Office 365 is undoubtedly one of the most popular business tools on planet Earth, in a level above even products like Zoho or Xero. It is the go-to email provider for business on Planet Earth, even HMRC use it, although they definitely need some training in how to secure their emails.
The simple truth though, is that by signing up to Office 365 you are sending all of the most vital information your company relies upon into a group of computes that you have no idea as to the location of or the security under which they are kept.
Do not believe that Microsoft will save you if you lose everything either, they will have protected themselves from every possible legal threat and probably have more money than he UK anyway and so would just ignore us if there was a huge loss of data.
What is the Most Common Attack to Office 365?
Data loss is not the greatest threat to UK businesses using MS Office 365, security is. The number of phishing attacks we see every day sent to clients all over the world would truly make your jaw drop. I can say this without any question of doubt, as I have been the person they call for nearly three decades now, and I have learned a great deal in that time.
The biggest threat to your business from using online services is one of trust. If one of your big clients winds up paying a fake invoice sent by phishing attack scammers then it can mean the end of a vital contract. This can be the difference between a small company surviving or being laid out to rest. This may sound like something that cannot happen to you and your staff but it is extremely common and very easy to perpetrate.
How Do Phishing Scams Work?
There are a few variants of the most common phishing attacks, but most are directed at the person who deals with your invoicing and are intended to gain their credentials for logging in to Office 365.
There are two main ingredients to most successful scams and two main methods. The first ingredient is money and the second is panic. Now I do not mean all-out frantic panic, just mild panic. That is the first method to get someone to react to a lure without thinking, the other is method hypnotic repetition. In the case of phishing attacks they tend to use money with panic to get you to enter your credentials into a fake Office 365 screen. Because you are in a panic, you are not thinking as you enter your credentials, and then they forward you to Office 365 where your browser auto-logs you in so everything appears normal. It seems as if you simply logged into your email/office screen as normal as you typed in your credentials and you found your email screen. The important thing is that you're in a hurry so you don't notice.
Now the reason you've entered this state of panic is that you have been told that a bill has not been paid and that service is about to be ceased for something. It might be the internet or the phone and you need to pay £15 to keep the service going. They may make the amount small so that you will enter your credentials without thinking about it. The important thing is that the internet does not get ceased after all. The problem is that your password just got sent to the scammers.
How Do The Scammers Use Phishing Attacks?
Now that they have your login they watch. They watch and read and find out who pays the largest invoices, and they concoct a plan. The plan is that they will employ mailbox rules to sweep or ignore any messages from that client so that you are not aware of what is happening. They will be replying to that client instead of you so that they can propose a special arrangement for the payment of the next invoice, which will be to them.
Now the links to these fake email logins arrive in various ways. The phishing attack scammers like to make a fake login inside of an HTML attachment using Javascript which you open and immediately see your email address filled-in and just requesting the password. They have already identified you and have made up a specific attack for you. This is a very common way of attacking someone, to use a custom HTML attachment for each recipient. This is why all HTML attachments must be blocked from all users on Office 365. You do not have to block them utterly, just be sure that your IT person screens all HTML attachments as they arrive before they go to the intended recipient. We will look at how to do this shortly.
PDF Document Link Phishing Attacks
Another method of attack is the PDF with a link. The problem with this method for the scammer is that the PDF might not resemble what you are used to seeing. If they are trying to scan your emails, getting a whole PDF file might be difficult and it would mean they have to especially make one up for a single attack when scammers prefer to attack lots of people at one with a single pane - less work for each successful scam -.
The PDF is an easy way of getting a link into the business as nearly all financial documents are on PDF or Excel, and they can have hyperlinks inserted into them relatively easily. If you ever see a supplier invoice from a company you do not recognise, there is a good chance that it is a scam. The link will be to an Office 365 clone site or a clone of your bank.
Make sure you have your PDF reader applications set to warn people following links on a PDF. Most reputable senders do not use links on PDFs. I have never seen a bank use one. This is an important part of keeping yourselves safe online. Warn staff from following links on PDFs.
Blocking HTML Attachments in Office 365 and Exchange Server
Now let's see how to block HTML files entering your tenancy as this is one of the most common ways your credentials can be hijacked. Here is a quick video explaining how to block HTML attachments in the admin section of Office 6365. You will need to login as an Office 365 tenancy admin to be able to change this:
As you can see it is fairly simple process. You can choose to divert the messages to your admin instead, the option is two above the one chosen in the video at 01:07 forward the message for approval where you can have it forward a copy to the admin who can then approve or reject the message.
This is a good option if you do have a client or supplier that regularly sends unzipped HTML, otherwise blocking them with a message similar to the one in the video is the best option. The sender will know you do not accept HTML files that way, and will take action to send the email in an alternate format.