The most common threat vectors and…


Security experts discuss the most typical ways attackers use Microsoft 365 and share their guidance for defenders.

(Photo: phloxii via Adobe Stock)

As more organizations rely on Microsoft 365, Google Cloud and Amazon Web Services, cybercriminals have realized that this shift works in their favor and are adjusting their attacks to take advantage of whichever major cloud platform the target organization uses.

Proofpoint reports that last year more than 59.8 million malicious messages sent from Microsoft 365 targeted thousands of organizations, and Google's infrastructure sent or hosted more than 90 million malicious messages. In the first quarter of 2021 alone, 7 million malicious messages came from Microsoft 365 and 45 million came from Google's infrastructure, well above the quarterly volume of Google-based attacks seen in 2020.

“I think this fits the general pattern,” Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, said of the increase in cloud-based attacks. Although experts have seen cloud email services abused in the past, today’s attacker infrastructure looks different.

“Now, if you are an attacker…you only need to hack into a few Office 365 or Google Workspace accounts and use them to perform everything from launching the attack to hosting the payload,” Kalember continued. “Frankly, if you are an attacker, this is a one-stop shop. From an infrastructure perspective, this is what you need.”

In Microsoft 365 or any other major cloud platform, it doesn’t matter whether the attacker wants to conduct reconnaissance for business email compromise or get someone to click a malicious link in the early stages of a ransomware attack. Compromised cloud accounts, especially cloud email accounts, can be used for many different types of attacks. Kalember pointed out that, from an attacker’s point of view, a compromised account is also a useful place to exfiltrate data, because traffic to the organization's own cloud platform is unlikely to be blocked.

The sheer size of the Microsoft 365 user base makes it especially attractive to attackers. Oliver Tavakoli, chief technology officer of Vectra, said that although some companies use platforms such as G Suite as an alternative, Microsoft 365 is “the 800-pound gorilla in the collaboration space.” Attackers know the value of the data stored in the Microsoft platform and how they can efficiently get at it.

Aiming at the cloud
Obviously, a compromised cloud account can prove to be very helpful to criminals. But how exactly do they abuse these platforms? What are these attacks usually like?

To learn more, Vectra researchers compiled the top threat detections across its enterprise customers in Microsoft Azure AD and Microsoft Office 365.

They report that the most common is Office 365 risky Exchange operations: in these cases, the abnormal Exchange operations detected may indicate that an attacker is manipulating Exchange to gain access to specific data or to further the attack. Researchers found that since the beginning of 2021, more than 70% of Vectra’s customer base has triggered this detection every week.

The second most common threat detection involves suspicious operations in Azure AD. Abnormal Azure AD operations may indicate that an attacker is elevating permissions and performing administrator-level operations after taking over a regular account. Attackers carry out “mass” operations in Azure AD, adding and removing people from groups and escalating permissions.

“If I break in and have your credentials, I just need to add you to a specific group, and this may have downstream effects in Office 365: you can now access a lot of SharePoint that you couldn't before,” Tavakoli explained. “If I steal your account, give your account more rights, and then use those rights in the application, that is a very interesting attack vector.”

He said that one of the problems in Azure AD is that there is no clean separation between what someone should be able to do for themselves (such as setting a profile picture in the directory) and the rather privileged operations that should be limited to administrators.

“Now we have to sharpen the pencil effectively and really figure out how to sort out the operations that are important [to the attacker] from the ones that aren't,” Tavakoli said.

Other common threat detections include an account downloading an abnormal number of objects in Office 365, and an account sharing more files and/or folders than normal, both of which may indicate that an attacker is using the download and sharing features to steal data. Vectra researchers also flagged the creation of redundant access in Azure AD and the addition of external accounts to Teams in Office 365 as threat detections that organizations should be aware of.
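The three behaviors described above (a taken-over account adding itself to privileged groups or roles, bulk downloads, and sharing to external accounts) can each be expressed as a simple rule over audit log records. The following is an added example written for this article, not Vectra's or Microsoft's code: it runs three detections over constructed sample events in a simplified schema loosely modelled on Microsoft 365 unified audit log fields (time, actor, op, target, obj, workload). The tenant domain, account names, group names and thresholds are all assumptions for the illustration; a real deployment would set the download threshold from the tenant's own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tenant domain and privileged objects (constructed for this example).
INTERNAL_DOMAIN = "corp.example"
PRIVILEGED_OBJECTS = {"Global Administrator", "Exchange Administrator", "Finance Site Owners"}
MEMBERSHIP_OPS = {"Add member to role", "Add member to group"}
EXTERNAL_SHARE_OPS = {"SharingInvitationCreated", "MemberAdded"}


def build_sample_events():
    """Constructed events: one self-escalation, one admin-driven group add, one bulk
    download, two external shares and one internal share (schema is a simplification)."""
    base = datetime(2021, 6, 1, 9, 0, 0)
    events = [
        {"time": base, "actor": "alice@corp.example", "op": "Add member to group",
         "target": "alice@corp.example", "obj": "Finance Site Owners", "workload": "AzureActiveDirectory"},
        {"time": base + timedelta(minutes=1), "actor": "alice@corp.example", "op": "Add member to role",
         "target": "alice@corp.example", "obj": "Exchange Administrator", "workload": "AzureActiveDirectory"},
        {"time": base + timedelta(minutes=2), "actor": "admin@corp.example", "op": "Add member to group",
         "target": "dave@corp.example", "obj": "Finance Site Owners", "workload": "AzureActiveDirectory"},
        {"time": base + timedelta(minutes=3), "actor": "carol@corp.example", "op": "SharingInvitationCreated",
         "target": "mallory@outside.example", "obj": "Q2-forecast.xlsx", "workload": "SharePoint"},
        {"time": base + timedelta(minutes=4), "actor": "carol@corp.example", "op": "MemberAdded",
         "target": "guest@outside.example", "obj": "Finance Team", "workload": "MicrosoftTeams"},
        {"time": base + timedelta(minutes=5), "actor": "carol@corp.example", "op": "SharingInvitationCreated",
         "target": "dave@corp.example", "obj": "notes.docx", "workload": "SharePoint"},
    ]
    # bob pulls 60 files in 30 minutes; alice downloads 3 over the same period (normal).
    for i in range(60):
        events.append({"time": base + timedelta(seconds=30 * i), "actor": "bob@corp.example",
                       "op": "FileDownloaded", "target": "", "obj": f"doc{i}.pdf", "workload": "SharePoint"})
    for i in range(3):
        events.append({"time": base + timedelta(minutes=10 * i), "actor": "alice@corp.example",
                       "op": "FileDownloaded", "target": "", "obj": f"memo{i}.pdf", "workload": "SharePoint"})
    return events


def detect_privilege_changes(events):
    """Membership changes into privileged roles/groups. A self-grant (actor == target)
    is the strongest signal that a taken-over account is escalating its own access."""
    findings = []
    for e in events:
        if e["op"] in MEMBERSHIP_OPS and e["obj"] in PRIVILEGED_OBJECTS:
            findings.append({"rule": "privileged-membership-change",
                             "severity": "high" if e["actor"] == e["target"] else "medium",
                             "actor": e["actor"], "target": e["target"], "obj": e["obj"], "time": e["time"]})
    return findings


def detect_mass_download(events, threshold=50, window=timedelta(hours=1)):
    """Sliding-window count of FileDownloaded per actor; flag the first window in which
    an actor reaches the threshold. Threshold is an assumption, not a tenant baseline."""
    per_actor = defaultdict(list)
    for e in events:
        if e["op"] == "FileDownloaded":
            per_actor[e["actor"]].append(e["time"])
    findings = []
    for actor, times in per_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"rule": "mass-download", "actor": actor,
                                 "count": end - start + 1, "window_start": times[start]})
                break
    return findings


def detect_external_sharing(events, internal_domain=INTERNAL_DOMAIN):
    """Sharing invitations or Teams membership adds whose target is outside the tenant."""
    findings = []
    for e in events:
        if e["op"] in EXTERNAL_SHARE_OPS and "@" in e["target"]:
            if e["target"].rsplit("@", 1)[1].lower() != internal_domain:
                findings.append({"rule": "external-share", "actor": e["actor"],
                                 "target": e["target"], "obj": e["obj"], "workload": e["workload"]})
    return findings


def triage(events):
    """Run all three rules and return findings with high severity first."""
    findings = detect_privilege_changes(events) + detect_mass_download(events) + detect_external_sharing(events)
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: order.get(f.get("severity", "medium"), 1))


if __name__ == "__main__":
    for finding in triage(build_sample_events()):
        print(finding)
```

The self-grant check is the part worth keeping even if the rest is replaced by a SIEM rule: an account adding itself to an administrative role or a site-owner group is the Azure AD "mass" escalation Tavakoli describes, and it is distinguishable from routine admin work by comparing the actor and target fields alone.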

Proofpoint’s Kalember said that attackers are also increasingly relying on OAuth applications and other third-party applications that connect to people's Office 365 and Google Workspace accounts. These web applications do not necessarily phish for credentials; instead they persuade people to grant them trust. He said that it is not difficult for an attacker to create a fake version of SharePoint Online and send phishing emails pointing to it. If successful, they obtain an OAuth token that stands in for the victim's credentials.

“The attacker then uses this access in a variety of different ways,” he said. “They will use it in a highly manual manner and read the contents of the inbox, send emails as that person, and then carry out further attacks in this way.”

They can also use these tokens in automated large-scale activities to capture more credentials and compromise more accounts.

Defense for Microsoft 365: Tips and Challenges
Verizon’s recently released 2021 Data Breach Investigations Report (DBIR) stated that the vast majority (85%) of data breaches involve a human element, and 61% involve compromised credentials.

“This is how attackers work now. They won’t break in – they will log in,” Kalember said, noting that only 3% of the attacks in the DBIR used exploits. As attackers lean on these techniques, the steps that organizations take to protect credentials will become increasingly important.

He suggested that organizations disable legacy authentication protocols and add multi-factor authentication to “everything facing the Internet”. He pointed out that these two steps have been good recommendations for a long time, and for organizations that have not yet taken them, they should be the top priority. For organizations that cannot afford a cloud access security broker (CASB) or other cloud security tools, he recommends taking a careful look at Microsoft Sentinel, a tool organizations can use to get at their Office 365 logs.

“If you can’t afford to deploy CASB or cloud security tools to do this for you, at least be able to go back to the logs, which is really important,” he added.
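Kalember's two recommendations (turn off legacy authentication, put MFA on everything internet-facing) and his fallback (at least read the logs) come together in one concrete task: find out which accounts still sign in through legacy protocols, which cannot be challenged for MFA, and which modern-client sign-ins succeed with a single factor. The following is an added example written for this article, not Microsoft's or Proofpoint's tooling. It runs over constructed sign-in records in a simplified schema modelled on Azure AD sign-in log fields (clientAppUsed, authenticationRequirement, status); the exact field shapes, the set of values treated as modern clients, and the account names are assumptions for the illustration.

```python
from collections import Counter, defaultdict

# Assumed: anything other than these two client types is a legacy-auth protocol
# (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, ...) that cannot enforce MFA.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample sign-ins (simplified schema; accounts and values are invented).
SAMPLE_SIGNINS = [
    {"user": "alice@corp.example", "app": "Office 365 Exchange Online", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication", "status": "success"},
    {"user": "bob@corp.example", "app": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication", "status": "success"},
    {"user": "bob@corp.example", "app": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP",
     "authenticationRequirement": "singleFactorAuthentication", "status": "failure"},
    {"user": "carol@corp.example", "app": "Office 365 SharePoint Online", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication", "status": "success"},
    {"user": "dave@corp.example", "app": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync",
     "authenticationRequirement": "singleFactorAuthentication", "status": "success"},
    {"user": "dave@corp.example", "app": "Microsoft Teams", "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "multiFactorAuthentication", "status": "success"},
]


def is_legacy(signin):
    """Legacy auth = any client type outside the modern set."""
    return signin["clientAppUsed"] not in MODERN_CLIENTS


def legacy_auth_users(signins):
    """Users with successful legacy-protocol sign-ins, with a per-protocol count.
    These are the users/workflows that must be migrated before legacy auth is blocked,
    and the sign-ins an attacker with a stolen password would use to sidestep MFA."""
    users = defaultdict(Counter)
    for s in signins:
        if s["status"] == "success" and is_legacy(s):
            users[s["user"]][s["clientAppUsed"]] += 1
    return {u: dict(c) for u, c in users.items()}


def single_factor_success(signins):
    """(user, app) pairs where a modern client signed in successfully with only one factor:
    the MFA coverage gap for internet-facing apps."""
    return sorted({(s["user"], s["app"]) for s in signins
                   if s["status"] == "success" and not is_legacy(s)
                   and s["authenticationRequirement"] == "singleFactorAuthentication"})


def report(signins):
    """Summarise both gaps plus the share of successful sign-ins that never saw MFA."""
    successes = [s for s in signins if s["status"] == "success"]
    no_mfa = [s for s in successes if s["authenticationRequirement"] == "singleFactorAuthentication"]
    pct = round(100.0 * len(no_mfa) / len(successes), 1) if successes else 0.0
    return {"legacy_users": legacy_auth_users(signins),
            "mfa_gaps": single_factor_success(signins),
            "pct_success_without_mfa": pct}


if __name__ == "__main__":
    for key, value in report(SAMPLE_SIGNINS).items():
        print(f"{key}: {value}")
```

Failed legacy attempts (bob's SMTP entry) are deliberately excluded from the migration list but are still worth watching: once legacy protocols are blocked, a stream of failed IMAP or SMTP sign-ins against a mailbox is usually password spraying against an account that can no longer be reached that way.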

When talking about the obstacles facing security teams, Tavakoli said that Microsoft 365 is complicated for defenders because its many different tools are just as convenient for attackers. Consider eDiscovery, a tool designed to surface specific terms (such as “password”) across email, Teams and other communications. It is designed to help employees find information across different resources, but it can equally help an attacker who has taken over an account find what they are looking for.

“When you have a very complex system that the defender can’t really master, and you push it outside the fortress wall, the attacker has an innate advantage,” he explained. “They will take the time to figure out this complexity, they only need to find some design patterns that are easy to attack, and then those design patterns are often incredibly reusable.”

Tavakoli emphasized the importance of understanding your own strategy for Office 365. Do you want it to be primarily a collaboration platform within your organization, or do you also want to use it with external partners? If you are working with external partners, it is important to establish clear demarcation points. He pointed out that SharePoint sites shared with partners should be maintained differently from SharePoint sites used for internal collaboration. Which parts of the system and which data can external partners use? Has that expectation been set internally?

Determining the number of policies is a tricky balance. Tavakoli says you may need at least 10 to 15 policies: not hundreds, but not so few that they give people overly broad rights. The principle of least privilege remains the key.

“Only provide users with the permissions they need to complete their work,” he added.

Kelly Sheridan is a full-time editor of Dark Reading. She focuses on cybersecurity news and analysis. She is a business technology reporter. She has previously reported on Microsoft for InformationWeek, and has reported on finance in insurance and technology…
