Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

Stealthy Attack Could Hit 50 Percent of Large Office 365 Customers: Report

Slow and Methodical Attack Targets Large Microsoft Office 365 Customers

Slow and Methodical Attack Targets Large Microsoft Office 365 Customers

A widescale, yet stealthy attack against Office 365 (O365) accounts started in May and is still continuing. It is a low-key attack that tries to hide under the radar, and is delivered by a small botnet of 83 IP addresses across 63 networks. The majority of IP addresses are registered in China, but the attack activity also originates from 15 other countries, such as Russia, Brazil, the US and Malaysia.

The attack was detected by Skyhigh Networks — a cloud access security broker (CASB) — and described in a blog post Thursday.

The attack is not a traditional brute force attack against O365 accounts, but a slow and methodical attack that tries to avoid highlighting its activity. “First, it targets a very small proportion (typically <2%) of the O365 account base,” writes Sandeep Chandana, principal data scientist at Skyhigh. “Second, it is devoid of any bursts in hacking activity, and averages only 3-5 attempts per account in order to try and fly under the radar of traditional defenses.”

“This campaign on Office 365 is particularly troubling due to its focus on system accounts that are essential for today’s business automation, that typically do not require MFA and that traditionally have weak security oversight,” explains Sekhar Sarukkai, chief scientist at Skyhigh. “Detection and protection from attacks on these ‘weakest link’ accounts require a cloud-native security approach for complete visibility and mitigation.”

Once an account is compromised, the attacker exfiltrates any data in the inbox and then creates a new inbox rule designed to hide and divert any incoming messages. From here the attacker can initiate harder to detect in-company phishing attempts and start to propagate infection across the network: “attack a weak-link with the potential for elevated exploits,” writes Chandana. He adds, “Since this is a persistent attack that may go unnoticed, it is possible that the attackers may tailor the payload based on the organization they have infiltrated for a larger takeover over time.”

The accounts targeted are carefully chosen: system accounts rather than people accounts. Such accounts tend to have two important characteristics: they have high access privileges, and poor protection.

“We have worked with our customers,” Skyhigh’s chief European spokesperson Nigel Hawthorn told SecurityWeek, “and seen that the attackers have used service accounts (like the ones used for user provisioning in larger enterprises), automation accounts (like the ones used to automate data and system backups), machine accounts (like the ones used for applications within data centers), marketing automation accounts (like the ones used for marketing and customer communication), internal tools accounts (like the ones used with JIRA, Jenkins, GitHub etc.), in addition to accounts set up for distribution lists and shared and delegated mailboxes.”

The targeted account names have probably been guessed (eg, [email protected]), or filtered from stolen credential lists published on the darknet. 

Skyhigh detected the attacks when its machine learning anomaly detection engine detected anomalous access locations defying standard behavioral patterns across multiple customers. “As the number of these anomalous accesses increased, Skyhigh’s threat funnel correlated multiple of these access attempt anomalies into threats.” It analyzed billions of 0365 events across hundreds of customers.

However, although this attack was detected on Skyhigh customers, it is not a Skyhigh-specific problem. “We found that over 50 percent of our customers are being attacked,” Hawthorn told SecurityWeek, “and I think it is fair to assume that 50 percent of all large Office 365 customers are being attacked even if they are not Skyhigh customers.”

The 83 recognized attacking IP addresses have been fed back to the researchers that compile and publish lists of known bad IP addresses. None of them were already included on the lists. Some companies still rely on these lists to block individual IPs, “But,” suggests Hawthorn, “it’s a bit of a game of whack-a-mole to try to do this and keep up with every address, as the bad actors can move IP addresses in seconds. The best way to address it is with user behavioral analysis and machine learning that indicates unusual traffic patterns going to/from your cloud services and is able to respond to a fluid situation.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple...