We all know the emails: "Dear user, please click the following link to update your credentials. Otherwise your Office 365 account will be disabled." "Please sign the attached document." "Please review your payment information." While many of these emails look legitimate at first glance, it is always worth taking a closer look, because more often than not they are phishing attempts. Millions of people fall for them, especially people who did not grow up using the internet.
Phishing is among the most common cyber attacks, targeting both individuals and companies. The consequences of successful phishing attacks can be severe, ranging from loss of confidential information or intellectual property to breach of customer data or ransomware infection. Any of those outcomes can result in financial and reputational damages, which is why any organization should train its employees on the constantly evolving threat landscape.
In recent years, phishing emails have become far more sophisticated, and some are genuinely hard to distinguish from legitimate mail. In many cases the attacker imitates a well-known company or brand - a practice commonly known as "brand phishing" - in order to exploit the trust and familiarity users have with that brand. According to Proofpoint's 2024 State of the Phish report, Microsoft was the most abused brand in 2023, appearing in 68 million malicious messages, with Office 365 alone appearing in 20 million malicious mails. Other frequently exploited brands include Adobe, DHL and Google, although none of them comes close to the volume of fraudulent messages sent in the name of Microsoft.