Over 70% of O365 business users suffer at least one compromised account each month. The fact is, Office 365 applications come with some inherent vulnerabilities, especially when admins do not follow proper security measures, and rely entirely on non-Office 365-specific security solutions.
While there are plenty of Office 365-focused attacks, there are also many common areas of exposure that are regularly tested by hackers, including poor email practices, lack of attention to data loss/leakage, cloud storage, and more. Smart Microsoft IT pros take pains to address both concerns.
Meanwhile, hackers are smart enough to know that Office 365 admins hold the keys to the kingdom, and increasingly attempt to crack these high-level accounts.
The Gift That Keeps Giving
A big problem with exploits is they never seem to go away. Let’s say a hacker creates an attack that runs wild, breaches systems and wreaks havoc. It might seem like it died out since the attacks lessen, but in reality, other hackers tweak the code, and the exploits reemerge under a new name. These attacks mutate, and seemingly live forever.
This is the case with a popular phishing attack aimed at O365 admins, which has taken myriad forms. In some cases, these phishing emails even appear to come from Microsoft, with company logos, Office 365 logos, or Teams logos.
“The messages include an HTML attachment that redirects the victim to a phishing site that is designed to look like the Microsoft Office 365 portal. At that point, the victim is prompted to enter their Office 365 credentials, and those credentials are promptly stolen,” wrote Microsoft MVP Brien Posey in a Redmond.com column. These emails, purportedly from Microsoft, ask O365 admins to perform an action, often updating billing information. Now this same attack has a new approach. “Instead of trying to spoof Microsoft in message’s Sender field, the attacker will send the message from another domain that has been compromised. The idea is that because the message comes from a legitimate domain (albeit one that has been compromised), filters will be less likely to block the message. Of course, an administrator who is paying attention can easily verify that the message did not come from Microsoft,” Posey explained.
Phishing Email Sent to Microsoft MVP
The SharePoint Target
As a key repository for critical corporate data, SharePoint is a tantalizing target. Hackers are compromising O365 accounts, and using them to plant malware on corporate SharePoint sites. Making matters worse, they send out links to the infected SharePoint sites to company clients, offering access to purportedly legitimate business documents. “These scams have gone as far as adjusting the names and contents of the files to look legitimate. For example, we have seen cases where a malware-laden Excel document was posted on an employee’s legitimate OneDrive for Business shared folder, and that link was sent to all business contacts that had been active in the past six (6) months,” security consultancy TrustedSec reported.
Accounting for Account Takeover Attacks (ATO)
Account Takeovers is a key way cybercriminals breach and compromise O365 systems. In one month alone, nearly 30% of all O36 shops had accounts compromised this way, and by hijacking these accounts, hackers sent over 1.5 million malicious and junk emails.
The attackers used login credentials stolen through data breaches, and shared across hacker forums. A big problem here is that even old passwords are hacker gold, since many passwords so seldom change.
Password set to never expire is a main culprit here.
To maximize the level of infiltration, ATO hackers compromise an account, but do not take immediate advantage. Instead, they watch the activity in the account to learn more about how to inflict the most damage, or steal the most valuable data such as financial information or executive’s files.
O365 Ransomware on the Rise
Ransomware is running amuck, and O365 is far from immune to this scourge. In fact, the Cerber ransomware attack hit some 57% of Office 365 shops, spreading throughout the tenant via email and bypassing Office 365 security by using private O365 email accounts. This was a variant of a previous attack, and itself the basis on newer ransomware exploits.
KnockKnock Still at the Door
The KnockKnock O365 botnet may be largely gone in name, but KnockKnock-like attacks persist, and are sure to reemerge in more damaging ways. With these attacks, hackers ‘knock’ on backdoors to get into the O365 tenant. Rather than just root around for key chunks of data, the cybercriminals have more ambitious goals – compromising admin accounts. Making it harder to discover, this attack goes after admin accounts that are not assigned to a particular user.
SkyHigh Networks, now owned by McAfee, tracked and dissected KnockKnock. “The system accounts that SkyHigh identified as targets included service accounts (like the ones used for user provisioning in larger enterprises), automation accounts (like the ones used to automate data and system backups), machine accounts (like the ones used for applications within data centers), marketing automation accounts (like the ones used for marketing and customer communication), internal tools accounts (like the ones used with JIRA, Jenkins, GitHub etc.), in addition to accounts set up for distribution lists and shared and delegated mailboxes,” the company said. “The reason this is so clever is that system accounts, given their purpose, tend to have higher access and privileges than an average account. Moreover, such accounts do not yield well to authentication frameworks like Single-Sign-On (SSO) or Multi-Factor Authentication (MFA) and are also subject to lax password policies. These two aspects help reveal the motivation behind KnockKnock, (i.e. attack a weak-link with the potential for elevated exploits).”
These unassigned accounts are rarely monitored, usually automated and ignored, not protected by two-factor authentication and secured with poor passwords. However, they can still be used to gain access to corporate Office 365 email accounts for phishing, data-theft, and more.
Similar attacks continue to challenge IT groups around the world. A recent article, Horizontal Password Guessing Attacks, on Symantec’s website warns of another type of attack model. These attacks are often performed by hackers using malicious BotNets that leverage infected machines in China, India and other locations that can be uncommon login origins for your Office 365 tenant. To help organizations guard against these types of attacks, CoreView implemented a new reporting model in CoreView that groups these types of suspicious sign-ins by category. Leveraging Custom Pivot Table reports in CoreView will help you quickly identify common locations for Failed Sign-ins for your tenant, so you can create policies on your Azure AD to block online access from suspicious areas or IP addresses.
Learn About 26 Office 365 Security Pain Points – and How to Cure Them
CoreView has four white papers showing 26 common O365 security problems. Topics include: