Office 365 accounts are like gold-dust to
cyber-criminals. These accounts are highly valuable because they are the
gateway to your business networks. With one corporate Office 365 account,
attackers are able to access multiple applications and services.
Account compromise is a serious problem, especially for organizations who currently have a large number of employees working remotely. In this article we’ll go through what account compromise is, and why it’s so damaging. We’ll also cover how organizations can identify and remediate against accounts that have been compromised, and outline steps to take to prevent account compromise from happening.
What is Account Compromise?
Account compromise essentially occurs when
cyber-criminals are able to take control of business accounts. In the case of
cloud-based business environments, such as Office 365 and Gsuite, account
compromise can lead to attackers being able to access multiple applications and
potentially compromise many other accounts.
There are numerous ways that accounts can become compromised. A common way accounts become compromised is employees using weak passwords or reusing passwords across all of their accounts. If passwords are reused, and one account is made public in a data breach, attackers are then able to compromise all of the other accounts very easily.
Phishing Attacks and Fake Landing Pages
Phishing attacks are another common way that hackers are able to compromise accounts. These email threats aim to trick users into giving up their account details, by taking users to fake log-in pages, or asking them to reset their account passwords.
Often, attackers will create lanfing pages that look identical to the O365 login page, with sometimes only one or two small details that give away the page as being malicious. The aim is to get users to login as they usually would, which gives the cyber-criminal your account details. These attacks can be highly sophisticated, with even very highly security conscious users susceptible to be tricked.
When Office 365 and Gsuite accounts are compromised, attackers have access to multiple highly important business applications. This includes email, OneDrive, your calendars, and SharePoint files. These applications can often hold invoices, financial information, customer data, and give cyber-criminals the access they need to start sophisticated phishing attacks.
Business Email Compromise
If accounts are compromised businesses can face
costly disruption and data loss. A common occurrence is business email
compromise, a form of attack in which cyber-criminals genuine Office 365
accounts to email contacts, asking for payments to be made, or requesting sensitive information. This can be very
difficult to detect, especially if a hacker is able to appear genuine by
referencing other people on contact lists.
Attackers will often try and create a sense of urgency, telling users they need to open a link or make a payment immediately. This can lead to monetary loss for the organization, as well as potentially spreading ransomware or malware if users click on malicious URLs. There has also been a growing number of attackers compromising the accounts of high-level executives and company CEOs. This can be hugely damaging to organizations, as most users won’t expect an email from their company CEO to be fraudulent.
Detecting Account Compromise
There are often signs that all organizations
should be aware of to identify instances of account compromise. These include:
- Emails being deleted by mailbox rules
- Inability to access an account, or multiple accounts
- Phishing attacks being sent internally or to clients by internal users
- Missing or deleted emails, or suspicious configuration changes
- New inbox rules, such as automatically forwarding emails, or moving emails to folders
- Changes to users accounts that were not authorized
- Multiple password changes, or forgotten password resets from unknown locations
- Suspicious logins, or multiple failed login attempts
- Unusual inbox activity, including emails with multiple recipients, and high numbers of BCC recipients. This is usually a sign that attackers are sending out emails to hundreds of people in order to compromise another account.
- Profile changes, such as the name, the telephone number, or the postal code being updated.
- Credential changes, such as multiple password changes.
- Unusual signatures added to emails.
There are also a range of technological solutions that aim to detect account compromise in Office 365. These include:
Proofpoint
Proofpoint helps you detect account hacks by using analyzing contextual data, including user location, device, network and login time. They use behavioral analytics to monitor for suspicious activity and use their global threat intelligence for IP reputation checks. They also correlate threat activity across email and the cloud to connect the dots between credential phishing and suspicious logins.
IRONSCALES
IRONSCALES operates at the mailbox level within Office 365 and automatically checks every employee’s inbox for anomalies with unique fingerprint technology.
Skyhigh Networks
Skyhigh detects insider threats, privileged user threats, and compromised accounts leveraging machine learning. Skyhigh connects to Office 365 and immediately begins building behavior models based on actual user activity.
McAfee
McAfee detects compromised account activity in Office 365 based on brute force login attempts, logins from new and untrusted locations for a specific user, and consecutive login attempts from two locations in a time period that implies impossible travel, even if the two logins occur across two cloud services.
AVANAN
Avanan has developed an algorithm to detect compromised accounts, using a number of threat signals appearing in the Office 365 instance. The adaptive technology looks at email activity, and correlates that with account activity and user behavior.
How You Can Resolve Account Compromise
Step one: Reset the user’s password.
It’s important that the new password is not sent to the infected account, as this will allow the hacker to retain access. The password should be highly secure, not easily guessed.
Step two: Remove any suspicious email forwarding addressees
- Open
the Microsoft 365 admin center > Active Users
- Find
the user account in question and expand Mail Settings
- For
Email Forwarding click Edit.
- Remove
any suspicious forwarding addresses.
Step three: Disable any suspicious inbox rules
- Sign
into the user’s inbox using Outlook on the web
- Click
on the gear icon and click Mail
- Click
Inbox and sweep rules and review
- Disable
or delete suspicious rules
Step four: Check for signature changes and out of office replies
Clever hackers can place malicious links in
email signatures and out of office replies. Double check there have been no
changes to these settings in the user account.
Step five: Unblock the user from sending mail
Microsoft advices
that If mailboxes were used to send spam email, it’s likely that the mailbox
has been blocked from sending mail. To unblock users, you can follow procedures
here: Removing a user from the
Restricted Users portal after sending spam email
How You Can Protect Yourself Against Account Compromise
There are a number of steps organizations can
take to protect themselves against account compromise.
Multi-Factor Authentication
Microsoft estimates that 99.9% of account
compromise attacks can be prevented simply by organizations implementing
multi-factor authentication. Multi-factor authentication requires users to verify
their identity with two or more factors. These factors include something a user
knows, like a password, and something a user possesses, like a code from a
smartphone. Sometimes this extends to biometric controls, like a fingerprint
scan.
Having MFA in place makes it much harder for hackers
to compromise business accounts. Passwords can be unsecure and often all too
easy to steal, but it’s unlikely that cyber-criminals will go to the effort of trying
to get past MFA controls. O365 admins can implement MFA as standard throughout
their accounts, you
can read a guide to this here.
You can also use third party MFA and adaptive
authentication platforms that work across your business applications to protect
them from account compromise and make the login process more seamless for
users. Check out our guide to the top solutions here: https://www.expertinsights.com/insights/the-top-multi-factor-authentication-mfa-solutions-for-business/
However, it’s important to note that MFA won’t
completely protect your accounts from compromise. Chris Murray, cybersecurity
specialist at Bleam Cybersecurity
points out that “MFA isn’t a silver
bullet to stop account compromise,” as there are methods attacks can phish
passwords and MFA sessions to enable the impersonation of a user.
It’s also true that user error can also cause
MFA to fail. A recent Reddit
thread highlighted this problem. One user received an alert on her phone asking
her to verify her identity via MFA, despite her not trying to log in. Rather
than blocking the login attempt, the IT admin instead removed MFA from the
account, giving the attacker access.
The takeaway from this should be that implementing
MFA is a very good move to secure accounts from compromise, but it’s not the
only step that organizations should be taking.
Configure Office 365
Inside O365 there are a range of security measures
admins can implement that help to stop attackers from being able to breach
accounts. This includes admins ensuring that:
- User
accounts do not have admin permissions
- Creating
conditional access policies in Azure Active directory, such as only allowing sign
in from managed devices
Microsoft have also created a road map for O365
admins here, detailing security steps to take to protect your accounts from
compromise and other threats: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/security-roadmap?view=o365-worldwide
Email Security
Implementing strong email security controls can
help to stop organizations falling victim to account compromise. Email security
gateway solutions block malicious emails from entering the email network, helping
to protect users from attacks that aim to harvest user credentials. They also
help to stop malicious emails circulating internally within organizations, so that
if accounts are compromised, users are protected.
You can read our guide to the Top 11 Email
Security Gateway solutions here: https://www.expertinsights.com/insights/top-11-email-security-gateways/
There are also advanced ‘post-delivery’ email protection
solutions that use machine learning to identify and remediate against account
compromise. These platforms look for anomalies within your email networks, like
accounts logging in from new locations, emailing at unusual times, and sending
from different IP addresses, to automatically identify account compromise.
These solutions can then block these senders.
Post-Delivery Protection platforms also provide
a range of protections against phishing and spear-phishing attacks. They automatically
identify phishing emails based on a range of contextual factors and allow users
to report suspicious emails directly from their mailboxes. This makes it much
more difficult for hackers to spread attacks that compromise account details.