Using a fake invoice, attackers are bypassing Microsoft Office 365 email security to compromise users, according to research from Armorblox. (Photo by Sean Gallup/Getty Images)

Researchers reported on an attack in which the threat actor lured victims with a fake invoice that then bypassed Microsoft Office 365 email security with the potential to compromise more than 100,000 users.

In a Dec. 8 blog post, Armorblox researchers said they successfully identified and stopped this fraudulent email invoice attack, which targeted what they describe as “a national institution in the education industry.”

The researchers said the subject header of the email encouraged victims to open the message and read: “Please find invoice attached.” The goal was use this social engineering tactic to instill a sense of urgency in the victims, making it appear like they needed to take action sooner rather than later.

Unfortunately, the most complex social engineering attacks are not being detected by the sizable investments in security gateway technologies, and complex organizations are searching for answers, said Mika Aalto, co-founder and CEO at Hoxhunt. Aalto said the human element continues to feature in the majority of data breaches, a clear signal that traditional approaches are no longer effective.

“New approaches to solve this challenge are increasingly being deployed using AI-based security behavior change platforms that use gamification to dramatically improve engagement to change people’s behaviors and give them the ability to detect and report sophisticated threats,” Aalto said. “Creating these large ‘human detection engines’ is one of the most effective approaches to solving this challenge.”

Darren Guccione, co-founder and CEO at Keeper Security, said high-profile breaches must serve as a wake-up call for organizations to implement a zero-trust architecture, enable MFA, and use strong and unique passwords for each account. However, Guccione said the effectiveness of these measures becomes diminished if users are tricked into divulging credentials via phishing, smishing, or other social-engineering techniques.

“Organizations must consistently train their employees to recognize attacks that seek to install malware into critical systems, prevent user access and steal sensitive information,” said Guccione. “Users are the last line of defense, and it’s important they are educated about recognizing these attack vectors to protect themselves and their organizations.”