Vectra released its 2020 Spotlight Report on Microsoft Office 365, which highlights the use of Office 365 in enterprise cyberattacks. The report explains how cybercriminals use built-in Office 365 services in their attacks.
Attacks that target software-as-a-service (SaaS) user accounts are one of the fastest-growing and most prevalent problems fororganisations,even before COVID-19 forced the vast and rapid shift to remote work. With many organisations increasing their cloud software usage, Microsoft has dominated the productivity space, with more than 250 million active users each month. Office 365is the foundation of enterprise data sharing, storage, and communication for many of those users, making it an incredibly rich treasure trove for attackers.
“Within the new work-from-home paradigm, user account takeover in Office 365 is the most effective way for an attacker to move laterally inside an organisation’s network.” said Chris Morales, head of security analytics at Vectra. “We expect this trend to magnify in the months ahead. Attackers will continue to exploit human behaviours, social engineering, and identity theft to establish a foothold and to steal data in every type of organisation.”
Even with the increasing adoption of security postures to protect user accounts such as multifactor authentication (MFA), 40 percent of organizations still suffer from Office 365 breaches, leading to massive financial and reputational losses. In a recent study, analyst firm Forrester Research put the cost of account takeovers at $6.5 billion to $7 billion in annual losses across multiple industries.
Techniques used by Office 365 attackers:
Attackers use several common techniques to get access to user’s Office 365 accounts including:
- Searching through emails, chat histories, and files looking for passwords or interesting data
- Setting up forwarding rules to get access to a steady stream of email without needing to sign-in again
- Leveraging the trusted communication channel — the email isn’t spoofing an email from the CEO; it is an email from the CEO — to socially engineer employees, customers or partners
- Planting malware or malicious links in documents that many people trust and use, again leveraging trust to get around prevention controls that may trigger warnings
- Stealing or holding files and data for ransom
However smart cybercriminals can launch attacks that are far more sophisticated targeting legitimate tools and services such as Power Automate (an application which lets users create custom integrations and automated workflows between Office 365 applications), Microsoft eDiscovery (an electronic discovery tool that searches across Office 365 applications/data and exports the results) and OAuth (an open standard for access authentication).
In fact, research from the Vectra 2020 Spotlight Report on Office 365 found:
- 96 percent of customers sampled exhibited lateral movement behaviours
- 71 percent of customers sampled exhibited suspicious Office 365 Power Automate behaviours
- 56 percent of customers sampled exhibited suspicious Office 365 eDiscovery behaviours
“Identifying user access misuse has been treated as a static problem using approaches that are prevention-based, policy control-centric, or rely on manual entitlements that surface threats as they occur, leaving little time to properly respond. These approaches continue to fail,” continued Chris. “Security teams must have detailed context that explains how entities utilize their privileges — known as observed privilege — within SaaS applications like Office 365. Just as attackers observe or infer interactions between entities, defenders should think similarly about their adversaries. This translates into understanding how users access Office 365 resources and from where, but without looking at the full data payload to protect privacy. It is about the usage patterns and behaviors, not the static access. Ideally, when security teams have solid information and expectations about SaaS platforms, malicious behaviors and privilege abuse will be much easier to quickly identify and mitigate.”
The report is based on the participation of 4 million Microsoft Office 365 accounts monitored by Vectra from June-August 2020, representing the first 90 days of market availability for the company’s SaaS product, Cognito Detect™ for Office 365.