
Office 365


Good solution

Posted by user.0rKmBCppWxw Jun 8, 2017

Since implementing Mimecast with Office 365, we've seen a real difference here in spam reduction and in confidence in our email solution as a whole. The two have complemented each other well, which means we can focus on working rather than managing our systems.

We're quite happily using URL Protect, which is regularly doing what's expected and stopping people getting to places where they shouldn't.

As Office 365 users, we're getting used to new features appearing from time to time without much notification (well, if you very carefully read the announcements feed, you might realise that something's coming, but it won't necessarily be obvious).

So imagine my delight when I saw this today. Yes! They're adding warnings to potential phishing messages. Good stuff, extra layers of defence and all that. Shame it was this particular message, though...

URL Protect looks Phishy to Microsoft

Dave Hood is the Director of Technical Marketing focused on Office 365, continuity and the Mimecast API. A Mimecaster since 2015, he’s a frequent speaker and commentator on cloud collaboration.

Recently, a new attack came to light that shows the importance of using a layered security approach to protect against malicious URLs in emails.

We all know email is the preferred vector of many cybercriminals, particularly during the holiday season, when it seems like almost everyone is shopping online and getting bombarded by offers for sales, shipping instructions and purchase confirmation emails. Attackers use the flood of legitimate email as cover, and to catch unsuspecting users when their defenses are down. The particular attack referenced in this blog is, however, new.

Security Week reports the attack was directed at Office 365 business users, and exploits a vulnerability in how anti-phishing and Microsoft Safe Links determine if a URL is safe to visit or not. The goal of the attackers was simple – divert Office 365 users to a fake login page to harvest their usernames and passwords. With their login credentials, attackers would have unfettered access to all Office 365 workloads of that user.

The steps of the attack are to:

  • Create a fake Office 365 login page.
  • Alter the proper URL of the page using Punycode encoding. Punycode makes it possible to represent Internationalized Domain Names (IDNs) with a limited (ASCII) character set. For those who have used the URL shortener bit.ly, it’s similar in concept.
  • Distribute URLs to Office 365 users using a fake email. In this case, fake FedEx emails were used to maximize opens during this season of giving.
  • Harvest Office 365 credentials as users hit the fake Office 365 page.

The key for this attack was the use of the Punycode to get the URLs past Microsoft’s phishing protection (the attacker no doubt tested this method in advance to make sure it worked, in his own instance of O365).

These types of URLs are usually blocked, but in this case, the malicious links were left accessible because of the failure of the defenses to interpret the links correctly. You can find more details at Security Week.
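The check the defenses above failed to make, as an added example that is not code from the Security Week report or from Mimecast: decode any Punycode (xn--) labels in a link's host and flag decoded labels that mix scripts or fold onto a watched brand name. The watch-list, the confusables subset and the sample URLs are constructed for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed watch-list of brand labels a mail filter would guard (an assumption for this example).
WATCHED_LABELS = {"microsoft", "office", "outlook", "login"}

# Constructed subset of Cyrillic/Greek letters that render like Latin ones;
# the full Unicode confusables table is much larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u03bf": "o",
}


def script_of(ch: str) -> str:
    """Approximate a letter's script by the first word of its Unicode name (LATIN, CYRILLIC, ...)."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(label: str) -> str:
    """Fold confusable letters onto the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def inspect_url(url: str) -> dict:
    """Decode Punycode labels in the URL's host and list why a filter should distrust it."""
    host = (urlsplit(url).hostname or "").lower()
    findings = []
    try:
        # Python's idna codec turns each xn-- label back into its Unicode form.
        unicode_host = host.encode("ascii").decode("idna") if host.isascii() else host
    except (UnicodeError, ValueError):
        unicode_host = host
        findings.append("undecodable Punycode label")
    for label in unicode_host.split("."):
        if label.isascii():
            continue  # plain ASCII labels need no script analysis
        scripts = {script_of(ch) for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in {label!r}")
        folded = skeleton(label)
        if folded != label and folded in WATCHED_LABELS:
            findings.append(f"{label!r} imitates {folded!r}")
    return {"host": host, "unicode_host": unicode_host,
            "findings": findings, "suspicious": bool(findings)}


# Constructed samples: a host spelt with a Cyrillic o, encoded with the same idna codec,
# beside a plain ASCII host.
SAMPLE_HOMOGRAPH = "https://" + "micr\u043esoft.example".encode("idna").decode("ascii") + "/login"
SAMPLE_BENIGN = "https://login.microsoft.example/"

if __name__ == "__main__":
    for url in (SAMPLE_HOMOGRAPH, SAMPLE_BENIGN):
        print(url, "->", inspect_url(url))
```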

 

It’s worth considering these takeaways from this attack:

  1. Defense-in-depth remains a best practice in the cloud, just as it was in an on-premises world. A single code base to protect the over 85M corporate users on Office 365 opens the door to these types of attacks.
  2. It shows what attackers can do when they have easy admin access to Office 365 tenants. In this case, the attackers crafted an email using Punycode that they could test against EOP and ATP, until they were absolutely sure it would work. When they were confident it would get past the defenses, they launched a broader attack.
  3. Armed with malicious URLs hidden from the Office 365 defenses, it’s relatively simple to use MX lookup tools to identify organizations using EOP and Office 365. Attackers could quickly build a list of organizations to phish.
  4. Attackers are increasingly targeting Office 365 because of its popularity. The article states: “With the growth in Office 365 for corporate email, hackers are shifting their focus. The characteristics of this particular attack disclose the hacker’s intention to deceive Office 365 users into providing their login credentials.”
  5. It’s always worth having defense in place that includes security against email threats such as malicious links (including the type used in this attack), weaponized attachments, and malware-less impersonation attacks.

More posts from Dave Hood:

The Growth of Office 365: 85M and Counting 

Mimecast Releases the Data Logging API and Splunk App 

Office 365 Problems Result in Mail Delays - On a Really Critical Day 

It all started far too early this morning. Before taking a sip of my first espresso, I glanced at my company mobile to make sure there were no alerts about things having broken overnight. And ooooh. Two emails at 3:30am apparently from a user inviting me to review the attached PDF. Well, I wouldn't normally expect to receive attachments from this user, and especially not at 3:30am.

When I noticed that the footer included the reassuring message

Message scanned by Norton Anti-virus and it’s 100% safe

My internal pre-espresso alarm bells became very loud. Not least because we don't use Norton.

Logged into the Mimecast Admin console and had a look. Oooooooooooooh joy. Multiple messages sent to numerous internal and external addresses. Digging into the headers showed that they appeared to have been sent using the Office 365 portal (which explains how they came complete with an authentic-looking company signature). They also showed that the originating IP address wasn't, as I'd have expected from the user in question, somewhere in northern England, but in Nigeria, where we don't have any staff.

I blasted out a message to all staff telling them not to open the message. Only three admitted to opening it on their mobiles (and one of those admitted to thinking it was a bit odd...). Ho hum.

Got to the office, instructed the user to change his password and started digging. Extracted all the addresses the message was sent to and turned that into a list, which has been used to apologise.

But one mystery remained: even after resetting his password, restarting Outlook, uttering the traditional curses against Microsoft and standing on one leg, the user was still not receiving any email. Very strange...

Checked in Mimecast - messages were there. Checked on the Office 365 Portal - no messages, which eliminated Outlook (aka The Usual Suspect). Scratched head, opened tickets with Mimecast and Microsoft in case one or other had locked him out for being a spammer. Scratched head some more, then went to make a cup of tea (the coffee here isn't up to the standard of my home espresso). And while the kettle was boiling, I had a thought.

Connected to user's mailbox in Office 365. Looked in Rules. Yup. The, err, visitors had helpfully created a "mark all mail as read and delete" rule. Now this is presumably so the victim doesn't see the NDRs and complaints generated by their messages, but does have the drawback that the user might actually notice not getting any email at all.

So, what we think happened was that the user's password was compromised (lifted from somewhere else, similar passwords used for multiple accounts, some other means), attackers used the credentials to blast out numerous messages, set a rule to delete the evidence, then moved on to the next victim.

Lessons that can be learned: remind everyone about why passwords really are important, and why you really need different ones for each service. Oh, and look for rules. Rules are important.

Dave Hood is the Director of Technical Marketing focused on Office 365, continuity and the Mimecast API. A Mimecaster since 2015, he’s a frequent speaker and commentator on cloud collaboration.
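The rule audit this post ends on, as an added example that is not Mimecast's or Microsoft's code: it flags inbox rules that hide every incoming message, mark mail read before hiding it, or send mail outside the tenant. The sample rules are constructed, their field names are modelled on the properties Exchange Online's Get-InboxRule returns, and the tenant domain list is an assumption.

```python
# Constructed sample rules. Field names are modelled on the properties Exchange Online's
# Get-InboxRule returns (Name, Enabled, DeleteMessage, MarkAsRead, ForwardTo, RedirectTo,
# MoveToFolder and the *ContainsWords conditions); every value here is invented.
SAMPLE_RULES = [
    {"Name": "Newsletter filing", "Enabled": True, "MoveToFolder": "Newsletters",
     "FromAddressContainsWords": ["news@vendor.example"]},
    {"Name": ".", "Enabled": True, "MarkAsRead": True, "DeleteMessage": True},
    {"Name": "backup", "Enabled": True, "ForwardTo": ["mail-archive@freemail.example"],
     "SubjectContainsWords": ["invoice", "password"]},
    {"Name": "old", "Enabled": False, "DeleteMessage": True},
]

# Any of these narrows a rule to some messages; a rule with none of them matches everything.
CONDITION_FIELDS = ("From", "FromAddressContainsWords", "SentTo", "SubjectContainsWords",
                    "BodyContainsWords", "HeaderContainsWords")
HIDING_FOLDERS = {"deleted items", "junk email", "rss subscriptions", "archive"}
TENANT_DOMAINS = {"corp.example"}  # assumption: the organization's own mail domains


def external_recipients(addresses) -> list:
    """Addresses whose domain is not one of the tenant's own."""
    return [a for a in (addresses or []) if a.rsplit("@", 1)[-1].lower() not in TENANT_DOMAINS]


def audit_rule(rule: dict) -> list:
    """Reasons one enabled inbox rule looks like post-compromise tampering (empty if none)."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons
    catch_all = not any(rule.get(field) for field in CONDITION_FIELDS)
    hides = bool(rule.get("DeleteMessage")) or rule.get("MoveToFolder", "").lower() in HIDING_FOLDERS
    if hides and catch_all:
        reasons.append("deletes or buries every incoming message")
    if rule.get("MarkAsRead") and hides:
        reasons.append("marks mail read before hiding it, so no unread count gives it away")
    external = external_recipients(rule.get("ForwardTo")) + external_recipients(rule.get("RedirectTo"))
    if external:
        reasons.append(f"sends mail outside the tenant to {external}")
    if len(rule.get("Name", "").strip()) <= 2:
        reasons.append("near-empty rule name")
    return reasons


def audit_mailbox(rules) -> dict:
    """Map each suspicious rule's name to its reasons; clean and disabled rules are omitted."""
    report = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            report[rule.get("Name", "")] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```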

 

Microsoft announced that Office 365™ now has over 85 million monthly active users during their earnings call on Oct. 20. This is up more than 40% year over year, and made me think it would be interesting to check out past announcements of users and then project what to expect in terms of user growth.

First off, on earnings calls, Microsoft usually updates the total commercial users every six months. This started back on the FY15Q3 call and has been consistent through the announcement last month. If you are interested, the earnings call transcripts are in the investor section of the Microsoft website.

The chart below shows the growth of Office 365 commercial users and assumes that the 40% growth rate will continue until next October, which would be Microsoft’s first quarter in fiscal year 2018. This is because Microsoft is on a fiscal year that runs from June to June.

From the chart, you can see that in Q3 of FY17 (April 2017), Office 365 will have around 100 million users. And by this time next year, I’d expect that there will be close to 120 million active users on Office 365. That’s about 2X growth in two years!

Actual and Projected Office 365 Commercial Users

More validation

And it’s not just Microsoft crowing about the popularity of Office 365. Gartner research also shows that the cloud collaboration service is growing in popularity: an updated 2016 survey found that 78% of respondents either use Office 365 or plan to use it in the next 6 months. That’s a 13-percentage-point jump from the same survey in 2014.

In terms of workloads, the research found the following order of importance:

  1. Exchange Online
  2. OneDrive for Business
  3. Office 365 ProPlus

Continued Push Upward

In the last earnings call, Microsoft said that cloud revenue is now over $13 billion, over halfway to their stated goal of $20 billion by 2018. That’s a lot of cloud revenue, and Office 365 and Azure are critical to that strategy.

I expect to see a continued focus on Office 365 and more innovation. Of course, with so many commercial users on the service, it’s imperative for each organization to evaluate Office 365 against their own specific requirements, and make sure to add additional layers of security and protect themselves from events that can impact productivity like the slowdown on June 30.

If you are interested in learning more, check out the e-book, Confidently Move Your Email to the Cloud.

The value of data often increases when correlated with other information that was previously isolated in an organization. This is certainly true for security threat information when considering that endpoints, networks, databases and many other types of systems are vulnerable to attack. We know that email is one of the top attack vectors, and combining this data with that from other security solutions is a top priority.

Mimecast is pleased to announce the general availability of the Data Logging API and Splunk application for customers and partners. The Data Logging API lets organizations harness key email information and integrate and analyze the information in custom or third-party SIEM solutions. Below are just a few of the use cases for increased data visibility:

  • Who in my organization/what department is being targeted most by whaling (impersonation) attacks?
  • What is the country of origin for rejected mail?
  • Email rejections by type
  • Reporting and monitoring for encrypted email between two domains -- including top recipient and sending domains that use or do not use TLS

For Mimecast customers that already use Splunk, integrating Mimecast data is easy and requires no coding or scripting. Just download the Mimecast app from Splunk, fill out a couple of simple form fields and you’re off and running.


If you aren’t a Splunk customer, you can use the Data Logging API and have access to the same data. Use the Developer Community on Mimecaster Central for sample code and API documentation. As always, Mimecast’s legendary support is here to help every step of the way. Stay tuned for even more API information in the coming months.

No one can deny the Office 365 momentum that continues to build in the industry as more organizations adopt cloud collaboration solutions. A recent survey by Gartner shows that 78% of organizations are either on Office 365 or are planning on using it in the next 6 months. Couple that with Microsoft saying that over 50,000 organizations adopt Office 365 each month and it’s clear that more users than ever rely on Office 365. So it’s logical that any service failure will impact a larger number of users. Given the timing of the June 30th event that caused mail delays, I’m sure the productivity impact on customers was painful.

What went wrong?

According to the Microsoft EX71674 Post Incident Report, the event was first noticed by customers at 9:18 am Eastern Time and fully resolved at 7:30 pm Eastern Time. That’s a time frame of approximately 10 hours during which email was delayed both inbound and outbound with external parties. Microsoft states that inter-company or inter-tenant messages were not delayed. It appears that most of the mail was delayed, causing queues to build that ultimately made customers and Microsoft aware of the problem. Microsoft did confirm that some non-Office 365 users received Non Delivery Reports (NDRs) for some messages.

Looking at sites like Reddit, you can get a sense for how the queues started to build. One user says, “I'm curious, how many emails does everyone have queued up at their local gateways? I'm at ~200,000.” The reason for the delay in mail flow was a problem with Exchange Online Protection (EOP). EOP is responsible for checking mail for spam and malware and according to Microsoft was recently updated. Unfortunately the update impacted the speed of the EOP message filtering services and messages started to queue. Office 365 engineers addressed the problem by restarting message transport services, routing connectivity to alternate infrastructure, increasing capacity and ultimately making a configuration change to optimize the message filtering services code. The event impacted Office 365 customers across the U.S. but did not impact other regions.

What are the takeaways from this event?

As Tony Redmond writes in his article, Exchange Online Protection Falls Over, EOP is potentially a weak component for Office 365. He also rightly points out that this isn’t the first time we’ve seen an incident like this and provides an Azure Active Directory failure as an example. Office 365 is a broad suite that requires a complex set of infrastructure and services to work together. This complexity makes it difficult to pinpoint and diagnose the problem and can result in the end-user being impacted for multiple hours.

It’s also clear that all outages have different impacts. An outage at 11 pm can impact some users, but based on the time, it’s likely only a small pool. In the case of the June 30th outage, it was the last day of the month, the last day of the fiscal quarter for many companies and it was during the middle of the work day for U.S. customers. All organizations need to determine how much downtime is acceptable for their unique requirements and business. Then it’s up to them to have the necessary solutions in place to meet them.

How did Mimecast Customers Keep Email Running?

The Mimecast Mailbox Continuity solution is designed to spring into action when there is a problem with Office 365 or an on-premise mail server. The Mimecast service can be used by both administrators and employees and in this case we saw organizations that used both methods. Mimecast doesn’t just spool email, it provides the ability for employees to keep sending and receiving mail using Outlook, mobile applications or web portal for remote users to stay connected when Outlook isn’t an option.

During the June 30th event, it’s clear that Mimecast customers rely on our solution to keep their businesses running. There were a number of instances where over 50% of the employees at the customer companies used the Mimecast portal to stay connected. There were also instances where hundreds of employees turned to Mimecast as Office 365 failed to deliver messages. In addition to the portal, administrators acted to initiate continuity events allowing employees to keep working right in Outlook. It’s completely transparent to the end user and after the event is over, Mimecast automatically syncs and deletes any duplicate messages so there are no extra steps for employees or admins.

It should be noted that Mimecast employees are among the now 70 million Office 365 users. It’s a phenomenal service but as with any cloud provider, it will likely have bad days – just like June 30th, a really bad time to have a bad day. Mimecast helps over 18,000 organizations manage the risks of email, including continuity, each day. We’re proud to help our customers make sure this important communication channel remains protected and available.

WEBINAR: MAJOR LEAGUE BASEBALL TEAM POWERS EMAIL WITH MIMECAST AND OFFICE 365TM

Email is critical to any professional sports team. An important message could come in at any time that could drastically impact the entire organization. This is why Major League Baseball’s San Diego Padres need to ensure their email is always available, secure, and instantly retrievable.

Join Oscar Castro of the San Diego Padres and Microsoft Exchange and Office 365 MVP, J. Peter Bruzzese for a discussion on the benefits of utilizing Mimecast with Office 365.

This 1 hour webinar will cover:
  • The benefits of Mimecast’s protection against service outages
  • Considerations on using Office 365 as a stand-alone product or in conjunction with Mimecast
  • Risk scenarios to consider when planning a move to Office 365
DATE / TIME: THURSDAY, JANUARY 28, 2016 - 1PM EST / 10AM PST
DURATION: 1 HOUR

Click Mimecast to register today!

Please use this area to discuss and collaborate with your peers how you are using Office 365 with Mimecast. Please make sure to click "follow" in the banner to stay up to date with the latest posts