https://venturebeat.com/wp-content/uploads/2019/12/feat.jpg?fit=578%2C336&strip=all — Above: Phishing campaign example from Office 365 Advanced Threat Protection (ATP)

Microsoft adds ‘campaign views’ phishing intel to Office 365 Advanced Threat Protection

09 Dec 2019, 17:01 by Paul Sawers

Microsoft is rolling out a new email security feature designed to give businesses greater insights into phishing campaigns targeted at their workforce.

Phishing, for the uninitiated, is where a cyber attacker pretends to be someone that they are not in an email message, with a view toward tricking the recipient (e.g., a company employee) into carrying out an action such as clicking on a malicious link or giving over confidential information. Phishing attacks are among the biggest security headaches that companies face today, with a recent U.K. government report noting that “phishing emails [are] becoming more believable, and therefore harder to detect.”

And it’s against that backdrop that Microsoft revealed today that it’s launching “campaign views” as part of its Office 365 Advance Threat Protection (ATP) security suite. Microsoft launched Office 365 ATP back in 2015 to help protect organizations against malicious email messages. In addition to the existing security features Microsoft already offered against malware, viruses, and spam, ATP ushered in additional smarts including protection against unknown malware and viruses with no known signature.

With campaign views thrown into the mix, companies can now garner great context and visibility into email phishing campaigns, including how attackers are targeting them and which users within the organization are most vulnerable. So if an attack is successful, and an employee clicks on a malicious link contained within an email, for example, security teams can take steps to contain the breach and minimize the impact. More broadly, campaigns views can also help highlight inherent weaknesses in companies’ security so they can take corrective action in the future.

How it looks

Through campaign views, security teams can see an overview about a specific phishing campaign, including a timeline of the sending pattern. It also shows a full list of IP addresses and senders, which messages were blocked, quarantined, delivered to the junk folder, or landed in the inbox and — crucially — which specific users were compromised.

https://venturebeat.com/wp-content/uploads/2019/12/Campaign-view-example.jpg?resize=702%2C747&strip=all — Above: Campaign view example

One of the ways email phishers evade automated security systems is through making slight tweaks to each email, which may include changing the URL of a malicious link, using multiple IP addresses, employing different domains, and altering the hosting infrastructure. This polymorphous approach makes it harder for security software to spot campaigns. But by gathering all this attacker-specific intelligence and making it visible to security teams, campaign views can better enable security teams to improve their proactive defenses at a later date.

Gone phishing

The increasing sophistication of phishing attacks has helped numerous tech startups attract venture capital (VC) funding — in the past six months alone, Valimail, Vade, and Ironscale collectively raised around $140 million for various automated technology products designed to protect companies from phishing attacks.

The campaign views feature was announced earlier this year, but it’s rolling out from today in public preview, and it should be visible to most users in the coming days and weeks.

The timing of the campaign views launch is also particularly notable, since the holiday season is typically ripe for phishing attacks as attackers bombard inboxes with malicious emails masquerading as special offers and fantastic deals.