A Tale of Two Attacks: Enhancing Microsoft Office 365 Security

October 26, 2020
Vectra AI Security Research team

2020 has been an unusual year for everyone: change hit us unexpectedly and quickly. And the ways we work, go to work, and communicate have changed, too, as we transitioned to remote work and began using cloud-based services such as Microsoft Office 365.

For example, an online survey (conducted by YouGov on behalf of Vectra) of 1,097 working adults in the UK between the 8th and 9th of October 2020 revealed that 70% of those who are able to work from home and use Office 365/Microsoft 365 expect their home working to stay the same or increase post-COVID-19. It's reasonable to anticipate similar results in other developed countries.

These changes are obviously going to alter the attack surface that organizations are protecting. When we launched Detect for Office 365 a few months ago, we became well-placed to help answer what these changes look like inside the world’s most used SaaS application. From June to August, we collected data on 4 million accounts, giving us a data set to start understanding the nature of suspicious behaviors and attacks that occur within the Office 365 ecosystem.

We published our findings in the 2020 Spotlight Report on Office 365, where we identified how attackers are leveraging built-in Office 365 tools and services to execute their attacks. As part of our analysis we also highlighted examples of how we saw attackers operating inside Office 365.

Financial Fraud Attempt on Office 365

The attacker targeting this midsized manufacturer zeroed in on the finance department, likely using LinkedIn to identify targets. A low-and-slow brute-force sweep across many accounts (a password spray) was run against legacy authentication protocols, which cannot enforce multi-factor authentication (MFA), to gain access to Office 365.
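The low-and-slow pattern above is recognizable in sign-in telemetry: one source address, many distinct accounts, only a handful of failures per account, all over protocols that cannot prompt for MFA, followed eventually by a success. The detector below is an added example, not Vectra's code. The record fields mirror a few from the Azure AD sign-in log (userPrincipalName, ipAddress, clientAppUsed, status.errorCode); the events themselves, the thresholds and the IP addresses are constructed for illustration.

```python
"""Low-and-slow password spray against legacy (non-MFA) protocols.

Added example, not Vectra's code. Field names follow the Azure AD sign-in
log; the events in sample_events() are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# clientAppUsed values that use legacy (basic) authentication. Legacy auth
# cannot prompt for MFA, which is why sprays target these protocols.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP",
                      "Exchange ActiveSync", "Other clients"}
INVALID_PASSWORD = 50126  # Azure AD error code: invalid username or password
TS = "%Y-%m-%dT%H:%M:%SZ"


def detect_spray(events, window=timedelta(hours=24), min_users=10, max_per_user=3):
    """One finding per source IP that, within `window`, failed against at least
    `min_users` distinct accounts over legacy protocols with no more than
    `max_per_user` attempts each (the low-and-slow signature). Any account
    that later succeeds over legacy auth from that IP is reported as
    compromised."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["clientAppUsed"] in LEGACY_CLIENT_APPS:
            by_ip[ev["ipAddress"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda ev: datetime.strptime(ev["createdDateTime"], TS))
        for i, start in enumerate(evs):
            t0 = datetime.strptime(start["createdDateTime"], TS)
            failures = defaultdict(int)
            for ev in evs[i:]:
                if datetime.strptime(ev["createdDateTime"], TS) - t0 > window:
                    break
                if ev["status"]["errorCode"] == INVALID_PASSWORD:
                    failures[ev["userPrincipalName"]] += 1
            if len(failures) >= max(min_users, 1) and max(failures.values()) <= max_per_user:
                compromised = sorted({ev["userPrincipalName"] for ev in evs[i:]
                                      if ev["status"]["errorCode"] == 0})
                findings.append({"ip": ip, "start": start["createdDateTime"],
                                 "targets": len(failures), "compromised": compromised})
                break  # one finding per IP is enough to raise the alert
    return findings


def sample_events():
    """Constructed sign-in records: a 12-account spray over IMAP4 from one IP,
    one account finally guessed, plus benign noise that must not alert."""
    base = datetime(2020, 7, 14, 1, 0, 0)

    def ev(delta, user, ip, app, code):
        return {"createdDateTime": (base + delta).strftime(TS),
                "userPrincipalName": user, "ipAddress": ip,
                "clientAppUsed": app, "status": {"errorCode": code}}

    events = [ev(timedelta(hours=1.5 * n), f"finance{n:02d}@example.com",
                 "203.0.113.7", "IMAP4", INVALID_PASSWORD) for n in range(12)]
    events.append(ev(timedelta(hours=20), "finance07@example.com",
                     "203.0.113.7", "IMAP4", 0))
    # noise: a user mistyping in the browser, and a single POP3 failure elsewhere
    events += [ev(timedelta(minutes=m), "alice@example.com", "198.51.100.5",
                  "Browser", INVALID_PASSWORD) for m in range(5)]
    events.append(ev(timedelta(hours=3), "bob@example.com", "198.51.100.9",
                     "POP3", INVALID_PASSWORD))
    return events


if __name__ == "__main__":
    for f in detect_spray(sample_events()):
        print(f"spray from {f['ip']} starting {f['start']}: "
              f"{f['targets']} accounts targeted, compromised={f['compromised']}")
```

A per-account lockout threshold never fires on this traffic, because each account sees one or two attempts; grouping by source address and counting distinct targets is what exposes it. The durable fix is to block legacy authentication in the tenant so that every sign-in path can enforce MFA.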

Once inside, the attacker created inbox rules to forward all emails mentioning DocuSign or invoices, making the financial fraud motive clear. The attacker also set up rules that automatically deleted all emails related to passwords and security, removing the password-reset and security notifications that would have tipped off the account owner and delaying discovery.

In real time, Vectra detected multiple stages of the attack and enabled the security team to delete the forwarding rules and change passwords before any emails were sent outside the organization.

Overall, Vectra identified brute force, suspicious sign-on, risky exchange operation, and suspicious email forwarding as the main stages and indicators of the attack.
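The two rule types described above (external forwarding keyed on finance terms, and auto-deletion keyed on security terms) can be triaged directly from a mailbox's inbox rules. The code below is an added example, not Vectra's code. Property names follow what Exchange Online's Get-InboxRule returns (ForwardTo, RedirectTo, DeleteMessage, SubjectContainsWords and so on), but recipient values are assumed to be plain SMTP addresses, and the rules, addresses, keyword lists and internal-domain list are constructed. It goes slightly beyond the case above by also treating a move to Deleted Items or Junk Email as deletion, a common variant of the same evasion.

```python
"""Triage of Exchange Online inbox rules for fraud and evidence-hiding patterns.

Added example, not Vectra's code. Property names follow Get-InboxRule output;
recipients are assumed to be plain SMTP addresses; sample rules are constructed.
"""

INTERNAL_DOMAINS = {"example.com"}          # assumption: the tenant's own domains
FINANCE_TERMS = {"invoice", "docusign", "payment", "wire", "remittance", "ach"}
SECURITY_TERMS = {"password", "security", "sign-in", "mfa", "verification",
                  "suspicious", "unusual"}
# Moving mail here hides it almost as well as deleting it.
DELETE_LIKE_FOLDERS = {"deleted items", "junk email"}


def _external_recipients(rule):
    recips = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in rule.get(key) or []:
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                recips.append(addr)
    return recips


def _keywords(rule):
    words = []
    for key in ("SubjectContainsWords", "BodyContainsWords",
                "SubjectOrBodyContainsWords"):
        words += rule.get(key) or []
    return {w.lower() for w in words}


def assess_rule(rule):
    """Return a list of (severity, reason) tuples for one inbox rule."""
    findings = []
    ext = _external_recipients(rule)
    kw = _keywords(rule)
    if ext:
        # External forwarding is always worth a look; filtered on finance terms it is fraud staging.
        sev = "high" if kw & FINANCE_TERMS else "medium"
        findings.append((sev, "forwards/redirects mail to external address(es): "
                         + ", ".join(ext)))
    folder = (rule.get("MoveToFolder") or "").lower()
    hides = bool(rule.get("DeleteMessage")) or any(f in folder for f in DELETE_LIKE_FOLDERS)
    if hides and kw & SECURITY_TERMS:
        findings.append(("high", "hides security notifications matching: "
                         + ", ".join(sorted(kw & SECURITY_TERMS))))
    if not rule.get("Enabled", True):
        findings = [(sev, reason + " (rule currently disabled)") for sev, reason in findings]
    return findings


def review_mailbox(rules):
    """Map rule name -> findings, for the rules that have any."""
    out = {}
    for rule in rules:
        found = assess_rule(rule)
        if found:
            out[rule["Name"]] = found
    return out


def sample_rules():
    """Constructed rules mirroring the two the attacker created, plus benign ones."""
    return [
        {"Name": "DocuSign docs", "Enabled": True,
         "SubjectOrBodyContainsWords": ["DocuSign", "invoice"],
         "ForwardTo": ["archive@attacker.example"]},
        {"Name": "Cleanup", "Enabled": True,
         "SubjectContainsWords": ["password", "security"],
         "DeleteMessage": True},
        {"Name": "Team updates", "Enabled": True,
         "ForwardTo": ["manager@example.com"]},
        {"Name": "Newsletters", "Enabled": True,
         "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"},
    ]


if __name__ == "__main__":
    for name, found in review_mailbox(sample_rules()).items():
        for sev, reason in found:
            print(f"[{sev}] {name}: {reason}")
```

In practice the input comes from Exchange Online PowerShell (Get-InboxRule -Mailbox for a suspect account, or Search-UnifiedAuditLog filtered to the New-InboxRule and Set-InboxRule operations for tenant-wide hunting), and the response in the case above, removing the rules (Remove-InboxRule) and resetting the password, should be followed by blocking automatic external forwarding at the tenant level so the same staging cannot be repeated.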

(Figure: threat detection process for the financial fraud attempt)

Medical Research Data Theft in Office 365

A medical research unit at a university was targeted with a phishing lure that promoted a free calendar optimization and time-management app.

One person took the bait and consented to the malicious OAuth app. Because the consent is granted from the user's own, already-authenticated session, MFA never challenged the attacker, and the app's token gave them broad access to that user's Office 365 data. Using that access, the attackers sent internal phishing emails, exploiting trusted identities and existing conversations to spread further inside the university. One phishing email was enough to gain a foothold and move laterally within the tenant.

Vectra detected the suspicious app installation, and as part of the investigation, noted that the internal spear-phishing detection had also fired. The security team was able to evict the attacker by removing the malicious app.
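What made the app above dangerous was not the calendar feature it advertised but the permissions it asked for: read and send mail, plus a refresh token that outlives a password reset, from a publisher nobody had vetted. The scorer below is an added example, not Vectra's code. Each record is a normalized view of a consent grant (the "Consent to application." operation in the Office 365 audit log, or the Enterprise applications blade); the field names are this example's own assumption, the scope weights are a starting point rather than a standard, and the three records are constructed.

```python
"""Risk scoring for OAuth application consent grants in Office 365.

Added example, not Vectra's code. Record field names (app, scopes,
publisher_verified, consent_type) are this example's assumption; the scopes
themselves are real Microsoft Graph delegated permissions. Samples are constructed.
"""

# Delegated scopes that let an app read, send or persist access to mail and files.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Contacts.Read", "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All",
    "Directory.Read.All", "User.ReadWrite.All",
}
PERSISTENCE_SCOPE = "offline_access"   # refresh tokens: access survives a password reset


def score_consent(rec):
    """Return {'app', 'score', 'level', 'reasons'} for one consent record."""
    scopes = set(rec["scopes"].split())
    score, reasons = 0, []
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        score += 3 * len(risky)
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if PERSISTENCE_SCOPE in scopes:
        score += 2 if risky else 1
        reasons.append("offline_access keeps the grant alive via refresh tokens")
    if not rec.get("publisher_verified", False):
        score += 2
        reasons.append("publisher not verified")
    if rec.get("consent_type") == "AllPrincipals":
        score += 2
        reasons.append("tenant-wide (admin) consent")
    if {"Mail.Read", "Mail.ReadWrite"} & scopes and "Mail.Send" in scopes:
        # This pairing is what lets a consent-phished app send internal phishing as the victim.
        reasons.append("can read and send mail: enables internal phishing from the victim")
    level = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"app": rec["app"], "score": score, "level": level, "reasons": reasons}


def find_risky_consents(records, min_level="medium"):
    """Consents at or above min_level, in input order."""
    order = {"low": 0, "medium": 1, "high": 2}
    return [s for s in map(score_consent, records) if order[s["level"]] >= order[min_level]]


def sample_consents():
    """Constructed consent records: the lure app, a benign app, and an admin-consented tool."""
    return [
        {"app": "Calendar Optimizer Pro", "consented_by": "r.lee@example.edu",
         "consent_type": "Principal", "publisher_verified": False,
         "scopes": "User.Read Calendars.ReadWrite Mail.Read Mail.Send offline_access"},
        {"app": "HR Portal", "consented_by": "r.lee@example.edu",
         "consent_type": "Principal", "publisher_verified": True,
         "scopes": "openid profile User.Read"},
        {"app": "Legacy Report Tool", "consented_by": "admin@example.edu",
         "consent_type": "AllPrincipals", "publisher_verified": True,
         "scopes": "Files.Read.All"},
    ]


if __name__ == "__main__":
    for s in find_risky_consents(sample_consents()):
        print(f"[{s['level']}] {s['app']} (score {s['score']})")
        for r in s["reasons"]:
            print("   -", r)
```

Removing the app, as the security team did above, must include revoking its permission grants, since the refresh token issued under offline_access otherwise keeps working; restricting user consent to verified publishers and low-risk scopes, with an admin consent workflow for anything else, removes the lure's path in the first place.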

(Figure: threat detection process for the medical research data theft)

Case Studies: Office 365 Security Breaches

Credential abuse is the leading cyberattack method used against Office 365, which has more than 200 million monthly users. Smart attackers will exploit human behavior to hijack passwords, take over accounts, and steal critical business data. Conversely, smart security teams will have solid information and expectations about SaaS platforms so they can identify and mitigate malicious behaviors and privilege abuse.

Both of these customer examples showcase the ways in which Office 365 services were manipulated and exploited by attackers. And when inside these organizations’ networks, attackers used the existing tools present to live off the land and try to avoid detection.

Fortunately, these attacks were curtailed by Detect for Office 365 detecting and alerting each organization about the suspicious behaviors. Vectra’s AI-derived machine learning algorithms equipped these security teams with the necessary information to halt the attacks, averting damage and theft.

By automatically detecting and prioritizing attacker behaviors, accelerating investigations, and enabling proactive threat hunting, Vectra Cognito Detect for Office 365 gives you back control of Microsoft Office 365 security and protects you from insidious Office 365 hackers.

Read the full Spotlight Report on Office 365, and check out other case studies to see the Vectra Platform in action.


What types of attacks target Microsoft Office 365?

Common attacks include phishing, credential abuse, and exploitation of built-in Office 365 tools.

What measures can prevent medical research data theft?

Restricting which OAuth apps users may consent to, monitoring app installations and the permissions they request, and behavior-based threat detection. MFA remains essential, but as the case above shows, a consent-phished OAuth app sidesteps it, so MFA alone is not enough.

What are the signs of a phishing attack in Office 365?

Signs include unexpected email requests, installation of unapproved apps, and internal phishing attempts.

What are the best practices for securing Office 365?

Best practices include regular security audits, user training, and using advanced threat detection tools.

How can AI improve Office 365 security?

AI enhances security by detecting anomalous behaviors, reducing false positives, and automating threat responses.

How can organizations detect financial fraud attempts in Office 365?

Organizations can detect fraud by monitoring email forwarding rules, suspicious sign-ons, and risky operations.

How does Vectra AI help secure Office 365?

Vectra AI provides continuous monitoring, detects suspicious behaviors, and accelerates threat investigation.

How can security teams respond to detected threats in Office 365?

Security teams should investigate alerts, remove malicious apps, and change compromised credentials immediately.

How do attackers exploit built-in Office 365 tools?

Attackers use built-in features such as inbox forwarding and auto-delete rules, OAuth app consent, and legacy authentication protocols to blend in with normal activity, avoid detection, and exfiltrate data.

What are the benefits of multi-factor authentication (MFA) in Office 365?

MFA adds an extra layer of security, making it much harder for an attacker who holds only a password to take over an account. It does not cover legacy authentication protocols that cannot enforce it, and a consent-phished OAuth app inherits the user's access without a second MFA challenge, so MFA should be paired with blocking legacy authentication and restricting app consent.