Government-sponsored hackers, who carry out cyber espionage campaigns, invest more resources than ever to find new ways of attacking the cloud. One of their preferred targets is Microsoft 365, previously called Office 365, a platform used by an increasing number of organizations of all sizes.
From an intelligence collector's perspective, it makes sense to target it. For many organizations the data is probably going to be in Microsoft 365, whether it's in the contents of individual emails, or files shared on SharePoint or OneDrive, or even Teams messages.
On a quantitative level, Office 365 draws over 250 million active users, according to Microsoft statistics. Attackers can thus reasonably assume that some percentage of these users lack proper security protection and, as a bonus, often serve as an easy entry point into an organization’s Azure cloud data, including APIs. A conservative estimate, for example, might peg the percentage of vulnerable machines at 10%—what counts as “vulnerable” depends on the talents of the hacker, which can also include ethical hackers—which would represent over 25 million easy targets to penetrate.
Where Supply Chain Cyberattacks Come In
Supply chain attacks starting in Office 365 can take on many different forms. For instance, spear phishers can use a compromised Office 365 account to scout out a targeted employee’s ongoing emails. They can then use what they learn to go after vendors and suppliers with business email compromise fraud attacks.
Other types can be even more far-reaching. At the end of 2020, for instance, threat actors compromised an IT network management provider’s product update methods and misused their access to infect customers with malware. The attacker compromised the victim’s Office 365 emails, which “may have provided access to other data contained in the company’s office productivity tools”.
Several months later, the new CEO of that company revealed that the attackers had compromised one of its Office 365 accounts in December 2019. “That led them to compromise other email accounts and as a result, our broader [Office] 365 environment was compromised,” they told The Wall Street Journal.
The Cybersecurity & Infrastructure Security Agency (CISA) warned in January 2021 that the same attackers were abusing compromised apps in victims’ Office 365 environments. That threat was present regardless of which vector they used to gain initial access.
Cybercriminal Tactics
Researchers found three key features of the suite that attackers exploit to take over accounts and go on to perform a variety of attacks: OAuth, Power Automate and eDiscovery.
OAuth is used for establishing a foothold, Power Automate is used for command and control and lateral movement, and eDiscovery is used for reconnaissance and exfiltration.
OAuth is the open standard for delegated authorization used by Office 365, and researchers have already observed attackers using it to gain access to the cloud-based suite. Third-party applications use it to sign users in through Office 365’s login service with the user’s existing credentials, so users don’t have to log into every app each time the app needs access.
Unfortunately, this convenience is also a boon for threat actors: an attacker can steal OAuth tokens, or obtain them by convincing a legitimate user to approve a malicious app (typically via a phishing email). Either way, the attacker can maintain persistent, hard-to-detect access to Office 365 accounts.
Power Automate lets users create custom integrations and automated workflows between Office 365 applications, is enabled by default, and includes connectors to hundreds of third-party applications and services—also giving it appeal for both users and hackers.
It allows users to automate mundane tasks but can also be leveraged by attackers, not only because of its default-on status, but also because it allows them to move laterally within the app and execute malicious command-and-control behaviors.
There is no way to turn off individual connectors — it is all or nothing. Attackers can sign up for free trials to get access to premium connectors that do even more.
Meanwhile, Microsoft eDiscovery searches across Office 365 applications and data and exports the results. Once inside Office 365, attackers use this feature as an internal reconnaissance and data exfiltration tool to locate and steal critical data.
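The two footholds described above, a consented OAuth app and eDiscovery exports, both leave audit events that a defender can review. The following is an added example, not code from the original article or from any vendor it mentions: it runs over a handful of constructed audit-style records and flags (a) consent grants that hand an app mailbox or file scopes, noting whether `offline_access` (a refresh token, i.e. persistence) was included, and (b) eDiscovery export operations run by accounts outside a known allow-list. The record layout, field names such as `VerifiedPublisher`, the operation names, the scope list and the allow-list are all assumptions made for illustration; real Unified Audit Log exports carry more fields and should be mapped accordingly.

```python
"""Flag risky OAuth consent grants and unexpected eDiscovery exports.

Added example, not code from the original article. The records below are
constructed and use a simplified, assumed field layout loosely modelled on
Microsoft 365 Unified Audit Log entries; real exports carry more fields.
"""
from collections import defaultdict

# Delegated permissions that give an app standing access to mail or files,
# plus offline_access, which issues a refresh token so the app keeps working
# after the user's session ends (the persistence the article describes).
# Assumed list: tune it to the scopes your tenant treats as sensitive.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Directory.Read.All", "offline_access",
}

# eDiscovery export operations as assumed to appear in an audit export.
EDISCOVERY_EXPORT_OPS = {"SearchExported", "SearchExportDownloaded"}

# Constructed sample records (assumed shape).
SAMPLE_RECORDS = [
    {"Operation": "Consent to application.", "UserId": "alice@contoso.example",
     "AppDisplayName": "Calendar Optimizer Pro", "VerifiedPublisher": False,
     "Scope": "openid profile User.Read Mail.ReadWrite offline_access"},
    {"Operation": "Consent to application.", "UserId": "bob@contoso.example",
     "AppDisplayName": "Corporate Expense Portal", "VerifiedPublisher": True,
     "Scope": "openid User.Read"},
    {"Operation": "SearchExported", "UserId": "legal-hold@contoso.example",
     "SearchName": "case-1042"},
    {"Operation": "SearchCreated", "UserId": "alice@contoso.example",
     "SearchName": "all-mailboxes-finance"},
    {"Operation": "SearchExported", "UserId": "alice@contoso.example",
     "SearchName": "all-mailboxes-finance"},
]

# Accounts whose job role includes running eDiscovery exports (constructed allow-list).
AUTHORISED_EDISCOVERY_USERS = {"legal-hold@contoso.example"}


def risky_consents(records):
    """Return consent events that grant any high-risk delegated scope.

    Each finding lists the offending scopes so an analyst can judge whether the
    app legitimately needs mailbox or file access, and whether a refresh token
    (offline_access) was issued, which is what makes the access survive logout.
    """
    findings = []
    for rec in records:
        if rec.get("Operation") != "Consent to application.":
            continue
        granted = set(rec.get("Scope", "").split())
        risky = sorted(granted & HIGH_RISK_SCOPES)
        if not risky:
            continue
        findings.append({
            "user": rec["UserId"],
            "app": rec["AppDisplayName"],
            "risky_scopes": risky,
            "persistent": "offline_access" in granted,
            "verified_publisher": bool(rec.get("VerifiedPublisher")),
        })
    return findings


def unexpected_ediscovery_exports(records, authorised=AUTHORISED_EDISCOVERY_USERS):
    """Return {user: [search names]} for export operations run by accounts outside
    the authorised set. The export is the exfiltration step, so it is a tighter
    signal than search creation alone."""
    by_user = defaultdict(list)
    for rec in records:
        if rec.get("Operation") in EDISCOVERY_EXPORT_OPS and rec["UserId"] not in authorised:
            by_user[rec["UserId"]].append(rec.get("SearchName", "<unnamed>"))
    return dict(by_user)


if __name__ == "__main__":
    for finding in risky_consents(SAMPLE_RECORDS):
        print("risky consent:", finding)
    for user, searches in unexpected_ediscovery_exports(SAMPLE_RECORDS).items():
        print("eDiscovery export by non-authorised account:", user, searches)
```

On the constructed data the consent check reports only the calendar app (mail read/write plus a refresh token, from an unverified publisher), and the export check reports only the non-legal account. Feeding real exports through the same two functions is a matter of mapping the tenant's field names onto the keys used here.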
Going Beyond Native Controls
Supply chain cyberattacks involving Office 365 are effective because they let threat actors bypass some authentication controls, and they can avoid triggering an alarm if the right tools or solutions aren’t in place. Organizations therefore need to put defensive best practices in place, including enabling multi-factor authentication (MFA) on users’ email accounts and monitoring for suspicious behavior using extended detection and response (XDR).
Managing these efforts at the same time is not always easy, especially when many accounts are involved. That’s why organizations should consider a single-pane-of-glass approach that provides intelligent security analytics for their most critical assets and comprehensive visibility over their networks. From there, they can spot and shut down potential supply chain cyberattacks and other digital threats.
Account Compromise Impact
Once attackers use these features and services to take over Office 365 accounts, they use several techniques to compromise networks. They can search through emails, chat histories and files for passwords or interesting data to exfiltrate, or set up mail forwarding rules to get a steady stream of email without needing to sign in again.
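Forwarding rules are among the easiest post-compromise changes to catch, because creating or changing them is itself logged. The block below is an added example, not code from the original article: it walks constructed audit-style records for inbox-rule and mailbox-setting changes, extracts every address a rule forwards or redirects to, and reports those that point outside the tenant's own domains, rating the finding higher when the rule also deletes the message (the combination that gives an attacker a silent copy of the mail stream). The record layout (a `Parameters` list of name/value pairs), the operation names, the `smtp:` address prefix in values and the `contoso.example` domain are all assumptions for illustration.

```python
"""Flag mailbox forwarding set up through inbox rules or mailbox settings.

Added example, not code from the original article. The records are constructed
and use a simplified, assumed layout modelled on how Exchange Online audit
entries carry cmdlet parameters (a list of {"Name", "Value"} pairs).
"""
import re

# Constructed: the tenant's own accepted domains. Anything else is "external".
INTERNAL_DOMAINS = {"contoso.example"}

# Inbox-rule parameters that send a copy of, or move, a message elsewhere,
# and the mailbox-level settings that do the same for every message.
RULE_FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
MAILBOX_FORWARDING_PARAMS = ("ForwardingSmtpAddress", "ForwardingAddress")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Constructed sample records (assumed shape).
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardTo", "Value": "smtp:collector@mail-archive.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Team updates"},
                    {"Name": "ForwardTo", "Value": "smtp:team-lead@contoso.example"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "carol@contoso.example",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:carol.personal@webmail.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
]


def _params(rec):
    """Flatten the name/value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def _external_addresses(value, internal_domains):
    """Pull e-mail addresses out of a parameter value and keep the external ones."""
    return [addr for addr in EMAIL_RE.findall(value)
            if addr.split("@")[1].lower() not in internal_domains]


def forwarding_findings(records, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per record that forwards or redirects mail outside the
    tenant. Internal-only forwarding (bob's rule) is left alone; external
    forwarding combined with DeleteMessage is rated high."""
    findings = []
    for rec in records:
        op = rec.get("Operation", "")
        if op in ("New-InboxRule", "Set-InboxRule"):
            watched = RULE_FORWARDING_PARAMS
        elif op == "Set-Mailbox":
            watched = MAILBOX_FORWARDING_PARAMS
        else:
            continue
        params = _params(rec)
        external = []
        for name in watched:
            if name in params:
                external.extend(_external_addresses(params[name], internal_domains))
        if not external:
            continue
        deletes = params.get("DeleteMessage", "").lower() == "true"
        findings.append({
            "user": rec["UserId"],
            "operation": op,
            "rule_name": params.get("Name"),
            "external_targets": external,
            "deletes_message": deletes,
            "severity": "high" if deletes else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in forwarding_findings(SAMPLE_RECORDS):
        print(finding)
```

On the sample data this yields two findings: alice's rule (external target, message deleted, high) and carol's mailbox-level forward to a webmail address (medium). A rule that forwards only to a colleague inside the tenant produces nothing, which keeps the output focused on the cases worth an analyst's time.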
Threat actors also can leverage the trusted communication channel to send socially engineered phishing emails to employees, customers, or partners. For instance, researchers observed (and helped mitigate) an incident where a medical research unit at a university was targeted with a phishing lure that promoted a free calendar optimization and time-management app.
After one person took the bait and installed the malicious OAuth app, the attackers had complete access to Office 365 and used it to send internal phishing emails, taking advantage of trusted identities and communications to spread further inside the university.
Other attacks that can follow an Office 365 account takeover include planting malware or malicious links in documents that many people trust and use, and stealing files and data or holding them for ransom.
Conclusion
To help you better defend your own Microsoft Office 365 environment we recommend:
Understand your privileged accounts. You need to understand which accounts can access sensitive data or use powerful Microsoft Office 365 tools such as eDiscovery. Such accounts will be prime targets for cybercriminals. Strictly limiting system and tool access to required job roles will contain the damage from a compromised account.
Measure the right metrics. Any metrics you use to measure security effectiveness must pass the "so what?" test. It must trigger a specific action and not merely inform. Make sure you measure the time it takes to acknowledge a threat and the time required to respond to one. You also should measure any repeated incidents as well as reinfection rates. All of this information will reveal how effectively your team is identifying and mitigating threats.
Implement MFA. Multi-factor authentication may not be the golden ticket for securing accounts, but it is still an important tool for slowing down attackers. If you haven't already, ensure that all accounts are using MFA.
Minimize configuration complexity. Transitional hybrid cloud environments can deliver the worst of both worlds for security: redundancies and blind spots that can be exploited. Lengthy transitions also strain your IT and security resources and increase risk. Accelerating the transition will simplify and streamline your environment.
Conduct regular testing. Such exercises as penetration testing and red teaming will help you assess the foundation of your security defenses by identifying vulnerabilities and attack paths. Repeat these tests regularly to ensure that any changes actually improve your security posture.
Train all your staff, including security professionals. As you shift your operations to the cloud, make sure that your workforce knows how to use any new tools safely and securely. Also educate employees about specific threats, such as adversaries who try to impersonate the IT team in phishing emails. Further, ensure that your security staff understands the new environment and can switch from traditional perimeter-based strategies to the more open borders of the cloud.
Understand how tools are being used. Microsoft Office 365 tools like eDiscovery and Power Automate can be devastating in the wrong hands. You need to learn how these tools are used in the context of their normal behavior. Suspicious or malicious activity should be identified immediately and stopped before any damage can be done.
Gain a unified view across your environments. Adversaries will freely move between your traditional environment and cloud networks, challenging you to look for threats across the board. You need to be able to identify malicious behaviors throughout your IT network, SaaS cloud environment, data center and other areas that could be exploited.
Use AI to accelerate and automate your response times. You aren't the only one benefiting from the increased speed and scale of the cloud. Threat actors are as well. Enhanced analytics derived from artificial intelligence and machine learning can help you quickly find malicious activity and automate your responses.
Cut through the noise. Rapid response capabilities are essential but they're only half the story. You need a way to cut through the noise so that you're not overwhelmed by too many false positives. Using an AI-powered network detection and response tool that's accurate and reliable can help achieve this.
If you would like to discuss this or other cyber topics, please feel free to reach out to us.