O365 attacks continue exploiting your weakest link
(Last updated on December 3, 2020)
With more than 120 million active users, Office (O365) is a frontrunner in the cloud service popularity contest. Consequently, its users are equally popular with hackers. For IT pros, storing data in the cloud means a bigger attack surface, a threat aggravated by targeted, more sophisticated techniques.
Guided by the “you are only secure as your weakest link” mantra, hackers continue exploiting the absence of security awareness, commonly in the form of employees.
This post will summarize some of the recent O365 assaults, along with some best practice guidelines to help your organization avoid exposure.
The foothold: Phishing
While they won’t fall for letters from a Nigerian prince, end-users might find it harder to avoid today’s crafted attacks. Free of misspelled words, and doubtful attachments, O365 phishing emails appear to be from a trusted source. Messages are carefully constructed, perhaps taking the form of an automated email alert from Microsoft, or a document to review from a colleague. Both will prompt the user to enter their credentials on a malicious web page, constructed to look like the O365 login page. If successful, access to just one account, can lead to more advanced attacks via user impersonation.
The targeted: Brute-force
Scaling down the classic brute-force technique, attackers recently targeted O365 accounts belonging to senior employees at Fortune 2000 companies. With a trial and error methodology on credentials using email variations of their name, and a single password likely retrieved from a previous breach, attacker’s attempted 100,000 logins. Their approach was staggered and concealed further with a cloud-on-cloud method from multiple cloud providers. This gave them multiple chances to guess the username, before being prompted to enter the password on O365.
The privileged: KnockKnock
In the recent KnockKnock campaign, accounts with elevated privileges, such as service accounts, were the target of a botnet attack. Service accounts are not tied to a unique user, but rather used to integrate corporate email systems with tools such as marketing and sales automation. Despite their high value, these accounts are often missing key security measures such as a suitable password policy, or multi-factor authentication (MFA). Since they are not regularly monitored, they can be used to access resources unnoticed. By targeting such accounts, attackers are enabled to steal data, and launch additional attacks, including enterprise-wide phishing attacks.
The old rules still apply
When it comes to securing O365, the old security rules still apply. The following best practices address security vulnerabilities in most organizations, and serve as effective barriers for attackers:
- Despite repeatedly being dubbed as the weakest link, employees want to do the right thing. A security awareness training program can help them identify potential threats such as phishing, and social engineering, as well as the steps to take when something seems suspicious. The program should be completed by all new employees, and followed up with updated training on an annual basis.
- Control privileges: When setting administrator privileges, always do so for the lowest level required. Keep an eye out for stale accounts as they can be an attractive target for attackers. Organizations using Azure AD Connect for directory synchronization should follow the suggested actions outlined here, to avoid the creation of unwanted administrator privileges. The suggested actions are in response to an advisory flaw, for an improper configuration in Azure AD Connect, which led to the creation of stealthy admins.
- Awareness training can only go so far, and when it comes to authentication, putting the security burden on authentication systems can eliminate the threat when end-user judgement fails. The Digital Identity Guidelines from NIST is a good standard to follow when creating authentication requirements for O365.