Stop Office 365 Credential Theft with an Artificial Eye

This post originated on Trend Micro
Written by Chris Taylor 



We all know that email remains by far the number one threat vector facing organizations today. Trend Micro blocked more than 20.4 billion threats in the first half of 2018 alone, nearly 83% of which were email-borne. But there’s more: corporate email accounts have also become a key target for attackers in their own right. And as Office 365 becomes ever more popular, its log-in page increasingly represents the frontline in the battle against phishing attacks designed to hijack email accounts. According to Osterman Research, email account takeovers now represent over two-fifths (44%) of enterprise attacks.

That’s why Trend Micro has developed a new layer of defense to add to our formidable range of email security offerings: innovative capabilities leveraging computer vision and AI to block attacks in real time.

Office 365 email under attack

Why are email accounts so highly prized by attackers today? Because email still largely represents the nexus of an employee’s online profile. With the all-important log-ins to that account, hackers could access highly sensitive information from the inbox itself, or perhaps use the account as a “stepping stone” into other corporate systems. They could, for example, use access to craft a highly convincing phishing email sent to that employee’s colleagues elsewhere in the organization. Poor password management by employees also means that once email log-ins have been phished, an attacker could potentially also crack the victim’s other corporate accounts.

The growing popularity of Office 365 makes these log-ins a prime target for cyber-criminals. Typically, a phishing email is sent to an employee to convince them to click on a link to a website. Classic social engineering tactics are used to do so: for example, claiming that the mailbox is full, that there is an account issue that needs addressing, or even that there’s an Office document a colleague wants to share.



The fake Office 365 log-in website the user is taken to can look extremely convincing. The form itself looks identical to the real version, with the same Microsoft favicon. Often the site also has a valid SSL certificate, and sometimes these sites are even set up within a legitimate domain, making the fake extremely difficult for the untrained eye to spot.



Seeing the Fakes with Computer Vision and AI

Trend Micro has always been aware of the huge threat posed by phishing. That’s why we offer multiple layers of protection against malicious sites like these leveraging one of the largest threat intelligence networks on the planet, the Smart Protection Network. Now we’re introducing another tool, which blends computer vision technology with artificial intelligence to “see” fake websites.



We’ve implemented this technology on our API-based Office 365 protection service, Trend Micro Cloud App Security, which provides a second layer of advanced protection to Microsoft Office 365. The additional computer vision technique is applied to suspected phishing emails after Microsoft Exchange Online Protection and after Trend Micro filtering based on sender, content, and URL reputation. The remaining suspected URLs are further analyzed on the fly with the computer vision technique. Even after all of these other filtering methods, the Computer Vision + AI technology detected an additional 33,000 Office 365 credential phishing emails last month for a limited number of Cloud App Security customers.



Detecting existing Email Account Takeover Attacks

If an email account has been compromised via other means (malware on device, drive-by download…), Cloud App Security can detect whether the account starts sending phishing emails externally or internally within the organization, using advanced analysis of the content, URLs, and attachments for maliciousness.

Computer Vision + AI credential phishing detection has been working in the backend for Cloud App Security since April. In the October Cloud App Security release, the logs will start showing which URLs were detected with this new technology as credential phishing sites/emails. You can learn more about Cloud App Security at www.trendmicro.com/office365.