Not too long ago, a customer contacted us with alarming news - a C-level executive in their organization had fallen victim to a phishing attack. Since they're using the Paubox Email API, they wanted to know if we had any additional solutions for email security that could help them.
I asked our customer contact if they had access to any emails from the phishing attack they could send us for diagnosis. Minutes later, I got a few. This post explains how we helped them with their phishing problems.
Problems with Microsoft 365 Email Security
As we've seen many times this year, HIPAA organizations (Covered Entities and Business Associates) are submitting HIPAA Email Breach reports to the HHS Wall of Shame because of successful phishing attacks.
An alarming number of those successful phishing attacks are happening to organizations using Microsoft 365 for email.
Although Microsoft 365 does include email security in its offering, it is clearly not enough: in the past four months alone we have written up five separate examples of it failing on this blog. As you may have guessed, our customer also used Microsoft 365 for corporate email.
Inspecting the Phishing Attack
When we inspected the phishing attack, we immediately saw that someone in Finance (call them the CFO) had received an email purportedly from their CEO, asking them to set up a payment to a vendor.
The From line carried the CEO's name as the display name, but the actual sending address was on a domain called office-secure-ssl-mail-apps-server1099-portal.management, not the company's own domain.
With names removed, it looked like this:

--
From: CEO [email@example.com]
Sent: Thursday, June 28, 2018 10:26 AM
To: CFO
Subject: Payment

CFO,

Can we setup payment to a vendor today ?
--

In larger organizations, it only takes a few minutes of scraping the internet to discover the names of the entire C-suite management team.
Since the attacker already had the first and last names of the CFO and CEO, they relied on urgency (note the word today) to get the request acted on before anyone looked closely at the sender.
DomainAge: An Effective Method to Combat Phishing Attacks
Phishing attacks like this are nothing new; Microsoft 365's repeated inability to stop them is.
Here's why this Phishing attack evaded Microsoft 365:
- The email came from a domain called office-secure-ssl-mail-apps-server1099-portal.management.
- At the time the email was sent, neither the domain nor the IP behind it was on any blacklist. In other words, office-secure-ssl-mail-apps-server1099-portal.management had a neutral reputation on the internet.
- Within 4-6 hours, most security providers will catch on to this domain and blacklist it.
- But before that happens, the attackers have already registered more domain names and are repeating the same attack from a new, neutral domain. As an aside, some domain registrars allow fully automated domain registration, which is a topic in itself.
- The process repeats over and over again. Using standard, reputation-based detection, the good guys can never catch up.
What if, however, you looked at the problem differently? Because of our deep domain expertise in email, we have already built solutions to phishing attacks like these. One of them is a powerful tool we built in-house called DomainAge.
DomainAge is part of Paubox Email Suite Plus and Premium.
Here's how DomainAge works:
- The same email comes from a domain called office-secure-ssl-mail-apps-server1099-portal.management.
- Paubox does a quick check on the age of the domain.
- It turns out the domain was registered the day before the email was sent.
- Why would anyone send legitimate business email from a domain name that was registered yesterday? Paubox immediately quarantines the email, preventing it from reaching the recipient's inbox.
- Phishing attack stopped in its tracks.
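The steps above amount to a small, self-contained rule: pull the sending domain out of the From line, look up when it was registered, and quarantine anything younger than a threshold. The script below is an added illustration of that rule, not Paubox's DomainAge code. It assumes a 30-day threshold (the post only says "registered yesterday"), uses a constructed in-memory table of WHOIS creation dates in place of a live WHOIS/RDAP query so it runs offline, and takes the registrable domain as the last two labels of the hostname (fine for example.com and the .management domain in the post, wrong for suffixes like co.uk, where a real filter would use the Public Suffix List). It also handles two edge cases the post's narrative does not reach: a From line with no parseable address, and a domain whose registration date cannot be determined, both of which it quarantines rather than trusts.

```python
import re
from datetime import date

# Assumed policy threshold; the post only says the domain was "registered yesterday".
MIN_AGE_DAYS = 30

# Sent date from the post's sample email, used as "today" for the age calculation.
SAMPLE_RECEIVED = date(2018, 6, 28)

# Constructed WHOIS creation dates standing in for a live WHOIS/RDAP lookup so the
# example runs offline. The first entry mirrors the post (registered the day before
# the email); the example.com date is made up for illustration.
CONSTRUCTED_WHOIS = {
    "office-secure-ssl-mail-apps-server1099-portal.management": date(2018, 6, 27),
    "example.com": date(1995, 8, 14),
}

# Matches user@host inside either "Name <user@host>" or the "Name [user@host]" form
# that Outlook produces when a message is forwarded as text.
_ADDR = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def sender_domain(from_header):
    """Return the lowercased registrable domain from a From: value, or None.

    Simplification (assumption): the registrable domain is the last two labels.
    A production filter would consult the Public Suffix List instead.
    """
    m = _ADDR.search(from_header)
    if not m:
        return None
    labels = m.group(1).lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_age_days(domain, today, whois=CONSTRUCTED_WHOIS):
    """Age of the domain in days, or None when no creation date is known."""
    created = whois.get(domain)
    return None if created is None else (today - created).days


def classify(from_header, today, whois=CONSTRUCTED_WHOIS):
    """Return ('quarantine' | 'deliver', reason) for one inbound message.

    Fails closed: an unparseable sender or an unknown registration date is
    quarantined rather than trusted, since both are what a throwaway
    attack domain looks like from the receiving side.
    """
    domain = sender_domain(from_header)
    if domain is None:
        return "quarantine", "no parseable sender address"
    age = domain_age_days(domain, today, whois)
    if age is None:
        return "quarantine", f"{domain}: registration date unknown"
    if age < MIN_AGE_DAYS:
        return "quarantine", f"{domain}: registered {age} day(s) ago"
    return "deliver", f"{domain}: registered {age} days ago"


if __name__ == "__main__":
    # Constructed From: lines; the first reproduces the attack pattern from the post.
    for hdr in [
        "CEO <ceo@office-secure-ssl-mail-apps-server1099-portal.management>",
        "CEO [ceo@example.com]",
        "Vendor <billing@never-registered.invalid>",
        "not an address at all",
    ]:
        print(hdr, "->", classify(hdr, SAMPLE_RECEIVED))
```

Run as written, the first and last two lines are quarantined and only the example.com message is delivered. The choice to quarantine on an unknown age is deliberate: a WHOIS timeout or a privacy-redacted record should not turn into a free pass, and a legitimate sender on a freshly registered domain is rare enough that a quarantine review is the right cost to pay.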
Conclusion: Paubox <> Microsoft 365 Integration
We were able to help our customer with their phishing problems by wrapping our HIPAA compliant email solution around their Microsoft 365 setup. With proper preparation, we were able to set up inbound email security for their organization in under 30 minutes.