Cybercriminals have perfected their ability to craft special email phishing attacks to bypass Microsoft email defenses, according to a study by Avanan, a Check Point company.
Considering Microsoft 365 as a crucial initial entry point for many organizations, attackers design and test each phishing attack to ensure it bypasses Microsoft’s default security defenses.
Avanan clarified that Microsoft’s failure to stop email threats was not because its email security features had deteriorated but because hackers had become better and faster at designing evasive attacks.
The email security platform analyzed three million emails received by its customers who use the tool as the last line of defense against threats that bypass Microsoft’s default security tools.
More email phishing attacks bypass Microsoft Exchange Online Protection (EOP) and Defender.
Avanan found that Microsoft email security tools allowed nearly a fifth (18.8%) of phishing messages to reach their targets.
According to the study, the miss rate of Microsoft Exchange Online Protection (EOP) and Defender rose by 74% relative to 2020, when only 10.8% of phishing messages got through.
However, the miss rate increased to 42% when cybercriminals crafted special email phishing attacks against the targets’ finances, for example, fake invoices and Bitcoin transfers.
Microsoft Defender also missed 22% of brand impersonation attacks, 21% of credential harvesting attempts, and 12% of social engineering attacks.
Microsoft’s detection rate was lower still for larger organizations, where 50-70% of phishing emails reached their targets’ inboxes. By contrast, Avanan’s previous research had found no correlation between miss rate and organization size in 2020, when some large companies recorded a miss rate of just 2.6%.
Avanan highlighted one large organization with over 53,000 employees where the IT staff mitigated just 59 of 910 phishing messages, a meager 7%. That organization reported needing 16 full-time employees to handle user-reported phishing emails, and Avanan found that manual response to security issues consumed 23% of the staff’s time.
The researchers also found an organization spending 2,500 hours, or 104 days, responding to user-reported phishing attempts. That time drain crowded out other priorities and contributed to burnout among its tech and security employees.
Dumpster diving leads to successful email phishing attacks
The study by the email security platform found that Microsoft Defender sends 7% of phishing emails to the Junk folder.
Routing detections to the Junk folder risks employees retrieving them by “dumpster diving.” Many organizations nevertheless prefer sending flagged messages to Junk rather than blocking them outright, to avoid losing legitimate email.
“End-users become accustomed to dumpster diving in the Junk folder for legitimate messages,” the researchers said. “Users may act on a phishing email by mistake with many emails to root through in the junk folder with no distinction between treasure and trash.”
Microsoft excels in blocking BEC attacks and malware attachments
Microsoft did better in other areas, stopping 93% of business email compromise (BEC) messages and 90% of malware attachments.
The researchers noted that most phishing campaigns are built and tested against Microsoft’s defenses specifically. Although the tech giant was losing ground in some areas, the reduced effectiveness was not a referendum on its security practices.
“This represents not a decline in Microsoft effectiveness but rather an increase in targeted attacks designed directly to bypass Microsoft. Hackers, in other words, have stepped up their game.”
To slip past anti-phishing defenses, attackers host malicious content on legitimate services instead of on known-bad domains, mask URLs so the displayed link does not match the real destination, and avoid attachments altogether.
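The URL-masking tactic above is one that a downstream filter can check for without any reputation data, by comparing what an anchor shows the user with where it actually points. The following is an added example written for this article, not code from Avanan or Microsoft. The HTML body, the hostnames, and the RFC 5737 test address are all constructed; the registrable-domain helper is a deliberate simplification (last two labels) that real code would replace with a public suffix list lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (hypothetical; not taken from the study).
# Link 1: anchor text shows a Microsoft URL, href goes elsewhere.
# Link 2: benign, text is a label rather than a URL.
# Link 3: "userinfo" trick, the real host is everything after the '@'.
SAMPLE_EMAIL_HTML = """
<p>Your invoice is ready.
<a href="https://login.example-invoice.net/pay">https://portal.microsoft.com/invoices</a></p>
<p>Visit the <a href="https://www.microsoft.com/en-us/security">Security centre</a>.</p>
<p>Sign in at <a href="https://microsoft.com@198.51.100.7/login">microsoft.com</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def registrable_domain(host):
    """Simplification: last two DNS labels (IP literals returned as-is).
    Production code should use the public suffix list instead."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def domain_in_text(text):
    """If the anchor text looks like a URL or bare hostname, return its
    registrable domain; otherwise None (plain labels are not URLs)."""
    candidate = text.strip()
    if " " in candidate or "." not in candidate:
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    return registrable_domain(host) if host else None


def find_masked_links(html):
    """Return one finding per anchor whose displayed destination does not
    match the real one. Each finding lists every reason it was flagged."""
    findings = []
    for href, text in extract_links(html):
        try:
            parsed = urlparse(href)
        except ValueError:
            findings.append({"href": href, "text": text, "host": None,
                             "reasons": ["href does not parse as a URL"]})
            continue
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue  # mailto:, tel:, relative links: out of scope here
        target = registrable_domain(parsed.hostname)
        reasons = []
        if parsed.username is not None:
            reasons.append(f"userinfo '{parsed.username}' masks real host "
                           f"{parsed.hostname}")
        shown = domain_in_text(text)
        if shown is not None and shown != target:
            reasons.append(f"anchor text shows {shown} but link resolves to "
                           f"{target}")
        if reasons:
            findings.append({"href": href, "text": text,
                             "host": parsed.hostname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_masked_links(SAMPLE_EMAIL_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the constructed body, the first and third anchors are flagged and the benign "Security centre" link is not. In a real pipeline this would run over the decoded text/html MIME part of each message, and the findings would feed a score rather than a hard block, since newsletters and tracking links routinely show one domain and point at another.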
Avanan researchers predicted that attackers would continue inventing ways to bypass default email security features and additional layers.