Business Email is the #1 Attack Vector

Email phishing is a common practice for bad actors trying to trick users to manually enter personal information or to lead to a malicious website. Despite how skilled bad actors have become at the psychological manipulation component of phishing, there are still tell-tale signs you can look for to avoid clicking through a phishing message.

These emails will still be sent out most likely company wide even if not shown in the “To” section.

Having a level of distrust and don’t blindly click a link to log into important accounts without verifying the URL is correct. A popular tactic is asking users to “verify your account,” so you click through a link and enter your username and password, delivering the goods right to the wrong people. If there is no MFA configured on your account, the attacker now has full-access to your inbox and can make lateral moves to other employees, reset passwords to cloud services tied to your organization’s email, or attempt more malicious acts such as fraudulent wire requests.

What can I do to stay safe?

• Implement and Enforce Multi Factor Authentication.
• Monitor employee sign-in attempts through Azure Sign-Ins, or mark users as Risky.
• Implement Conditional Access to prevent login attempts from no-authorized machines or locations.
• Implement a strong spam filtering product and train employees to not blindly click links.