A new feature in Microsoft’s Office 365 Advanced Threat Protection service promises to fill in the gaps of traditional anti-phishing defenses.
Phishing attacks made against organizations are nothing new; there have been real-world examples of these attacks since as far back as the ’90s. Even so, enterprise IT has never had what I would consider to be a truly effective way of dealing with phishing attacks.
Don’t get me wrong — I’m not saying that IT has been negligent in trying to stop phishing attacks, but rather that the methods used so far have only been marginally effective.
The Holes in Anti-Phishing Defenses
Phishing attack defenses have traditionally revolved around a filter that tries to identify phishing messages. Depending on which anti-phishing product is being used, a suspected phishing message might be deleted, stripped of attachments and links, or perhaps sent to a user’s spam folder.
There are several reasons why I consider this approach to be ineffective. The most obvious is that some phishing messages will inevitably slip through the filter. At the same time, there is also a potential for false positives to occur.
In my opinion, though, the biggest reason why our current defenses against phishing attacks are ineffective is that there is usually an administrative blind spot.
Imagine that your organization is targeted by a zero-day phishing attack. As an administrator, you notice some of the phishing messages showing up in your spam filter. The presence of these messages in your spam filter confirms that your anti-phishing defenses have been at least partially successful, but there are a few key pieces of information that you do not know.
For starters, you have no way of knowing if any of the phishing messages actually made it into a user’s inbox. While there are security and auditing tools that can be used to perform an organization-wide search for specific types of messages, those who perform phishing attacks typically designed the attacks in a way that prevents messages from being identical to one another. This makes it difficult to look for a specific message.
The other key piece of information that an administrator typically does not know is whether any of their users fell victim to the phishing attack. Unfortunately, there isn’t a great way to tell if anyone clicked on a malicious link or opened the malicious attachment. In some cases, it might be possible to review router logs to see if anyone has accessed a particular URL, but again, phishing messages are often constructed so that the destination URL varies from one message to the next.
Enter Office 365’s ‘Campaign View’
Recently, Microsoft introduced a new tool called “campaign view” for its Office 365 Advanced Threat Protection (ATP) service. To be clear, campaign view is not a new tool for detecting phishing attacks. The detection process is still handled by the underlying ATP software. Instead, campaign view is designed to provide administrators with new insight into phishing attacks made against their organization.
Campaign view works by organizing phishing attacks into campaigns. The software does this by looking at the characteristics of the phishing messages that have been detected, and then using that information to determine whether a message is likely to be a part of a known phishing attack or if it marks the beginning of a new phishing attack.
Because campaign view is able to identify the individual phishing campaigns that have been launched against an organization, it can use what it knows about the campaign to give the administrative staff detailed information. Administrators can see a timeline of the campaign showing when it started, when it ended and the total number of messages that were associated with the campaign.
More importantly, administrators will be able to see how many of those messages made it into users’ inboxes, and how many (and which) users clicked on a URL within the message. Campaign view not only identifies who clicked on the links, but it also tells administrators the URL associated with the link, when the user clicked on the link and whether or not Office 365 stopped the action.
I am still waiting for Microsoft to provide me with access to campaign view, so I haven’t had a chance to try it out yet. Based on the screen captures that I have seen so far, though, I think that campaign view promises to be an extremely useful tool that can help administrators effectively cope with the aftermath of a phishing attack.
Although the new campaign view feature is not yet available to Office 365 customers, Microsoft has recently opened a public preview. This means that qualified organizations can beta test the feature in advance of its eventual release.