As we’ve written about many times before, Microsoft Office 365’s native security does not do a very good job of protecting you from phishing attacks, which makes Office 365 extremely vulnerable to them. Now comes news of a targeted email phishing attack specifically designed to bypass the already vulnerable Office 365 security.

“The attack is a variant of ‘PerSwaysion’, a recent spate of credential phishing attacks that utilize compromised accounts and leverage Microsoft file-sharing services to lull victims into a false sense of security.”

The culprit here is Microsoft’s file hosting service OneDrive, which is used as the main conduit for the phishing attack. “By using OneNote to host the final OneDrive phishing link the people behind the attack hope to convince victims to hand over their credentials. The attackers also created a new domain for the link in this attack, so it got past any filters that were created to block known bad links. The link in the email led to multiple web pages that were painstakingly made to resemble legitimate Microsoft pages.”

This is a classic example of why Microsoft is such a big target and why it is so vulnerable to phishing attacks. Microsoft’s attack surface is so large that hackers only have to replicate a small portion of it, leaving the remainder intact. Since only a “portion” is malicious while the rest is legitimate, it’s almost impossible for users, and apparently Microsoft’s own security, to detect it, and therefore the phishing emails get through. It’s also why, if you use Office 365 and you really want to protect yourself from phishing attacks, you’re going to have to go outside the Microsoft family to do so.

The best way to augment Office 365’s native security is with cloud-based email security like that available from Phish Protection. What makes Phish Protection so effective in protecting Office 365 is that it’s outside Microsoft’s attack surface. It can therefore objectively analyze all emails regardless of where the linked-to page resides and evaluate it on its own merits. By analyzing emails before they cross the Microsoft “threshold,” Phish Protection provides the security Microsoft can’t seem to.

Phish Protection requires no hardware, software or maintenance. It sets up in 10 minutes, works with all the major email providers including Office 365 and only costs pennies per user per month.

If you’re already committed to Office 365 and you don’t want to be a statistic, try Phish Protection free for 60 days.