Office 365 Users Under Attack
Cybercriminals are targeting account login credentials of Microsoft Office 365, with its more than 100 million monthly active subscribers, to ultimately launch attacks from within organizations, including financial institutions.
Cybercriminals have a long history of designing attacks to reach the largest number of eyeballs possible, according to research from Campbell, Calif.-based real-time spear phishing and cyberfraud defense firm Barracuda Sentinel. “From the early days of traditional spam, to search or trending topics on social platforms, criminals follow the users, and Office 365 has become a breeding ground for highly personalized, compelling attacks,” Asaf Cidon, spear phishing behavior expert and vice president, content security services at Barracuda, said.
Attackers prey on the inherent trust of email received from coworkers. Most individuals are almost positive it is legitimate, but unfortunately, that’s not always the case.
Barracuda Sentinel examined an increasingly popular threat, Office 365 account compromise, within its large customer base on Office 365. It found that Office 365 account compromise attackers attempt to steal user credentials to launch attacks from an internal account.
The techniques used in these Office 365 account compromise attacks are:
- Spear phishing: Attackers send an email that prompts users to follow a link to reset their Office 365 credentials.
- Account compromise: Once the attackers have a user’s credentials, they can launch new attacks from that account.
- Insider impersonation: Attackers send emails that appear to be from other employees inside the organization.
Many phishing attempts are easy for end users to sniff out because they contain bold requests, misspelled words, or questionable attachments that raise red flags.
Focusing on its customers using Office 365, Barracuda Sentinel noticed an increase in the number of attacks that are much more difficult to spot because of how carefully they are crafted, personalized and delivered.
In one example, the message itself doesn’t appear to be anything out of the ordinary. It appears to be coming from Microsoft to alert the user that they need to reactivate their Office 365 account. There is one red flag, but nothing overly alarming: It mentions how the user’s account “has been suspended,” not a typical action on Office 365 accounts.
As is the case with any suspicious email, the user should alert their IT department. But what happens if the user decides to follow the directions in this message?
This attack tries to steal the user’s Office 365 credentials and take over the account. The user clicks a link in the message that sends them to a well-crafted landing page that prompts them for their credentials. “Once they do that—game on. The attackers then will have login credentials and access to the account,” Barracuda Sentinel noted.
Once inside an organization, a couple of scary scenarios can emerge where attackers:
- Set up forwarding rules on the account to observe the user’s communications patterns inside and outside the organization. They can then leverage that information for future attacks such as ransomware or other advanced threats.
- Use the compromised account to send messages to other employees inside the organization to collect additional credentials or other sensitive information. This approach, which typically has more short-term success because it requires an immediate response or action, can utilize a PDF attachment, a fake invoice, or an urgent request for sensitive information like employee tax details.
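The forwarding-rule scenario in the first bullet leaves a trace defenders can look for. The following is an added example, not from Barracuda's research: a Python check over audit records for rule or mailbox changes that forward mail outside the organization. The sample records are constructed and simplified, the record layout (Operation, UserId, Parameters) is an assumption modelled on Exchange audit entries, and example.com stands in for the organization's domain.

```python
import json

# Constructed, simplified records modelled on Exchange entries in the
# Office 365 audit log (assumed fields: Operation, UserId, Parameters).
SAMPLE_LOG = """
{"CreationTime":"2024-01-08T09:14:02","UserId":"alice@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"drop.box@mail.example.net"}]}
{"CreationTime":"2024-01-08T10:02:45","UserId":"bob@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Team"},{"Name":"RedirectTo","Value":"carol@example.com"}]}
{"CreationTime":"2024-01-09T03:31:10","UserId":"dave@example.com","Operation":"Set-Mailbox","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:dave.backup@mail.example.net"}]}
{"CreationTime":"2024-01-09T08:00:00","UserId":"erin@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"MoveToFolder","Value":"Invoices"}]}
"""

# Cmdlets and parameters that can make a mailbox forward or redirect mail.
WATCHED_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMETERS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                         "ForwardingSmtpAddress"}

def recipient_domains(value):
    """Yield the lower-cased domain of every address in a parameter value."""
    for part in value.replace(",", ";").split(";"):
        address = part.strip().strip('"')
        if address.lower().startswith("smtp:"):
            address = address[5:]
        if "@" in address:
            yield address.rsplit("@", 1)[1].lower()

def find_external_forwarding(log_text, internal_domains):
    """Return one finding per forwarding target outside internal_domains."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("Operation") not in WATCHED_OPERATIONS:
            continue
        for param in record.get("Parameters", []):
            if param.get("Name") not in FORWARDING_PARAMETERS:
                continue
            for domain in recipient_domains(param.get("Value", "")):
                if domain not in internal:  # exact match: subdomains count as external
                    findings.append({"time": record.get("CreationTime"),
                                     "user": record.get("UserId"),
                                     "operation": record["Operation"],
                                     "parameter": param["Name"], "domain": domain})
    return findings

if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_LOG, {"example.com"}):
        print(finding)
```

Each finding names the mailbox, the change and the outside domain, which gives the IT department a starting point for confirming with the user whether the rule is theirs.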
Office 365 is still a relatively new tool with a large and growing user base, and attackers are taking advantage of the accessibility. While the sample focused on Office 365, Cidon noted he has also seen the threat on Gmail, another cloud-based email platform.
Barracuda Sentinel recommends regular training and testing of employees to increase their security awareness of various targeted attacks, multi-factor authentication, and spear phishing and cyberfraud defense.