Office 365 account compromise attempts on the increase

With more than 100 million monthly active subscribers, the rapid adoption of Office 365 has made it a hot target

While moving email services to Office 365 is a fantastic way to provide anywhere access for employees and reduce costs, its ubiquity has also made it a breeding ground for highly personalised, compelling attacks by cyber criminals.

With more than 100 million monthly active subscribers, the rapid adoption of Office 365 has made it a hot target. Office 365 Account Compromise attacks are on the rise, with attackers focused on attempting to steal login credentials and ultimately gain access to launch attacks from within an organisation.

There’s an inherent trust when we receive an email from a coworker using their correct address. While it might appear legitimate, unfortunately that’s not always the case.

Many phishing attempts are easy for end users to sniff out because they contain bold requests, misspelled words or questionable attachments that raise red flags. However, we’re seeing an increase in the number of attacks that are much more difficult to spot due to the personalised nature in which they are carefully crafted and delivered.

One common example we’ve seen appears to come from Microsoft to alert the user that they need to reactivate their Office 365 account. While the message itself doesn’t appear to be anything out of the ordinary, it mentions how the user’s account “has been suspended.” While not overly alarming, this is not a typical action on Office 365 accounts. Many employees probably wouldn’t know that and could easily fall victim.

As is the case with any suspicious emails, the user should alert the IT department when a message like this is received. But what happens if the user decides to follow the directions in this message?

This particular attack is designed to steal the user’s Office 365 credentials and take over the account. The user clicks a link in the message that sends them to a well crafted landing page where they are prompted to enter their credentials. Once they do that — game on. The attackers will then have login credentials and access to the account.

From this point, we’ve seen a few different scary scenarios. A common one has attackers setup forwarding rules on the account to observe the user’s communications patterns, both with others inside and outside the organisation. This knowledge can be used as leverage for future attacks such as ransomware or other advanced threats.

Another common scenario is where attackers use the compromised account to send messages to other employees inside the organisation in an attempt to collect additional credentials or other sensitive information.

This approach typically has more short-term success, as there’s typically an immediate response or action required:

·           A so-called colleague forwards a PDF document to review, with casual instructions that say the document can be accessed by entering a work email and password.

·           An invoice is sent via email for payment that requires the recipient to log on to a “web portal” to view the (fake) invoice.

These insider threats are not only looking for credentials, however. Attackers often request an “urgent” action that needs attention, such as paying an invoice or forwarding sensitive information like employee tax details. 

Office 365 is still a relatively new tool with a large and growing user base, and attackers are taking advantage of the accessibility.

Take action

There are steps you can take to protect your organisation and employees:

1.         User training and awareness

Employees should be regularly trained and tested to increase their security awareness of various targeted attacks. Simulated targeted attack training is the most effective form of training. Focus on training high-risk individuals, not just senior executives.

2.         Multi-factor authentication

A form of multi-factor authentication is included with Office 365, but you can also purchase Azure multi-factor authentication that includes extended functionality.

3.         Deploy DMARC authentication

Deploy DMARC (domain-based message authentication, reporting & conformance), an email authentication, policy and reporting protocol that prevents attackers from sending emails from your domain. It blocks domain spoofing and helps you understand who’s sending both legitimate and fraudulent email on your behalf.

4.    Real-time defence

Deploy a dedicated solution for real-time quarantine and defence against spear phishing. Even the most trained employees can fall victim, so find a solution that incorporates employee awareness and real-time defence.

Mark Lukie is a senior sales engineer for Australia and New Zealand at Barracuda Networks. He has over 16 years’ experience in networking, security, backup/disaster recovery, public cloud platforms, as well as systems integration.


Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags cyber securityBarracuda NetworksOffice 365

More about AustraliaBarracuda NetworksMicrosoft

Show Comments