In recent years the number of phishing emails I receive in my Office 365 mailbox has reached alarming levels. The problem with most of these emails is that attackers know you are using the Office 365 service, and they try to lure you into entering your Office 365 credentials on a web page that copies the look and feel of the Office 365 login.
These attacks got so frequent that they even pushed me to deliver a couple of presentations and webinars to teach Office 365 admins how to better secure their Office 365 assets.
The most important thing you can do to prevent these attacks is to enable multi-factor authentication. If you are an Office 365 admin reading this, and you haven’t enabled MFA, stop reading this right now and go enable MFA. This is a must-have!
Over the years Microsoft has been adding more and more security-related features in their Office 365 offering, but I almost missed one gem that was released last year: Attack Simulator in Office 365.
This nice feature helps you simulate an attack within your own company and check whether your users know how to recognize an attack and react to it properly. I just tested this within our own company with a very real-looking payroll notification email :-). Even within an IT company, there were still users who were lured by this simulated phishing attack. You should try it for yourself.
The other two simulators try to brute-force the passwords of your users. If you are using a strict password policy, this is not going to be relevant to you, but it does not hurt to check in any case.