Email security crisis... What email security crisis?
Let them eat phish
In late August, Microsoft announced a free service that arguably reveals more about the future of the email business and its struggles with security than several years' worth of earnest press releases.
Called AccountGuard, it's Microsoft's answer to the phenomenon of Russian phishing meddling with the US elections and the candidates who stand in them. The idea is simple: a lot of candidates and their helpers get their email provision through Office 365, Outlook.com, or what used to be called Hotmail.com, but these lack the security needed to keep the bad guys out. AccountGuard, ostensibly, will be that extra defence.
At its core, the service is a monitored version of Office 365 email that draws on information from the company's Microsoft Threat Intelligence Center, or MSTIC.
"Microsoft AccountGuard will provide notification about cyberthreats, including attacks by known nation-state actors, in a unified way across both email systems run by organizations and the personal accounts of these organizations' leaders and staff who opt in," according to the launch blurb, which insists it's "protecting democracy", penned by corporate vice president of customer security and trust Tom Burt.
Who's using 2FA? Sweet FA. Less than 10% of Gmail users enable two-factor authenticationREAD MORE
At first this sounds a bit like Google's Advanced Protection Program (APP) launched earlier in 2018, but Microsoft's service is only for candidates standing in elections, whereas Google's is open to anyone. AccountGuard is full service, coming with free email and phone support.
APP, basically, mandates that Gmail users log in with hardware authentication keys (see Google's new Titan key), lock out third-party app access, and puts up with onerous account resets in the event they lose their key.
This provides rules users must follow but is essentially passive. AccountGuard, by contrast, is oriented around telling candidates when Microsoft has detected a phishing campaign that might be targeting them. They can also opt to receive training.
Election-sensitive customers? Anyone?
The differences sound subtle but it's a huge step up in terms of hand-holding for a service that, let's not forget, costs nothing. The "free" thing was such a big deal that Microsoft even got its lawyers to send the Federal Election Commission (FEC) a letter (PDF) asking for clarification that AccountGuard wouldn't breach rules on campaign contributions in kind, which corporations are forbidden from making under US law.
Don't fear 1337 exploits. Sloppy mobile, phishing defenses a much bigger corp IT security threatREAD MORE
This offered a rare insight into Microsoft's thinking when it came up with the concept of AccountGuard, including that the lofty marketing pitch about defending democracy from the orcs of chaos might turn out to be good business.
"Microsoft believes its AccountGuard service will help maintain and expand its market share among election-sensitive customers, assist in the company's product development through the threat intelligence gained from participants in the program, and protect the company's brand reputation," wrote the legals.
The letter reveals that Microsoft plans to expand the scope of AccountGuard to include national and state political party committees, campaign tech vendors, think tanks, advocacy non-profits and – in dovetailing perhaps aimed at Google's APP – journalists.
Intriguingly, the letter went on to mention that "Microsoft may wish to eventually expand its AccountGuard program to include partnering companies, such as Facebook, Twitter, etc., although there are no agreements with such companies at this time," an ambition that seems to envision AccountGuard as the cornerstone protecting political VIPs' entire online profile.
The email God that failed
Whatever the deeper thinking at work here, there is a tacit acknowledgment from both companies that web email security is a bird with broken wings. The industry got busy with initiatives such as SPF, DKIM, and DMARC in an attempt to impose sanity on the problem of email validation and authentication, but these haven't, and probably never will, stop phishing crims from slipping through the cracks.
There are plenty of ideas as to how things could be improved, starting with an authentication overhaul. Google admits almost nobody on Gmail uses its two-step verification security but mucking around with tokens and one-time codes was only ever going to get security so far. What email needs is easier authentication, not more authentication, which is why emerging standards such as WebAuthn look promising.
More advanced account monitoring is the next must-have, which is why Google's APP and Microsoft's AccountGuard look significant. The latter is not for everyone yet, but perhaps when bundled in a Office 365 sub, it might be the type of thing no self-respecting email user would be without. ®
Sponsored: Becoming a Pragmatic Security Leader