During the past 12 months, email-borne threats were a top concern with nine out of ten organizations reportedly suffering at least one successful breach through email. Major inbound threats like ransomware were not handled well by email security solutions, researchers said.
Email-Borne Threats, Ransomware, Phishing, and BEC Persist in 2022
The persistence of phishing, business email compromise (BEC), and ransomware attacks has been notable during the past year, while email threats in general in 2022 waste time and create security vulnerabilities, the report says. Also, less than half of the surveyed organizations can successfully block the delivery of email threats. Furthermore, nine out of ten (89%) of organizations experienced at least one successful email breach during the past 12 months, eclipsing the results from 2019, the report states. With the number of email breaches almost doubling since 2019, the most frequently experienced method of compromise is Microsoft 365 credential compromise. “The mix of breaches attributed to email attacks is changing. In comparison to our previous survey, ransomware attacks increased by 71%, Microsoft 365 credential compromise attacks increased by 49%, and phishing attacks increased by 44%,” the report says.
Email Client Plug-ins, Employee Training Spike
Due to the number of suspicious email messages continuing to target organizations, half of the organizations surveyed are now using automated email client plug-ins for users to report suspicious activity, up 37% from 2019. Security operations center analysts (SOCs), email administrators as well as third-party security vendors are groups that receive the majority of user-submitted suspicious activity reports. Employee training about email threats is now offered to over 99% of organizations on an annual basis at the very least, the report says. One in seven organizations offers email threat training monthly, or even more frequently. The organization that offers this more frequently reduces the risk of phishing, BEC, and ransomware threats targeting employees and organizations, the report says. “More frequent training is also positively correlated with more messages being reported as suspicious,” and this has helped uncover more suspicious activity, the report says. On the other hand, only 22% of organizations analyze every reported message, instead opting to analyze just more than half.
Ineffective Defenses Persist
All the organizations surveyed have at least one additional security tool supplementing “basic” email protections offered by Microsoft 365, the report says. This includes Microsoft 365 Defender, security awareness training technology, third-party email gateways, or third-party anti-phishing add-ons, the report says. Another major vulnerability for organizations is “immature incident response workflows,” which ultimately increase costs. These costs include post-incident remediation, the need for more manual removal work, and time wasted on triaging messages flagged as suspicious. Furthermore, organizations can also face other costs such as alert fatigue, regulatory fines, loss of customer trust, and cybersecurity analyst turnover, the report says.
Organizations Need to Invest in a Layered Approach
A layered approach to detecting and neutralizing incoming threats but leveraging capabilities offered by a combination of Microsoft 365 and third-party defenses — along with employee training “in the art of detecting threats” — is the way forward, the report says. The second area of focus needs to be optimizing incident response processes that will reduce ongoing costs and ultimately the frequency of successful email attacks. Almost 80% of organizations surveyed do not have satisfactory measures in place, particularly not scrutinizing every user-reported suspicious message, which increases the likelihood of a successful breach, the report concluded.
