Email Security

How You Can Identify And Stop Account Compromise In Office 365

How to identify and prevent account compromise in Microsoft Office 365.


Office 365 accounts are like gold-dust to cyber-criminals. These accounts are highly valuable because they are the gateway to your business networks. With one corporate Office 365 account, attackers are able to access multiple applications and services.

Account compromise is a serious problem, especially for organizations who currently have a large number of employees working remotely. In this article we’ll go through what account compromise is, and why it’s so damaging. We’ll also cover how organizations can identify and remediate against accounts that have been compromised, and outline steps to take to prevent account compromise from happening.

What is Account Compromise?

Account compromise essentially occurs when cyber-criminals are able to take control of business accounts. In the case of cloud-based business environments, such as Office 365 and Gsuite, account compromise can lead to attackers being able to access multiple applications and potentially compromise many other accounts.

There are numerous ways that accounts can become compromised. A common way accounts become compromised is employees using weak passwords or reusing passwords across all of their accounts. If passwords are reused, and one account is made public in a data breach, attackers are then able to compromise all of the other accounts very easily.

Phishing Attacks And Fake Landing Pages

Phishing attacks are another common way that hackers are able to compromise accounts. These email threats aim to trick users into giving up their account details, by taking users to fake log-in pages, or asking them to reset their account passwords.

Often, attackers will create landing pages that look identical to the O365 login page, with sometimes only one or two small details that give away the page as being malicious. The aim is to get users to log in as they usually would, which hands the cyber-criminal your account details. These attacks can be highly sophisticated, and even very security-conscious users can be tricked.

When Office 365 and Gsuite accounts are compromised, attackers have access to multiple highly important business applications. This includes email, OneDrive, your calendars, and SharePoint files. These applications can often hold invoices, financial information, customer data, and give cyber-criminals the access they need to start sophisticated phishing attacks.

Business Email Compromise

If accounts are compromised, businesses can face costly disruption and data loss. A common occurrence is business email compromise, a form of attack in which cyber-criminals use genuine Office 365 accounts to email contacts, asking for payments to be made, or requesting sensitive information. This can be very difficult to detect, especially if a hacker is able to appear genuine by referencing other people on contact lists.

Attackers will often try and create a sense of urgency, telling users they need to open a link or make a payment immediately. This can lead to monetary loss for the organization, as well as potentially spreading ransomware or malware if users click on malicious URLs. There has also been a growing number of attackers compromising the accounts of high-level executives and company CEOs. This can be hugely damaging to organizations, as most users won’t expect an email from their company CEO to be fraudulent.

Detecting Account Compromise

There are often signs that all organizations should be aware of to identify instances of account compromise. These include:

  • Emails being deleted by mailbox rules
  • Inability to access an account, or multiple accounts
  • Phishing attacks being sent internally or to clients by internal users
  • Missing or deleted emails, or suspicious configuration changes
  • New inbox rules, such as automatically forwarding emails, or moving emails to folders
  • Changes to user accounts that were not authorized
  • Multiple password changes, or forgotten password resets from unknown locations
  • Suspicious logins, or multiple failed login attempts
  • Unusual inbox activity, including emails with multiple recipients, and high numbers of BCC recipients. This is usually a sign that attackers are sending out emails to hundreds of people in order to compromise another account.
  • Profile changes, such as the name, the telephone number, or the postal code being updated.
  • Credential changes, such as multiple password changes.
  • Unusual signatures added to emails.
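Several of the signs above (new inbox rules that forward or delete mail, bursts of failed logins, logins from locations that no one could have travelled between) can be checked mechanically in audit data. The script below is an added example written for this article, not code from the original page or from any of the products named on it. It runs over a handful of constructed audit records whose field names loosely follow the Office 365 Unified Audit Log; the `Geo` coordinates are an assumed enrichment added by a log pipeline, not a native field, and `example.com` is an assumed tenant domain. The impossible-travel check goes slightly beyond the list by putting a number on "suspicious logins".

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

INTERNAL_DOMAIN = "example.com"  # assumption: the tenant's own mail domain

# Constructed sample audit records (JSON lines), not real tenant data.
# alice: two logins 40 minutes apart from London and New York, then a
#        forwarding + delete rule named "." created from the second location.
# bob:   six failed logins within a few minutes.
# carol: a benign rule that just files newsletters.
SAMPLE_LOG = "\n".join([
    '{"CreationTime":"2021-03-01T08:00:00","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"203.0.113.10","Geo":[51.5,-0.12]}',
    '{"CreationTime":"2021-03-01T08:40:00","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"198.51.100.7","Geo":[40.7,-74.0]}',
    '{"CreationTime":"2021-03-01T08:45:00","Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"198.51.100.7",'
    '"Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"collector@attacker-example.net"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"CreationTime":"2021-03-01T09:30:00","Operation":"New-InboxRule","UserId":"carol@example.com","ClientIP":"203.0.113.22",'
    '"Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Archive"}]}',
] + [
    '{"CreationTime":"2021-03-01T09:%02d:00","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"192.0.2.5"}' % m
    for m in range(6)
])


def parse_records(log_text):
    """Parse JSON lines into dicts, add a datetime, and sort chronologically."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for r in records:
        r["_ts"] = datetime.fromisoformat(r["CreationTime"])
    return sorted(records, key=lambda r: r["_ts"])


def rule_params(record):
    """Flatten the Name/Value parameter list of an inbox-rule record."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def suspicious_inbox_rules(records):
    """Flag rules that forward outside the tenant, delete mail, or hide behind a blank name."""
    findings = []
    for r in records:
        if r["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = rule_params(r)
        reasons = []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            target = p.get(key, "")
            if target and not target.lower().endswith("@" + INTERNAL_DOMAIN):
                reasons.append(f"{key} to external address {target}")
        if p.get("DeleteMessage", "").lower() == "true":
            reasons.append("rule deletes messages")
        if p.get("Name", "x").strip(" .") == "":
            reasons.append("rule name is blank or punctuation only")
        if reasons:
            findings.append((r["UserId"], r["CreationTime"], reasons))
    return findings


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Return users with at least `threshold` failed logins inside any `window`."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "UserLoginFailed":
            by_user[r["UserId"]].append(r["_ts"])
    hits = []
    for user, times in by_user.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(user)
                break
    return hits


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def impossible_travel(records, max_speed_kmh=900):
    """Flag consecutive logins by one user that imply faster-than-airliner travel."""
    last, hits = {}, []
    for r in records:
        if r["Operation"] != "UserLoggedIn" or "Geo" not in r:
            continue
        user = r["UserId"]
        if user in last:
            prev = last[user]
            hours = (r["_ts"] - prev["_ts"]).total_seconds() / 3600
            km = haversine_km(prev["Geo"], r["Geo"])
            if hours > 0 and km / hours > max_speed_kmh:
                hits.append((user, prev["ClientIP"], r["ClientIP"], round(km)))
        last[user] = r
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for name, result in (("inbox rules", suspicious_inbox_rules(recs)),
                         ("failed-login bursts", failed_login_bursts(recs)),
                         ("impossible travel", impossible_travel(recs))):
        print(f"{name}: {result}")
```

The thresholds (five failures in ten minutes, 900 km/h) are starting points to tune against your own tenant's baseline; the external-domain test is deliberately strict, since forwarding to a personal address is exactly the pattern a compromised mailbox shows.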

There are also a range of technological solutions that aim to detect account compromise in Office 365. These include:

Proofpoint: Proofpoint helps you detect account hacks by analyzing contextual data, including user location, device, network and login time. They use behavioral analytics to monitor for suspicious activity and use their global threat intelligence for IP reputation checks. They also correlate threat activity across email and the cloud to connect the dots between credential phishing and suspicious logins.

IRONSCALES: IRONSCALES operates at the mailbox level within Office 365 and automatically checks every employee’s inbox for anomalies with unique fingerprint technology.

Skyhigh Networks: Skyhigh detects insider threats, privileged user threats, and compromised accounts leveraging machine learning. Skyhigh connects to Office 365 and immediately begins building behavior models based on actual user activity.

McAfee: McAfee detects compromised account activity in Office 365 based on brute force login attempts, logins from new and untrusted locations for a specific user, and consecutive login attempts from two locations in a time period that implies impossible travel, even if the two logins occur across two cloud services.

AVANAN: Avanan has developed an algorithm to detect compromised accounts, using a number of threat signals appearing in the Office 365 instance. The adaptive technology looks at email activity, and correlates that with account activity and user behavior.

How You Can Resolve Account Compromise

Step one: Reset the user’s password.

It’s important that the new password is not sent to the compromised account, as this will allow the hacker to retain access. The password should be highly secure and not easily guessed.

Step two: Remove any suspicious email forwarding addresses

  1. Open the Microsoft 365 admin center > Active Users
  2. Find the user account in question and expand Mail Settings
  3. For Email Forwarding click Edit.
  4. Remove any suspicious forwarding addresses.

Step three: Disable any suspicious inbox rules

  1. Sign into the user’s inbox using Outlook on the web
  2. Click on the gear icon and click Mail
  3. Click Inbox and sweep rules and review
  4. Disable or delete suspicious rules

Step four: Check for signature changes and out of office replies

Clever hackers can place malicious links in email signatures and out of office replies. Double check there have been no changes to these settings in the user account.

Step five: Unblock the user from sending mail

Microsoft advises that if mailboxes were used to send spam email, it’s likely that the mailbox has been blocked from sending mail. To unblock users, you can follow the procedure here: Removing a user from the Restricted Users portal after sending spam email

How You Can Protect Yourself Against Account Compromise

There are a number of steps organizations can take to protect themselves against account compromise.

Multi-Factor Authentication

Microsoft estimates that 99.9% of account compromise attacks can be prevented simply by organizations implementing multi-factor authentication. Multi-factor authentication requires users to verify their identity with two or more factors. These factors include something a user knows, like a password, and something a user possesses, like a code from a smartphone. Sometimes this extends to biometric controls, like a fingerprint scan.

Having MFA in place makes it much harder for hackers to compromise business accounts. Passwords can be insecure and often all too easy to steal, but it’s unlikely that cyber-criminals will go to the effort of trying to get past MFA controls. O365 admins can implement MFA as standard throughout their accounts; you can read a guide to this here.

You can also use third party MFA and adaptive authentication platforms that work across your business applications to protect them from account compromise and make the login process more seamless for users. Check out our guide to the top solutions here:

However, it’s important to note that MFA won’t completely protect your accounts from compromise. Chris Murray, cybersecurity specialist at Bleam Cybersecurity, points out that “MFA isn’t a silver bullet to stop account compromise,” as there are methods attackers can use to phish both passwords and MFA sessions in order to impersonate a user.

It’s also true that user error can cause MFA to fail. A recent Reddit thread highlighted this problem. One user received an alert on her phone asking her to verify her identity via MFA, despite her not trying to log in. Rather than blocking the login attempt, the IT admin instead removed MFA from the account, giving the attacker access.

The takeaway from this should be that implementing MFA is a very good move to secure accounts from compromise, but it’s not the only step that organizations should be taking.

Configure Office 365

Inside O365 there are a range of security measures admins can implement that help to stop attackers from being able to breach accounts. This includes admins ensuring that:

  • User accounts do not have admin permissions
  • Conditional access policies are created in Azure Active Directory, such as only allowing sign-in from managed devices

Microsoft have also created a road map for O365 admins here, detailing security steps to take to protect your accounts from compromise and other threats:

Email Security

Implementing strong email security controls can help to stop organizations falling victim to account compromise. Email security gateway solutions block malicious emails from entering the email network, helping to protect users from attacks that aim to harvest user credentials. They also help to stop malicious emails circulating internally within organizations, so that if accounts are compromised, users are protected.

You can read our guide to the Top 11 Email Security Gateway solutions here:

There are also advanced cloud email security solutions that use machine learning to identify and remediate against account compromise. These platforms look for anomalies within your email networks, like accounts logging in from new locations, emailing at unusual times, and sending from different IP addresses, to automatically identify account compromise. These solutions can then block these senders.

Cloud email security solutions also provide a range of protections against phishing and spear-phishing attacks. They automatically identify phishing emails based on a range of contextual factors and allow users to report suspicious emails directly from their mailboxes. This makes it much more difficult for hackers to spread attacks that compromise account details.