
25 Percent of Phishing Emails Get Past Office 365 Security


A recent analysis of over 55 million emails sent through the Office 365 cloud platform found that out of those messages with confirmed phishing attempts, 25 percent were marked as clean by the Exchange Online Protection (EOP) service. Of the almost 550,000 phishing emails recorded going to Office accounts, only 20 percent were labeled as malicious and just under half were sent to spam folders.

Phishing Email Categories

Just over half of the phishing messages contained malware, while most of the rest were credential harvesting attempts, along with a few extortion and spearphishing attempts. Malware phishing emails (which deliver the infamous “trojan viruses”) use the message as both the vector and a form of concealment, as security systems do not register the email itself as malicious.

Credential harvesting attacks provoke the victim into providing access to non-public personal information (NPI), and most often imitate trusted brands. According to the report, one out of every 25 branded emails is in fact a spoofed phishing message. The most common disguise is Microsoft itself, with Amazon following close behind, except in holiday seasons, when Amazon becomes the dominant brand used for phishing attempts.

Office 365 – A Major Phishing Target

Office 365 remains one of the most popular enterprise applications and consequently was one of the most phished brands in 2018. The 365 platform presents an expanded target of opportunity for credential harvesting due to the networked storage and connected apps, as well as the Azure cloud. Though EOP is designed to deliver native cloud-hosted mailbox protection, sophisticated cybercriminals have been able to bypass this safeguard by exploiting a serious gap inherent in the system.


A technique termed “obfuscation” allows scammers employing malware to trick Office 365’s security layers by camouflaging URLs and HTML code using methods EOP does not pick up on. Placing zero-width spaces within links, along with other loopholes, confuses the email parsing system, which is not equipped to detect the altered characters and layout styles, or attached documents. This strategy can even fool human users if they are not prudent or are unfamiliar with the signs of a phishing attempt.
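As an added illustration (not part of the original article or any Microsoft tooling), the following Python sketch shows how a mail filter could flag the zero-width-space trick described above: it decodes the HTML body, strips invisible characters, and reports any link that only reads as an intact URL after normalization. The character list goes beyond the zero-width space the article names, and the sample message and `.test` domains are constructed.

```python
import re
from html.parser import HTMLParser

# Invisible code points to check (assumed list; the article names only zero-width spaces).
ZERO_WIDTH = {"\u200b": "ZERO WIDTH SPACE", "\u200c": "ZERO WIDTH NON-JOINER",
              "\u200d": "ZERO WIDTH JOINER", "\u2060": "WORD JOINER",
              "\ufeff": "ZERO WIDTH NO-BREAK SPACE"}
ZW_RE = re.compile("[" + "".join(ZERO_WIDTH) + "]")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample body: one entity-encoded character in an href, one raw in text.
SAMPLE = (
    '<p>Your mailbox is full. '
    '<a href="https://login.exam&#8203;ple.test/verify">Verify account</a></p>'
    '<p>Or paste https://portal.exam\u200dple.test/reset into your browser.</p>'
    '<p><a href="https://example.test/help">Help</a></p>'
)

def strip_zero_width(text):
    """Return (cleaned_text, sorted names of the invisible code points found)."""
    found = sorted({ZERO_WIDTH[ch] for ch in ZW_RE.findall(text)})
    return ZW_RE.sub("", text), found

class LinkAuditor(HTMLParser):
    """Collects href values and visible text; the parser decodes entities such as &#8203;."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hrefs, self.text = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]
    def handle_data(self, data):
        self.text.append(data)

def audit_email_html(body):
    """Flag URLs (href or visible text) that are intact only after stripping."""
    parser = LinkAuditor()
    parser.feed(body)
    parser.close()
    findings = []
    for href in parser.hrefs:
        cleaned, found = strip_zero_width(href)
        if found:
            findings.append({"where": "href", "normalized": cleaned, "chars": found})
    raw_text = "".join(parser.text)
    cleaned_text, found = strip_zero_width(raw_text)
    # A URL present only in the cleaned text was hidden from naive matching.
    hidden = set(URL_RE.findall(cleaned_text)) - set(URL_RE.findall(raw_text))
    for url in sorted(hidden):
        findings.append({"where": "text", "normalized": url, "chars": found})
    return findings
```

The normalized URL, not the raw string, is what should be passed to reputation or blocklist lookups.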

Do Not Rely on Your Email Provider Alone Against Phishing

Phishing is not going away any time soon and cybercriminals will continue to look for new ways to fool both systems and people into ignoring the obvious signs of a spoofed email. Basic security applications in popular email platforms will not be enough to combat the sophisticated methods employed by phishing attacks – only human diligence provides the best, most sustainable phishing defense.

Sign up for SWK’s Phishing Defender solution to receive the latest in educational and training resources to prepare yourself for the next spoofed email.
