Office 365 comes with email security native to the application, but it must not be very good. How else can you explain the effort hackers put into exploiting Office 365 users AND the success they’ve had doing it?
According to CPO Magazine, “A new phishing attack is being used to steal user credentials from Microsoft SharePoint and OneDrive users. The attack method is reportedly designed to resemble an ordinary Office 365 permissions page [and] takes on the appearance of a credible Office 365 Add-In.”
With this approach, hackers can make requests look completely legitimate, which makes them almost impossible for users to detect, no matter how well trained they are. “Using this tactic, the hackers are able to use the official Office 365 login page, login.microsoftonline.com, as the staging ground for their phishing attack.” This gets everyone to let their guard down.
Once the add-in receives the requested permissions, “the hackers will then be able to fully access the user’s Office 365 account.”
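Because the link points at the genuine login host, a host check alone passes it; what separates a consent request from a sign-in is the path and query string. The triage sketch below is an added example, not code from the article or from Phish Protection. It assumes the standard Microsoft identity platform authorize endpoint and Microsoft Graph permission names; the high-risk list, the verdict names and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

LOGIN_HOST = "login.microsoftonline.com"  # the genuine login host named in the article

# Assumption: delegated permissions this example treats as high risk.
HIGH_RISK = {"offline_access", "mail.read", "mail.readwrite", "mail.send",
             "files.read.all", "files.readwrite.all", "contacts.read"}

def triage_link(url, approved_client_ids=frozenset()):
    """Classify an emailed link: is it an app-consent request, and for which permissions?

    approved_client_ids: lowercase application IDs the organisation has vetted.
    """
    parts = urlsplit(url)
    path = parts.path.lower().rstrip("/")
    is_authorize = "/oauth2/" in path and path.endswith("/authorize")
    if (parts.hostname or "").lower() != LOGIN_HOST or not is_authorize:
        # Out of scope for this check; other link controls still apply.
        return {"verdict": "not-consent-request", "client_id": None, "risky_scopes": []}

    query = parse_qs(parts.query)
    client_id = query.get("client_id", [""])[0].lower()
    # Scopes are space-separated and may be fully qualified
    # (https://graph.microsoft.com/Mail.Read), so keep only the last segment.
    scopes = {s.rsplit("/", 1)[-1].lower()
              for value in query.get("scope", []) for s in value.split()}
    risky = sorted(scopes & HIGH_RISK)

    if client_id in approved_client_ids:
        verdict = "approved-app"
    elif risky:
        verdict = "block"      # unknown app asking for mail, files or long-lived access
    else:
        verdict = "review"     # unknown app, low-impact permissions
    return {"verdict": verdict, "client_id": client_id, "risky_scopes": risky}

# Constructed sample link: legitimate host, unvetted application ID, broad scopes.
SAMPLE_CONSENT_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Faddin.example%2Fcallback"
    "&scope=offline_access%20Mail.Read%20Files.ReadWrite.All%20User.Read"
)

if __name__ == "__main__":
    print(triage_link(SAMPLE_CONSENT_LINK))
```
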
Interestingly, this same type of attack targeted over one million Google Docs users back in 2017, but Google’s response was impressive. “The company managed to protect its users and halt the attack within the space of only one hour by effectively locating and removing the accounts responsible.”
How did Microsoft do in this area? “In the case of the attack against Office 365 apps, the response does not appear to have been quite as decisively coordinated as it was in Google’s case.” So, Office 365 is more vulnerable and Microsoft’s response is worse.
The worst part of this exploit is that, because of the email security native to Office 365, most users think they’re protected. Nothing could be further from the truth.
If you’re using Office 365 and all you have to protect you is its native email security, you’re a sitting duck. You need additional, third-party email security to really protect yourself and your company.
Cloud-based Phish Protection is the perfect complement to Office 365 for email security. It requires no hardware, no software and no maintenance, and takes only 10 minutes to set up. It works seamlessly with Office 365 or any other email platform.
Phish Protection includes real-time link click protection, smart quarantine, malicious attachment blocking, display name spoofing protection and domain name spoofing protection. And the best part is, it costs only pennies per user per month.
Don’t be fooled into thinking you’re safe with Office 365. You’re not. Don’t learn the hard way how inexpensive Phish Protection insurance would have been for your company. Get Phish Protection and sleep well at night.