CyberheistNews Vol 12 #42 [Heads Up] Almost 19% of Phishing Emails Bypass Microsoft Defender

Cyberheist News

CyberheistNews Vol 12 #42  |   October 18th, 2022

[Heads Up] Almost 19% of Phishing Emails Bypass Microsoft Defender

Stu Sjouwerman SACP

Check Point Software is one of the world's best-known and largest infosec companies. In September 2021 they acquired email security company Avanan and recently they updated Check Point's initial 2020 research about the email security effectiveness of Microsoft 365 and Defender.

The report is very good and strikes the right tone. They start out by saying: "In general, Microsoft 365 is a very secure service. That is a result of a massive and continuous investment from Microsoft. In fact, it is one of the most secure SaaS services on the market." This report does not indicate otherwise.

What this report does note is the challenge that Microsoft has. Because Microsoft 365 is the default security layer for most organizations, many hackers think of email and Microsoft 365 as their initial point of compromise. A good example of how hackers focus on Microsoft 365 comes in a series of blogs from Microsoft that details the attempts of a state-sponsored group to compromise their services.

Hackers have stepped up their game

Microsoft is the most used and most targeted email service in the world. After a thorough analysis of nearly three million emails, Check Point found that at the moment Microsoft Defender misses 18.8% of phishing emails.

Their previous 2020 analysis showed 10.8% of phishing emails reaching inboxes, so Defender's missed phishing rates have increased by 74%. This represents not a decline in Microsoft effectiveness, but rather an increase in targeted attacks designed directly to bypass Microsoft. Hackers, in other words, have stepped up their game.

Another interesting finding in the report showed that Defender sends 7% of phishing messages to the Junk folder, so they can still be accessed by the user and possibly clicked on.

It's not all bad news though

There are several areas where Defender does quite well. For example it catches 90% of unknown malware, and it's also good at spotting attacks that spoof DMARC. Only 2.5% of those make it through to inboxes. It also does quite well with Business Email Compromise, with only 2% getting through.


When financial-based phishing attacks have been specifically crafted to bypass Defender it missed 4% of them. This category includes things like fake invoices and bitcoin transfers. Brand impersonation is another popular method hackers choose to bypass Defender and 22% of these emails get through. 21% of credential harvesting attacks also get through to users' inboxes.

Missed phishing rate higher in larger organizations

The missed phishing rate is also higher in larger organizations, reaching between 50 and 70%. This is despite security operations center staff in large businesses devoting a large percentage of their time to email issues. One large company studied saw 910 reported phishing emails within one week, yet the IT team could only remediate 59 of these, or less than 7%.

Defender vs. Secure Email Gateways

In another study analyzing 300 million emails, Check Point found that Microsoft is in the middle of the pack compared to the rest of the competition, in this case, Secure Email Gateways. Per every 100,000 emails, Microsoft's catch rate of phishing emails is better than some Secure Email Gateways and worse than others. The report compares Avanan, Mimecast, Google, Proofpoint and Barracuda.

SEGs are only part of the picture

It is important to keep in mind that none of these SEGs stop phishes that use any medium other than email (and maybe web-based social engineering, via content filtering). They don't catch SMS phishes, voice-call phishes, social media phishes, WhatsApp phishes, tailgating, and so on.

Even if some magic solution came into being that solved the email phishing issue (highly unlikely), all organizations would still have to manage the ongoing social engineering problem. That's why KnowBe4 trains your users about social engineering in general as the overall threat and how to defeat it REGARDLESS of the medium.

It is super important to improve your organization's overall security culture. Start by getting the 2022 Phishing Industry Benchmarking Report and see how you score against your industry peers.

Blog post with links and screenshots:

[New PhishER Feature] Turn the Tables on the Cybercriminals with PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately "flip" a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature, which automatically replaces active phishing threats in your users' mailboxes with a defanged look-alike.

The new PhishFlip feature is included in PhishER (yes, you read that right, no extra cost), so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, October 19 @ 2:00 PM (ET) for a live 30-minute demonstration of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software. With PhishER you can:

  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your users' inboxes.
  • Easily search, find and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and Google Workspace
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4's email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, October 19 @ 2:00 PM (ET)

Save My Spot!

[Head Scratcher] The Cyber Insurance Market Is Badly Broken. But Why Exactly?

Greg Noone at the Techmonitor site covered this problem in early October 2022, starting with a horror story.

A company had taken cyber coverage for the past year with no claims, but during a routine scan a software vulnerability was discovered. They did not fix it in time. A new policy was proposed that would not cover ransomware. They signed it. Guess what happened a week after? Right. Here is a short extract and further below a link to the site.

"I would be disingenuous if I told you that ransomware wasn't a key factor in some of the headwinds that we've seen in the market with regards to pricing," explains Bob Parisi, head of cyber solutions in North America for German reinsurance company Munich Re.

Cyber Insurance Has Shot Up 102% In First Quarter

The first half of this year saw one cybersecurity vendor block 63 billion threats, a year-on-year rise of 50%, while cyber insurance costs shot up by 102% in the first quarter. Terms and conditions for coverage have also been tightened. Lloyd's of London, for example, went as far as to eliminate coverage for breaches that arose directly from state-sponsored attacks, a sizeable portion of the overall damages accrued from ransomware.

Its reasoning, according to the firm's underwriting director Tony Chaudhry, was that policies shouldn't "expose the market to systemic risks that syndicates could struggle to manage."

Cyber insurance does not have a long history. The market itself, explains Mario Vitale, chief executive of cyber insurance provider Resilience, has only been around for about 15 years. "I have to say we are still within the infancy stage," he says, a term that's also relevant when describing the segment's size.

"I think the insurers are still figuring out, 'How confident are we in our ability to estimate and predict this risk?'" says Josephine Wolff, a professor in cybersecurity policy at Tufts University and an expert in the cyber insurance market. Over time, adds the professor, this has led to a "less stable market… and also just a lot of uncertainty in which people aren't confident about what their cyber insurance will cover."

Ongoing volatility is making reinsurers nervous

Ongoing volatility in the cyber insurance market has also made reinsurers nervous about increasing their exposure to the space. These behemoths, explains Vitale, help to keep many of the frontline providers afloat. In recent years, however, they "have cut back on their coverage terms and conditions, just like these [cyber] insurers have done to their clients", he says.

Resilience's answer to this problem, explains Vitale, has been to double down on closely liaising with clients to minimize their vulnerability to breaches as far as is humanly possible.

The process of drawing up cyber insurance policies is rigorous. It begins with an assessment of how well-equipped the client is to deal with a cybersecurity threat from a governance standpoint, explains Parisi. After that, he continues, providers typically drill down into the mundanities of cyber defense: whether multi-factor authentication is in place on corporate devices, how data is uploaded to the cloud, and the extent of security awareness training among staff.

[CONTINUED] At the KnowBe4 blog:

Does Your Domain Have an Evil Twin?

Since look-alike domains are a dangerous vector for phishing and other social engineering attacks, it's a top priority that you monitor for potentially harmful domains that can spoof your domain.

Our Domain Doppelgänger tool makes it easy for you to identify your potential "evil domain twins" and combines the search, discovery, reporting, and risk indicators, so you can take action now. Better yet, with these results, you can now generate a real-world online assessment test to see what your users are able to recognize as "safe" domains for your organization.

With Domain Doppelgänger, you can:

  • Search for existing and potential look-alike domains
  • Get a summary report that identifies the highest to lowest risk attack potentials
  • Generate a real-world "domain safety" quiz based on the results for your end users

Domain Doppelgänger helps you find the threat before it is used against you.

Find out now!

Could 100% of Phishing Be Eliminated One Day?

By Roger A. Grimes.

Occasionally you will hear people or organizations claiming that they are on the verge of eliminating all social engineering from reaching end-users. Could it be true? Could it happen one day? Could some product or service be created that prevented all social engineering and phishing from reaching end-users?

It would be nice if it were possible. Social engineering and phishing have been the number one method used by attackers and malware to exploit computer devices and their users since the beginning of computers. And year after year, it seems not only that social engineering and phishing continue unabated but so far it is ever increasing. Every new year breaks records for the amount of social engineering and phishing sent and for the increasing number of victims.

People often wonder whether automated technical system defenses (e.g., content filtering, anti-spam/anti-phishing, antivirus, etc.) will ever get good enough that no social engineering or phishing reaches an end-user.


Imagining a world in which no social engineering and phishing gets to end-users is like imagining a world where all real-world crime is gone. It's like trying to prevent all sin. It's essentially the same argument. It’s impossible. Even just trying to significantly minimize it to the smallest reasonable amount we could all live with would take draconian measures that would severely hamper legitimate business.

There's a tired canard in computer security that goes something like this, "The only truly secure computer is one that is powered down and sealed in concrete inside of a locked closet." It's secure, but no one can use it. "Perfectly secure" systems immune to social engineering and phishing would be extremely hard to create without significantly limiting the usefulness of those same devices.

Instead, we all knowingly or unknowingly allow some percentage of risk to occur to use our computers. Why is it so hard to automatically detect and prevent all social engineering and phishing?

[CONTINUED] At the KnowBe4 blog:

Got (Bad) Email? IT Pros Are Loving This Tool: Mailserver Security Assessment

With email still a top attack vector, do you know if hackers can get through your mail filters? Spoofed domains, malicious attachments and executables to name a few...

Email filters have an average 7-10% failure rate: that is the share of spam, phishing and malware attachments that enterprise email security systems miss.

KnowBe4's Mailserver Security Assessment (MSA) is a complimentary tool that tests your mailserver configuration by sending 40 different types of email message tests that check the effectiveness of your mail filtering rules.

Here's how it works:

  • 100% non-malicious packages sent
  • Select from 40 automated email message types to test against
  • Saves you time! No more manual testing of individual email messages with MSA's automated send, test, and result status
  • Validate that your current filtering rules work as expected
  • Results in an hour or less!

Find out now if your mailserver is configured correctly; many are not!

Cyberattacks Are the Biggest Risk to the UK Financial System – Bank of England Research

Cyberattacks are the biggest risk to the UK financial system, according to new research from the Bank of England.

However, financial institutions remain confident in their ability to fend off attacks, and believe they are more likely to suffer from the impact of rising inflation.

The Bank's H2 systemic risk survey polled 65 executives in the UK financial sector, and shows that 74% of respondents deemed a cyberattack to be the highest risk to the financial sector in both the short and long term, followed closely by inflation or a geo-political incident.

The number of respondents who believe their company is at high risk of attack grew rapidly this year, from 31% in the first half of the year to 62% in the second. Those considering the threat to be low have decreased by 20%, to just 3%. What's more, 83% believe that cyber risk in the financial sector has increased in the past year.

Blog post with links:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [BUDGET AMMO] 5 Tips to Gain Compliance on Your Compliance Training by Yours Truly:

PPS: "This is World War III" Counterintelligence Expert Says of China Threat:

Quotes of the Week
"Those who forget history are doomed to repeat it."
- George Santayana - Philosopher (1863 – 1952)

"Reality is created by the mind, we can change our reality by changing our mind."
- Plato - Philosopher (427-347 B.C.)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

A New Phishing-as-a-Service Kit Called Caffeine

Researchers at Mandiant have published an analysis of a phishing-as-a-service kit called "Caffeine," which further lowers the bar for inexperienced cybercriminals by offering a publicly available, easy-to-use phishing service.

"Unlike most PhaaS platforms Mandiant encounters, Caffeine is somewhat unique in that it features an entirely open registration process, allowing just about anyone with an email to register for their services instead of working directly through narrow communication channels (such as underground forums or encrypted messaging services) or requiring an endorsement or referral through an existing user," the researchers write.

"Additionally, to seemingly maximize support for a variety of clientele, Caffeine also provides phishing email templates earmarked for use against Chinese and Russian targets; a generally uncommon and noteworthy feature of the platform."

The phishing kit also offers a customer support service for inexperienced users, along with a simple user interface.

"Once registered, a new Caffeine user is then directed to the service's main index page to begin their phishing voyages," the researchers write. "It is worth noting that over the course of its investigation into the Caffeine platform, Managed Defense observed Caffeine's administrators announce several key platform improvements via the Caffeine news feed, including feature updates and expansions of their accepted cryptocurrencies."

The phishing kit also facilitates finding hosting services for phishing campaigns.

"For most traditional phishing campaigns, phishermen generally employ two main mechanisms to host their malicious content," Mandiant says. "They will typically leverage purpose-built web infrastructure set up for the sole purpose of facilitating their phishing voyages, use legitimate third-party sites and infrastructure compromised by attackers to host their content, or some combination of both."

New-school security awareness training enables your employees to recognize phishing and other social engineering attacks.

Blog post with links:

Small Business Grants as Phishbait

INKY has published a report on the use of small business grants as phishing lures. Scammers are impersonating the U.S. Small Business Administration (SBA) to distribute phony grant applications hosted on Google Forms.

"Unbeknownst to many, the SBA recently stopped accepting applications to their COVID-19 relief loan and grant programs," INKY says. "Still, [the phishing email] includes an enticing offer for any unknowing small business owner: Simply fill out the form and find out if you're qualified to receive the funds.

"Clicking on 'Apply Now' takes recipients to a survey on Google Forms.... Any small business owner who had previously applied for legitimate loans and grants could be easily fooled by the form itself. The top of the form appears to be a cut-and-paste of a genuine COVID-19 grant message and the questions which follow are very similar to those the SBA asks applicants in legitimate circumstances."

The Google Form asks the user to submit their personal and financial info, including their social security number, driver's license details and bank account information.

The researchers note that there are several red flags that could have alerted observant users, including typos and grammatical errors in the phishing email.

"There is something else that a more discerning eye might have noticed," the researchers write. "Because this cybercriminal used a legitimate Google Forms survey to harvest credentials there is a line populated just under the 'Submit' button that says, 'Never submit passwords through Google Forms.'

"It's not a good lesson to learn the hard way. Ironically, if you look a little further, beneath the 'Submit' button you'll also see Google's 'Report Abuse' button. It's not an option you see too often in phishing scams, and could easily be ignored by anxious small business owners who fall for this threat."

New-school security awareness training teaches your employees to follow security best practices so they can avoid falling for social engineering attacks.

Blog post with links:

What KnowBe4 Customers Say

"Stu, Good afternoon. Thanks for checking in with me. I'm very happy with KnowBe4 thus far, and I plan to continue using the platform long into the future.

"Everyone I have worked with at KnowBe4 has been helpful and knowledgeable, but I'd specifically like to thank Morgan P. and Kim G., who were both incredibly patient and helpful during the sales process and our initial launch.

"Thanks again for reaching out to me directly - that is very much appreciated!"

- B.M. IT Director

"Stu, Thanks for reaching out. Honestly from the sales engagement with Jamie and working with Sonja it has been a really great experience. Instead of just 'here's the portal, good luck!', your team took the time to help get things set up so we can get a successful baseline and monthly training program.

"The materials are relevant and informative, and I've had some good responses from the user-base. I'm happy to see KnowBe4 become a part of our culture and increase the awareness of our employees.

"I look forward to setting up the steps for next month's training, and simulated phishing to see how well the first round of training took hold. The console's features, especially with the 'copy' option is really a nice touch. Keep up the good work."

- W.R., Director of Information Technology

The 10 Interesting News Items This Week
  1. Phishing campaigns could turn elections, analyst warns:

  2. U.S. Airport Websites Knocked Offline by Pro-Russia Hackers:

  3. Cybersecurity Survey of State CISOs Identifies Many Positive Trends:

  4. Internet disruptions, cyberattacks hit Ukraine following Russian missile strikes:

  5. U.K. Spy Chief: Confronting China's tech ambitions is "the national security issue that will define our future":

  6. Chinese Cybercriminal Gangs Collude on Ransomware:

  7. The Russian SpyAgent – a Decade Later and RAT Tools Remain at Risk:

  8. Android security warning: These crooks phone you and trick you into downloading malware:

  9. Budworm: Espionage Group Returns to Targeting U.S. Organizations:

  10. [GULLIBLE?] Woman Scammed by 'Russian Astronaut' Who Claimed to Need 35K to Return to Earth:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
