Beware of the Office 365 Compromise

Author: anne.mroczynski August 1, 2018

There’s an old saying that a bad day fishing is better than a good day doing anything else. Many cyber thieves might agree that applies to phishing, as well, particularly if they put some extra effort into their endeavor.

In our work with clients, we are seeing evidence that the bad guys are taking their phishing activities to the next level and are improving how they write and deliver their attacks – making them more personal and more likely to gain the trust of even the most careful and skeptical email recipients.

And, increasingly, their platform of choice is Office 365.

Lately we’ve seen a rise in Office 365 Business Email Compromise attacks, with the cyber criminals focusing on stealing login credentials and ultimately launching attacks from within an organization.

In one recent incident, a client came to us after an employee found that emails were being sent out under her name from her official work account within Office 365. These messages looked official: they carried the subject line "Docusign: Action Required" and a link to a supposed PDF that the recipient was asked to complete and sign. The attacker did not need to spoof anything, because the mail really was leaving her mailbox.

The key here is that access to an Office 365 mailbox lets the attacker operate from inside the target organization: read its mail to learn who sends financial documents for signature, to whom that person sends them, and how those messages are normally worded. With a little research in the mailbox they have breached, the thieves can then exploit the trust that the organization and its employees have built with each other and with clients, customers, vendors, and others, and the resulting messages pass every check that looks at the sending domain.

Clearly, this is what was happening in another incident we recently investigated, where a company's employee had received fraudulent emails from someone purporting to be the firm's office administrator and requesting that a check be sent to a person outside of the office. When we looked into it, we found dozens of unauthorized logons to the office administrator's Office 365 email account from IP addresses originating overseas. While logged into the account, the threat actor searched the mailbox for the terms "wire" and "bank," then viewed numerous messages and attachments that matched.

In our experience, when criminals get access like this, they will actively search through the victim's mailbox before they launch an attack, collecting information that will aid them in compromising other victims. Some attackers will even engage in back-and-forth conversations with unsuspecting coworkers of the victim. (If you've had this happen to you, then you know how creeped out it can make you feel.) We have also seen cases where the attacker sets the victim's mailbox to forward all incoming mail to an external, attacker-owned account, typically through an inbox rule or the mailbox's forwarding setting, so they do not have to keep logging into the victim's account and can keep reading even after the password is changed.

Accordingly, it has become increasingly important for companies using Office 365 products to take appropriate steps to prevent these incidents or limit the fallout from them. Fortunately, Microsoft has several tools available that help an enterprise manage an Office 365 environment. At a minimum: require multi-factor authentication for every account, turn on mailbox audit logging (it is not enabled on all existing mailboxes by default), review the Unified Audit Log for logons from unexpected locations and for newly created inbox rules, audit mailbox forwarding settings, and block automatic forwarding to external domains with a transport rule unless there is a documented business need. Use as many of these controls as you can manage, and make reviewing the logs a routine rather than something you do only after a report of suspicious mail.
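The two indicators described above, logons from outside the organization's networks and mail being forwarded to an outside address, can both be pulled out of the Unified Audit Log once it is exported. The script below is an added example written for this article, not tooling from the author or from Microsoft. It assumes the records were exported as the AuditData JSON that Search-UnifiedAuditLog returns, and the trusted network range, the domain example.com, and every sample record are constructed for the illustration.

```python
"""Triage Office 365 Unified Audit Log records for two BEC indicators:
mailbox logons from outside trusted networks, and forwarding of mail to
addresses outside the organization (inbox rules or mailbox settings).
Example code added to this article; not the author's or Microsoft's tooling."""
import ipaddress
import json

# Assumed for this example: your corporate egress ranges and mail domains.
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
INTERNAL_DOMAINS = {"example.com"}

# Parameters on New-InboxRule / Set-InboxRule / Set-Mailbox that send mail elsewhere.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample rows in the shape of the AuditData JSON string that
# Search-UnifiedAuditLog returns per record. All names and addresses are made up.
SAMPLE_AUDIT_DATA = [
    '{"CreationTime":"2018-07-10T08:02:11","Operation":"UserLoggedIn","UserId":"cfo@example.com","ClientIP":"198.51.100.7","ResultStatus":"Succeeded"}',
    '{"CreationTime":"2018-07-10T22:41:03","Operation":"UserLoggedIn","UserId":"officeadmin@example.com","ClientIP":"203.0.113.25:443","ResultStatus":"Succeeded"}',
    '{"CreationTime":"2018-07-10T22:45:19","Operation":"UserLoggedIn","UserId":"officeadmin@example.com","ClientIP":"203.0.113.99","ResultStatus":"Failed"}',
    '{"CreationTime":"2018-07-10T22:50:40","Operation":"New-InboxRule","UserId":"officeadmin@example.com","ClientIP":"203.0.113.25:443","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"attacker@example.net"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"CreationTime":"2018-07-11T03:12:08","Operation":"Set-Mailbox","UserId":"officeadmin@example.com","ClientIP":"203.0.113.25:443","Parameters":[{"Name":"Identity","Value":"officeadmin"},{"Name":"ForwardingSmtpAddress","Value":"smtp:attacker@example.net"}]}',
    '{"CreationTime":"2018-07-11T09:00:00","Operation":"New-InboxRule","UserId":"cfo@example.com","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"ForwardTo","Value":"ap@example.com"}]}',
    '{"CreationTime":"2018-07-11T11:30:27","Operation":"MailboxLogin","UserId":"officeadmin@example.com","ClientIP":"[2001:db8::1]:25"}',
]


def load_records(lines):
    """Parse one AuditData JSON document per line into dicts."""
    return [json.loads(line) for line in lines if line.strip()]


def parse_client_ip(raw):
    """ClientIP may carry a port: 'a.b.c.d:port' or '[ipv6]:port'. Return None if unparseable."""
    raw = (raw or "").strip()
    if raw.startswith("["):
        raw = raw[1:raw.index("]")] if "]" in raw else raw[1:]
    elif raw.count(":") == 1:
        raw = raw.split(":", 1)[0]
    try:
        return ipaddress.ip_address(raw)
    except ValueError:
        return None


def external_targets(params):
    """Forwarding destinations in a rule or mailbox change that leave the organization."""
    targets = []
    for p in params:
        if p.get("Name") not in FORWARDING_PARAMS:
            continue
        # Real exports vary in quoting and list syntax; normalise to bare addresses.
        for raw in str(p.get("Value", "")).replace(";", ",").split(","):
            addr = raw.strip().strip('"[] ').lower()
            if addr.startswith("smtp:"):
                addr = addr[5:]
            if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
                targets.append(addr)
    return targets


def triage(records):
    """Return (indicator, user, detail) tuples in record order."""
    findings = []
    for r in records:
        op = r.get("Operation")
        user = r.get("UserId", "?")
        if op in ("UserLoggedIn", "MailboxLogin"):
            if r.get("ResultStatus", "Succeeded") != "Succeeded":
                continue  # failed attempts are noise here; count them separately if you care
            ip = parse_client_ip(r.get("ClientIP"))
            if ip is not None and not any(ip in net for net in TRUSTED_NETWORKS):
                findings.append(("untrusted_logon", user, str(ip)))
        elif op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            for target in external_targets(r.get("Parameters", [])):
                findings.append(("external_forwarding", user, f"{op} -> {target}"))
    return findings


if __name__ == "__main__":
    for indicator, user, detail in triage(load_records(SAMPLE_AUDIT_DATA)):
        print(f"{indicator:20} {user:28} {detail}")
```

Run against the constructed sample, the script flags the office administrator's two successful logons from outside the trusted range and both forwarding changes to the outside address, while the CFO's rule that forwards to an internal colleague and the failed logon produce nothing. In a real investigation, pair the forwarding findings with a review of the affected mailbox's current rules and forwarding settings, since a rule created before your audit window still exists.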

And call us if you think your Office 365 platform has been compromised. We know what to do.

Topics: Tech Talk