Hacking is hard work. That may explain why so many would-be cybercriminals turn to phishing. It’s easy, you can hit lots of people at once, and even one response in a thousand could net you a huge return.
Security firm Wombat reports (registration required) that 76.5% of infosec professionals said they had to deal with phishing fallout in 2016–that’s a lot of people letting a lot of credentials fall into the wrong hands.
Phishing, by its definition, involves sending emails, most of which contain links to malicious sites that either directly install malware or mimic the login pages of reputable and well-known sites.
Hackers aren’t going to stop phishing anytime soon, so infosec professionals need to take matters into their own hands. The best way to do that is by either blocking phishing emails from getting through or by disabling hyperlinks in emails.
Here are a few steps to do just that in Outlook and Office 365.
Option 1: Rely on Microsoft’s junk mail filter
Outlook’s junk mail filter is reportedly able to distinguish between spam, phishing, and legitimate emails and filter them accordingly, even disabling hyperlinks and the ability to reply to a message.
See: 17 tips for protecting Windows computers and Macs from ransomware (free PDF) (TechRepublic)
While this is a great feature in both the 2013 and 2016 version of Outlook it still has its holes, just like any automated filter. The best way to make it effective is to specify junk mail criteria at the Exchange server level and push those rules out using Cached Exchange Mode or via PSTs stored server-side.
Setting junk mail filters at the server level will allow administrators to specify any specific senders, any top-level domains, or even text encoding to block. Emails blocked by the junk mail filter in this way will be sent to the Exchange server’s junk mail folder and users won’t even see them.
Using the junk mail filter will never be foolproof, so use this method alone at your own risk.
Option 2: Disable email hyperlinks using group policy
The most effective method of eliminating phishing attempts is also the most heavy handed: Killing all email hyperlinks. By disabling any links in emails you’re completely cutting off an attacker’s ability to accomplish their goal: burying a false URL behind a bit of text or a legitimate looking website won’t do much if it shows up in plain text.
Keep in mind this will also kill legitimate links as well–users will have to either paste full URLs into email to be copied and pasted or simply share links in another way. Anyone doing this should be sure they get the okay from C-level decision makers: It’s a huge change that may be great for security but a hassle for users.
SEE: iOS users beware: You’re the biggest target for mobile phishing attacks (TechRepublic)
Microsoft’s website contains lots of information on how to do this for Office 2013, but not for 2016. You can download Office administrative templates for both Office 2013 and Office 2016 using similar formats and instructions but I was unable to find definitive steps for 2016.
Unless Microsoft has drastically changed the locations of Office group policy objects and registry keys, the image below, which represents the location of the object and key for Office 2013, should be similar in 2016.
Option 3: Enable Advanced Threat Protection safe links for Office 365
Managing Office 365 is a bit different from managing a typical Office installation–and that includes enabling reliable spam and phishing filtering.
Microsoft offers what it calls Advanced Threat Protection (ATP) as an upgrade to an Office 365 subscription. One of the components of ATP is safe links, a series of filters that are applied to a message before it is sent to the recipient’s inbox and after it is opened.
ATP safe links is essentially a souped-up, cloud-based version of Outlook’s junk mail filter, and rules can be applied at the individual, group, or organizational level.
When applied, ATP safe links runs incoming emails (when they contain hyperlinks) through IP and envelope filters, signature-based anti-malware scans, and anti-spam filters. If found to be safe the message is sent on to the recipient.
SEE: Certified Information Systems Security Professional (TechRepublic Academy)
Once opened, safe links runs a check on links in the body to see if they match organizationally blocked URLs or known bad sites. It also scans any files that are downloaded via email links.
Don’t forget to educate your users
For every weapon developed to counter spammers, hackers, and phishers, one of them comes up with a way to circumvent it. That said, it’s entirely possible–if not probable–that a phishing attempt will make it past your filters someday.
The best filters and software are no match for good user education. Never miss an opportunity for teachable moments and it’s not a bad idea to send out regularly scheduled security newsletters company wide that hit on important tips and things to watch out for.
- Warning, Windows 10 users! Tech support scammers have a new method for phishing attacks (TechRepublic)
- Phishing-as-a-service is making it easier than ever for hackers to steal your data (ZDNET)
- Report: 22% of SMBs hit by ransomware cease operation (TechRepublic)
- Google Chrome under attack: Have you used one of these hijacked extensions? (ZDNET)
- How to build a successful career in cybersecurity (free PDF) (TechRepublic)
- Security awareness and training policy (Tech Pro Research)