I was asked by a business owner recently if we recommend a move to Office 365. My answer is still a careful yes, but there are some things to be aware of before you make the move.
The biggest risk to be aware of is the threat from Phishing attacks.
If you haven't read about Phishing attacks, they are an increasingly common attack wherein someone sends you a fake link and asks you to log into your email account (for whatever made up reason). Once you enter your email address and password - boom! - they now have full access to your account, and you often never knew you were the one who gave it to them in the first place.
An attack on your business's internal email server via Phishing is still very possible, but to the hackers, it's not as attractive of a target as Office 365. For internal Exchange accounts, web-mail addresses (like mail.yourcompany.com) vary from company to company. On Office 365, it's always mail.office365.com, so there is an economy of scale for attacking lots of companies at once.
That said, there are still reasons to move to Office 365.
Microsoft can manage the maintenance and backups of your email server much more cost-effectively than your small or medium-sized company can. It gets you out of the email business, and back to what you do best. Also, Microsoft is making it increasingly difficult to use the latest versions of Office 2016 without a valid O365 license, so it is often easier to just bundle the email licensing through them as well. (Of course this is all very intentional on Microsoft's part).
So how do you manage the additional risk from Phishing attacks on Office 365?
Your best defense is two-fold: Education and using an important technology called Multi Factor Authentication (also called Two Factor to Two Step). This is a lot to digest, so I'm going to explain Two Factor in a separate post. For now, let's start with some:
The best way I know to educate people about Phishing is to show them examples and what to look for in a Phishing email. Every Phishing attack I have ever seen has a number of "tells" that reveals them as fakes. There are three main areas to look for:
- The "From" field.
- The Login Link (This can be in an attachment or the body of the email)
- The URL header (if you are unlucky enough to click the link)
In the above example (a real example from this week I might add), the user received a message that their Office 365 account was about to close. Oh No! But not really. If you look at who it's from, it's not from Microsoft, it's from firstname.lastname@example.org. (see blown up image below).
So if you don't know anyone named Bzkivnsgoffice-bzkivnsg, don't bother reading any further. Just click delete, or better yet - mark as spam.
The second place to look is the login link itself. In this example, they have labeled the link with the text "restart you subscription here."
But if you hover over the link, you will see either in the bottom left corner of your browser, or in a little window in Outlook, the actual destination of the link. In this example it is: stonebuiltchoppers.co.uk/office365.htm.
That is definitely not Microsoft's website, so don't bother clicking.
But if you do click, take one last look at the URL in your browser before you enter your email address and password. The website's location will be displayed at the top of your IE, Firefox or Chrome browser bar (the same place you type Google.com).
Once you see that URL is not where you intended, just close the browser. They still have not gotten your information until you enter your username and password and click submit. By the way, don't be too upset with stonebuiltchoppers.co.uk or wherever you happen to land. Their website was hacked through a similar process and they are already the victims of a Phishing attack themselves.
I hope this is helpful in preventing Phishing attacks at your business. Remember, this can happen with Office 365, Google Apps or any other email provider - Office 365 has other tools to prevent these attacks, but education is the most powerful weapon we have.
If you have any questions, don't hesitate to contact me.