
What We Saw in 90 days from 4 Million Microsoft Office 365 Accounts

October 13, 2020

Vectra is excited to announce the release of our 2020 Spotlight Report on Microsoft Office 365. With the growing distributed workforce and rapid adoption of cloud-based applications to accommodate remote workers, Microsoft Office 365 is one of the most widely used suites of productivity applications in the world, with over 258 million Office 365 and 75 million Teams users.

The new report draws on data observed in over 4 million participating accounts from June-August 2020. During this time, Vectra discovered extensive amounts of lateral movement within Office 365 environments, and we have quantified exponential growth in the threat surface that the cloud presents. Check out the executive summary to learn about high-level takeaways and read the full report for an in-depth analysis.

Email and user accounts are frequently used by cyberattackers to gain entry into a network. Vectra research highlights that attackers who gain access use tools that are built into an organization’s cloud environments, such as Microsoft Power Automate and eDiscovery, for lateral movement.

With remote work projected to remain high, we expect this trend to continue in the months to come, as attackers continue to exploit human behavior and use the legitimate tools provided by the cloud to establish a foothold and remain undetected within a target organization.    

Key findings

This report contains analysis findings from Detect for Office 365 deployments and highlights how attackers use native Office 365 services to enable attacks.

Highlights from the report include:

  • 96% of customers sampled exhibited lateral movement behaviors  
  • 71% of customers sampled exhibited suspicious Office 365 Power Automate behaviors  
  • 56% of customers sampled exhibited suspicious Office 365 eDiscovery behaviors
  • How Power Automate and eDiscovery are used to create and automate malicious command-and-control communication and facilitate data exfiltration
  • How attackers leverage Microsoft federation services authentication to bypass multi-factor authentication (MFA) and embedded security controls
  • How the Cognito network detection and response (NDR) platform from Vectra identified and blocked real-life instances of business email compromise and phishing campaigns, as shown in case studies from a mid-sized manufacturer and a research university

In addition, the report assesses the top ten most common suspicious behaviors in Office 365 over the designated three-month period. An analysis of these findings emphasizes the need to swiftly identify user data misuse and recognize the value of understanding how entities utilize privileges within SaaS applications like Office 365 and beyond.

The Vectra 2020 Spotlight Report on Office 365 demonstrates the value of NDR when it comes to discovering attacks and enabling security teams to halt any damaging principles that have been installed because of lateral movement.

Deployed in minutes without agents, Detect for Office 365 automatically identifies and prioritizes attacker behaviors, streamlines investigations, and enables proactive threat hunting. In its first 90 days of availability, Cognito Detect for Office 365 was adopted, deployed and proceeded to protect over 4 million accounts.

To get the entire report or to learn more, please contact us or schedule a demo.

Want to learn more?

Vectra® is the leader in Security AI-driven hybrid cloud threat detection and response. The Vectra platform and services cover public cloud, SaaS applications, identity systems and network infrastructure – both on-premises and cloud-based. Organizations worldwide rely on the Vectra platform and services for resilience to ransomware, supply chain compromise, identity takeovers, and other cyberattacks impacting their organization.

If you’d like to hear more, contact us and we’ll show you exactly how we do this and what you can do to protect your data. We can also put you in contact with one of our customers to hear directly from them about their experiences with our solution.
