When hackers go after you with phishing emails, you’ll never guess which brand they impersonate the most. Microsoft. “Given the ubiquity of Windows and Office, as well as other services including the Outlook.com webmail service and Xbox Live, Microsoft’s position at the top of the list should come as no surprise.”

You’ll never guess which popular Calendar app was used to phish Gmail users earlier this year. Google Calendar. For a long time now, Google Calendar has had a major flaw. If someone sends an event request to your Gmail account, it automatically assumes you want to go and adds it to your calendar. It does so even if the event request is an attempt to phish you.

Microsoft and Google. Two big brands frequently used by hackers to phish victims. It should come as no surprise then that hackers have figured out a way to use both companies in their latest phishing exploit.

“A new phishing campaign uses Google search query redirects to send potential victims to a phishing landing page designed to collect Microsoft Office 365 credentials via encoded URLs,” according to Bleeping Computer.

“The phishers behind these attacks use URL encoding, a technique that makes it possible to convert ASCII characters in URLs with % signs followed by two hexadecimal digits. This allows the threat actors to hide the phishing page URL from secure email gateways (SEG) that scan emails for malicious links and content to block potentially dangerous messages.”

This is a challenging exploit because the first line of defense against phishing attacks is URL and domain checking. Any defense you intend to use will have to go beyond just basic URL and domain checking and will actually have to evaluate the phishing page itself to be effective.

To protect yourself and your employees from exploits like this, you’re going to need a cloud-based email security service with real-time link click protection. A service that not only checks the linked-to website when the email arrives, but checks it every time the link is clicked.

To protect yourself and your employees from exploits like this, you’re going to need Phish Protection. In addition to real-time link click protection, Phish Protection comes with Smart Quarantine Protection, display name spoofing protection, domain name spoofing protection and malicious attachment blocking.

Phish Protection only costs pennies a day per employee, sets up in 10 minutes and comes with live 24/7 customer support. Get let Microsoft and Google team up to take you down.