How Attackers Use Business Email to Compromise Office 365

By: Vectra
December 3, 2020

The FBI recently issued a Private Industry Notification that cyberattackers are assigning auto-forwarding rules to victims’ web-based email clients to conceal their activities. Attackers then capitalize on this reduced visibility to increase the likelihood of a successful business email compromise (BEC).

This is serious stuff. Last year, the Internet Crime Complaint Center (IC3) reported losses of more than $1.7 billion worldwide due to BEC actors.

This brings up the cyberthreat that’s been plaguing Microsoft Office 365 accounts, which includes the Outlook mail client and Exchange mail server. With more than 200 million monthly subscribers, Office 365 is a rich target for cybercriminals. And every month, 30% of organizations who use it fall victim to attackers.

Although Office 365 gives the new distributed workforce a primary domain in which to conduct business, it also creates a central repository of data and information that’s easy for attackers to exploit.

Instead of malware, attackers use the tools and capabilities that are available by default in Office 365, living off the land and staying hidden for months. Forwarding emails is just one of many techniques to worry about. After attackers gain a foothold in an Office 365 environment, several things can happen, including:

  • Searching through emails, chat histories, and files looking for passwords or other useful data
  • Setting up forwarding rules to access a steady stream of emails without needing to sign in again
  • Hijacking a trusted communication channel, such as sending an illegitimate email from the CEO’s official account to socially engineer employees, customers and partners
  • Planting malware or malicious links in trusted documents to manipulate people into circumventing prevention controls that trigger warnings
  • Stealing or encrypting files and data for ransom

Vectra research on the Top 10 most common attack techniques used against Office 365 found suspicious mail forwarding to be the eighth most common malicious behavior.
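
One way to look for the forwarding behavior described above, as an added example (not Vectra's code and not part of the original post): the Python below scans audit records for inbox-rule and mailbox changes that send mail outside the organization. The record layout, the sample records and the `example.com` internal domain are constructed assumptions.

```python
# Exchange Online cmdlets and the parameters that send mail elsewhere.
FORWARD_PARAMS = {
    "New-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-Mailbox": {"ForwardingSmtpAddress", "ForwardingAddress"},
}

# Constructed sample records (assumed layout: Operation, UserId, Parameters).
SAMPLE_RECORDS = [
    {"CreationTime": "2020-11-30T08:14:02", "Operation": "New-InboxRule",
     "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "archive@mail-backup.example.net"}]},
    {"CreationTime": "2020-11-30T09:41:17", "Operation": "Set-Mailbox",
     "UserId": "bob@example.com",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:bob@partner.example.org"}]},
    {"CreationTime": "2020-11-30T10:02:55", "Operation": "New-InboxRule",
     "UserId": "carol@example.com",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Archive"}]},
    {"CreationTime": "2020-11-30T11:20:31", "Operation": "Set-InboxRule",
     "UserId": "dave@example.com",
     "Parameters": [{"Name": "ForwardTo", "Value": "dave.assistant@example.com"}]},
]

def target_domains(value):
    """Return lower-cased domains from a value such as 'smtp:a@b.com;c@d.com'."""
    parts = str(value).replace(",", ";").split(";")
    # Values without '@' (for example an internal recipient name) are skipped.
    return {p.strip().lower().rsplit("@", 1)[1] for p in parts if "@" in p}

def find_external_forwarding(records, internal_domains):
    """List forwarding changes whose targets fall outside internal_domains."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rec in records:
        watched = FORWARD_PARAMS.get(rec.get("Operation"), set())
        for param in rec.get("Parameters", []):
            external = target_domains(param.get("Value", "")) - internal
            if param.get("Name") in watched and external:
                findings.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                                 "operation": rec["Operation"], "parameter": param["Name"],
                                 "external_domains": sorted(external)})
    return findings

if __name__ == "__main__":
    for hit in find_external_forwarding(SAMPLE_RECORDS, {"example.com"}):
        print(hit)
```

Domain matching is exact, so subdomains and partner domains that should count as internal have to be listed explicitly.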

Office 365 Tools and Services Attackers Use

It’s critical to keep a watchful eye on the misuse of account privileges for Office 365, given its prevalence in real-world attacks. Security measures like multifactor authentication (MFA) no longer stop attackers in this new cybersecurity landscape.

Office 365 and other SaaS platforms are a safe haven for attacker lateral movement, making it paramount to detect and respond to account privilege abuse when users access applications and services in cloud environments.

This is precisely what Cognito Detect for Office 365 does. It enables security teams to quickly and easily identify and mitigate hidden attackers in SaaS platforms like Office 365 so that it’s no longer a safe haven for cybercrooks.

If you want to see all this for yourself, you can get a 30-day free trial here.

About the author

Vectra

Vectra® is the world leader in AI-powered network detection and response.
