Contributed by George Mack, Content Marketing Manager, Check Point Software.
Every day, hackers send 3 billion phishing e-mails in an attempt to steal login credentials. When threat actors compromise employee accounts, the victim organization can suffer serious consequences. Hijacked accounts can lead to data breaches, network outages, IP theft, ransomware takeover, and more — causing severe reputational and financial damages.
Unfortunately, most organizations aren’t prepared to defend against phishing attacks.
According to a recent Microsoft report, only 22% of customers who use Azure Active Directory (AAD) implemented strong authentication, which includes multi-factor authentication and passwordless solutions. As a result, 78% of AAD clients without strong authentication are exposed to phishing-related attacks, making them vulnerable to a breach.
Implement multi-factor authentication
The importance of MFA cannot be overstated. When multi-factor authentication is enabled, hackers can only log in to an account with a stolen password if they also have access to the authentication device, like a user’s smartphone.
With MFA enabled, you’re guaranteed protection from the majority of phishing-related threats, such as account compromise and data breaches. According to Microsoft engineers, MFA can block over 99.9 percent of account compromise attacks.
However, hackers recently discovered a way to circumvent MFA through the use of phishing kits, which enable hackers to man-in-the-middle (MitM) a browser session to steal credentials and session cookies in real-time. These kits present the legitimate website to the victim, portraying the illusion that the login is secure. The MitM session steals not only the user’s credentials, but also the session cookies that allow the hacker to access the account without the need for a login, password, or MFA tokens.
This doesn’t mean you should stop using MFA; it’s still useful in cases where phishing kits are not present. But there is another technique that will bolster your account security.
Stop using passwords
The second method for protecting your account involves simply eliminating your passwords.
Here’s the problem with passwords. People set bad passwords because they want something that is simple and easy to remember. However, this puts you at risk of a password spray attack, in which hackers brute force their way into your account using a list of common passwords in the hopes that your account is using one of them.
If you want to stop using passwords, then implement passwordless authentication. This solution natively verifies users, simplifying the login experience and vastly reducing your exposure to attack.
For the strongest protection, Microsoft recommends combining MFA and passwordless protection.
Prevention is key
The two security methods above have one thing in common: prevention. When hackers compromise your network using a phished account, it’s too late. It’s much easier and more cost-effective to stop the problem from ever occurring in the first place.
“From a protection perspective, the number one thing you must do is aim to prevent an identity from being stolen, abused, or misused. Preventing this from happening in the first place is critical,” says Principal Threat Intelligence Lead at MSTIC Christopher Glyer.
More phishing prevention tips:
- Audit account privileges.
If an account with elevated privileges gets hijacked, then hackers can gain unfettered access to critical systems and resources. Follow the principle of least-privilege access, and frequently review if employee accounts need certain clearances.
- Review, harden, and monitor all tenant administrator accounts.
Disable or remove administrative privileges that aren’t being used. Also, verify the authenticity of users or accounts that have these administrative privileges.
- Establish and enforce a security baseline to reduce risk.
Don’t delay your security-hardening initiatives due to limited budgets or resources. Nation-state actors will continue to develop new attacks and eventually find a weakness in your network if you don’t set a baseline. Implement zero-trust practices such as MFA and passwordless. Begin by applying these principles to privileged accounts, which are the most valuable to protect, and then expand to other accounts in incremental phases.
Do you want complete protection for your Microsoft 365, Google Workspace, and all of your collaboration and file-sharing apps? Harmony E-mail & Collaboration is an API-based solution that catches what everyone else misses — including ransomware, account takeover, BEC supply chain attacks, and more. To learn more, watch a product tour of Harmony Email & Collaboration here.
Further reading:
Is Cyber Security Hard to Learn?