What do you do to beef up spam filtering for O365?

The targeted phishing scams are often rather scary. Had a client who got so close to pulling the trigger on wiring a very large sum of money before even contacting me to see if something was up.

Yeah the "CEO Fraud" e-mails are getting very..very frequent. Just yesterday a foundation client of mine forwarded an e-mail, she got 3x replies into it before she started suspecting something..and she forwarded it to me.

Scammer, appearing to come from the boss lady, sends an e-mail to her (the head finance lady). "You there?"

She replies back "Yup"

Scammer replies "I need you to wire $29,000something to a...."... and you know the rest of the drill....

She got 3x replies in..the scammer's last reply was the bank numbers, some place in Texas....til she wised up and decided to check.

And another one for a military alumni org we handle....the e-mail appearing to come from the head honcho there...had the exact signature...fancy graphics, logo...all of it. So they got a hold of one of the boss's e-mails at one point..and moved in after that.

They're getting good. They pick a company...surprisingly quite often a non-profit...and study the staff, picking the boss, and the head $ person...and go in from there.

It's about user education now. I'm going to give a class for one of my larger clients...gotta go to one of the "all staff meetings" they have early one morning..stand up in front of ~125 users and do a projector based talk/class on e-mail and fraud and ransom-ware via e-mail.
 
I think doing that kind of on-site training is going to become one of the big "value adds" for MSP clients.

That and being able to go in and sit down with the decision makers and saying "[Ransomware|Malware|Phishing|Viruses] is going to happen. We're going to take all sorts of steps to prevent it from happening and that's going to cut way down on how much it's going to happen, but I will not promise that we can completely prevent it and anyone who does is lying to you. What we need to go over now is what we and you can do to make it not matter when it happens, so let's talk redundancy, failover, backups, acceptable downtime/recovery levels and how much things will cost."

Right now spearphishing seems mostly aimed at money people for the clients that most of us are dealing with, but at some point it's going to expand to spearphishing for infection or remote access.
 
So I ended up offering them a couple of spam filter options and they were basically unwilling to check the spam reports for emails they actually wanted ... so I said then you're out of luck ... almost all of them work by sending spam reports of junk mail to see if anything was missed... Only one person in the company is actually capable of identifying emails that aren't spam, and she wasn't willing to review spam reports for all of their users.

Basically it came down to, continue to get spammed or get spammed by spam reports that require manual intervention if an email should have been delivered, and deliver spam reports either daily, and possibly miss a time sensitive email or have spam reports deliver every couple hours and get spammed by spam reports from all of the users.

They opted to do nothing but continue to be careful with what they open.
 
Did anything have relative scoring? e.g. obvious spam never gets delivered at all, questionable stuff gets marked with a revised subject.

I'm not sure if having everyone taking an approach of "be wary about what you open" is better or worse than having users trust that everything that reaches them is safe (because the spam filter will have caught it), but the danger of unfiltered email coming in to everyone would also scare me.
 