Recently, Microsoft posted an article here covering some improvements to its email protection. It is a great initiative, but let's take a look at some of the claims and add our own grain of salt.
Attackers Are Still Emailing — Who Knew?
Many small and medium-sized businesses pick up Microsoft 365 E5 licensing just to keep their technology on a single stack, and E5 comes with Microsoft Defender for Office 365 (MDO). MDO has a nice console for exploring and inspecting your email posture. So nice, in fact, that you can likely just throw your "technology guy" at it if you don't have a "cyber guy".
In the article mentioned above, Microsoft points out that attackers have become more sophisticated in their campaigns. We haven't seen the "Nigerian Prince" scams in a while (well, not ones that get past spam filtering), and Microsoft is also correct that Business Email Compromise (BEC) has been quite effective. How the other party's mailbox gets compromised in the first place is a set of issues for a different article. Without going too deep: these BEC emails usually insert themselves into the middle of an existing email thread to deliver a final payload. That payload is typically either wire instructions or an Adversary-in-the-Middle (AiTM) phishing link. If you were emailing a construction company about a contract, the attacker watches and waits until you start talking about payment, and then throws their bogus bank details in. What makes this attack hard to detect is that it is highly contextual: the message comes from an established thread, on an expected subject, at the moment payment is expected.
Microsoft touts its level of data ingestion, and states that its AI was able to detect "99.995%" of "attacker intent" and reached the soaring heights of "140K BEC emails blocked daily".
Fantastic numbers, right? A key metric is missing, though, and it is easy to lose inside an "accuracy" figure: how many false positives were there? The AI may well discern plain spam or an attacker throwing random wire numbers into a thread, but how does it tell that apart from a real individual doing the same thing legitimately? Before you say "but, but... the AI figures that out!", remember that the same AI labels the Go development binary on your developer's workstation as malicious thanks to Microsoft Defender for Endpoint (MDE). Microsoft states in the article that attackers are also leveraging AI to craft their emails, so it likely wouldn't take much effort to make sure that final payload delivery doesn't look ridiculous. We have no doubt the detection is good, but we must be careful about integrating such solutions, as this could introduce alert fatigue on what is otherwise the concise platform that MDO is.
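To make the "contextual" problem from the thread-hijack description concrete, and to show where the false positives come from, here is a toy context-aware BEC check. It is an added example written for this post; it is not code from Microsoft or from MDO, and it does not represent how their detection works. The thread, participants and domains (acme.example, buildco.example, buildc0.example, buildco-accounts.example) are all constructed for the demonstration. The detector only knows what the thread history tells it: which sender domains are established, whether a reply comes from a newcomer, whether that newcomer's domain is a one-character lookalike of a known one, and whether the message steers toward payment.

```python
"""
Added example, not from the original post or from Microsoft's article.
A toy detector for thread-hijack BEC: a reply that lands mid-thread from a
sender outside the established participants and steers the conversation to
payment details. All messages and domains below are constructed/hypothetical.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed thread: a customer (acme.example) negotiating a contract with a
# construction company (buildco.example). Messages are in the order received.
THREAD = [
"""From: Pat Owner <pat@acme.example>
To: Sam Builder <sam@buildco.example>
Subject: Contract for warehouse roof
Message-ID: <1@acme.example>

Hi Sam, attaching the signed contract. When can you start?
""",
"""From: Sam Builder <sam@buildco.example>
To: Pat Owner <pat@acme.example>
Subject: RE: Contract for warehouse roof
Message-ID: <2@buildco.example>
In-Reply-To: <1@acme.example>
References: <1@acme.example>

Thanks Pat. We can start next Monday. Looking forward to it.
""",
# The hijack: a lookalike domain (buildc0, zero for 'o') replies into the
# thread at the right moment with "new" bank details.
"""From: Sam Builder <sam@buildc0.example>
To: Pat Owner <pat@acme.example>
Subject: RE: Contract for warehouse roof
Message-ID: <3@buildc0.example>
In-Reply-To: <2@buildco.example>
References: <1@acme.example> <2@buildco.example>

Hi Pat, our bank account changed this week. Please wire the deposit to
account 00123456, routing 987654321. Thanks!
""",
# A legitimate newcomer: buildco's bookkeeper, on a separate domain, also
# talking about payment. Context alone cannot separate this from the hijack.
"""From: Jo Books <jo@buildco-accounts.example>
To: Pat Owner <pat@acme.example>
Cc: Sam Builder <sam@buildco.example>
Subject: RE: Contract for warehouse roof
Message-ID: <4@buildco-accounts.example>
In-Reply-To: <2@buildco.example>
References: <1@acme.example> <2@buildco.example>

Hi Pat, Sam asked me to send the invoice. Payment terms are net 30, wire or ACH.
""",
]

PAYMENT_WORDS = re.compile(
    r"\b(wire|bank account|routing|account number|invoice|payment)\b", re.I)


def sender_domain(msg):
    """Domain part of the From: address, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()


def looks_alike(candidate, known):
    """True when candidate differs from some known domain by exactly one
    character substitution (same length, one mismatch), e.g. 'o' -> '0'."""
    return any(len(k) == len(candidate)
               and sum(a != b for a, b in zip(k, candidate)) == 1
               for k in known)


def scan_thread(raw_messages):
    """Return (message_id, verdict, reasons) per message, judging each one
    only against the thread history that preceded it."""
    known_domains = set()   # domains of messages we accepted so far
    results = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        dom = sender_domain(msg)
        body = msg.get_payload()
        reasons = []
        # A newcomer replying into an existing thread is the hijack pattern.
        new_party = bool(msg.get("In-Reply-To")) and dom not in known_domains
        if new_party and looks_alike(dom, known_domains):
            reasons.append("lookalike-domain")
        if new_party and PAYMENT_WORDS.search(body):
            reasons.append("new-party-payment-talk")
        verdict = "suspicious" if reasons else "ok"
        results.append((msg.get("Message-ID"), verdict, reasons))
        if verdict == "ok":          # never learn trust from a flagged sender
            known_domains.add(dom)
    return results


if __name__ == "__main__":
    for mid, verdict, reasons in scan_thread(THREAD):
        print(f"{mid:32} {verdict:10} {', '.join(reasons)}")
```

Running it flags message 3 (the hijack) on both the lookalike domain and the payment talk, but it also flags message 4, the real bookkeeper, on payment talk alone. That second hit is the false positive the post is asking about: the context signal that catches the attacker is the same signal a legitimate third party trips, and a published recall figure says nothing about how often that happens.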
Right now, we predict that this solution will be rapidly iterated upon, and that the first few renditions will either build an aura of over-confidence or cause a headache of alert fatigue. Use your best judgement, and if your organization only has a single technology guy, have him read up on some phishing cases first (here is a good example).
Not trying to be saucy, Microsoft! Just temper expectations instead of giving numbers that might paint a misleading picture.