Guard against Whaling with Microsoft 365 E5!
Phishing activity comes in various shapes and sizes, and companies need to have the right measures in place to guard against a variety of attacks under the phishing umbrella, including:
- Spear phishing
- Whaling attack
- Pharming
- Page hi-jacking
- Watering hole attack
- Clone phishing
- Evil twin attack
- Vishing
- Smishing
- Calendar phishing
- Quishing
Of particular interest in this blog post is something known as a Whaling attack.
What is a Whaling attack?
A whaling attack, also known as a whaling phishing attack, is a sophisticated type of social engineering that targets Senior Management, or C-level executives as they are sometimes known. The goal is to steal money or information, or to gain access to the executive’s computer to carry out further cyberattacks. These attacks yield high returns by impersonating a trusted name or group, such as another senior employee, making it easier to deceive the target into taking the desired action.
All social engineering attacks rely on deception, persuading the target to take an action like clicking on a malicious link. Unlike generic phishing attacks, which are broad and non-specific, or spear-phishing attacks, which focus on particular demographics, companies, or industries, whaling attacks employ highly targeted business email compromise (BEC) techniques tailored to each individual attack.
Whaling attacks succeed in deceiving even highly alert individuals due to the extensive research conducted by the attackers. For example, an MD might receive an email that appears to come from the Finance Director, who is known to be on holiday. The email might say, “About to board a plane. Urgently need to pay Vendor X or a critical delivery will be delayed. Can you wire £1m to the following account number…”
The MD knows the Finance Director is traveling, recognises the vendor as legitimate, sees that the writing style matches the Finance Director’s, and the email address looks correct. How does the attacker get this so right?
Scammers employ various techniques, including social engineering, email spoofing, and content spoofing, to create convincing whaling emails, and recently this has been enhanced further by the use of AI. They thoroughly research both the impersonated individual and the target by exploring social media and other open data sources. They may use phishing attacks as a preliminary step to gain access to a lower-level employee’s computer, allowing them to access HR records and discover when key members of staff or decision makers are on holiday.
Additionally, they might ‘eavesdrop’ on specific email inboxes to gather personal details that make their messages more credible. In some cases, they even engage in physical social engineering, such as frequenting a coffee shop popular with employees of the targeted company.
This may sound like a lot of work, but the significant research conducted by these types of scammers is well worth the effort due to the potentially huge payoffs if they ‘land the Whale’ (a Senior Manager, C-Level Exec) so to speak.
Recognising Whaling Emails
While companies have made significant strides in implementing security awareness training, Senior Management are often less likely to participate. This could be because their gatekeepers decide the training is unnecessary, the training is inconvenient for their schedules, or the training content is not tailored to the needs of Senior Management.
Regardless of how robust anti-whaling measures are, there is always a risk that a whaling email will bypass defences. The best way to protect the enterprise from such scams is to equip executives with security awareness training specifically relevant to their roles.
However, even if senior employees are aware of the threat of business email compromise, they need to recognise that whaling emails are far more sophisticated than phishing or spear-phishing attempts, and even the most vigilant individuals can be deceived. They should be trained to look for:
Content
The first red flag is the nature of the request. Requests for wire transfers or sensitive data should be scrutinised carefully.
Urgency
If the request is time-sensitive and implies negative consequences for missing the deadline, it should be considered highly suspicious and subjected to a multi-step verification process, including examination by the security team.
Domain
Ensure the sender’s domain matches the corporate domain exactly. Be wary of domains with subtle alterations, such as substituting “rn” for “m” or “vv” for “w”.
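The domain check above is easy to describe and easy to get wrong by eye, so a defender can back it with an automated comparison. The following is an added example written for this post, not code from the original author or from Microsoft: it normalises the sending domain, collapses the “rn”/“m” and “vv”/“w” substitutions the post names (plus a few other common ones, which are my own additions), and also catches near-miss spellings such as a dropped letter. The `example.com` and `widgets.co.uk` domains and the addresses are constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Lookalike sequences used to build deceptive domains. The "rn"/"m" and
# "vv"/"w" pairs are the ones the post names; the others are common additions
# chosen for this example.
CONFUSABLES = {
    "rn": "m",
    "vv": "w",
    "cl": "d",
    "0": "o",
    "1": "l",
    "3": "e",
    "5": "s",
}


def skeleton(domain: str) -> str:
    """Collapse lookalike sequences so visually similar domains compare equal."""
    # Fold accented characters to their base letter and drop anything non-ASCII.
    ascii_form = (unicodedata.normalize("NFKD", domain.lower())
                  .encode("ascii", "ignore").decode())
    # Replace two-character patterns before single-character ones.
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        ascii_form = ascii_form.replace(src, CONFUSABLES[src])
    return ascii_form


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@domain>' or a bare user@domain."""
    return address.rsplit("@", 1)[-1].strip().rstrip(">").lower()


def classify_sender(address: str, corporate_domain: str, threshold: float = 0.85) -> str:
    """Return 'internal', 'lookalike' or 'external' for the sending domain."""
    dom = sender_domain(address)
    corp = corporate_domain.lower()
    if dom == corp:
        return "internal"
    # Exact match after collapsing confusables: exarnple.com, vvidgets.co.uk, ...
    if skeleton(dom) == skeleton(corp):
        return "lookalike"
    # Near-miss spellings (a dropped or swapped character) via edit similarity.
    if SequenceMatcher(None, dom, corp).ratio() >= threshold:
        return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample addresses against a constructed corporate domain.
    for addr in ["fd@example.com",
                 "Finance Director <fd@exarnple.com>",
                 "x@example.co",
                 "x@unrelated-supplier.net"]:
        print(f"{addr:40} -> {classify_sender(addr, 'example.com')}")
```

A check like this belongs in the mail flow (as a transport rule or a message-header flag for the security team), not only in training material. Note its limits: it compares the registered domain only, so a message from a genuine-looking subdomain of an unrelated domain, or one where the display name says “Finance Director” but the address is an outside mailbox, needs separate rules.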
How can Microsoft 365 E5 negate Whaling?
Microsoft 365 E5 employs several security features to help prevent whaling attacks, which specifically target high-profile individuals within an organisation. Let’s delve into how these features contribute to stopping such attacks:
Advanced Threat Protection (ATP)
ATP scans emails for malicious links and attachments in real time. By blocking known phishing attempts, it reduces the risk of users interacting with harmful emails. Leveraging machine learning models and impersonation detection algorithms, it provides protection against whaling and spear phishing attacks.
Insider Risk Management
This feature detects and prevents insider threats, including compromised accounts or malicious insiders. It monitors user behaviour and identifies anomalies that could indicate a whaling attack. For instance, sudden unusual activity in an executive’s account triggers alerts.
Advanced Compliance Capabilities
Microsoft 365 E5 includes eDiscovery and Insider Risk Management, allowing organisations to search for and investigate suspicious activities related to whaling attacks. These tools help identify patterns, track communication, and assess risks associated with high-profile users.
Extended Identity Protection
With Microsoft Entra ID P2, additional security features such as identity protection and privileged identity management prevent unauthorised access to sensitive accounts, reducing the likelihood of successful whaling attacks.
Data Loss Prevention (DLP)
DLP policies prevent users from sharing sensitive information via email. By blocking or alerting on risky email content, DLP reduces the chances of a successful whaling attack.
Audit Logs and Visibility
Microsoft 365 E5 provides detailed audit logs, including email access logs. These logs allow security teams to track user activity, investigate incidents, and identify potential whaling attempts. The increased default retention period (from 90 to 180 days) ensures relevant logs are available for analysis.
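The anomaly detection described under Insider Risk Management and the audit-log review described here both come down to the same question: is an executive account doing something it does not normally do? The following is an added example written for this post, not the post’s own code and not Microsoft’s detection logic. It runs a simple triage over audit records: it builds a per-user baseline of client IPs seen before a cutoff, then flags activity on executive accounts that comes from a previously unseen IP or that is a mailbox operation worth a second look. The records are constructed for this example (shaped after the CreationTime, UserId, Operation and ClientIP fields an exported audit entry carries); the list of executives and the set of high-risk operations are my own assumptions.

```python
import json

# Constructed sample records (not real log data), shaped after the fields an
# exported Unified Audit Log entry carries: CreationTime, UserId, Operation, ClientIP.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2024-05-01T08:02:11", "UserId": "md@example.com",    "Operation": "UserLoggedIn",      "ClientIP": "203.0.113.10"},
    {"CreationTime": "2024-05-01T08:05:40", "UserId": "md@example.com",    "Operation": "MailItemsAccessed", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2024-05-02T09:15:02", "UserId": "fd@example.com",    "Operation": "UserLoggedIn",      "ClientIP": "203.0.113.11"},
    {"CreationTime": "2024-05-02T09:20:00", "UserId": "clerk@example.com", "Operation": "UserLoggedIn",      "ClientIP": "198.51.100.5"},
    {"CreationTime": "2024-05-03T07:58:33", "UserId": "md@example.com",    "Operation": "UserLoggedIn",      "ClientIP": "203.0.113.10"},
    {"CreationTime": "2024-05-03T03:12:09", "UserId": "fd@example.com",    "Operation": "UserLoggedIn",      "ClientIP": "192.0.2.77"},
    {"CreationTime": "2024-05-03T03:14:51", "UserId": "fd@example.com",    "Operation": "New-InboxRule",     "ClientIP": "192.0.2.77"},
    {"CreationTime": "2024-05-03T10:01:17", "UserId": "clerk@example.com", "Operation": "New-InboxRule",     "ClientIP": "198.51.100.5"},
])

# Assumptions for this example: which accounts count as executives, and which
# mailbox operations are worth flagging on an executive account regardless of IP.
EXECUTIVES = {"md@example.com", "fd@example.com"}
HIGH_RISK_OPS = {"New-InboxRule", "Set-InboxRule", "Add-MailboxPermission"}


def parse_log(text):
    """One JSON object per line -> list of dicts, sorted by timestamp."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(records, key=lambda r: r["CreationTime"])


def build_baseline(records, cutoff):
    """Per-user set of client IPs seen strictly before the cutoff timestamp."""
    baseline = {}
    for r in records:
        if r["CreationTime"] < cutoff:
            baseline.setdefault(r["UserId"].lower(), set()).add(r["ClientIP"])
    return baseline


def triage(records, baseline, cutoff, executives=EXECUTIVES):
    """Flag executive-account activity on or after the cutoff that is either
    the first activity from an unseen client IP or a high-risk mailbox operation."""
    alerts = []
    for r in records:
        user = r["UserId"].lower()
        if r["CreationTime"] < cutoff or user not in executives:
            continue
        known = baseline.setdefault(user, set())
        if r["ClientIP"] not in known:
            alerts.append({"time": r["CreationTime"], "user": user,
                           "reason": f"first activity from new client IP {r['ClientIP']}"})
            known.add(r["ClientIP"])  # alert once per new IP, not on every record
        if r["Operation"] in HIGH_RISK_OPS:
            alerts.append({"time": r["CreationTime"], "user": user,
                           "reason": f"high-risk operation {r['Operation']} from {r['ClientIP']}"})
    return alerts


def run(log_text=SAMPLE_LOG, cutoff="2024-05-03T00:00:00"):
    """Build the baseline from records before the cutoff and triage the rest."""
    records = parse_log(log_text)
    return triage(records, build_baseline(records, cutoff), cutoff)


if __name__ == "__main__":
    for a in run():
        print(a["time"], a["user"], a["reason"])
```

On the constructed data the clerk’s activity is ignored and the MD’s routine sign-in from a known address produces nothing, while the Finance Director’s account raises two alerts: a sign-in from an address never seen before, followed by a mailbox rule being created from that same address. The longer retention period mentioned above is what makes the baseline meaningful; a baseline built from a few days of history will flag every legitimate change of location as new.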
To supplement the above, Fusion also recommends deploying Intune, which is also included with Microsoft 365 E5.
Microsoft Intune, included in Microsoft 365 E5, plays a crucial role in guarding against whaling activity.
Here’s how it contributes to preventing such attacks:
Account Protection Profiles
Account Protection (preview): This profile focuses on settings for Windows Hello and Credential Guard. Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. Credential Guard helps protect credentials and secrets used with devices.
Local Admin Password Solution (Windows LAPS): Intune allows configuring Windows LAPS (Local Administrator Password Solution) on devices. LAPS manages a single local administrator account per device; the policy specifies which local admin account it applies to.
Local User Group Membership: This profile manages the membership of built-in local groups on Windows devices. For example, you can edit the Administrators group’s membership to restrict it to exclusively defined members, reducing the risk of unauthorised access.
Endpoint Security Policies
Cross-Platform Endpoint Management: Intune ensures consistent security policies across various platforms, including Windows and macOS.
Built-In Endpoint Security: Intune enhances security by managing local group memberships, enforcing Windows LAPS, and configuring Windows Hello settings.
Mobile Application Management: Intune secures mobile apps and data on devices.
Endpoint Analytics: Provides insights into device performance and security.
Microsoft Configuration Manager: Integrates with Intune for comprehensive endpoint management.
In summary, Microsoft Intune, combined with the other security features in Microsoft 365 E5, helps safeguard against whaling attacks by detecting anomalies, preventing unauthorised access, and providing tools for investigation and response.
Thanks
Richard