With 60% of corporate knowledge workers reporting that email remains their most commonly used mode of communication, email continues to be the backbone of enterprise communications and could be considered the most critical infrastructure for daily operations.1 Cloud-delivered email services are rapidly becoming the preferred implementation approach by IT organizations. With over 155 million users already running on Office 365,2 organizations are realizing significant benefits over on-prem solutions, including reduced management costs, regulatory compliance, and the accounting shift from CapEx to OpEx.

Moving email infrastructure to cloud-based delivery replaces the acquisition and management of hardware resources, software updates, and overall system management, but may not provide the security and resilience levels that are common with on-prem implementations. With phishing at epidemic levels, representing 95% of successful attacks,3 email security needs to be a top priority for security teams. While most email system providers offer some level of security and resilience, they fall short of what many security and IT teams would consider adequate. In part, because they’re widely used, homogenous security systems are typically easier for an attacker to bypass compared with heterogenous, or multi-layered defenses. Third-party email security and resilience solutions exist to fill this void. Organizations that are planning to move to cloud-based email systems, including Microsoft Office 365, should strongly consider the use of third-party solutions to ensure critical email infrastructure and data are adequately secured, backed up, and kept 100% available.
Planning the Move to Cloud-delivered Email Solutions
As organizations move core operating infrastructure to the cloud, enterprise email is ripe for transformation. Significant numbers of organizations have already migrated their inboxes to popular cloud email solutions, with Microsoft Office 365 leading the pack. The benefits of transitioning email to the cloud align with the well-known benefits of the cloud in general, including the reduction of operating infrastructure management cost and the move from CapEx to OpEx. Email infrastructure is pure overhead to most organizations and provides no differentiation, so outsourcing makes sense, just like in many other areas of IT.
But these cloud-based solutions aren’t a panacea. Not surprisingly, given the fundamental change, new risks emerge with the use of a new approach to email infrastructure. Moving on-prem solutions to the cloud replaces the operational infrastructure but doesn’t necessarily replace security controls or guarantee resiliency. While moving to Office 365 basically lifts the on-prem Exchange infrastructure and moves it to the Microsoft cloud, existing/additional security controls or other complementary services don’t move with it. Just like the days of on-premises email, organizations need to plan for how to ensure the security and resilience of their email. Moving to the cloud does not inherently address security or resilience.
Most cloud-delivered email platforms offer basic security controls but lack many of the controls that today’s security teams require. At 96%, email is the most common attack vector, and the one used most often to introduce malware.4 As part of moving to cloud-managed email, security teams need to play a key role in ensuring the necessary levels of security against malware, ransomware, phishing, and data exfiltration are in place.
The Evolution and Persistence of Phishing Attacks
Phishing attacks continue unabated. The ongoing high incident rate of email phishing is a reminder that cyber adversaries will default to those methods that have proven effective while also leveraging them in new ways to execute attacks. According to the Mimecast State of Email Security Report 2019, 94% of respondents experienced phishing attacks in 2018, with 55% of organizations reporting increases in phishing attacks over the past 12 months.
Yet, not all phishing attacks are reported. Duped users may not be aware they were phished, or may be embarrassed that they were and so not report the incident. This is partly why so many stolen but valid credentials are available for sale on the black market. In either case, such situations increase dwell time and the potential for the spread of malware, data loss, or both. While Office 365 offers anti-phishing capabilities through its Advanced Threat Protection (ATP) offering, organizations should consider using additional third-party solutions to increase protection.
Business Email Compromise (BEC) Attacks
In fairness to end-users, cybercriminals are increasingly employing socially engineered, targeted attacks that are hard for many knowledge workers to identify (as they are so timely and accurate). Such attacks are new ways for cybercriminals to monetize phishing attacks, including pretexting or business email compromise (BEC) attacks. This type of fraud is perpetrated via spoofed emails that fool users into taking action other than clicking on a malicious link or opening malicious files. Instead, the recipient is very often instructed to make a payment based on the direction to do so from a fake executive or vendor email. Office 365 itself has become a major target for attackers, and it’s easy for attackers to target. Organizations that use Office 365 publicly broadcast their use through their DNS MX records. BEC attacks aren’t limited to spoofing internal employees, as 88% of companies have seen email-based spoofing of business partners or vendors.

Credential Theft
Phishing attacks can also be the first step in a lengthier campaign, as is the case with those that are designed to steal login credentials, often by exploiting the collaboration capability of cloud services. For example, because the use of file-sharing services such as Box, Dropbox, OneDrive, and others is common, users are accustomed to receiving emails from others to access files. This creates the perfect opportunity for bogus emails to lead a user to a bogus login page as a means of capturing credentials that are then used in the next step of an attack campaign. And Office 365 credentials are highly prized as they can give the attackers direct access to emails where they can monitor the organization and understand the best way and time to launch the next step in their attack.
Successful credential phishing attacks can lead to email account takeovers that allow cybercriminals to log in as legitimate insiders. Credential theft extends well beyond email, as Active Directory credentials provide attackers access to other applications and data. Bogus emails instructing a subordinate to transfer monies, click on a malicious link, or open an attachment are even more believable because of the legitimacy of the sender’s email address.
Ransomware
Even after several years of well-understood attack approaches, ransomware continues to disrupt organizations, with attacks reportedly up 26% year over year.7 The average downtime from a ransomware attack is three days, so these attacks continue to cause significant business impact. Endpoint security vendors have made great progress in stopping ransomware, even when it makes it through email systems, but organizations continue to be affected. Office 365 email users are still falling prey to ransomware, with Microsoft offering specific instructions on how to recover affected files for up to thirty days. So, while many email solutions claim they provide robust prevention against ransomware, ESG recommends the use of additional email security solutions, as this is consistent with well-known best practices of using multiple layers of security.
Office 365 Email Reliability
How reliable is Office 365 as a service? While generally reliable, Office 365 has experienced multiple outages in the past 18 months. When users lose access to the corporate-sanctioned email system, they don’t stop working. Instead, they continue working using personal email tools, which lack the same security controls. This opens a window for attacks and the storage of proprietary information in unsecured, public email environments.

Backup and Recovery
While Office 365 offers a way to “hold” data, which is often perceived as an archive/backup, it does not provide a persistent backup/recovery of email data. Instead, it holds email data and disallows deletion. But if that data is corrupted or lost due to technical failure, how would it be recovered? IT organizations, therefore, need to develop plans for backup, archiving, security, failover, and user/mobile access.
Secure Email Gateway – An Opportunity to Mitigate the Most Successful Attack Vector
A secure email gateway (SEG) adds a filter for inbound, outbound, and internal email on top of the core email service. This service has the ability to take a deep look at all characteristics of each email, including sending domains, attachments, links, and the actual text in the subject and body of the email. An SEG can protect against email-borne threats including spear phishing, malware delivered as a malicious attachment, spam, ransomware attacks, and zero-day attacks. This includes outbound and internal email traffic as well, monitoring exfiltration or the internal movement of key data using email as the transport.
The Bigger Truth
Organizations that are relying on cloud-based email providers to secure their email systems and data should strongly consider adding a secure email gateway. Too many organizations are confusing the existence of security features with the efficacy of those features. While moving enterprise email to the cloud has significant benefits to the organization, multiple risks need to be mitigated before making the move. Sixty-one percent of respondents believe it’s likely or inevitable they’ll suffer a negative business impact from an email-borne attack.8 So clearly more investment and effort are needed. Security, business continuity, and data governance teams need to get involved early in the process and must play a role in the selection and implementation process to ensure enterprise communications and data are adequately protected. Third-party solutions can mitigate risks by providing both additional security and resilience. These solutions can also ensure security controls are in place when a cloud email provider experiences an outage. Microsoft Office 365 is the dominant cloud email solution for businesses in use today, with over 155 million active users and with 29% year-over-year seat growth.9 While offering a strong solution, Office 365 still lacks security controls and the backup and resiliency that many organizations require, therefore requiring supplemental security and resilience solutions from other providers. Adding an SEG to an Office 365 implementation can provide organizations with better control of email security and resiliency while ensuring data and systems stay safe, even when email services experience downtime. Whether in the planning stage, implementation stage, or post-implementation, third-party email security and resilience services should be considered with all cloud-delivered email solutions.
Sources:
1 ESG Master Survey Results, Mobile Knowledge Worker Behavior, March 2018.
2 Microsoft, First Quarter Fiscal Year 2019 Results, October 2018.
3 Verizon Research Report, 2019 Data Breach Investigations Report.
4 Verizon Research Report, 2018 Data Breach Investigations Report.
5 Mimecast Research Report, The State of Email Security: 2019 Report, May 2019.
6 FBI Public Service Announcement, BUSINESS E-MAIL COMPROMISE THE 12 BILLION DOLLAR SCAM, July 2018.
7 Mimecast Research Report, The State of Email Security: 2019 Report, May 2019.
8 Mimecast Research Report, The State of Email Security: 2019 Report, May 2019.
9 Microsoft, First Quarter Fiscal Year 2019 Results, October 2018.