Microsoft Defender struggles to live up to name as cyber crooks get smarter


Microsoft’s in-house security product, Defender, is taking a pounding from increasingly targeted phishing campaigns. With just under one in five malicious emails getting through, it is not always up to the task of shielding its users.

Those are the findings of Avanan, the email security subsidiary of Check Point, whose latest report analyzed three million emails over one week and found that 18.8% of phishing and social engineering emails bypassed Defender and reached users’ inboxes.

Avanan attributes this more to cybercriminals upping their game than to any inherent defect in Microsoft’s product, which it says is still “one of the most secure services on the market.”

“Before unleashing an attack, hackers will test and verify that they are able to bypass Microsoft’s default security,” it said. “In other words, they are crafting attacks that are specifically designed to take advantage of getting around Microsoft and landing in the user’s inbox.”

Citing this as the most probable reason why it had observed more cyberattacks circumventing Defender, Avanan added: “In this context, when our analysis demonstrates that a higher percentage of attacks are bypassing Microsoft’s security, it’s important to note that this does not mean that it got worse. It means that the hackers got better, faster, and learned more methods to obfuscate and bypass the default security.”

Screenshot by Avanan of a scam email spoofing BestBuy. Note the bizarre sender address, which features the words "mouse in the house".

COVID connection?

Avanan also suggests that the observed rise in attacks against Microsoft users may have been fuelled by COVID: since it last ran checks before the pandemic, such attacks have nearly doubled, “with a particular focus on sophisticated phishing campaigns that bypass in-built security.”

Over the same period, since 2020, the share of phishing emails that Defender misses has risen by 74%, and on average it routes only 7% of phishing emails to the junk folder where they belong.

“Thus, the higher number of bypassed emails reflects a concrete, focused effort by hackers the world over to develop tools that will get in front of Microsoft users,” it added. “The emails that bypass Microsoft are incredibly sophisticated and evasive.”

These included one email that claimed to be from retail giant BestBuy, but was in fact sent from a rather dubious-sounding email address featuring the words “mouse in the house”; another sent by the “Pay-Pal_Store”; and a spoofed Microsoft login page featuring the URL “stitch-aware-lime.glitch.me”.
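The indicators in those three examples (a retail brand in the display name but an unrelated sender domain, a hyphenated "Pay-Pal" lookalike, and a Microsoft login page on a free app-hosting domain) are the kind of thing a mail gateway or a SOC triage script can check mechanically before a user ever sees the message. The Python below is an added example written for this page, not code from Avanan, Check Point or Microsoft. The sample From headers and URL paths are constructed, and only the hostname stitch-aware-lime.glitch.me is taken from the report; the brand-to-domain allowlist and the free-hosting list are illustrative assumptions, and the domain extraction is a simplification that ignores the public suffix list.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the article's lures impersonated, mapped to the registrable domains
# they legitimately send from or host sign-in pages on. Illustrative allowlist
# for the example, not an authoritative one (assumption).
BRAND_DOMAINS = {
    "bestbuy": {"bestbuy.com"},
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "outlook.com"},
}

# Free app-hosting domains anyone can publish a page on. glitch.me is the one
# named in the article; the others are added as examples (assumption).
FREE_HOSTING = {"glitch.me", "github.io", "web.app", "pages.dev", "weebly.com"}


def registrable_domain(host):
    """Last two labels of a hostname: 'a.b.glitch.me' -> 'glitch.me'.
    Simplification: a production check would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brands_mentioned(text):
    """Brands whose name survives in the text once spacing and punctuation are
    stripped, so 'Pay-Pal_Store' and 'Best Buy' both match."""
    squashed = re.sub(r"[^a-z0-9]", "", text.lower())
    return {brand for brand in BRAND_DOMAINS if brand in squashed}


def check_sender(from_header):
    """Flag a From header whose display name or local part names a brand while
    the address domain is not one of that brand's own."""
    display, addr = parseaddr(from_header)
    local, _, host = addr.rpartition("@")
    domain = registrable_domain(host)
    findings = []
    for brand in sorted(brands_mentioned(display) | brands_mentioned(local)):
        if domain not in BRAND_DOMAINS[brand]:
            findings.append(f"sender claims {brand} but address domain is {domain}")
    return findings


def check_urls(urls):
    """Flag links hosted on free app-hosting domains, and links whose hostname
    contains a brand name but whose registrable domain the brand does not own
    (e.g. paypal.com.refund-center.test)."""
    findings = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        domain = registrable_domain(host)
        if domain in FREE_HOSTING:
            findings.append(f"link hosted on free hosting domain {host}")
        for brand in sorted(brands_mentioned(host)):
            if domain not in BRAND_DOMAINS[brand]:
                findings.append(f"link host {host} mentions {brand} but domain is {domain}")
    return findings


def triage(message):
    """All findings for one message dict with 'from' and 'urls' keys."""
    return check_sender(message["from"]) + check_urls(message["urls"])


# Constructed samples modelled on the lures described in the article. The
# addresses and URL paths are invented for this example.
SAMPLES = [
    {"from": '"BestBuy" <mouse.in.the.house@example-mail.test>',
     "urls": ["https://example-mail.test/claim-your-prize"]},
    {"from": '"Pay-Pal_Store" <refunds@paypal-store-notify.test>',
     "urls": ["https://paypal.com.refund-center.test/refund"]},
    {"from": '"Microsoft account team" <security@accounts.microsoft.com>',
     "urls": ["https://stitch-aware-lime.glitch.me/login"]},
    {"from": '"Microsoft account team" <security@accounts.microsoft.com>',
     "urls": ["https://login.microsoftonline.com/"]},  # legitimate control
]

if __name__ == "__main__":
    for message in SAMPLES:
        print(message["from"], "->", triage(message) or ["no findings"])
```

The sender rule is deliberately an allowlist rather than a blocklist: a lookalike such as paypal-store-notify.test is flagged not because it looks suspicious but because it is not a domain PayPal owns, which is the same reason the legitimate accounts.microsoft.com control produces no finding. Rules like these catch the crude display-name and free-hosting cases the screenshots show; the campaigns Avanan describes as tested against Defender before release are precisely the ones engineered not to trip such simple checks, so treat this as a triage aid, not a substitute for the gateway.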

The social engineering campaigns themselves tend to focus on bogus giveaways, fake notices of purchases made that lure victims into clicking on dodgy links to claim ‘refunds’, and phony solicitations for quotes regarding business proposals.

The wide variety of such scams seems to bear out Avanan’s assertion that cybercriminal fraudsters are becoming increasingly nuanced in their efforts to extract money from the unwary.

Another screenshot by Avanan of a fake email, this time from criminals pretending to be PayPal and offering refunds on transactions that never took place.

Working hours wasted

This deluge of unchecked phishing has other costs for the targeted businesses. Avanan found that “managing email problems” consumed 23% of staff working hours at the firms it surveyed, and in one outlying case an organization said it had spent 104 working days in a year “just reviewing suspicious email reports.”

“That time drainage leads to other priorities being overlooked and massive burnout among IT and engineering staff,” said Avanan. “With users reporting both actual and imagined phishing emails, [businesses are] spending far too much time sifting through the smoke, unable to locate the fire.”