Breaking: New phishing campaign targets Office 365 customers, masquerades as missed voicemail

Breaking: New phishing campaign targets Office 365 customers, masquerades as missed voicemail

This morning, on October 17th, GreatHorn’s threat response team identified an active, widespread phishing campaign using a range of impersonation techniques to deliver a “voicemail” alert to customers, linking to what appears to be a Verizon-branded PDF, hosted in either SharePoint or on free PDF hosting sites, containing links to credential theft attacks. Currently, the attack appears to be primarily hitting Office 365 customers, targeting multiple users within an organization, and has been found present across multiple industries and organization sizes, using different combinations of sender and subject lines.

Although we currently have only identified it in O365 environments, there is nothing to prevent this scheme from propagating to G Suite and other environments.

The GreatHorn security team is currently monitoring this attack and providing automated support to clients.

Currently, here is what we know about this attack:

  • The initial point of infection is via a phishing email from senders “[email protected]” and “[email protected]”. The email takes a number of different forms, including the example on the right, and  includes a link to a PDF that is currently being hosted on multiple compromised Sharepoint file hosting sites, as well as on free PDF hosting websites such as
  • The destination of the supposed voicemail link is a PDF, branded as a Verizon document, containing a second step URL that leads to a credential theft site designed to look like an Office 365 login:

PDF with Verizon-branded message linked to credential theft website

Credential Theft: Fake Office 365 login page

Our specific recommendations:

We are continuing to monitor for evidence of this attack, and will provide additional information and remediation support as our investigation continues.

As of October 17 at 11:51am EDT, neither the documents, the URLs where they’re hosted, nor the credential theft links themselves are being flagged by threat intelligence blacklists. While threat intelligence is an important part of any email security strategy, they are often ineffective at protecting against zero-day threats and phishing attacks.

If you have any questions or concerns, please feel free to contact the GreatHorn team at [email protected].

LIVE WEBINAR   |   NOV 1   |   2 PM ET / 11 AM PT

The Evolution of Phishing & How We Fight Against It

Join our November 1st webinar at 2pm ET, where dmarcian CEO Tim Draegen, the primary author and advocate of the DMARC standard, and GreatHorn CEO Kevin O’Brien will discuss how phishing tactics have evolved over the years and how email security approaches have had to change to keep up.

Register now!

4 Myths About Email Security

4 Myths About Email Security


There’s no debate that phishing attacks are on the rise. In fact, 90% of data breaches start with a targeted email attack. However, relying on legacy email security tools simply does not work when faced with the trifecta of business email compromise, malicious URL delivery, and malware/ransomware attacks. Modern cloud email platforms require a modern email security solution that can protect against spear phishing and social engineering attacks.

Here are four common misperceptions or “myths” about email security and a brief explanation to dispel them.

1. Microsoft or Google Will Fix It – Two tech giants in charge of billions of corporate mailboxes will surely find a solution to spear phishing, right? Both Microsoft and Google do a tremendous job addressing the security challenges presented by their own infrastructure such as data loss from someone hacking into a server or stealing information from a physical data center.

Think of Microsoft and Google as property management companies for a residential building. They can try to secure the property by installing cameras and modern entry systems but if a tenant gives their keys away and has their condo robbed, there’s not much they can do. Phishing will always be the purview of individual businesses.

2. Our Secure Email Gateway (SEG) Will Protect Us – Email gateways have seen their efficacy erode as enterprise infrastructure has migrated to the cloud. SEGs route mail through their systems, analyze it to see if the emails are “good” or “bad,” and then deliver or block it. By making it a binary decision, these tools allow phishing emails to reach employees at an alarming rate. Cybercriminals craft their attacks with SEGs in mind knowing they have difficulty catching phishing or social engineering attacks.

3. Security Training Will Keep us Safe – Training is certainly a part of compliance but it has not proven to be effective at preventing data breaches. That’s because, according to a recent CSO article, ⅔ of inbound phishing attacks use a company’s own domain name in the ‘From’ field, making them extremely hard to detect. A well-crafted phishing attack delivered to the right person, at the right time will work regardless of the time, resources and effort invested in training them. Employees are soft targets.

4. We Haven’t Been Owned (Yet) – The phishing epidemic will continue — it has proven to be an extremely effective attack vector. And there is no such thing as a company that is too small or inconsequential to be the target of a cyber attack. The Ponemon Institute hammered that point home when they unveiled research that showed there was a 27% probability that a US company will experience a breach in the next 24 months that costs them between $1.1 million and $3.8 million. Just because a cyber criminal hasn’t tested your business’ email security posture yet does not mean you shouldn’t be ready when the time comes.

Learn more about these common misperceptions in our most recent webinar, 4 Reasons Why It’s Time to Rethink Email Security. Also hear GreatHorn CEO Kevin O’Brien explain how targeted phishing attacks work, how they’re evolving and what can be done to protect important assets from business email compromise.

GreatHorn Mentioned in Two Gartner Reports on Email and O365 Security

GreatHorn Mentioned in Two Gartner Reports on Email and O365 Security

When we originally started designing the GreatHorn platform, it was with a foundational premise: as attackers became increasingly sophisticated in their tactics, techniques, and procedures for extracting sensitive data and financial resources from their targets, there would be an ever-widening gap between legacy threat detection capabilities and the sophisticated advanced threats that bypassed them. Solving that problem requires creating a scalable system capable of providing realtime visibility of — and automatic response to — these attacks, before they lead to security incidents.

Throughout our work towards building a product that takes a new approach to protecting against modern threats and attackers, our original premise has been confirmed by the cybersecurity community. From the infosec professionals who have become our customers, to members of the industry media and the analyst community, awareness of the need for an intelligent solution that goes beyond a historically perimeter-based approach is growing.

We are proud and excited to see the recent inclusion of GreatHorn’s Inbound Email Security platform in two reports published by Gartner analysts Mario de Boer and Steve Riley, who mentioned the offering as an effective solution that helps enterprises mitigate highly targeted threats in modern email environments, stop attack types such as spoofing, phishing, and malware, and enhance the security of their Office 365 deployment.

In his report How to Effectively Mitigate Spoofing, Phishing, Malware and Other Email Security Threats, de Boer makes the point that secure email gateways (SEGs) are “the workhorse for any email security architecture.” SEGs from major vendors “typically have multi-AV, anti-spam and even DLP capabilities but don’t always have best-of-breed spear phishing protection.” de Boer warns that adding specialized solutions often comes with added complexity such as the addition of a message transfer agent (MTA) or require the forwarding of traffic through BCC or journaling – a drawback of legacy solutions that we have solved for by natively-integrating with mail platforms directly. GreatHorn is compatible with SEGs, and doesn’t compromise your organization’s existing security and compliance programs by requiring you to change MX records or BCC / copy mail to an untrusted server.

In How to Enhance the Security of Office 365, Riley discusses areas where security and risk management leaders can utilize third-party tools to further enhance the platform’s native cybersecurity capabilities. Traditional security tools, the report goes on to state, don’t adequately protect Office 365 users because they can’t offer visibility and control when enterprises migrate from on-premise to the cloud. Instead, enterprises should look to utilize cloud-native cybersecurity solutions that provide seamless protection from low-volume, highly targeted attacks.

Riley listed GreatHorn as the only company in the SaaS-based “credential protection” category that can help Office 365 companies protect themselves against credential theft via spoofing, phishing and other types of impersonation attacks.  Through realtime analysis of message authenticity –  based on both authentication data such as SPF, DKIM, and DMARC as well as contextual analysis of mail transmission pathways, sender IPs, domain “look-alike” attack vectors, and indicators of message or domain spoofing – GreatHorn’s Policy Engine allows enterprises to automatically identify and remediate potential threats 24/7/365, instantly removing threats from user mailboxes and alerting security staff.

Sick of phishing emails? Of course you are. Try a free trial of GreatHorn!

GreatHorn’s 2017 Spear Phishing Report Shows that 91 Percent of Phishing Attacks are Display Name Spoofs

GreatHorn, the cybersecurity solution for cloud communication platforms, today announced the findings of its annual 2017 Global Spear Phishing Report. The company captured insights into the cybersecurity threats facing today’s enterprises by analyzing more than 56 million emails from 91,500 corporate mailboxes from March to November 2016. The report demonstrates the defensive measures many organizations must adopt to protect themselves in the face of highly-targeted, message-based threats.

New @GreatHorn #spearphishing report shows that 91% of corporate #phishing attacks are display name spoofs.

Tweet this

The data found that display name spoofs are the clear phishing weapon of choice for cybercriminals. Attackers are increasingly relying on highly targeted, non-payload attacks that exploit trust and leverage pressure tactics to trick users into taking action that will put their organizations at risk. Of the more than 537,000 phishing threats GreatHorn detected in its research, 91 percent (490,557) contained characteristics of display name spoofs. Display name spoofs impersonate a person familiar to a business user in order to fool the recipient into thinking that the message came from a trusted source. It’s an extremely effective tactic against a workforce deluged with incoming communications all day, every day. Direct spoofs were the second most popular attack type (8 percent), and domain lookalikes made up less than 1 percent of phishing attacks.

“Stopping spear phishing attacks isn’t as simple as pushing a button; the sheer volume of these attacks, coupled with the size of the attacks surface and security resource constraints, makes it impossible to mitigate risk solely via human intervention, no matter how much you try to train your end users,” said GreatHorn Co-Founder and CEO Kevin O’Brien. “A true defense-in-depth strategy for protecting against these attacks requires unified visibility and control, coupled with risk-appropriate automation, across an organization’s entire communications infrastructure.”

Key findings from the research include:

Enterprises Reluctant to Leverage Automation

  • Data shows that security and IT professionals are often indecisive in how they handle a phishing attempt that has been flagged, as 41 percent take no action and only 33 percent alert an admin.
  • Of those organizations that did act on a flagged communication, 7 percent moved it to a folder, 6 percent added a label (G Suite) or category (Office 365), 2 percent moved to trash and 1 percent quarantined the message.

Email Authentication Frameworks Are an Essential Component of Email Security – But Rarely Fully Used

  • 80 percent of companies had minor authenticity issues, 10 percent had major authenticity issues and 15 percent had no email authentication at all. These last two statistics are troubling because, when combined with a robust data set that spans hundreds of millions of senders and messages, authenticity can be used as a major component of risk identification.
  • Sender Policy Frameworks (SPF) are the most popular as 75 percent of enterprises have it enabled.
  • DKIM (DomainKey Identified Mail) provides cryptographic proof that a messages was sent from a specific sender but is used by a little over half of respondents (53 percent).
  • Finally, DMARC (Domain-based Message Authentication) check for alignment between the apparent sender of a message and its SPF and DKIM headers. Because of its added complexity, it’s only enabled in 21 percent of the enterprises that were analyzed. However, the value of correctly implementing it is clear, as the dataset shows that organizations with correct and complete authentication records receive less than a quarter (23%) of the threats that those without received.

Cybercriminals are a Persistent, Ever-Present Threat

  • GreatHorn found that roughly 1 percent of all emails to business users contained email that contained specific characteristics that were deemed “risky” – a figure may seem low until the volume of emails that workers send and receive is taken into consideration. The Radicati Group’s Email Statistics Report, 2015-2019 shows that the average worker received 122 business emails per day in 2015, and this number is expected to grow through 2019. This means that the average business user faces at least one risky email per day, and it’s safe to assume that executives receive exponentially more attention.

Spear Phishing Tough to Block, Even When Using Automation Tools

A Network World article by Tim Greene discusses findings from our 2017 Spear Phishing Report:

“Trying to filter out phishing emails is tough work, even for organizations trying to find a better way through automation, according to a new study from security software company GreatHorn.

The vast majority of spear phishing attempts (490,557 of just over 500,000 analyzed) change the display name to someone the recipient knows, but leave behind other clues (such as domain names that don’t match) that perhaps the malicious emails are phony, according to the study.

About 45,000 of the attempts used direct spoofs by altering the From, Return Path and other fields to make it seem as if the message was sent from within the recipient’s domain – in other words it looks like it came from a fellow employee.”

Download the original 2017 Spear Phishing Report here:

GreatHorn Announces Partnership with Microsoft

“Microsoft has a commitment to providing our customers with a secure, compliant and innovative set of cloud technologies,” said Tereza Nemessanyi, an entrepreneur-in-residence responsible for Microsoft’s business with startups across the East Coast. “GreatHorn’s combination of world-class security and easy deployment — often taking under 15 minutes to go live — is a natural fit with Office 365 and Azure, and we’re very excited to be working with them to continue to build on the superior security offerings Microsoft provides to its customers.”

Read the full story here: Cybersecurity company GreatHorn brings real-time protection in new partnership with Microsoft