HOSTED NEWS

Isaac Gounton • Jul 28, 2022

The Biggest Office 365 Vulnerabilities

Over 70% of Office 365 business users suffer at least one compromised account each month. Office 365 applications come with some inherent vulnerabilities, especially when admins do not follow proper security measures. These are the biggest vulnerabilities to look out for:

Phishing Attacks


Phishing emails have been around for years, but they never go away – instead they mutate and seemingly live forever. One particularly popular attack is aimed at Office 365 admins. In some cases the phishing emails even appear to come from Microsoft with company logos or Office 365 logos.


“The messages include an HTML attachment that redirects the victim to a phishing site that is designed to look like the Microsoft Office 365 portal. At that point, the victim is prompted to enter their Office 365 credentials, and those credentials are promptly stolen,” writes Microsoft MVP Brien Posey in a Redmond.com column.


These emails, purportedly from Microsoft, ask Office 365 admins to perform an action, often updating billing information. This same attack has a new approach. “Instead of trying to spoof Microsoft in the message’s Sender field, the attacker will send the message from another domain that has been compromised. The idea is that because the message comes from a legitimate domain (albeit one that has been compromised), filters will be less likely to block the message. Of course, an administrator who is paying attention can easily verify that the message did not come from Microsoft,” Posey explained.


The SharePoint Attack


SharePoint is a key repository for corporate data, so needless to say it is a top target. Experienced attackers compromise Office 365 accounts and use them to plant malware on SharePoint sites. To make matters worse, they then send links to the company’s clients offering access to business documents.


“These scams have gone as far as adjusting the names and contents of the files to look legitimate. For example, we have seen cases where a malware-laden Excel document was posted on an employee’s legitimate OneDrive for Business shared folder, and that link was sent to all business contacts that had been active in the past six (6) months,” security consultancy TrustedSec reported.


Account Takeover Attacks (ATO)


Account takeovers are the most common form of Office 365 compromise. 71% of Office 365 deployments have suffered an account takeover of a legitimate user’s account, and not just once: on average it happens seven times a year. By hijacking these accounts, hackers have sent millions of malicious junk mails.


The attackers use login credentials stolen through data breaches and shared across hacker forums. A big problem here is that even old passwords are valuable, since many passwords so rarely change; the main culprit is passwords set to never expire. To make the most of an attack, hackers watch the activity in the account to learn how to inflict the most damage, or to steal the most valuable data such as financial information or confidential files.


Ransomware Attacks


Ransomware is on the rise with one attack happening every 14 seconds.


The Cerber ransomware attack hit some 57% of Office 365 sites, spreading throughout the tenant via email and bypassing Office 365 security by using private Office 365 email accounts. This was a variant of a previous attack, and itself the basis of newer ransomware exploits.


KnockKnock-like Attacks


The KnockKnock attack was a novel type of brute force attack. It may be largely gone, but KnockKnock-like attacks persist to this day. Targets are normally admin accounts that have not been assigned to a particular user.


Targets identified by Skyhigh Networks included service accounts (like the ones used for user provisioning in larger enterprises), automation accounts (like the ones used to automate data and system backups), machine accounts (like the ones used for applications within data centers), marketing automation accounts (like the ones used for marketing and customer communication), internal tools accounts (like the ones used with JIRA, Jenkins, GitHub etc.), “in addition to accounts set up for distribution lists and shared and delegated mailboxes,” the company said.


“The reason this is so clever is that system accounts, given their purpose, tend to have higher access and privileges than an average account. Moreover, such accounts do not yield well to authentication frameworks like Single-Sign-On (SSO) or Multi-Factor Authentication (MFA) and are also subject to lax password policies. These two aspects help reveal the motivation behind KnockKnock, (i.e. attack a weak-link with the potential for elevated exploits).”


These unassigned accounts are rarely monitored, usually automated and ignored, not protected by two-factor authentication, and secured with poor passwords. Yet they can still be used to gain access to corporate Office 365 email accounts for phishing, data theft, and more.
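As an added example (not part of the original article), the following Python script flags the pattern described above in sign-in logs: many failed password attempts against one account from several source addresses, no MFA ever used on that account, and a success following the failures. The sample records and their field names are constructed assumptions, not a real Azure AD schema.

```python
"""Flag KnockKnock-style brute-force activity against unmonitored accounts.

Added example, not code from the original article. Scans constructed
sign-in records and reports accounts that look like the service/automation
accounts the attack targets: many failures, several source IPs, no MFA.
"""
from collections import defaultdict

# Constructed sample sign-in events (field names are assumptions).
SAMPLE_SIGNINS = [
    {"ts": "2022-07-01T02:00:01", "user": "svc-backup@example.com", "result": "Failure", "ip": "203.0.113.5", "mfa": False},
    {"ts": "2022-07-01T02:00:09", "user": "svc-backup@example.com", "result": "Failure", "ip": "203.0.113.5", "mfa": False},
    {"ts": "2022-07-01T02:00:17", "user": "svc-backup@example.com", "result": "Failure", "ip": "198.51.100.7", "mfa": False},
    {"ts": "2022-07-01T02:00:25", "user": "svc-backup@example.com", "result": "Failure", "ip": "198.51.100.7", "mfa": False},
    {"ts": "2022-07-01T02:00:33", "user": "svc-backup@example.com", "result": "Failure", "ip": "192.0.2.44", "mfa": False},
    {"ts": "2022-07-01T02:00:41", "user": "svc-backup@example.com", "result": "Success", "ip": "192.0.2.44", "mfa": False},
    {"ts": "2022-07-01T08:15:00", "user": "alice@example.com", "result": "Failure", "ip": "10.0.0.12", "mfa": False},
    {"ts": "2022-07-01T08:15:20", "user": "alice@example.com", "result": "Success", "ip": "10.0.0.12", "mfa": True},
] + [  # five failures against an automation account, but all from one address
    {"ts": f"2022-07-01T03:10:{i:02d}", "user": "jenkins-bot@example.com", "result": "Failure", "ip": "203.0.113.9", "mfa": False}
    for i in range(5)
]


def detect_knockknock(records, failure_threshold=5, ip_threshold=2):
    """Return {user: finding} for accounts showing KnockKnock-like activity.

    An account is flagged when it has at least `failure_threshold` failed
    sign-ins from at least `ip_threshold` distinct source IPs and none of its
    sign-ins used MFA. Severity is "high" when a success followed that many
    failures (the guessing likely worked), otherwise "medium".
    """
    stats = defaultdict(lambda: {"failures": 0, "ips": set(), "mfa": False, "compromised": False})
    for r in sorted(records, key=lambda r: r["ts"]):  # order matters for "success after failures"
        s = stats[r["user"]]
        s["mfa"] = s["mfa"] or r["mfa"]
        if r["result"] == "Failure":
            s["failures"] += 1
            s["ips"].add(r["ip"])
        elif s["failures"] >= failure_threshold:
            s["compromised"] = True
    findings = {}
    for user, s in stats.items():
        if s["failures"] >= failure_threshold and len(s["ips"]) >= ip_threshold and not s["mfa"]:
            findings[user] = {"failures": s["failures"], "source_ips": sorted(s["ips"]),
                              "severity": "high" if s["compromised"] else "medium"}
    return findings


if __name__ == "__main__":
    for user, finding in detect_knockknock(SAMPLE_SIGNINS).items():
        print(user, finding)
```

Lowering `ip_threshold` to 1 also surfaces the single-source attempts against the automation account, at the cost of more noise from ordinary mistyped passwords.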

