Do you know if your organization is under attack? The short answer is yes, even if you don't know about it. If there is potential monetary gain from your organization, there is a bad actor out there targeting you, most likely indirectly. One of the most prevalent ways to target organizations today is phishing. Phishing refers to email-based attacks that aim to steal sensitive information, such as user credentials. Once a bad actor obtains that information, they can perform spear phishing attacks: phishing specifically targeted at certain recipients (such as executives or finance staff) with focused, customized content aimed at tricking those recipients into providing further information or eventually acting on monetary requests.
Additional noticeable trends today include:
- Identity Attacks (Iterate through known account names with most common passwords)
- Password Spray
- Brute Force
- Password re-use
- App and Data Layer Attacks
- Social Engineering via Spear Phishing
- Delegation and forwarding rule attacks
- PowerShell scripts in attacks
- Cloud focused pivot from on-premises
Part of the Zero Trust model is to always assume breach. Phishing and other identity attacks are the most common because they are extremely cheap: a bad actor can send millions of emails for pennies. One goal of Zero Trust is to increase the cost of an attack. Administrators can put countless security measures in place to prevent these attacks; however, the best protection is at the front door, the end user. If users are thoroughly educated on the tactics bad actors use, so they can identify phishing emails and verify legitimate ones, most phishing attacks would fail. A great way to provide this education is to attack your own users with regular phishing simulations to evaluate who is susceptible.
Microsoft Attack Simulator is part of Office 365 Advanced Threat Protection Plan 2. It lets you run realistic attack scenarios in your organization to identify vulnerabilities and counter the trends listed above. To configure these simulations, administrators need to be a member of the Organization Management or Security Administrator role groups (Global Administrator includes these roles) and have Multi-Factor Authentication enabled. Attack Simulator offers four types of attack simulation:
- Spear Phishing (Credential Harvest): Crafted email containing a URL, aimed at getting users to click the link and enter their credentials
- Spear Phishing (Attachment): Crafted email containing an attachment, aimed at getting users to open it
- Brute Force Password (Dictionary Attack): Trial-and-error tactic that tries many passwords (up to 10K) against a few targeted accounts. Note that this simulation will not trigger any account lockouts
- Password Spray Attack: Trial-and-error tactic that tries a single password (or a small number of them) against many or all accounts
Both the Password Spray and Brute Force simulations are straightforward to create: simply supply the list of users and the passwords to try. For Brute Force attacks you can upload a password list file of up to 10K passwords. For the Spear Phishing simulations you need to create the email itself, using either a simple text editor or HTML. Templates can be used, or created for future use. If you do fool a user into providing their credentials, they are redirected to an informational page telling them what just happened. This page can be customized by pointing it at a web site you host.
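Both simulations are easy to run, but the report will not show why the spray is the one a real identity provider's lockout policy tends to miss. The following is an added example, not code from the article or from Attack Simulator: it models a toy credential store with an assumed lockout threshold and runs a dictionary attack against one account and a two-round password spray across the tenant. The accounts, passwords, wordlist and threshold are all constructed; the real simulator does not lock accounts.

```python
"""Why a password spray stays under a lockout policy while a dictionary attack does not.

Added example, not Attack Simulator code. It models a generic identity store
with a failed-attempt lockout; accounts, passwords and the threshold are
constructed for illustration.
"""
LOCKOUT_THRESHOLD = 10  # assumed policy: lock after 10 consecutive failures


class Directory:
    """Toy credential store that locks an account after too many failures."""

    def __init__(self, passwords):
        self.passwords = dict(passwords)
        self.failures = {user: 0 for user in self.passwords}
        self.locked = set()
        self.attempts = 0

    def authenticate(self, user, password):
        self.attempts += 1
        if user in self.locked:
            return False  # once locked, even the right password is refused
        if self.passwords[user] == password:
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
        return False


def build_directory():
    """Constructed tenant: 50 accounts, two of which reuse a seasonal password."""
    passwords = {f"user{n:02d}": f"unique-secret-{n}" for n in range(50)}
    passwords["user07"] = passwords["user23"] = "Winter2020!"
    return Directory(passwords)


# Constructed wordlist; the reused password sits well past the lockout threshold.
WORDLIST = [f"Password{n}" for n in range(1, 31)] + ["Winter2020!"]


def dictionary_attack(directory, user, wordlist):
    """Many passwords against one account. Returns (password_found, account_locked)."""
    for candidate in wordlist:
        if directory.authenticate(user, candidate):
            return candidate, user in directory.locked
    return None, user in directory.locked


def password_spray(directory, users, passwords):
    """Each password tried once per account, one round at a time (classic spray).

    Returns (compromised_users, locked_users, max_failures_on_any_account).
    """
    compromised = []
    for password in passwords:
        for user in users:
            if user in compromised:
                continue  # already have this one, do not draw attention
            if directory.authenticate(user, password):
                compromised.append(user)
    return compromised, sorted(directory.locked), max(directory.failures.values())


if __name__ == "__main__":
    d = build_directory()
    print("dictionary:", dictionary_attack(d, "user07", WORDLIST))  # (None, True)
    d = build_directory()
    users = [f"user{n:02d}" for n in range(50)]
    print("spray:", password_spray(d, users, ["Summer2020!", "Winter2020!"]))  # (['user07', 'user23'], [], 2)
```

The dictionary attack locks the target at the tenth guess and never reaches the correct password, which is exactly what the policy is for. The spray compromises two accounts after two rounds and never puts more than two failures on any account, so a per-account lockout threshold alone does not stop it; that is why detection has to look across accounts (many failures for one source or one password) rather than per user.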
Anyone who is susceptible to these simulations will be listed in a report after the simulation has completed. The report is specific to the attack type and shows summary statistics along with the actual users that were compromised.
Let's look at what we can do with the Attack Simulator Spear Phishing scenario, along with some guidance for educating users on what to look for. Here is an example of a typical Microsoft Stream recording notification created from a Teams meeting:
When creating an attack, you can select up to 10K recipients, either individual users or groups directly from Azure AD, or imported from a CSV file.
Next you provide the email From address and Subject. The From address can be spoofed as any address, internal or external, without being blocked or failing delivery. For a URL-based attack you must pick from a predefined list of URLs; some services, including Microsoft Defender ATP, may block these URLs, so you may need to add exclusions for the simulation to be valid. For an attachment-based attack you choose either a DOCX or PDF extension and set a name for the attachment.
Here is an example of a fake email created in Attack Simulator using the previous email as bait. I have highlighted specific areas of the email and listed them below.
Bad actors will do their best to make their phishing emails perfect; however, there are almost always some flaws. Whether it is a well-crafted, socially engineered email or a quick, concise message, the goal is to trick the user into not thinking twice about the action they are about to perform.
When using Attack Simulator (or another product) to phish your own users, you will initially want to craft emails with intentional mistakes to teach end users what to watch out for. Here is a list of typical tactics and the intentional mistakes made in the phishing example:
- Trust, but verify, even if the email is sent from an internal source.
- Check the links. Hover over each link to verify that the destination matches what is displayed in the body of the email.
- Check the From display name for inconsistencies and malformed characters. In this example, "stream" is not capitalized as "Stream".
- Check the From address for inconsistencies and malformed characters. For example, the real Microsoft Stream notification comes from no-reply, not noreply.
- Check the To field. If a message like this was meant for the entire company or a specific group but shows only your individual user, it may be a targeted phishing attempt. It is rare to receive 1-to-1 emails of this kind.
- Look for inconsistent or malformed pictures and other formatting errors.
- Same as above: look for formatting errors.
- Other tips include:
- Check the signature. Dynamic signatures are hard to mimic; formatting differences such as coloring, size, and font are often noticeable.
- Socially engineered emails tend to follow familiar patterns so that reading them becomes a thoughtless process. Check for consistency with the recurring emails and newsletters you normally receive.
- Pictures in signatures are cached locally and load instantly. The pictures in this email are publicly hosted, so they must be downloaded when the email is opened and may not show immediately.
- Images in signatures may not look right; the image may be stretched or misshapen.
- Even if a user clicks on a link, that does not mean they are completely fooled at that point. You can configure Azure AD Company Branding (requires Azure AD Premium P1) and educate your users to authenticate only if they see your logo and custom sign-in page.
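Several of the checks above (link text versus real destination, From display name, From address, a single recipient on a group notification, externally hosted images) can be applied mechanically to a raw message, which is useful when triaging reported phish or verifying that a simulation email carries the intended mistakes. The following is an added example, not code from the article or from Attack Simulator. The expected-sender profile, the trusted hosts and both sample messages are constructed; before using it, fill in the profile from what your own mail logs show for the real notification.

```python
"""Apply the indicator checks from the list above to a raw email.

Added example, not Attack Simulator code. The sender profile, trusted hosts
and both sample messages are constructed; fill the profile from what your own
mail logs show for the real notification before relying on it.
"""
import email
from email import policy
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed known-good profile of the legitimate notification (placeholder values).
EXPECTED_SENDER = {"display_name": "Microsoft Stream",
                   "address": "no-reply@stream.example.com"}
# Hosts the legitimate message's links and images point to (assumed).
TRUSTED_HOSTS = {"stream.example.com", "web.stream.example.com"}


class _LinkImageExtractor(HTMLParser):
    """Collect (href, visible text) for each <a> and src for each <img>."""

    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href, self._text = attrs.get("href") or "", []
        elif tag == "img":
            self.images.append(attrs.get("src") or "")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def check_message(raw):
    """Return (code, detail) findings for one raw RFC 822 message; [] means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # From display name: the "stream" vs "Stream" tell is a casing-only difference.
    name, addr = parseaddr(str(msg["From"]))
    expected = EXPECTED_SENDER["display_name"]
    if name != expected:
        code = "DISPLAY_NAME_CASE" if name.lower() == expected.lower() else "DISPLAY_NAME_MISMATCH"
        findings.append((code, f"{name!r} vs expected {expected!r}"))

    # From address: noreply vs no-reply, or a different domain altogether.
    if addr.lower() != EXPECTED_SENDER["address"]:
        findings.append(("FROM_ADDRESS_MISMATCH", f"{addr!r} vs expected {EXPECTED_SENDER['address']!r}"))

    # Recipients: a group notification that arrives addressed to one person only.
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    recipients = [a for _, a in getaddresses(headers) if a]
    if len(recipients) == 1:
        findings.append(("SINGLE_RECIPIENT", recipients[0]))

    # Links whose visible URL differs from the real target; links and images on untrusted hosts.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = _LinkImageExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            if text.lower().startswith("http") and _host(text) != _host(href):
                findings.append(("LINK_TEXT_MISMATCH", f"shows {text} but points to {href}"))
            if _host(href) not in TRUSTED_HOSTS:
                findings.append(("LINK_UNTRUSTED_HOST", href))
        for src in extractor.images:
            if _host(src) not in TRUSTED_HOSTS:
                findings.append(("IMAGE_EXTERNAL_HOST", src))
    return findings


# Constructed bait, mirroring the intentional mistakes in the article's example.
PHISH_SAMPLE = b"""From: Microsoft stream <noreply@stream-notify.example.net>
To: jane.doe@contoso.example
Subject: New recording: Weekly Finance Sync
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><img src="https://cdn.stream-notify.example.net/logo.png">
<p>A new recording is available.</p>
<a href="https://login.stream-notify.example.net/auth">https://web.stream.example.com/video/1234</a>
</body></html>
"""

# Constructed legitimate notification for comparison.
LEGIT_SAMPLE = b"""From: Microsoft Stream <no-reply@stream.example.com>
To: Finance Team <finance@contoso.example>, Ops Team <ops@contoso.example>
Subject: New recording: Weekly Finance Sync
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><img src="https://web.stream.example.com/logo.png">
<p>A new recording is available.</p>
<a href="https://web.stream.example.com/video/1234">https://web.stream.example.com/video/1234</a>
</body></html>
"""
```

Running `check_message(PHISH_SAMPLE)` flags the display-name casing, the noreply address, the single recipient, the link whose visible URL and real target are on different hosts, and the externally hosted image; the legitimate sample produces no findings. The checks deliberately compare against a profile of the known-good message rather than against generic rules, since that is what the list above asks users to do by eye.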
Trust, but verify, even if the message comes from an internal coworker, and especially if it deals with sensitive data or monetary requests. A simple follow-up email or phone call never hurts. Educate your user base to look for the subtle details that give away false emails. It may sound counterproductive to phish your own users, but it is an incredible learning exercise, not only for users but for administrators as well, and it helps organizations identify where additional investment in end user security training and education is needed.
Enabling Technologies has three new complimentary security offers, including a phishing simulation exercise and a dark web scan. These are to help provide a baseline on where your organization stands and how you can begin improving your security posture. Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft Best Practices and utilizing a secure and productive environment. You can check out more in the Security section of our website.