How Attackers Use Business Email to Compromise Office 365

December 3, 2020
Vectra AI Security Research team

The FBI recently issued a Private Industry Notification warning that cyberattackers are creating auto-forwarding rules in victims' web-based email clients to conceal their activities. Rules set in the web client often do not sync to the desktop client, so a victim or administrator who only looks there never sees them. Attackers then capitalize on this reduced visibility to increase the likelihood of a successful business email compromise (BEC).

This is serious stuff. Last year, the Internet Crime Complaint Center (IC3) reported losses of more than $1.7 billion worldwide due to BEC actors.

This brings up the cyberthreat that has been plaguing Microsoft Office 365 accounts, which include the Outlook mail client and the Exchange mail server. With more than 200 million monthly subscribers, Office 365 is a rich target for cybercriminals. And every month, 30% of organizations that use it fall victim to attackers.

Although Office 365 gives the new distributed workforce a primary domain in which to conduct business, it also creates a central repository of data and information that’s easy for attackers to exploit.

Instead of malware, attackers use the tools and capabilities that are available by default in Office 365, living off the land and staying hidden for months. Forwarding emails is just one of many techniques to worry about. After attackers gain a foothold in an Office 365 environment, several things can happen, including:

  • Searching through emails, chat histories, and files looking for passwords or other useful data
  • Setting up forwarding rules to receive a steady stream of emails without needing to sign in again
  • Hijacking a trusted communication channel, such as sending an illegitimate email from the CEO’s official account to socially engineer employees, customers and partners
  • Planting malware or malicious links in trusted documents to manipulate people into circumventing prevention controls that trigger warnings
  • Stealing or encrypting files and data for ransom
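The forwarding rules described in the FBI notification and in the list above leave a trace: every New-InboxRule, Set-InboxRule and Set-Mailbox operation is written to the Office 365 Unified Audit Log. The following detection logic is an added example written for this article; it is not code from the original post or from Vectra. It assumes the audit records carry Operation, UserId, ClientIP and a Parameters list of Name/Value pairs (the shape of exported audit log JSON), that contoso.com is the tenant's only internal domain, and the sample records are constructed, not captured from a real tenant. It flags any rule that forwards or redirects mail outside the tenant and notes when the rule also deletes or files the original, the combination attackers use to keep the victim from noticing.

```python
"""Flag inbox rules and mailbox settings that forward mail outside the tenant.

Added example, not code from the original post or from Vectra. Assumes the
Unified Audit Log record shape for New-InboxRule / Set-InboxRule / Set-Mailbox
(Operation, UserId, ClientIP, Parameters as Name/Value pairs). The sample
records below are constructed, not captured from a real tenant.
"""
import json
from typing import Dict, Iterable, List, Optional

# Rule parameters that send a copy of (or the whole) message elsewhere.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
# Parameters attackers pair with forwarding so the victim never sees the mail.
CONCEALMENT_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Assumed: the tenant's accepted domains. Anything else is treated as external.
INTERNAL_DOMAINS = {"contoso.com"}


def _params(record: dict) -> Dict[str, str]:
    """Flatten the record's Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _recipients(value: str) -> List[str]:
    """Extract SMTP addresses from the forms Exchange logs them in.

    Multi-valued recipients are ';'-separated and may appear as
    '[SMTP:alice@example.org]', 'smtp:alice@example.org' or 'Alice <alice@example.org>'.
    """
    out = []
    for item in value.split(";"):
        item = item.strip().strip("[]")
        if item.upper().startswith("SMTP:"):
            item = item[5:]
        if "<" in item and item.endswith(">"):
            item = item[item.index("<") + 1:-1]
        if "@" in item:
            out.append(item.lower())
    return out


def _is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def evaluate(record: dict) -> Optional[dict]:
    """Return a finding when a rule/mailbox setting forwards outside the tenant, else None."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = _params(record)
    external = []
    for name in FORWARDING_PARAMS:
        if name in params:
            external += [a for a in _recipients(params[name]) if _is_external(a)]
    if not external:
        return None
    return {
        "operation": record["Operation"],
        "actor": record.get("UserId"),                 # who made the change
        "mailbox": params.get("Identity", record.get("UserId")),  # whose mail leaves
        "client_ip": record.get("ClientIP"),
        "rule_name": params.get("Name"),
        "external_recipients": sorted(set(external)),
        "concealed": any(p in params for p in CONCEALMENT_PARAMS),
    }


def scan(lines: Iterable[str]) -> List[dict]:
    """Run evaluate() over newline-delimited JSON audit records."""
    findings = []
    for line in lines:
        finding = evaluate(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (not real audit data).
SAMPLE_AUDIT_LINES = [
    json.dumps({"CreationTime": "2020-11-30T08:12:44", "Operation": "New-InboxRule",
                "UserId": "cfo@contoso.com", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                               {"Name": "ForwardTo", "Value": "[SMTP:collector@mail-archive.example]"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2020-11-30T09:01:10", "Operation": "New-InboxRule",  # benign, internal
                "UserId": "alice@contoso.com", "ClientIP": "198.51.100.4",
                "Parameters": [{"Name": "Name", "Value": "Cover for Bob"},
                               {"Name": "ForwardTo", "Value": "Bob <bob@contoso.com>"}]}),
    json.dumps({"CreationTime": "2020-11-30T09:30:00", "Operation": "Set-Mailbox",  # mailbox-level forward
                "UserId": "admin@contoso.com", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Identity", "Value": "cfo@contoso.com"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@mail-archive.example"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "alice@contoso.com", "Parameters": []}),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT_LINES):
        print(finding)
```

Two points worth carrying into a real deployment: Set-Mailbox records name the administrator who made the change, not the mailbox whose mail now leaves (hence the separate actor and mailbox fields), and a rule with a one-character name plus DeleteMessage against a finance mailbox deserves a higher severity than a forward alone. Auditing the rules themselves from the Exchange Online PowerShell side (Get-InboxRule, and ForwardingSmtpAddress on Get-Mailbox) complements this, since it catches rules created before audit logging was enabled.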

Vectra research on the Top 10 most common attack techniques used against Office 365 found suspicious mail forwarding to be the eighth most common malicious behavior.

[Figure: commonly leveraged tools/services in Office 365]

It’s critical to keep a watchful eye on the misuse of account privileges in Office 365, given its prevalence in real-world attacks. Security measures like multi-factor authentication (MFA) remain necessary, but on their own they no longer stop attackers in this new cybersecurity landscape: once a session is established through a phished credential or token, the forwarding rules and searches described above require no further authentication.

Office 365 and other SaaS platforms are a safe haven for attacker lateral movement, making it paramount to detect and respond to account privilege abuse when users access applications and services in cloud environments.

This is precisely what Detect for Office 365 does. It enables security teams to quickly and easily identify and mitigate hidden attackers in SaaS platforms like Office 365 so that it’s no longer a safe haven for cybercrooks.