September 20, 2024 | 8 min read
Vasil Michev
Vasil is a nine-time Microsoft MVP and expert with over a decade of experience in Microsoft cloud, lifecycle management, migration, adoption, and automation.

Contributors: Sharon Breeze, Terence Jackson

As Microsoft 365 becomes the world’s digital workspace, cybercriminals are increasingly turning their focus to it. In this article, we’ll cover:

Increased Cyberattacks Target Microsoft 365

In the first quarter of 2024 alone, Microsoft observed a tenfold surge in password-based attacks against Microsoft 365, from around 3 billion per month to over 30 billion. Recent high-profile incidents, such as the Midnight Blizzard attack by the Russian state-sponsored group also tracked as Nobelium, have shown just how exposed organizations are. Worse still, the GRU-linked group tracked as Fancy Bear, APT28, and Strontium is targeting M365 more heavily each year.

In this three-part series, we break down the tools, techniques, and tactics cybercriminals use in an attack on a Microsoft 365 tenant and share clear practical guidance on how best to secure your organization.  

For the first part of this series, we’ll focus on Entry. We’ll explain the different strategies that attackers apply to gain access to your Microsoft 365 tenant, from password-based brute-force attacks to targeting external users with exploitable permissions.  

Stay tuned for parts 2 and 3 of this series, coming soon:

  • The Anatomy of a Microsoft 365 Attack - Part 2: Privilege Elevation
  • The Anatomy of a Microsoft 365 Attack - Part 3: Persistence and Evasion

How Does an Attacker Gain Entry into Microsoft 365?

Before launching an attack, cybercriminals often conduct extensive reconnaissance to identify the most vulnerable entry points into an organization's Microsoft 365 tenant. This research phase involves gathering information about the target organization's infrastructure, user accounts, and potential security weaknesses. Armed with this intelligence, they then employ various techniques to breach the tenant:

So, how can you prevent attackers from exploiting these entry points to gain access to your organization’s tenant? First, you need to understand how each of these tactics works.

Top Ways Cyberattacks Gain Entry into Microsoft 365

Brute Force and Password Spraying in Microsoft 365

During a password spray attack, the attacker tries a small number of commonly used passwords against many different accounts. This contrasts with a brute force attack, where attackers try many passwords against a single account. Together, these are the two most common forms of cyberattacks that cloud-based private organizations experience.  

When Midnight Blizzard breached Microsoft's environment, it used a classic password spray technique to gain entry. While this might seem too easy, it helped the attackers find exactly what they were looking for: a powerful account with a guessable password and no multi-factor authentication. Other examples of famous password spray and brute force attacks include the Bad Rabbit ransomware from 2018 and the GRU campaign of 2019-21.

How to Prevent Brute Force and Password Spray Attempts

Enforce a strong password policy.
Prohibit common and easily guessable passwords. Require a minimum length and complexity. Educate users on how to create strong, unique passwords for their work accounts.

Enforce multi-factor authentication (MFA) for all your Microsoft accounts.
Requiring a second factor prevents access even if a password is compromised. MFA should be mandatory, especially for privileged admin accounts.

Configure Conditional Access to block legacy M365 authentication.
Many password spray attacks use older protocols like IMAP and POP that don't support modern authentication. Blocking legacy auth with Conditional Access Policies (CAP) significantly reduces your attack surface.

Enable password protection for Entra ID.
Entra ID Password Protection (formerly Azure AD Password Protection) detects and blocks known weak passwords and their variants. It can be enforced for both cloud-only and hybrid Microsoft 365 environments.
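The Conditional Access item above is only effective while the policy stays enabled, tenant-wide, and set to block; it is easy for it to drift to report-only mode or to a pilot group. Below is an added example (not code from the original article or from CoreView) that audits a list of policies in the shape returned by the Microsoft Graph endpoint GET /identity/conditionalAccess/policies; the policies themselves are constructed samples and the group id is a placeholder.

```python
# Real Graph field names are used: state, conditions.users.includeUsers /
# excludeUsers, conditions.applications.includeApplications,
# conditions.clientAppTypes and grantControls.builtInControls.
# Legacy (non-modern-auth) clients map to exactly these two client app types.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}

# Constructed sample policies: one drifted to report-only, one scoped to a
# pilot group only, and one unrelated MFA policy.
SAMPLE_POLICIES = [
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block legacy auth - pilot", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["<pilot-group-id>"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

def legacy_auth_findings(policy):
    """Reasons this policy fails to block legacy auth tenant-wide (empty list = it does)."""
    c, g = policy.get("conditions", {}), policy.get("grantControls") or {}
    users = c.get("users", {})
    findings = []
    if policy.get("state") != "enabled":
        findings.append("not enforced (state=%s)" % policy.get("state"))
    if users.get("includeUsers") != ["All"]:
        findings.append("not scoped to all users")
    if users.get("excludeUsers"):
        findings.append("has user exclusions")
    if c.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("not scoped to all cloud apps")
    if not LEGACY_CLIENT_APPS.issubset(c.get("clientAppTypes", [])):
        findings.append("does not target both legacy client app types")
    if "block" not in g.get("builtInControls", []):
        findings.append("grant control is not block")
    return findings

def audit_legacy_auth(policies):
    """Return (covered, report): covered is True when at least one policy passes
    every check; report maps each policy name to its list of findings."""
    report = {p["displayName"]: legacy_auth_findings(p) for p in policies}
    return any(not f for f in report.values()), report
```

Run this on a schedule against the live policy list and alert when `covered` flips to False, which is the configuration-drift signal the later sections of this article keep returning to.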

Brute Force and Password Spray Detection

Report on sudden spikes in failed logins.
A high volume of failed logins across many accounts in a short period is a telltale sign of a password spray attack. Configure your SIEM to alert on this anomalous activity.

Stay alert for high numbers of locked accounts.
Multiple accounts getting locked out around the same time could indicate a spray attack that exceeded lockout thresholds. Investigate any widespread account lockouts.

Watch out for unknown or invalid user attempts.
Password spray attacks often try to log into accounts that don't exist to avoid lockouts on real accounts. Monitor for failed logins with invalid usernames.
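The three detection points above (failure spikes across many accounts, lockouts, and attempts against non-existent users) can be checked together over Entra ID sign-in logs. The following is an added example, not code from the article or from CoreView; the sign-in records are constructed samples, while the error codes are the real Entra ID sign-in error codes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in error codes (real values): 50034 = user account does not
# exist, 50053 = account locked out, 50126 = invalid credentials. 0 = success.
USER_NOT_FOUND, LOCKED_OUT, INVALID_CREDS = 50034, 50053, 50126

# Constructed sample records, loosely shaped like Entra sign-in log entries.
SAMPLE_SIGNINS = [
    {"time": "2024-09-20T08:00:05Z", "user": "alice@contoso.example", "ip": "203.0.113.7", "error": 50126},
    {"time": "2024-09-20T08:00:09Z", "user": "bob@contoso.example",   "ip": "203.0.113.7", "error": 50126},
    {"time": "2024-09-20T08:00:14Z", "user": "carol@contoso.example", "ip": "203.0.113.7", "error": 50126},
    {"time": "2024-09-20T08:00:20Z", "user": "dave@contoso.example",  "ip": "203.0.113.7", "error": 50126},
    {"time": "2024-09-20T08:00:25Z", "user": "ghost@contoso.example", "ip": "203.0.113.7", "error": 50034},
    {"time": "2024-09-20T08:00:31Z", "user": "erin@contoso.example",  "ip": "203.0.113.7", "error": 50053},
    {"time": "2024-09-20T08:05:00Z", "user": "alice@contoso.example", "ip": "198.51.100.4", "error": 50126},
    {"time": "2024-09-20T08:05:30Z", "user": "alice@contoso.example", "ip": "198.51.100.4", "error": 0},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_password_spray(signins, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs whose failed sign-ins touch >= min_accounts distinct
    accounts inside any sliding time window. A spray is 'few passwords, many
    users', so the unit counted is distinct users per IP, not failures per user."""
    failures = defaultdict(list)
    for rec in signins:
        if rec["error"] != 0:
            failures[rec["ip"]].append((_ts(rec["time"]), rec["user"]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = users
                break
    return flagged

def invalid_user_attempts(signins):
    """Usernames that do not exist in the tenant but were tried anyway."""
    return sorted({r["user"] for r in signins if r["error"] == USER_NOT_FOUND})

def locked_accounts(signins):
    """Accounts that hit the lockout threshold during the period."""
    return sorted({r["user"] for r in signins if r["error"] == LOCKED_OUT})
```

A single legitimate user mistyping a password (the second IP in the sample) never trips the spray rule, because it only ever touches one account.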

Email and Spear Phishing in Microsoft 365

Spear phishing is a sophisticated email attack aimed at a particular individual, business, or organization. Unlike regular phishing which uses generic, broad messages, spear phishing is highly customized to the intended target.

71.4% of Microsoft 365 business users suffer at least one compromised account each month. Examples of spear phishing attacks can be found as early as 2009 with Operation Aurora, which targeted companies like Adobe and Google. Cybercriminals use it for a wide variety of complex objectives, including ransomware deployment, financial fraud, and reconnaissance.

Ensure that Microsoft Defender/Advanced Threat Protection is properly configured.
Microsoft Defender for Office 365 includes advanced threat protection features like Safe Links, Safe Attachments, and anti-phishing policies. Make sure these are enabled and tuned for your environment.

Implement advanced email security beyond Microsoft's native Advanced Threat Protection capabilities.  
While Microsoft's built-in features provide a good baseline, consider augmenting with third-party email security solutions for more comprehensive protection against sophisticated threats.

Ensure the Safe Links policy is enabled.
Safe Links protects users from malicious URLs in emails and Office documents. Ensure the policy is turned on and configured to scan URLs and email attachments.

Ensure internal phishing protection for Forms is enabled.
This setting in Microsoft Defender for Office 365 protects against phishing attempts that use Microsoft Forms.

Ensure Microsoft Defender for Cloud Apps is enabled.
Defender for Cloud Apps (formerly Cloud App Security) provides visibility, control, and threat protection for your cloud apps, including detecting anomalous activities that could indicate a compromised account.

Ensure the spoofed domains report is reviewed weekly.
Regularly check the spoof intelligence insight to identify and remediate any spoofed domains targeting your organization.

Run regular phishing simulation exercises and training for your teams.
Educate users to recognize and report suspicious emails through phishing simulations. Provide training to reinforce best practices like scrutinizing message details and not clicking unknown links.

Detecting Phishing Attacks

Monitor your Advanced Threat Protection for configuration drift.
Regularly audit your ATP settings to ensure protections haven't been disabled or misconfigured, which could allow phishing emails through.

Check for suspicious Exchange mailboxes.
Look for mailboxes that have been set with external forwarding, as this could be used to exfiltrate sensitive data to an attacker.

Enforce policies to detect anomalous account logins.
Set up alerts for logins from unusual locations, IP addresses, or devices that deviate from a user's normal behavior.
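The mailbox check above has two places to look: mailbox-level forwarding and inbox rules, and an attacker-created rule typically points outside your accepted domains. This added example (not code from the article or from CoreView) flags both over constructed sample data shaped after the Exchange Online properties that Get-Mailbox (ForwardingSmtpAddress, DeliverToMailboxAndForward) and Get-InboxRule (ForwardTo, RedirectTo, ForwardAsAttachmentTo) expose; the domains and addresses are placeholders.

```python
# Tenant's accepted domains (constructed). Anything else counts as external.
ACCEPTED_DOMAINS = {"contoso.example", "contoso-mail.example"}

SAMPLE_MAILBOXES = [  # constructed, shaped after Get-Mailbox output
    {"PrimarySmtpAddress": "alice@contoso.example", "ForwardingSmtpAddress": None,
     "DeliverToMailboxAndForward": False},
    {"PrimarySmtpAddress": "bob@contoso.example",
     "ForwardingSmtpAddress": "smtp:bob.backup@gmail.example", "DeliverToMailboxAndForward": True},
]
SAMPLE_INBOX_RULES = [  # constructed, shaped after Get-InboxRule output
    {"Mailbox": "alice@contoso.example", "Name": "invoices", "Enabled": True,
     "ForwardTo": ["finance@contoso.example"], "RedirectTo": [], "ForwardAsAttachmentTo": []},
    {"Mailbox": "carol@contoso.example", "Name": ".", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ["archive-mail@outlook.example"], "ForwardAsAttachmentTo": []},
]

def is_external(address):
    """True when the address's domain is not one of the tenant's accepted domains.
    Exchange prefixes mailbox-level forwarding targets with 'smtp:'."""
    addr = address.lower().removeprefix("smtp:")
    return addr.rsplit("@", 1)[-1] not in ACCEPTED_DOMAINS

def external_forwarding(mailboxes, rules):
    """Findings for mailbox-level forwarding and enabled inbox rules that forward
    or redirect outside the accepted domains. Very short rule names are marked
    so a reviewer can prioritise them; they are not required for a finding."""
    findings = []
    for mb in mailboxes:
        fwd = mb.get("ForwardingSmtpAddress")
        if fwd and is_external(fwd):
            findings.append({"mailbox": mb["PrimarySmtpAddress"], "source": "mailbox",
                             "target": fwd, "keeps_copy": mb["DeliverToMailboxAndForward"]})
    for rule in rules:
        if not rule["Enabled"]:
            continue
        targets = rule["ForwardTo"] + rule["RedirectTo"] + rule["ForwardAsAttachmentTo"]
        external = [t for t in targets if is_external(t)]
        if external:
            findings.append({"mailbox": rule["Mailbox"], "source": "inbox rule",
                             "rule": rule["Name"], "target": external,
                             "suspicious_name": len(rule["Name"].strip()) <= 1})
    return findings
```

Pair this with an alert on the Exchange audit events that create or change inbox rules, so a new external rule is seen when it is created rather than at the next scan.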

OAuth Consent Phishing in Microsoft 365

In a typical OAuth consent phishing attack, the attacker registers a malicious app with an OAuth 2.0 provider like Microsoft 365. They then send a phishing email with a link that directs the user to grant permissions to the app. The consent screen shows the permissions the app is requesting, which often include excessive access like the ability to read emails or files. If the user consents, the malicious app gains access to their account data and can perform unauthorized actions without needing further interaction or passwords.

Even security-savvy users can fall for these attacks, as the consent prompts come from legitimate identity providers and the requested permissions may seem reasonable at a glance. Attackers exploit the fact that users are accustomed to granting app permissions as part of their normal workflow.

Preventing OAuth Consent Phishing

Configure Entra ID to require admin consent before third-party applications can access M365 permissions.
This ensures an admin reviews any app requesting sensitive permissions before users can grant consent.

Monitor Entra ID configurations to detect configuration drift.
Regularly audit your OAuth settings to ensure protections haven't been disabled or misconfigured, opening the door to malicious apps.

Document a process for careful review of third-party application privileges.
Establish clear guidelines for evaluating the legitimacy and permissions of OAuth apps. Admins should know how to manage consent requests.


How to Detect OAuth Phishing

Enforce a process to detect third-party apps that are connecting to Entra ID with excessive privilege requirements.
Use tools like Microsoft Defender for Cloud Apps to discover OAuth apps with suspicious permissions or behavior.

Implement a process to have these apps reviewed and removed where appropriate.
Investigate any apps flagged as high-risk and remove their access if they are deemed malicious or unnecessary. Conduct regular audits of consented apps and permissions.
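The two steps above amount to a triage loop over the delegated permission grants in the tenant. Here is an added example (not code from the article or from CoreView) that scores grants in the shape returned by the Microsoft Graph endpoint GET /oauth2PermissionGrants; the grants and app names are constructed, the scope names are real Microsoft Graph delegated permissions, and the risk weights are this example's own judgement rather than a Microsoft list.

```python
# Real Graph fields: clientId (the app's service principal), consentType
# ("AllPrincipals" = admin consent for everyone, "Principal" = one user's
# consent), principalId, and a space-separated scope string.
# Weights are illustrative: mail and file access and offline_access (a refresh
# token, so access outlives the phishing session) score highest.
SCOPE_RISK = {
    "Directory.ReadWrite.All": 4, "Mail.ReadWrite": 3, "Mail.Read": 3, "Mail.Send": 3,
    "Files.ReadWrite.All": 3, "Files.Read.All": 2, "Directory.Read.All": 2,
    "offline_access": 2, "Contacts.Read": 1,
    "User.Read": 0, "openid": 0, "profile": 0, "email": 0,
}

SAMPLE_GRANTS = [  # constructed
    {"clientId": "sp-1", "appDisplayName": "Contoso HR Portal",
     "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read openid profile"},
    {"clientId": "sp-2", "appDisplayName": "Free PDF Converter",
     "consentType": "Principal", "principalId": "user-7",
     "scope": "Mail.ReadWrite Files.ReadWrite.All offline_access User.Read"},
    {"clientId": "sp-2", "appDisplayName": "Free PDF Converter",
     "consentType": "Principal", "principalId": "user-9",
     "scope": "Mail.ReadWrite Files.ReadWrite.All offline_access User.Read"},
]

def score_grant(grant, unknown_scope_weight=1):
    """Sum the weights of the scopes in one grant; unknown scopes still count."""
    return sum(SCOPE_RISK.get(s, unknown_scope_weight) for s in grant["scope"].split())

def triage_consents(grants, threshold=5):
    """Aggregate grants per app and return the apps whose scope risk reaches the
    threshold, with how consent was obtained and how many users granted it,
    highest risk first."""
    apps = {}
    for g in grants:
        a = apps.setdefault(g["clientId"], {"app": g["appDisplayName"], "risk": 0,
                                            "user_consents": 0, "admin_consent": False,
                                            "scopes": set()})
        a["risk"] = max(a["risk"], score_grant(g))
        a["scopes"].update(g["scope"].split())
        if g["consentType"] == "AllPrincipals":
            a["admin_consent"] = True
        else:
            a["user_consents"] += 1
    flagged = [dict(clientId=cid, **a) for cid, a in apps.items() if a["risk"] >= threshold]
    return sorted(flagged, key=lambda f: -f["risk"])
```

Several users consenting to the same high-scope app within a short time is the typical footprint of a consent-phishing campaign, so `user_consents` is worth alerting on as well as `risk`.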

External Teams and SharePoint Users Security

Many organizations need to allow cross-tenant access to their Teams and SharePoint environments. This creates a channel that can be exploited by cyber criminals. The challenge is that you can't enforce your typical security policies (like password complexity or multi-factor authentication) on these accounts.

Despite this, third parties and external users can still have access to sensitive SharePoint and OneDrive documents. They may also be members of multiple Microsoft 365 distribution and Teams groups, creating a unique window for attackers to leverage. If their account is breached, attackers could abuse its access to your environment to steal data or launch further attacks.


How to Prevent Unwanted External Access

Create a governance plan that determines what external users can do, data they can access, and what they can and can't share.
Establish clear policies around external collaboration, including what types of data can be shared, with whom, and for how long. Communicate these policies to both internal and external users.

Disable anonymous sharing and limit the external sharing of sensitive data.
Configure SharePoint and OneDrive settings to prevent unauthenticated access and restrict external sharing for sensitive sites and files. Use sensitivity labels to classify and protect critical data.

Properly configure Microsoft's native DLP capabilities for Exchange, SharePoint, OneDrive, and Teams.
Leverage Data Loss Prevention policies to detect and prevent the unauthorized sharing of sensitive information with external parties. Set up rules to block or restrict sharing based on data classifications.

Monitor your DLP configurations for configuration drift.
Regularly audit your DLP settings to ensure they haven't been modified or disabled, which could allow sensitive data to be exposed. Use tools to track and alert on configuration changes.

How to Identify Unsecured Access in Teams

Enforce a process to detect external users in Teams and SharePoint.
Regularly review the list of external users and their permissions across your Teams and SharePoint sites. Remove access for users who no longer require it or whose accounts show suspicious activity.

Identify public Teams groups.
Scan for Teams that allow public access and verify they don't contain sensitive data or discussions. Restrict public groups to only those with a legitimate business need.

Look for SharePoint sites with external sharing and no expiration policy.
Find sites that allow external access indefinitely and implement expiration policies to automatically revoke access after a set period. This ensures external users don't retain access longer than necessary.

Track all OneDrive files that are being shared externally.
Monitor for sensitive files stored in OneDrive that are being shared with external parties. Investigate any unusual sharing activity or files being accessed by unauthorized users.

Develop a lifecycle management process to decommission unused sites.
Implement a process to identify and archive inactive Teams and SharePoint sites, removing external access in the process. This reduces your attack surface by eliminating stale external permissions.


Compromised Accounts on the Dark Web

In a research effort that identified more than 15 billion credentials in circulation on the dark web, Digital Shadows found domain admin accounts being auctioned for $120,000 on dark web marketplaces. By buying such credentials, cybercriminals can skip the early stages of an attack entirely.

Attackers actively seek out compromised Microsoft 365 accounts on the dark web, especially those with administrative privileges. With a stolen Global Admin account, an attacker could gain unrestricted access to your entire tenant on M365. They could exfiltrate sensitive data, deploy malware, modify configurations, and wreak havoc on your business.

Preventing Dark Web Account Exposure

Enforce least privilege access for Microsoft 365 admins.
Compliance mandates like NIST, SOX, NIS, ASD, and others all require that organizations enforce least privilege. This is especially important for Microsoft 365. Global Admin and other privileged accounts give cyber criminals the power to destroy your business. Try to delegate just enough privilege to administrators and regional teams. If you struggle with Microsoft's delegation capabilities, seek a purpose-built solution to create least privilege access to your tenant.

Enforce strong credential standards for all Microsoft Online accounts.
Require complex passwords. Educate users on password best practices. Consider using a password manager. Implement banned password lists to prevent the use of commonly compromised passwords.

Enforce multi-factor authentication and a zero-trust approach for all logins.
Multi-factor authentication (MFA) adds a critical extra layer of security. Even if a password is compromised, attackers can't access the account without the second factor. Adopt a zero-trust model that continuously verifies every access attempt.


How to Detect Compromised Accounts

Work with third parties to get an assessment of your dark web profile and risk exposure.
Engage a reputable cybersecurity firm to scan dark web marketplaces and forums for any mentions of your organization's accounts or data. They can alert you if any of your Microsoft 365 admin credentials are being sold or traded by cybercriminals. This early warning allows you to proactively reset compromised accounts before they can be abused.

CoreView's Free Tools for Microsoft 365 Security

As a leading Microsoft 365 management platform, CoreView offers a range of free tools for securing Microsoft 365 that help organizations get a head start in assessing and improving their security posture. These tools provide valuable insights into vulnerabilities and misconfigurations that attackers could exploit to gain entry into your environment.

For example:

  • CIS Baselines for Microsoft 365: With over 100 benchmarks across 25+ categories, it can be challenging to understand how CIS standards apply to Microsoft 365. CoreView's dedicated CIS baselines simplify the process by identifying how each control applies to the M365 ecosystem.  
  • Midnight Blizzard App Permissions Scanner: In the wake of the devastating Midnight Blizzard attack, CoreView introduced a free scanner to identify vulnerabilities that cybercriminals could exploit, such as legacy accounts and misconfigured permissions.
  • Entra App Registration Scanner: CoreView's free Entra Security Scanner for App Registrations scans your Microsoft 365 environment to identify security risks associated with app permissions and configurations. Developed by 9-time MVP Vasil Michev and CTO Ivan Fioravanti.

Ready to begin improving your M365 security posture one step at a time? Check out our list of free tools to see how they can help!
