'Insider spoofing' or faking the CEO's email address to trick the CFO into transferring millions to criminal bank accounts is big business. Now Microsoft is using big data and reputation filters to try and squish the threat.
According to the FBI, between October 2013 and August 2015, 7,066 US businesses have fallen prey to 'business email compromise', netting criminals an estimated $747m.
Non-US victims lost a further $51m over the period, with the FBI estimating a 270 percent increase in identified victims since January 2015, when it first released figures about the threat category.
As Microsoft notes, when a corporate email domain is spoofed, it makes it hard for existing filters to identify the bogus email as malicious.
However, Microsoft reckons it has achieved a 500 percent improvement in counterfeit detection using a blend of big data, strong authentication checks, and reputation filters in Exchange Online Protection for Office 365.
It's also rolling out new phishing and trust notifications to indicate whether an email is from a known sender or if a message is from an untrusted source, and therefore could be a phishing email.
The company is also promising a faster email experience as it vets attachments for malware and new tools to auto-correct messages that are mis-classified as spam. The aim is to boost defences without impairing end-user productivity.
Malicious email attachments remain a popular way for attackers to gain a foothold in an organization and, as RSA's disastrous SecurID breach in 2011 showed, a little social engineering can go a long way to ensuring someone opens it.
Microsoft's new attachment scanner, called Dynamic Delivery of Safe Attachments, looks to reduce delays as it checks attachments for potential threats.
Currently it captures suspicious looking attachments in a sandbox with a 'detonation chamber' where it analyses it for malware in a process takes five to seven minutes.
Microsoft hasn't figured out a faster way to analyse the attachment, but instead of holding up the email as it conducts the scan, it will send the body of the email with a placeholder attachment. If the attachment is deemed safe, it will replace the placeholder and if not, the admin can filter out the attachment.
The feature is part of Microsoft's Office 365 Exchange Online Protection and Advanced Threat Protection services.
The company is also tackling false-positive spam, or legitimate messages that are mis-identified as spam, and vice versa, with a new feature called Zero-hour Auto Purge, which allows admins to "change that verdict".
"If a message is delivered to your inbox and later found to be spam, Zero-hour Auto Purge moves that message from the inbox to the spam folder; the reverse is true for messages misclassified as spam," Microsoft notes.
Microsoft is testing this approach with 50 customers and says it will be rolled out for all Exchange Online Protection global clients in the first quarter of 2016.