Surprising Security News from Microsoft: Are You Protected?
Microsoft recently announced some security statistics from 2021, and they’re more than a little eyebrow-raising.
The headline statistic? Microsoft blocked more than 35.7 billion malicious emails from reaching the inboxes of its Microsoft 365 customers. Yes, that’s billion — with a b. That’s nearly 100 million emails a day, or more than 4 million per hour, or almost 68,000 every minute of every day in 2021.
As bad as malicious emails are, imagine how much worse they’d be without the Herculean efforts of cloud providers like Microsoft and others.
We’ll cover other news from Microsoft’s latest security announcement today, plus talk about what steps you should take to make sure your company remains protected.
What Were These Malicious Emails?
“Malicious emails” is a broad term that can include a wide range of attacks. But most of the 35.7 billion were plain old phishing emails. That’s both good and bad news, depending on how you look at it.
It’s good news that Microsoft stopped so many of these emails.
But it’s bad news that scammers continue to send them in such volume — and the reason why is the real problem.
Scammers keep sending phishing emails because some of them get through, and the ones that do get through remain painfully effective.
Other Notable Security Stats from Microsoft
In addition to the total number of intercepted emails, Microsoft also announced that it stopped 9.6 billion brute force attacks in 2021. These are attacks where the attacker tries to break into an account by guessing at the credentials (often using automated tools that can input millions of guesses in a short span).
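The pattern described above (many credential guesses against one account in a short span) is also what defenders look for in their own sign-in logs. Below is an added example, not part of Microsoft's announcement or any Microsoft product: a small sliding-window detector that counts failed sign-ins per account and source address and flags bursts that cross a threshold, plus whether a success followed the burst. The log format and every value in it are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (hypothetical format, not from any real
# product): timestamp, result, account, source IP.
SAMPLE_LOG = """\
2021-06-01T10:00:01Z FAIL alice@example.com 203.0.113.5
2021-06-01T10:00:02Z FAIL alice@example.com 203.0.113.5
2021-06-01T10:00:02Z FAIL alice@example.com 203.0.113.5
2021-06-01T10:00:03Z FAIL alice@example.com 203.0.113.5
2021-06-01T10:00:04Z FAIL alice@example.com 203.0.113.5
2021-06-01T10:00:05Z OK   alice@example.com 203.0.113.5
2021-06-01T10:00:30Z FAIL bob@example.com 198.51.100.7
2021-06-01T10:45:00Z FAIL bob@example.com 198.51.100.7
2021-06-01T10:46:00Z OK   bob@example.com 198.51.100.7
"""


def parse_line(line):
    """Split one log line into (timestamp, result, account, ip)."""
    ts, result, account, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, account, ip


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag (account, ip) pairs with >= threshold failures inside a sliding window.

    Returns {(account, ip): {"failures": peak_failures_in_window,
                             "success_after_burst": bool}}.
    A later OK for a flagged pair is recorded, because a success right after
    a guessing burst is the event that most needs investigation.
    """
    failures = defaultdict(list)  # (account, ip) -> recent failure timestamps
    flagged = {}
    for line in log_text.strip().splitlines():
        ts, result, account, ip = parse_line(line)
        key = (account, ip)
        if result == "FAIL":
            times = failures[key]
            times.append(ts)
            # Drop failures that have aged out of the window.
            while times and ts - times[0] > window:
                times.pop(0)
            if len(times) >= threshold:
                entry = flagged.setdefault(
                    key, {"failures": 0, "success_after_burst": False})
                entry["failures"] = max(entry["failures"], len(times))
        elif result == "OK" and key in flagged:
            flagged[key]["success_after_burst"] = True
    return flagged


if __name__ == "__main__":
    for (account, ip), info in detect_brute_force(SAMPLE_LOG).items():
        print(f"{account} from {ip}: {info['failures']} failures in window, "
              f"success afterwards: {info['success_after_burst']}")
```

With the constructed log, alice's five failures in four seconds cross the threshold and the following success is flagged; bob's two failures are 45 minutes apart and never share a window, so nothing is raised. Threshold and window are the knobs to tune against your own baseline of legitimate typos.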
Here again, Microsoft has done great work. Their efforts to keep business customers safe are absolutely commendable. (Even if they aren’t absolutely foolproof: Microsoft doesn’t — and can’t — guarantee that zero accounts were accessed using brute force methods.)
Why So Many Brute Force Attacks?
And once more, it’s worth asking the question: why are threat actors attempting so many brute force attacks in the first place?
The reason is the same as for the glut of malicious emails: scammers and hackers do these things because they continue to work. And the main reason they continue to work is bad credential management and password hygiene.
Microsoft Is Working Hard to Keep You Safe, But You Need to Act, Too
As valiant as Microsoft’s efforts are at stopping malicious email and brute force attacks, they’ll never be enough. The same is true for other business email providers, including Google.
That’s because credentials are at the core of nearly every business security challenge. And no matter what measures Microsoft puts in place, they can’t entirely prevent your team members from doing irresponsible things with their credentials.
Many people like to use the same easy-to-guess password across dozens of sites. Doing so is convenient for them, but if one account gets compromised, then they’re all at risk.
Some employees might also write down their passwords on a sticky note next to their workstations or keep an unencrypted file of passwords saved to their desktop.
One Top Security Strategy: Multi-Factor Authentication
One powerful and relatively easy way to drastically increase account security is to enable two-factor or multi-factor authentication (MFA). Most MFA solutions involve sending a temporary code to a secondary device (usually a phone or a dedicated piece of hardware). Hackers may steal a user’s credentials, but without access to that temporary code, they can’t get in.
Other strategies that might make sense for your business include business-grade password managers and even biometric login measures.