In our latest blog, guest writer Guillaume Boisvert, Director of Product Innovation, unravels the intricacies of Microsoft 365 account attacks and breaches—an alarming reality that demands collective attention and strategic vigilance. Read on to learn how to further strengthen your Microsoft 365 security.
The security operation center for Office Protect Alliance gives us incredible visibility on common attacks on Microsoft 365. In the last few weeks, we have observed a significant increase in successful attacks that appear to share tactics, techniques, and procedures. As an MSP centric company, we wanted to share our observations and recommendations with the community. While all components of these attacks appear to have been seen in the wild before, we felt the increase in frequency warranted some exposure and wanted to help you safeguard your business against these evolving threats.
Indicators of Compromise (IOC)
What are the common denominators in recent successful Microsoft 365 attacks?
The observed attack relies heavily on session/token hijacking to bypass multifactor authentication (MFA). This method a common one today to get around MFA and it is simple to execute. It can be done with a well known open-source tool called Evilginx. It is also now part of for-profit hacker tools such as W3ll. Using these tools, or other methods, session hijacking is basically always finding a way to get the valid, MFA authenticated, session token from an identified user, and leveraging it to access the account from the attackers device.
We have observed multiple outcomes to these breaches. Some lead to the “PerfectData” attack which has been documented by Darktrace. Others simply start spewing phishing emails from the victims’ mailboxes. All of these actions appear to be part of modern attacks that try to leverage account information to do Business Email Compromise (BEC) attacks. The second goal, including the spamming, is to find more victims by sending out more phishing emails. In all cases, we have seen a significant delay between the original account access, and the actual BEC/fraud actions.
How can you identify a breach?
One IOC observed across our different cases have been the creation of an Exchange rule to hide incoming emails. The simple rule is usually named “…” (without the quotes) and redirects all incoming email traffic to the “/RSS Feed/” folder in the victims’ inbox. As far as we can tell, this is simply to hide notifications about the mailbox being used to spam phishing emails to the victims’ contacts, and not a fancy way to persist access.
We have also observed the use of anonymizing VPN services to hide the attackers’ true location, allowing them to appear to be from a country matching the operating country of the tenant. Interestingly, this appears to not be done 100% throughout the attack and IPs seen mid-attack have been consumer IPs rather than VPN IPs. Some of the attackers’ infrastructure appears to be in eastern Europe, particularly Russia.
Attack remediation
What immediate steps should MSPs take after a breach?
Managed Service Providers (MSPs) looking to remediate the attack should start by following Microsoft best practices when it comes to breached accounts, including the very important step of revoking existing sessions. Without that step, the hacker could retain access longer, potentially allowing lateral movement attack and improved persistence mechanisms.
What if the attack origin isn’t clear?
If you cannot identify exactly how the attacker hijacked the user session, it is probably worth investigating outside of Microsoft 365, including the endpoint, for signs of compromise.
Prevention and hardening
How can you harden your Microsoft 365 tenant against attacks?
Another consideration should be the hardening of the Microsoft 365 tenant to prevent the attack being successful in the first place. We recommend a few things that will help:
- Prevent non-admin users from accepting any 3rd party software. This will help for the PerfectData Software component of the attack related above. This can be done in Microsoft 365, or very easily using Sherweb’s Office Protect. It will reduce the efficacy of the attack by slowing it down and not allowing “en masse” download of the victim’s data.
- The creation of strict conditional access policy. While there are many options here, and your ability to pin things down will be influenced by the reality of the tenant’s business requirement, we recommend creating rules that do not allow access from most countries. We generally recommend not allowing the use of anonymizing VPN services in a business context, allowing their blocking and easy detection. Additionally, if you can, limit access from any unknown device at all, for added protection.
What specific measures enhance protection?
The final step in attack prevention is strict monitoring of any activities that relates to the above indicators of compromise. Any access from anonymizing VPN, 3rd party software installation, Exchange rule creation or outbound spam should be detected and acted upon immediately. Microsoft provides tools to do some of this, or you can seek the help of products like Office Protect, Octega or Blackpoint Cyber.
Hopefully implementing theses recommended measures to fortify your Microsoft 365 accounts helps your business protect their tenants. Remember, security is a shared responsibility—never give up the good fight!
