Bad players are using legitimate services & tools within Microsoft’s productivity suite to launch cyber-attacks on COVID-19 stay-at-home workers, new research indicates.
Threat players are consistently using legitimate services & tools from within Microsoft Office 365 to pilfer sensitive data & launch phishing, ransomware, & other attacks across corporate networks from a persistent position inside the cloud-based suite, new research has discovered.
Office 365 user account takeover, particularly during the COVID-19 pandemic with so many working from home, is one of the most effective ways for an attacker to gain a foothold in an organisation’s network, commented Chris Morales, Head of Security Analytics at Vectra AI.
4m Office 365 Customers
Attackers can then move laterally to launch attacks, something that researchers observed in 96% of the 4m Office 365 customers sampled June-August 2020. The company revealed the findings of this research in a 2020 Spotlight Report, released Tuesday.
“We expect this trend to magnify in the months ahead,” Morales observed.
The report looks at some of the most popular ways that attackers use Office 365 services & tools to compromise corporate networks.
Office 365 presents a wide playing field for attackers; the leading software-as-a-service (SaaS) productivity suite has more than 250m active users each month, which has made it a consistent target for attacks.
Many of those users are currently working from home due to COVID-19 restrictions, often on networks that do not have the same protections as the corporate cloud. This adds another dimension of accessibility for attackers, Morales explained.
Researchers found 3 key features of the suite that attackers exploit to take over accounts & go on to perform a variety of attacks: OAuth, Power Automate & eDiscovery.
“OAuth is used for establishing a foothold, Power Automate is used for command & control & lateral movement, & eDiscovery is used for reconnaissance & exfiltration,” Morales outlined.
OAuth is an open standard for access authentication used in Office 365 & already has been seen by researchers as a way for attackers to gain access to the cloud-based suite.
3rd-party applications use the standard to authenticate users by employing Office 365 login services & the user’s associated credentials so that they don’t have “to continuously log into every app every time the user & app requires access,” Morales further observed.
Unfortunately, this convenience is also good for threat players, because it allows an attacker to steal OAuth credentials or obtain access by convincing a real user to approve a malicious app (via a phishing email), he suggested.
This can allow attackers to maintain persistent & undetected access to Office 365 accounts.
Power Automate lets users create custom integrations & automated workflows between Office 365 applications, is enabled by default, & includes connectors to hundreds of 3rd-party applications & services, also giving it appeal for both users & hackers, Morales noted.
It allows users to automate mundane tasks but can also be used by attackers, not only because of its default-on status, but also because it allows them to move laterally within the app & execute malicious command-&-control behaviours, he asserted.
“There is no way to turn off individual connectors – it is all or nothing,” Morales stated. “Attackers can sign up for free trials to get access to premium connectors that do even more.”
Vectra found that 71% of customers sampled in their research exhibited suspicious Office 365 Power Automate behaviours.
Meanwhile, Microsoft eDiscovery searches across Office 365 applications & data & exports the results.
Once inside Office 365, attackers are using this feature as an internal reconnaissance & data exfiltration tool to find critical data to steal that can be used with malicious intent. 56% of customers sampled in Vectra’s research exhibited suspicious Office 365 eDiscovery behaviours, researchers found.
Account Compromise Impact
When attackers use these features & services to take over Office 365 accounts, there are a number of techniques they use to compromise networks. They can search through emails, chat histories, & files looking for passwords or interesting data to exfiltrate, or set up forwarding rules to get access to a steady stream of email without needing to sign in again, researchers surmised.
Threat players also can use the trusted communication channel to send socially engineered phishing emails to employees, customers, or partners.
For example, researchers observed (& helped mitigate) an incident where a medical research unit at a university was targeted with a phishing lure that promoted a free calendar optimisation & time-management app.
After 1 person was fooled & installed the malicious OAuth app, the attackers had complete access to Office 365, & used it to send internal phishing emails, taking advantage of trusted identities & communications to spread further inside the university.
Other attacks that can follow from Office 365 account takeover include planting malware or malicious links in documents that many people trust & use, or stealing files & data or holding them for ransom.
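The three behaviours the report describes (a consented OAuth app as the foothold, a mail-forwarding rule for persistent access, and eDiscovery searches for reconnaissance and exfiltration) all leave traces in the Microsoft 365 unified audit log. The detection logic below is an added example, not code from Vectra or Microsoft; it runs over constructed audit-style records, assumes a simplified comma-separated form for the consent permissions value (the real field is a longer structured string), and uses eDiscovery operation names that are assumed rather than taken from the article.

```python
from collections import defaultdict

# Constructed sample records shaped like Microsoft 365 unified audit log entries
# (Operation, UserId, Parameters are real field names; all values are made up).
SAMPLE_EVENTS = [
    {"Operation": "Consent to application.", "UserId": "alice@example.org",
     "ModifiedProperties": [{"Name": "ConsentAction.Permissions",
                             "NewValue": "Mail.Read, Mail.Send, offline_access"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@example.org",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@attacker.example"}]},
    {"Operation": "SearchExported", "UserId": "alice@example.org"},
    {"Operation": "FileAccessed", "UserId": "bob@example.org"},
]

# Rule/mailbox parameters that divert mail; such a rule keeps feeding the attacker after logout.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
# Delegated permissions that give a consented app standing access to mail and files.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                "offline_access"}
# eDiscovery operation names are assumed; verify them against your tenant's log.
EDISCOVERY_OPS = {"SearchCreated", "SearchStarted", "SearchExported"}

def classify(event):
    """Return (tag, detail) for a suspicious event, or None for a benign one."""
    op = event.get("Operation", "")
    if op == "Consent to application.":
        granted = set()
        for prop in event.get("ModifiedProperties", []):
            if prop.get("Name") == "ConsentAction.Permissions":
                granted |= {s.strip() for s in prop.get("NewValue", "").split(",")}
        hit = granted & RISKY_SCOPES
        return ("oauth_foothold", sorted(hit)) if hit else None
    if op in {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}:
        params = {p["Name"]: p.get("Value", "") for p in event.get("Parameters", [])}
        fwd = {k: v for k, v in params.items() if k in FORWARDING_PARAMS and v}
        return ("mail_forwarding", fwd) if fwd else None
    if op in EDISCOVERY_OPS:
        return ("ediscovery_activity", op)
    return None

def scan(events):
    """Group hits per user; two or more distinct tags for one user suggests a chain."""
    hits = defaultdict(list)
    for ev in events:
        result = classify(ev)
        if result:
            hits[ev.get("UserId", "?")].append(result)
    return {user: {"hits": h, "chain": len({tag for tag, _ in h}) >= 2}
            for user, h in hits.items()}
```

Correlating per user matters more than any single hit: a lone inbox rule is often legitimate, but consent to a mail-reading app followed by a forwarding rule and an eDiscovery export from the same account is the sequence the report describes.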
To mitigate threats, researchers recommend that organisations move away from employing static, prevention-based, policy control-centric or one-off mitigations & move to a more contextual security approach, Morales counselled.
“These approaches continue to fail,” he said. “Security teams must have detailed context that explains how entities utilise their privileges, known as observed privilege, within SaaS applications like Office 365. Just as attackers observe or infer interactions between entities, defenders should think similarly about their adversaries.
It is about the usage patterns & behaviours, not the static access.”