A Tale of Two Attacks: Shining a Security Spotlight on Microsoft Office 365

October 26, 2020
Vectra AI Security Research team

2020 has been an unusual year for everyone: change hit us unexpectedly and quickly. And the ways we work, go to work, and communicate have changed, too, as we transitioned to remote work and began using cloud-based services such as Microsoft Office 365.

For example, an online survey (conducted by YouGov on behalf of Vectra) of 1,097 working adults in the UK between the 8th–9th of October 2020 revealed that 70% of those who are able to work from home and use Office 365/Microsoft 365 expect their home working to stay the same or increase post-COVID-19. It’s reasonable to anticipate similar results in other developed countries.

These changes are obviously going to alter the attack surface that organizations are protecting. When we launched Detect for Office 365 a few months ago, we became well-placed to help answer what these changes look like inside the world’s most used SaaS application. From June to August, we collected data on 4 million accounts, giving us a data set to start understanding the nature of suspicious behaviors and attacks that occur within the Office 365 ecosystem.

We published our findings in the 2020 Spotlight Report on Office 365, where we identified how attackers are leveraging built-in Office 365 tools and services to execute their attacks. As part of our analysis we also highlighted examples of how we saw attackers operating inside Office 365.

Financial fraud attempt

The attacker of this midsized manufacturer zeroed in on the finance department, likely using LinkedIn to identify targets. A low-and-slow brute-sweep attack was run against legacy protocols—finding the place where multi-factor authentication (MFA) could not be enabled—to gain access to Office 365.

Once inside, the attacker implemented rules to forward all emails related to either DocuSign or invoices, making the financial fraud motive clear. Cleverly, the attacker also set up rules to erase threat evidence and avoid discovery by automatically deleting all emails related to passwords and security.

In real time, Vectra detected multiple stages of the attack and enabled the security team to delete the forwarding rules and change passwords before any emails were sent outside the organization.

Overall, Vectra identified brute force, suspicious sign-on, risky exchange operation, and suspicious email forwarding as the main stages and indicators of the attack.
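The two inbox rules described above (forward anything about DocuSign or invoices, delete anything about passwords or security) are visible in mailbox audit records, and a security team can hunt for them directly. The following is an added example, not Vectra's code or the detection logic of its product: it scans constructed, simplified `New-InboxRule` audit records (the parameter names mirror Exchange Online's inbox-rule parameters, but the record layout, the `example.com` internal domain, and the keyword lists are assumptions) and flags rules that forward to an external address or that delete messages matching security keywords.

```python
"""Flag inbox rules that forward finance-related mail externally or that
silently delete security notifications.  Added example; the event layout
is a simplified, constructed approximation of an audit record."""
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.com"          # assumed internal mail domain
FRAUD_KEYWORDS = ("invoice", "docusign", "payment", "wire")
EVIDENCE_KEYWORDS = ("password", "security", "suspicious", "sign-in")

# Constructed sample events.  The first two mirror the attack in the text:
# one rule exfiltrates invoice/DocuSign mail, the other hides the evidence.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@example.com",
     "Parameters": {"Name": "Docs",
                    "SubjectContainsWords": "DocuSign;invoice",
                    "ForwardTo": "collector@mail-drop.example.net"}},
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@example.com",
     "Parameters": {"Name": "Cleanup",
                    "SubjectOrBodyContainsWords": "password;security",
                    "DeleteMessage": "True"}},
    {"Operation": "New-InboxRule", "UserId": "pm@example.com",
     "Parameters": {"Name": "Team", "From": "lead@example.com",
                    "MoveToFolder": "Projects"}},          # benign rule
    {"Operation": "Set-Mailbox", "UserId": "pm@example.com",
     "Parameters": {"ForwardingSmtpAddress": "smtp:pm@example.com"}},
]


@dataclass
class Finding:
    user: str
    rule: str
    reason: str


def _words(value):
    """Split a semicolon-separated rule parameter into lower-cased tokens."""
    return [w.strip().lower() for w in value.split(";") if w.strip()]


def _is_external(addr):
    """True when the address is outside the assumed internal domain."""
    return "@" in addr and not addr.endswith("@" + INTERNAL_DOMAIN)


def analyze_rule_event(event):
    """Return a list of Findings for one audit record (empty if benign)."""
    findings = []
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return findings
    p = event["Parameters"]
    rule, user = p.get("Name", "<unnamed>"), event["UserId"]
    subject_words = (_words(p.get("SubjectContainsWords", ""))
                     + _words(p.get("SubjectOrBodyContainsWords", "")))

    # Case 1: mail leaves the tenant.  Forward/redirect parameters may list
    # several recipients; any external one is enough to raise a finding.
    targets = [a for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
               for a in _words(p.get(key, ""))]
    external = [a for a in targets if _is_external(a)]
    if external:
        reason = "forwards mail to external address " + ", ".join(external)
        if any(k in w for w in subject_words for k in FRAUD_KEYWORDS):
            reason += ", filtered on finance keywords"
        findings.append(Finding(user, rule, reason))

    # Case 2: evidence destruction.  A rule that deletes messages about
    # passwords or security hides the alerts a compromised user would see.
    if (p.get("DeleteMessage", "").lower() == "true"
            and any(k in w for w in subject_words for k in EVIDENCE_KEYWORDS)):
        findings.append(Finding(user, rule,
                                "deletes messages matching security keywords"))
    return findings


def scan(events):
    """Run analyze_rule_event over a batch of records."""
    return [f for e in events for f in analyze_rule_event(e)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.user}: rule '{f.rule}' {f.reason}")
```

Run over real records, the same two checks apply unchanged; what differs is the plumbing (reading exported audit records instead of the constructed list) and the keyword lists, which should be tuned to the organisation's own finance vocabulary and security-alert senders.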

Figure: Threat detection process (financial fraud attempt)

Medical research theft

A medical research unit at a university was targeted with a phishing lure that promoted a free calendar optimization and time-management app.

One person took the bait and installed the malicious OAuth app, bypassing MFA and unknowingly providing complete access to Office 365. Using that access, the attackers then sent internal phishing emails, taking advantage of trusted identities and communications to spread further inside the university. With one phishing email, the attackers infiltrated and enacted lateral movement within the network.

Vectra detected the suspicious app installation, and as part of the investigation, noted that the internal spear-phishing detection had also fired. The security team was able to evict the attacker by removing the malicious app.
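A consent grant to a third-party OAuth app is recorded as an audit event that lists the permissions the app was granted, and the mismatch between what an app claims to do (calendar optimisation) and what it asks for (read and send mail, with a long-lived refresh token) is the signal. The following added example, which is not Vectra's code or its product's detection logic, scores constructed consent events by the Microsoft Graph permission scopes they carry; the scope names are real Graph permissions, but the event layout, the risk weights, and the "declared purpose" field are assumptions made for the example.

```python
"""Score OAuth consent grants by the permissions requested and flag apps
whose scopes exceed their declared purpose.  Added example; event layout,
weights and the 'purpose' field are constructed assumptions."""

# Microsoft Graph delegated permissions, with assumed risk weights.  Mail
# send + mail read together give an app the internal-phishing capability
# described in the case study, so they are weighted highest.
SCOPE_WEIGHTS = {
    "Mail.Send": 4,
    "Mail.ReadWrite": 4,
    "Mail.Read": 3,
    "Files.ReadWrite.All": 3,
    "Contacts.Read": 2,
    "offline_access": 2,       # refresh token: access persists after the session
    "Calendars.ReadWrite": 1,
    "Calendars.Read": 1,
    "User.Read": 0,
}

# Scopes a calendar/time-management app plausibly needs (assumed baseline).
PURPOSE_BASELINE = {
    "calendar": {"User.Read", "Calendars.Read", "Calendars.ReadWrite"},
}

# Constructed consent events in a simplified shape.
SAMPLE_CONSENTS = [
    {"app": "FreeCalendarOptimizer", "purpose": "calendar",
     "publisher_verified": False, "user": "researcher@example.edu",
     "scopes": ["User.Read", "Calendars.ReadWrite", "Mail.ReadWrite",
                "Mail.Send", "Contacts.Read", "offline_access"]},
    {"app": "RoomBooker", "purpose": "calendar",
     "publisher_verified": True, "user": "admin@example.edu",
     "scopes": ["User.Read", "Calendars.Read"]},
]


def assess_consent(event):
    """Return (level, score, reasons) for one consent event."""
    scopes = set(event["scopes"])
    score = sum(SCOPE_WEIGHTS.get(s, 1) for s in scopes)   # unknown scope: 1
    reasons = []

    # Scopes beyond what the declared purpose needs are the key mismatch.
    baseline = PURPOSE_BASELINE.get(event.get("purpose"), set())
    excess = sorted(scopes - baseline) if baseline else []
    if excess:
        reasons.append("scopes beyond declared purpose: " + ", ".join(excess))

    # Read + send mail lets the app phish from the victim's own identity.
    if {"Mail.Send"} & scopes and {"Mail.Read", "Mail.ReadWrite"} & scopes:
        reasons.append("can read and send mail as the user")
        score += 3
    if "offline_access" in scopes:
        reasons.append("holds a refresh token, so access outlives the session")
    if not event.get("publisher_verified", False):
        reasons.append("publisher not verified")
        score += 2

    level = "high" if score >= 10 else "medium" if score >= 5 else "low"
    return level, score, reasons


def triage(events):
    """Map app name -> (level, score, reasons) for a batch of consents."""
    return {e["app"]: assess_consent(e) for e in events}


if __name__ == "__main__":
    for app, (level, score, reasons) in triage(SAMPLE_CONSENTS).items():
        print(f"{app}: {level} ({score})")
        for r in reasons:
            print("  -", r)
```

Scoring is deliberately simple and tunable; the point is that the calendar app is not flagged because it is malicious-looking, but because it asks for mail and refresh-token scopes that a calendar tool has no reason to need. In the case above, the response is also visible here: revoking the app's consent removes the access it was granted.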

Figure: Threat detection process (medical research theft)

Case (studies) in point

Credential abuse is the leading cyberattack method used against Office 365, which has more than 200 million monthly users. Smart attackers will exploit human behavior to hijack passwords, take over accounts, and steal critical business data. Conversely, smart security teams will have solid information and expectations about SaaS platforms so they can identify and mitigate malicious behaviors and privilege abuse.

Both of these customer examples showcase the ways in which Office 365 services were manipulated and exploited by attackers. And when inside these organizations’ networks, attackers used the existing tools present to live off the land and try to avoid detection.

Fortunately, these attacks were curtailed by Detect for Office 365 detecting and alerting each organization about the suspicious behaviors. Vectra’s AI-derived machine learning algorithms equipped these security teams with the necessary information to halt the attacks, averting damage and theft.

By automatically detecting and prioritizing attacker behaviors, accelerating investigations, and enabling proactive threat hunting, Vectra Cognito Detect for Office 365 gives you back control of Microsoft Office 365 security and protects you from insidious Office 365 hackers.

Read the full Spotlight Report on Office 365, and check out other case studies to see the Vectra Platform in action.