a legitimate OneDrive file. In fact, it leads to a fake OneDrive login screen, which allows the fraudsters to steal their login credentials.
This kind of attack is so effective because it uses social engineering tactics to perpetrate fraud not against computer systems, but against the weakest link in any organisation’s cyber-defenses - human beings. Quite simply, victims are much more likely to be fooled into taking a particular action if they believe they’re responding to a trusted executive, colleague or business partner.
Unfortunately, the cybercriminals behind these attacks seem to have found cloud platforms can be an absolute goldmine. That’s because O365 isn’t just a cloud-based email platform. It’s an ecosystem. Once the fraudsters have access to user credentials a whole world of opportunities opens up, with various avenues to exploit from emails, sensitive documents, contacts and more.
Once a fraudster has got in they can launch a “chain phishing attack,” using executive impersonation scams, requesting fraudulent wire transfers, stealing valuable IP or sensitive information, or redirecting employee paychecks.
Those same credentials can also grant access to other O365-connected services, from SharePoint, to Skype, to Yammer, to Azure and—soon—LinkedIn. From there, fraudsters can wage new attacks on outside contacts by taking advantage of the legitimacy that comes with using the genuine email address of an employee at a trusted business.
Human fallibility meets machine learning
Combatting this issue is no easy ask. While security awareness and phishing training can help, employees—especially in IT—are among the most susceptible to BEC attacks. In the face of this, some organisations will attempt to toughen up existing security solutions, and we will likely see them lobbying Microsoft to do the same.
Others will find they need to augment O365 with modern, machine learning-based solutions with advanced modelling and behavioural analytics capabilities that can assess not just who’s sending what from where, but also whether their behaviour makes sense given the context of the message and the relationship between sender and recipient.
A well-trained machine learning solution goes beyond charting general user behaviour to map specific individuals and their interactions with others. From here, it is possible to map what ‘good’ behaviour looks like. This is important, as mapping the ‘bad’ assumes that criminals will continue using tried methods. We know they don’t – they adapt to shifting trends and to circumvent new defences.
However, making models of good behaviour can help to spot anomalous behaviour and weed out the ‘bad’.
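An added illustration, not from the article or from any vendor's product, of modelling 'good' behaviour: a plain frequency baseline of sender-recipient relationships stands in for the machine learning models described above, and it is applied to a sharing invitation of the kind used in the PhishPoint scenario. All addresses, signal names and the min_history threshold are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed history of legitimate mail: (display name, sender address, recipient).
HISTORY = [
    ("Dana Reyes", "dana.reyes@example-corp.test", "sam.lee@example-corp.test"),
    ("Dana Reyes", "dana.reyes@example-corp.test", "sam.lee@example-corp.test"),
    ("Dana Reyes", "dana.reyes@example-corp.test", "sam.lee@example-corp.test"),
    ("Omar Haddad", "omar@supplier.test", "sam.lee@example-corp.test"),
]

class GoodBehaviourModel:
    """Baseline of who normally writes to whom, and under which name."""

    def __init__(self, min_history=2):
        self.min_history = min_history   # assumed threshold for an established pair
        self.pairs = defaultdict(int)    # (sender, recipient) -> messages seen
        self.names = defaultdict(set)    # display name -> addresses that used it
        self.domains = set()             # sender domains seen in good mail

    def learn(self, name, sender, recipient):
        sender, recipient = sender.lower(), recipient.lower()
        self.pairs[(sender, recipient)] += 1
        self.names[name.strip().lower()].add(sender)
        self.domains.add(sender.rsplit("@", 1)[-1])

    def assess(self, name, sender, recipient, share_invite=False):
        """Return the ways a message departs from the learned baseline."""
        sender, recipient = sender.lower(), recipient.lower()
        seen = self.pairs.get((sender, recipient), 0)
        reasons = []
        known = self.names.get(name.strip().lower())
        if known and sender not in known:
            reasons.append("display_name_used_by_new_address")
        if sender.rsplit("@", 1)[-1] not in self.domains:
            reasons.append("sender_domain_never_seen")
        if seen == 0:
            reasons.append("no_prior_relationship")
        # A sharing invite passes content scans, so relationship history is the signal.
        if share_invite and seen < self.min_history:
            reasons.append("share_invite_without_history")
        return reasons

def build_model(history=HISTORY):
    model = GoodBehaviourModel()
    for name, sender, recipient in history:
        model.learn(name, sender, recipient)
    return model
```

An empty list means the message fits the learned relationship. A baseline like this says nothing about mail sent from an already compromised genuine account, which is why the context of the message matters as well as the relationship.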
Machine learning provides the best chance of defending against these ever-subtler threats, with ever greater integrations. As such, machine learning’s ability to analyse vast data sets and create highly accurate behaviour models is an incredibly valuable security asset.
These same technologies are used by some of the world’s most prominent financial institutions, social media platforms, and government agencies to block BEC cons and stay ahead of cybercriminals. As greater integration provides criminals with more avenues of exploitation it will be interesting to see how long it will take organisations to cotton on to the power of machine learning to combat these threats to collaboration.
Paul Chavez, Product Manager, Agari
Image Credit: Dennizn / Shutterstock