"Attackers Lure Victims to Click on Fake Invoice to Bypass Microsoft Office 365 Email Security"

Armorblox researchers detailed an attack in which the threat actor tricked victims with a fake invoice before bypassing Microsoft Office 365 email security, potentially compromising over 100,000 users. The researchers discovered and stopped this fraudulent email invoice attack, which targeted "a national institution in the education industry." According to the researchers, the email's subject header encouraged victims to open and read it. The goal was to use this social engineering technique to instill in the victims a sense of urgency, making it appear as if they needed to act sooner rather than later.

According to Mika Aalto, co-founder and CEO of Hoxhunt, the most sophisticated social engineering attacks are not being detected by large investments in security gateway technologies, and complex organizations are looking for answers. Aalto emphasizes that the human element is still present in most data breaches, indicating that traditional approaches are no longer effective. According to Aalto, new approaches to addressing this challenge are increasingly being deployed, including Artificial Intelligence (AI)-based security behavior change platforms that use gamification to improve engagement and enable people to detect and report sophisticated threats. One of the most effective approaches to addressing this challenge is to build large 'human detection engines.'

Darren Guccione, co-founder and CEO of Keeper Security, says high-profile breaches call on organizations to implement a zero-trust architecture, enable multi-factor authentication (MFA), and use strong and unique passwords for each account. However, Guccione claims that the effectiveness of these measures is diminished when users are duped into handing over credentials through phishing, smishing, and other social-engineering techniques.

This article continues to discuss the attack in which victims were lured with a fake invoice that then bypassed Microsoft Office 365 email security.

SC Media reports "Attackers Lure Victims to Click on Fake Invoice to Bypass Microsoft Office 365 Email Security"

Submitted by Anonymous on