Last Thursday I met with one of Microsoft's Trusted Security Advisors and we got into a discussion about phishing. I mentioned that I have seen quite a lot of phishing attempts on customers in Sweden, using the Office 365 community.
Microsoft is well aware of this extensive targeting. It’s not something new, not for me, us or them. But it’s new for many of the customers and users apparently. And that’s a fact for two reasons:
- Users do click on the link in that phishing e-mail
- Office 365 customer organisations haven’t activated MFA
Consider that Microsoft has reported that they see 180-200 million phishing attempts. To the Office 365 community. Per month. I don't understand at all why MFA isn't in effect when organisations claim that security is important to them. Activating MFA should be one of the first things to do when starting to use Office 365. Aside from activating ATP, of course.