What We Saw in 90 days from 4 Million Microsoft Office 365 Accounts

October 13, 2020
Vectra AI Security Research team
What We Saw in 90 days from 4 Million Microsoft Office 365 Accounts

Vectra is excited to announce the release of our 2020 Spotlight Report on Microsoft Office 365. With the growing distributed workforce and rapid adoption of cloud-based applications to accommodate remote workers, Microsoft Office 365 is one of the most widely used suites of productivity applications in the world, with over 258 million Office 365 and 75 million Teams users.

The new report draws on data observed in over 4 million participating accounts from June-August 2020. During this time, Vectra discovered extensive amounts of lateral movement within Office 365 environments, and we have quantified exponential growth in the threat surface that the cloud presents. Check out the executive summary to learn about high-level takeaways and read the full report for an in-depth analysis.

Email and user accounts are frequently used cyberattackers to gain entry into a network. Vectra research highlights that attackers who gain access use tools that are built into an organization’s cloud environments, such as Microsoft Power Automate and eDiscovery, for lateral movement.  

With remote work projected to remain high, we expect this trend to continue in the months to come, as attackers continue to exploit human behavior and use the legitimate tools provided by the cloud to establish a foothold and remain undetected within a target organization.    

Key findings

This report contains analysis findings from Detect for Office 365 deployments and highlights how attackers use native Office 365 services to enable attacks.

Highlights from the report include:

  • 96% of customers sampled exhibited lateral movement behaviors  
  • 71% of customers sampled exhibited suspicious Office 365 Power Automate behaviors  
  • 56% of customers sampled exhibited suspicious Office 365 eDiscovery behaviors
  • How Power Automate and eDiscovery are used to create and automate malicious command-and-control communication and facilitate data exfiltration
  • How attackers leverage Microsoft federation services authentication to bypass multi-factor authentication (MFA) and embedded security controls
  • How the Cognito network detection and response (NDR) platform from Vectra identified and blocked real-life instances of business email compromise and phishing campaigns, as shown in case studies from a mid-sized manufacturer and a research university

In addition, the report assesses the top ten most common suspicious behaviors in Office 365 over the designated three-month period. An analysis of these findings emphasizes the need to swiftly identify user data misuse and recognize the value of understanding how entities utilize privileges within SaaS applications like Office 365 and beyond.

The Vectra 2020 Spotlight Report on Office 365 demonstrates the value of NDR when it comes to discovering attacks and enabling security teams to halt any damaging principles that have been installed because of lateral movement.

Deployed in minutes without agents, Detect for Office 365 automatically identifies and prioritizes attacker behaviors, streamlines investigations, and enables proactive threat hunting. In its first 90 days of availability, Cognito Detect for Office 365 was adopted, deployed and proceeded to protect over 4 million accounts.

Get the entire report or to learn more, please contact us or schedule a demo.