O365 attacks continue exploiting your weakest link

With more than 120 million active users, Office (O365) is a frontrunner in the cloud service popularity contest. Consequently, its users are equally popular with hackers. For IT pros, storing data in the cloud means a bigger attack surface, a threat aggravated by targeted, more sophisticated techniques.

Guided by the “you are only secure as your weakest link mantra, hackers continue exploiting the absence of security awareness, commonly in the form of employees.

This post will summarize some of the recent O365 assaults, along with some best practice guidelines to help your organization avoid exposure.

The foothold: Phishing

While they won’t fall for letters from a Nigerian prince, end-users might find it harder to avoid today’s crafted attacks. Free of misspelled words, and doubtful attachments, O365 phishing emails appear to be from a trusted source. Messages are carefully constructed, perhaps taking the form of an automated email alert from Microsoft, or a document to review from a colleague. Both will prompt the user to enter their credentials on a malicious web page, constructed to look like the O365 login page. If successful, access to just one account, can lead to more advanced attacks via user impersonation.

The targeted: Brute-force

Scaling down the classic brute-force technique, attackers recently targeted O365 accounts belonging to senior employees at Fortune 2000 companies. With a trial-and-error methodology on credentials using email variations of their name, and a single password likely retrieved from a previous breach, attacker’s attempted 100,000 logins. Their approach was staggered and concealed further with a cloud-on-cloud method from multiple cloud providers. This gave them multiple chances to guess the username, before being prompted to enter the password on O365.

The privileged: KnockKnock

In the recent KnockKnock campaign, accounts with elevated privileges, such as service accounts, were the target of a botnet attack. Service accounts are not tied to a unique user, but rather used to integrate corporate email systems with tools such as marketing and sales automation. Despite their high value, these accounts are often missing key security measures such as a suitable password policy, or multi-factor authentication (MFA). Since they are not regularly monitored, they can be used to access resources unnoticed. By targeting such accounts, attackers are enabled to steal data, and launch additional attacks, including enterprise-wide phishing attacks.

The old rules still apply

When it comes to securing O365, the old security rules still apply. The following best practices address security vulnerabilities in most organizations, and serve as effective barriers for attackers:

  1. Despite repeatedly being dubbed as the weakest link, employees want to do the right thing. A security awareness training program can help them identify potential threats such as phishing, and social engineering, as well as the steps to take when something seems suspicious. The program should be completed by all new employees and followed up with updated training on an annual basis.
  2. Control privileges: When setting administrator privileges, always do so for the lowest level required. Keep an eye out for stale accounts as they can be an attractive target for attackers. Organizations using Azure AD Connect for directory synchronization should follow the suggested actions outlined here, to avoid the creation of unwanted administrator privileges. The suggested actions are in response to an advisory flaw, for an improper configuration in Azure AD Connect, which led to the creation of stealthy admins.
  3. Awareness training can only go so far, and when it comes to authentication, putting the security burden on authentication systems can eliminate the threat when end-user judgement fails. The Digital Identity Guidelines from NIST is a good standard to follow when creating authentication requirements for O365.

(Last updated on October 30, 2023)

Tags: , ,

Back to Blog

Related Articles

  • Why choose 3rd party MFA for O365?

    The adoption of SaaS services requires organizations to house user data in the cloud. Without the right strategy in place, this can mean user management and authentication processes – outside the confines of IT. Take the move to O365, and its creation of a tenant in Azure AD. Maintaining it alongside the on-premises Active Directory…

    Read More
  • Step up your security game with dynamic MFA

    Multi-factor authentication (MFA) requires authentication from independent categories of credentials: something you know (i.e. password), something you have (i.e. Mobile device), and something you are (i.e. Fingerprint). MFA enhances security when accessing resources on SaaS applications, and even during password resets. When it comes to authentication, more layers means more protection against attacks and breaches….

    Read More