Is your non-profit using Microsoft 365? Phishers may be targeting you

2021 has been a landmark year in stories of cybersecurity and phishing, and Microsoft users have been a top target for attackers. 

We heard stories from several local companies about phishing attacks against their Microsoft 365 users, and there was an interesting link between the organizations: they were all nonprofits.

Why Nonprofits, and why Microsoft 365?

For starters, attackers love targeting nonprofits. They have plenty of valuable data to steal, but fewer resources to protect themselves compared to other industries. On top of that, Microsoft 365 is such a common platform that it’s easy for attackers to hedge their bets on Microsoft users. 

Still, why does that make them a prime target for phishing?

Nonprofits get to take advantage of discounts and special subscription plans from vendors like Microsoft, which is great for the cost-conscious nature of the industry. Unfortunately, though, it’s easy for a non-tech person to miss the fact that Microsoft 365 doesn’t come with all of its security features included at base price. 

Microsoft 365 users do receive some basic defenses from a toolset called Exchange Online Protection, but Microsoft’s strongest features—Microsoft 365 Defender—cost an extra $2 or $5/month per user depending on your subscription plan. (You can view their options here). 

Microsoft Defender add-on for Microsoft 365

Microsoft Defender does a lot of extra lifting to protect users from phishing attempts, spam emails, and it uses more advanced features like scanning links and attachments for hidden threats. Sure enough, of all the companies we’d heard from, none of them were using the Microsoft Defender add-on. 

This isn’t an indictment against Microsoft either, but it means that a company evaluating email platforms might decide to move their team to Microsoft 365 because of the base pricing, without realizing they need the Microsoft Defender add-on to get all the necessary security features. For a nonprofit that works around tight budgets, and may be lagging behind on other forms of security, that oversight could lead to serious consequences.

The Takeaway

No matter what security you have in place, the best protection your team can have is the education to spot a threat before they click. Google’s Jigsaw Phishing Quiz is a great place to start, but our favorite tool for team security training has been Ninjio Cybersecurity Awareness Training, which you can sample for free here. 

If you’d prefer an extra set of eyes on the links you’re clicking, Google Chrome browser comes with built-in phishing detection that can now detect suspicious images and links within 100 milliseconds of seeing them on your screen. 

The other big takeaway is just to take care when you’re looking at a new service for your organization! It can be easy to miss important features like this. If your company is making changes soon, we’d be happy to help you understand what’s out there, and what’s best for your team!