
Security Awareness Trainings in Focus

In the most recent attacks against Microsoft 365, attackers are again betting on phishing or electronically delivered social engineering, this time demonstrating speed and innovation. For that reason, security awareness campaigns within organizations have never been more important.


In a first example, Microsoft details an attack in which the target user receives a Microsoft Teams message request from an external user masquerading as technical support staff. If the target user accepts the message request, the user then receives a Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on their mobile device. If the targeted user does as requested, the threat actor is granted a token to authenticate as the targeted user, which is effectively an account takeover.

MS Teams phishing

The novelty in this phishing attempt is that threat actors are bypassing the relatively recent "number matching" multifactor authentication mechanism, which Microsoft introduced precisely to mitigate phishing attempts.


In a second instance, attackers are exploiting a recent zero-day (CVE-2023-36884) which offers attackers an opportunity to bypass defenses in Microsoft Office designed to prevent execution of unverified attachments (Mark of the Web or MOTW). Again, the attack is deployed via phishing techniques, this time an email message luring victims to open a Word attachment (see below).

Open the attachment, please!

Both attacks above illustrate that phishing techniques will always evolve and catch up with the technical protections deployed within organizations, a reminder of how important continuous security awareness trainings (SAT) aimed at all employees are.


Regulators are also catching up: for example, the upcoming NIS2 directive is explicitly mandating cybersecurity trainings as part of minimum risk management measures (see here). That is not surprising: employees are increasingly seen as the last line of defense against cyberattacks.


Increasing employee capacity to withstand attacks by deploying SATs is therefore rapidly becoming a key tool in the cybersecurity arsenal. However, SATs are usually performed as a "side gig" with the following shortcomings:

  • implemented "manually" as one-off exercises which typically miss new evolving threats or newly hired employees (as soon as they join the organization);

  • not integrated with the most common phishing line of attack: e-mail communications;

  • not automated, i.e. no ability to run fake phishing attempts (simulations with clickable lures) and measure the workforce's ability to withstand phishing attacks over time;

  • not pervasive and continuous, i.e. frequent enough but at the same time non-intrusive, so employees are not overly burdened (everybody is busy, remember!)

In fact, SATs can be delivered at scale with the aid of specialized software, making them an ideal addition to existing partner service offerings (for example, in MSSP scenarios). At the same time, customers can get a continuous service that addresses the typical problems with SATs outlined above.


Case in point, see more on Proofpoint's approach to enable SAT service offerings - click here.
