Yesterday, the FBI Cyber Division released a Private Industry Notification bulletin regarding cyber criminal behavior focused on cloud-based email services such as Microsoft Office 365 and Google G Suite. The focus of these cyber criminals is to mimic these prominent cloud-based email services through phishing messages and fake websites in an attempt to collect legitimate business email accounts and misdirect end user transactions with these services. These are legitimate threats that need to be considered and warrant proper planning and adequate compensating IT security controls.
It is very important to point out that neither Microsoft Office 365 nor Google G Suite has been directly compromised by cyber criminals and all customer data managed and controlled by these organizations remains secure and intact within those respective cloud infrastructures. This FBI notification is drawing our attention to the fact that as the two largest cloud-based email services, Microsoft and Google are rightfully drawing the attention of cyber criminals and have become the subject of phishing scams and criminal misdirection attempts. A similar comparison can be drawn between virus attacks and PC operating systems. More viruses exist to attack Microsoft Windows simply because Windows is the most prevalent desktop operating system in use by businesses around the world.
This FBI notification contains several sound recommendations for mitigating these threats from cyber criminals, and Burk IT implements many of these controls for our Microsoft Office 365 hosted email customers. Other controls are configured for our customers on a case-by-case basis depending upon their business needs and internal processes.
All Burk IT Office 365 customers have a Barracuda Security Gateway in place to properly review all inbound and outbound emails to ensure proper security rules are followed. Automatic spam and malicious message quarantine controls are in place. Logs for all messaging are retained and available for periodic review and forensic investigation. Anti-phishing and anti-spoofing policies are in place. Sender Policy Framework (SPF) configurations are implemented and legacy email protocols are restricted wherever relevant and appropriate. Burk IT also configures all customer-managed firewalls to restrict access and traffic from foreign sources.
Other controls are available and can be configured if relevant for the organization, including multi-factor authentication, banners identifying all external email messages, DKIM & DMARC protocols, and several others.
The most important control any organization can put in place to mitigate phishing attacks and other cyber crime associated with email is to properly and frequently train its employees. This includes awareness training and periodic phishing exercises. Burk IT can provide both automated computer-based training and in-person awareness training for customers upon request. We can also provide a variety of topical and relevant phishing exercises for our customers, including detailed reports for employee follow-up.
At the end of the day, this notification from the FBI is not net new information. The threat of phishing and misdirection has been and remains a serious threat. But if your organization is a user of Microsoft Office 365 or Google G Suite, be aware that the volume of attacks targeting your users is going to go up. Take precautions - educate your users and have conversations with your account managers concerning additional technical controls.