We've just raised $4m to measure and mitigate human cyber security risk... Find out more

3rd December 2020

Microsoft: phishing fools even savvy tech professionals

Everything Else

Microsoft's report can be found here.

For those of us who remember the Microsoft of the late 90s and early 2000s, it’s still a little hard to put Microsoft and security in the same favourable sentence, but here goes: Microsoft’s annual Digital Defence Report sums up as a sort of "state of computer security 2020"...and it's worth a read.

Times change and so do companies, and Microsoft isn’t the same, stumbling security foal that it was two decades ago. These days it’s serious about cybersecurity and its enormous global footprint gives it a lot of insight into the way that threats are evolving (a point made in the report with the slightly chilling boast that it receives "8 trillion security signals per day").

Which is why we were delighted that its 2020 Digital Defence report reads like a ringing endorsement for the thinking and technology behind CultureAI.

Rightly, the report puts a significant focus on the big-ticket threats of BEC (Business Email Compromise), ransomware and banking trojans. Banking trojans like Emotet and Trickbot don’t generate the same news headlines as ransomware but they are highly sophisticated and just as dangerous (and often a vector for delivering ransomware anyway).

Any one of these attacks can cost your business millions and the criminals behind them are experts at finding and exploiting the weakest links in an organisation’s security.

For BEC and banking trojans, and to a lesser extent ransomware, finding the weakest link typically involves rapidly evolving and increasingly sophisticated phishing attacks. Attacks that Microsoft says are good enough to fool almost anyone (my emphasis):

“Email phishing in the enterprise context continues to grow and has become a dominant vector … the criminals behind these attacks are now spending significant time, money, and effort to develop scams that are sufficiently sophisticated to victimize even savvy professionals.”

The old trope of phishing emails being poorly written, badly-spelled knock-offs is well and truly put to bed:

“A phishing email can be a massive campaign targeting millions of users or a single, targeted email that represents a socially engineered marvel many months in the making.“

One of the reasons that phishing emails work is because they look like emails people are expecting to receive. In the case of BEC that might be an email from the CEO or CFO. For attacks that steal usernames and passwords, it increasingly means imitating well known, global brands. Microsoft reports that the top five spoofed brands seen by users of Office365 are Microsoft, UPS, Amazon, Apple, and Zoom, for example.

So what can be done to prevent it?

Well, it’s not news (we hope) that you need to train users to spot phishing emails, but as Microsoft points out, criminals are relying on phishing more than they used to, not less, which doesn’t say much for the general state of training.

In the Digital Defence Report, Microsoft uses its own approach to training as model of what other companies can do, saying that it’s:

”...shifting away from general awareness content and a one-size-fits-all approach toward a more tailored and data-driven strategy.“

We agree. Tailored and data-driven education is exactly what CultureAI delivers, to solve exactly the problems highlighted in the report. Traditional phishing simulation campaigns can’t keep up with the pace of phishing evolution, and they can’t mimic an attacker’s ability to zero-in on each individual employee’s weak spot.

Effective phishing simulation needs to run, and evolve, continuously and it needs to be personalised for every. single. user.

And, as Microsoft also points out, while phishing is vitally important, phishing training on its own only gets you so far (my emphasis).

“Phishing is, of course, just one element of an overall security awareness program. Organizations should establish an awareness program that takes a holistic approach, utilizing multiple levers with data and telemetry at its center.”

At this point we feel like Microsoft is literally writing our brochure for us.

So, Microsoft of 2020 isn’t the Microsoft of 2002 and its Digital Defence Report is well worth a read. But if we have one small criticism, it’s this: all of this was true two years ago. It’s the reason we started CultureAI, it’s why we built a scalable platform that simulates phishing continuously and automatically, and it’s why that phishing simulator isn’t the end of the story but one (admittedly very important) part of an integrated Security Culture Management System.

Enter your email address to get full access

James Moore, CultureAI
James Moore
Trusted by

Get started now with 30 days free, instant access

Build a security culture where people prevent breaches.