Stealthy Attack Could Hit 50 Percent of Large Office 365 Customers: Report

Slow and Methodical Attack Targets Large Microsoft Office 365 Customers

A widescale yet stealthy attack against Office 365 (O365) accounts began in May and is still ongoing. It is a deliberately low-volume attack, conducted from a small botnet of 83 IP addresses spread across 63 networks. Most of the IP addresses are registered in China, but activity also originates from 15 other countries, including Russia, Brazil, the US and Malaysia.

The attack was detected by Skyhigh Networks — a cloud access security broker (CASB) — and described in a blog post Thursday.

The attack is not a traditional brute force attack against O365 accounts, but a slow and methodical attack that tries to avoid highlighting its activity. “First, it targets a very small proportion (typically <2%) of the O365 account base,” writes Sandeep Chandana, principal data scientist at Skyhigh. “Second, it is devoid of any bursts in hacking activity, and averages only 3-5 attempts per account in order to try and fly under the radar of traditional defenses.”

“This campaign on Office 365 is particularly troubling due to its focus on system accounts that are essential for today’s business automation, that typically do not require MFA and that traditionally have weak security oversight,” explains Sekhar Sarukkai, chief scientist at Skyhigh. “Detection and protection from attacks on these ‘weakest link’ accounts require a cloud-native security approach for complete visibility and mitigation.”

Once an account is compromised, the attacker exfiltrates any data in the inbox and then creates a new inbox rule designed to hide and divert incoming messages. From there the attacker can launch harder-to-detect internal phishing from a trusted address and begin to propagate across the organization: “attack a weak-link with the potential for elevated exploits,” writes Chandana. He adds, “Since this is a persistent attack that may go unnoticed, it is possible that the attackers may tailor the payload based on the organization they have infiltrated for a larger takeover over time.”
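The hide-and-divert inbox rule described above is one of the few post-compromise artefacts a defender can audit directly. The following is an added example, not code from the article or from Skyhigh: it triages inbox rule definitions for the traits such rules usually carry (external forwarding, silent deletion, moves into rarely-viewed folders, mark-as-read, filtering on alert keywords, blank or one-character names). The rule records are constructed here in a simplified shape of what an Exchange Online administrator would export with Get-InboxRule; every account, folder and address is invented, and the keyword and folder lists are assumptions, not a Microsoft or Skyhigh reference.

```python
"""Triage Office 365 inbox rules for hide-or-divert behaviour.

Added example; not from the SecurityWeek article or Skyhigh's tooling.
Rule records are constructed in a simplified Get-InboxRule shape with
invented names, folders and addresses.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Folders attackers commonly use to park diverted mail where the owner will not look
# (assumed list for the example).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}

# Subject keywords attackers filter on to suppress the victim's own warning mail
# or to intercept payment traffic (assumed list for the example).
SUPPRESS_KEYWORDS = {"password", "phish", "security", "suspicious", "hacked", "invoice"}


@dataclass
class InboxRule:
    name: str
    enabled: bool = True
    forward_to: list[str] = field(default_factory=list)
    redirect_to: list[str] = field(default_factory=list)
    move_to_folder: str | None = None
    delete_message: bool = False
    mark_as_read: bool = False
    subject_contains: list[str] = field(default_factory=list)


def classify_rule(rule: InboxRule, internal_domains: set[str]) -> list[str]:
    """Return the reasons a rule looks like hide-or-divert tradecraft (empty if benign)."""
    reasons: list[str] = []
    if not rule.enabled:
        return reasons
    for addr in rule.forward_to + rule.redirect_to:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in internal_domains:
            reasons.append(f"forwards mail outside the tenant to {addr}")
    if rule.delete_message:
        reasons.append("silently deletes matching mail")
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely-viewed folder '{rule.move_to_folder}'")
    if rule.mark_as_read and (rule.move_to_folder or rule.delete_message):
        reasons.append("marks mail read so it never shows as new")
    for kw in rule.subject_contains:
        if kw.lower() in SUPPRESS_KEYWORDS:
            reasons.append(f"filters on suppression keyword '{kw}'")
    if len(rule.name.strip()) <= 2:
        reasons.append("rule has an empty or single-character name")
    return reasons


def triage(rules: list[InboxRule], internal_domains: set[str]) -> dict[str, list[str]]:
    """Map each suspicious rule name to its reasons; benign rules are omitted."""
    return {r.name: reasons for r in rules if (reasons := classify_rule(r, internal_domains))}


# Constructed sample: one benign rule and two matching the behaviour the article describes.
SAMPLE_RULES = [
    InboxRule(name="Newsletters", move_to_folder="Newsletters", subject_contains=["digest"]),
    InboxRule(name=".", forward_to=["collector@example.net"], delete_message=True,
              subject_contains=["password", "invoice"]),
    InboxRule(name="Cleanup", move_to_folder="RSS Subscriptions", mark_as_read=True),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RULES, {"example.com"}).items():
        print(f"[{name!r}]")
        for r in reasons:
            print("   -", r)
```

In a real tenant the same checks belong on the audit trail as well as on the current rule set: the New-InboxRule and Set-InboxRule operations in the unified audit log show when a rule appeared and from which client IP, which is the moment the compromise becomes visible.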

The targeted accounts are carefully chosen: system and service accounts rather than accounts belonging to individual users. Such accounts tend to have two characteristics that make them attractive: high access privileges, and weak protection (typically no MFA and little security oversight).


“We have worked with our customers,” Skyhigh’s chief European spokesperson Nigel Hawthorn told SecurityWeek, “and seen that the attackers have used service accounts (like the ones used for user provisioning in larger enterprises), automation accounts (like the ones used to automate data and system backups), machine accounts (like the ones used for applications within data centers), marketing automation accounts (like the ones used for marketing and customer communication), internal tools accounts (like the ones used with JIRA, Jenkins, GitHub etc.), in addition to accounts set up for distribution lists and shared and delegated mailboxes.”

The targeted account names have probably been guessed (e.g., CRMlink@domain) or filtered from stolen credential lists published on the darknet.

Skyhigh detected the attack when its machine-learning anomaly detection engine flagged access from locations that defied the established behavioral patterns of accounts across multiple customers. “As the number of these anomalous accesses increased, Skyhigh’s threat funnel correlated multiple of these access attempt anomalies into threats.” The analysis covered billions of O365 events across hundreds of customers.

However, although this attack was detected on Skyhigh customers, it is not a Skyhigh-specific problem. “We found that over 50 percent of our customers are being attacked,” Hawthorn told SecurityWeek, “and I think it is fair to assume that 50 percent of all large Office 365 customers are being attacked even if they are not Skyhigh customers.”

The 83 identified attacking IP addresses have been fed back to the researchers who compile and publish lists of known-bad IP addresses. None of them were already on those lists. Some companies still rely on such lists to block individual IPs, “But,” suggests Hawthorn, “it’s a bit of a game of whack-a-mole to try to do this and keep up with every address, as the bad actors can move IP addresses in seconds. The best way to address it is with user behavioral analysis and machine learning that indicates unusual traffic patterns going to/from your cloud services and is able to respond to a fluid situation.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
