Office 365 Account Takeover

Microsoft now have over 100 million monthly subscribers to their Office 365 SaaS platform. Companies have shifted their email and file data to Exchange Online and SharePoint on a mass scale and thought “that’s one less headache now that Microsoft are managing it”.

There is no denying, the platform is well fortified and is possibly one of the most heavily pen tested environments out there, but it’s designed to make staff agile, encourage collaboration and mobile working easy. This means in many cases; you give someone your Office 365 password and they can access your data from somewhere else.

In the cyber security industry, we are seeing a surge and rise in Office 365 account takeovers. This is where credentials are successfully phished through a social engineering campaign, either through spear phishing emails or even a phone call pretending to be IT.

A common example will be an email to a staff member, appearing to be from Microsoft. The email will say something like “Confirm your Office 365 account”, with a link to a convincing landing page asking for their 365 credentials. These types of email will often pass through your email security gateway as there is nothing that would appear malicious from the content itself (but they are still crucial n a layered defense to stop all the other attacks that aren’t going away!)

An evolution in account takeovers is that the industry is now also seeing lateral attacks being performed across a business.

Lateral attacks? Example: “Bob” has their credentials leaked; attacker sends an email from “Bob” to “Jane” asking to wire some money to an account no & sort code. Or maybe “Bob” asks “Jane” for their credentials, then the attacker sends an email from “Jane” (CEO) to “Richard” (Finance), to wire some money somewhere. Perhaps they just use all the credentials to access all your most locked down, secure files and emails. The possibilities are endless.

Small and medium businesses are now major targets because they are seen as soft targets with less security.

It’s not safe to have the attitude “we’re too small for anyone to target us” because it’s simply not true. I’ve seen companies with under 10 employees pay a £10,000 Ransom because they got hit and didn’t have backup. I’ve seen small business with under 50 employees lose roughly £150,000 through a fraudulent wire transfer to a “known supplier” in their chain. ATO is no different in it’s targets.

It is scary stuff but lets not suddenly rush to put everything back on-premises because then you lose all that great functionality and the productivity benefits. You can take action to defend your business though.

Here’s just a few tips to help form a layered security strategy:

  • Implement Multi-factor authentication on your Office 365 platform
  • Train your staff on cyber awareness and enable them to become an extra line of defence (rather than a weakness). Effective simulated attack training allows staff to be continually tested by varied spam campaigns in a safe environment, whilst performing point-in-time training and reporting functionality.
  • Implement Real-Time Spear Phishing and Cyber Fraud Defence (check out Barracuda Sentinel it is some futuristic stuff! It will detect abnormal behavior such as impossible logons, e.g. mobile logged in from Nottingham but a Firefox browser logged in 1 minute later from Madrid, or someone making inbox rules to delete mails from sent items or forward responses to an external email. Most important, it’s actionable intelligence.

My take away would be account compromise / account takeover is growing, you need to ensure you are doing enough to protect your business. With some research firms claiming as many as 29% of 365 accounts may have already been compromised, the chances are that an account in your business already is.

Sometimes compromised credentials are leaked and sold on, rather than immediately exploited. Whether you’re curious or sure you’ve got it covered already, I’d recommend run a free scan to give you some insight into what could be lurking in your mailbox!

Filed under: Uncategorised - @ 27 July 2019 09:19