Microsoft can’t see the phishing forest for the trees

Instead of fixing flaws in the Outlook apps, Microsoft keeps telling Microsoft 365 admins to block individual malicious emails. Microsoft can’t see the phishing forest for the trees.

The problem is that Microsoft programs Outlook to show the Display Name (friendly name) instead of the actual sender email address. Hackers send malicious emails from phish@evil.com that display as Your Boss in the desktop, web and mobile versions of Outlook. Most busy workers see Your Boss in the display and act on that, not on the actual sender address. A mobile app user cannot see that the email was sent from phish@evil.com at all.

If you’re not familiar with the term, see What is Phishing?

Microsoft can’t see the phishing forest for the trees

When you contact Microsoft 365 support their response is to just mark the phishing email as junk (or block the whole domain, i.e. @evil.com). Hackers simply move on to the next hacked email account and use the same tactic again. This time you get the malicious email from phish@veryevil.com with the display name Your Boss. Microsoft can’t see the phishing forest for the trees.

Phishing forest

When you point out that the problem is with the Display Name feature, Microsoft recommends you purchase Microsoft Defender for Endpoint at a cost of $3.30 per user per month PLUS all the setup and admin monitoring costs.

Microsoft wants to profiteer on a security problem with their own products. It’s immoral. It’s outrageous. Security for the rich, phishing for everyone else.

Further, IT admins who have forked over the dollars for Defender for Endpoint report that it still doesn’t fix the Display Name problem. The display name still hides the actual sender email address.

Simple Solution

Way back when, the From field in Outlook actually showed the sender email address. Microsoft needs to bring that back as the default setting for all Microsoft 365 customers in all versions of the apps. Then the receiver can see the sender email address at first glance and make an informed decision about how to process the email from there.

The display name or friendly name should only be shown when the sender is internal (employee1@yoursmb.ca to employee2@yoursmb.ca). Bonus points if Microsoft added an option to show the display name when an external sender is in your Contacts.

Is it simple? Yes. Think of your email as a big database (tables like Email, Contacts and Calendar, with links between them). You change how the information is displayed by choosing which fields to show. In this case Microsoft needs to make the From field show the sender email address instead of the Display Name.
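To show what the proposed From rule looks like in practice, here is an added example (my own code, not anything from Microsoft or this post) that parses a raw message, shows the friendly name only for internal senders, prints the full address for external ones, and flags an external sender that reuses an internal employee’s display name or fails SPF/DKIM/DMARC in the Authentication-Results header (the case described later in the post). The internal domain yoursmb.ca comes from the post; the internal directory, the messages and the header contents are constructed.

```python
import email
from email.utils import parseaddr

INTERNAL_DOMAIN = "yoursmb.ca"  # assumption: the receiving tenant's own domain
# constructed stand-in for the Contacts/directory list of internal display names
INTERNAL_DIRECTORY = {"Your Boss": "boss@yoursmb.ca", "Employee One": "employee1@yoursmb.ca"}

# constructed sample messages: one internal, one external display-name spoof
INTERNAL_MAIL = "From: Your Boss <boss@yoursmb.ca>\nTo: employee1@yoursmb.ca\nSubject: hi\n\nbody\n"
SPOOFED_MAIL = (
    "Authentication-Results: spf=fail smtp.mailfrom=evil.com; dkim=fail header.d=evil.com;\n"
    " dmarc=fail header.from=evil.com\n"
    "From: Your Boss <phish@evil.com>\nTo: employee1@yoursmb.ca\nSubject: urgent\n\nbody\n"
)

def sender_parts(raw):
    """Split the From header into (display name, address); address is lower-cased."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    return name, addr.lower()

def is_internal(addr):
    return addr.endswith("@" + INTERNAL_DOMAIN)

def auth_failures(raw):
    """Collect spf/dkim/dmarc verdicts other than 'pass' from Authentication-Results headers."""
    msg = email.message_from_string(raw)
    fails = []
    for hdr in msg.get_all("Authentication-Results", []):
        for token in hdr.replace(";", " ").split():  # folded lines are plain whitespace here
            mech, _, result = token.partition("=")
            if mech in ("spf", "dkim", "dmarc") and result and result != "pass":
                fails.append(f"{mech}={result}")
    return fails

def from_label(raw):
    """What the From column should show under the post's rule."""
    name, addr = sender_parts(raw)
    if is_internal(addr):
        return name or addr  # friendly name is fine for colleagues
    warnings = auth_failures(raw)
    if name in INTERNAL_DIRECTORY and INTERNAL_DIRECTORY[name] != addr:
        warnings.append(f"display name impersonates {INTERNAL_DIRECTORY[name]}")
    label = f"{name} <{addr}>" if name else addr  # external: always show the address
    return f"{label} [WARNING: {'; '.join(warnings)}]" if warnings else label

if __name__ == "__main__":
    print(from_label(INTERNAL_MAIL))
    print(from_label(SPOOFED_MAIL))
```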

Fix the mobile app to show sender email address

Microsoft needs to fix the Outlook mobile app to show sender email address.

Below is an example of a scam email I received as seen from the Outlook mobile app.

The sender just shows as Microsoft. The To field shows someone else’s email address, not my own. By going deep into the message properties we can see it was actually forwarded to my email address. Hackers successfully manipulated Outlook display settings to hide that it was forwarded.

Microsoft response: block the sender. Except the sender is shown as Microsoft in desktop version.

Fix Outlook display setting so hackers can’t fool folks

I have another example of hackers manipulating Outlook display settings to fool the receiving employee. In this case the hackers successfully hid the sender email address from displaying in the desktop version of Outlook. This email also failed the SPF and DKIM record checks, but Microsoft sent it directly to the inbox.

Microsoft response: block the sender. I spent hours trying to get Microsoft engineers to acknowledge that the sender email address did not display at all in the Outlook desktop and web versions. And gosh, golly, this might be a problem. I finally gave up after all their responses were a variation of block the sender. And even better, get the end user to go through the message properties. The text of the average message properties fills up pages of Word and most of it is gobbledygook for a regular office worker.

When you request support from Microsoft, now there is a long email containing the phrase “Professional Support does not include the provision of root cause analysis”.

In my last encounter with Microsoft 365 support, the first technician couldn’t speak clear English. Even with my phone volume cranked it was impossible to make out his words. He couldn’t even be bothered to draw arrows on the screen properly to indicate where we needed to be. And he kept wanting to get into internal settings for what was clearly stated to be a problem with external senders. Massive waste of time. Followed by a phone call from a second technician saying we need an expensive upgrade to Microsoft Defender for Endpoint, which other IT admins report doesn’t fix the problem.

They’re not interested in fixing problems.

Microsoft can’t see the phishing forest for the trees.