The Office 365 Tools and Open Services Attackers Love to Use

October 19, 2020
Vectra AI Security Research team
Cybersecurity

Our recently published research in the 2020 Spotlight Report for Office 365 identifies the tools and services within the cloud-based application commonly being leveraged by attackers. By observing 4 million Office 365 accounts over a 90-day period, we were able to identify suspicious high-risk behaviors associated with attacker techniques exploiting built-in Office 365 capabilities.

This research coincides with a huge transition to remote work—a result of the ongoing COVID-19 pandemic—and the increased adoption of SaaS platforms, like Microsoft Office 365, as the daily go-to digital workspaces. While Office 365 provides the distributed workforce with a primary domain to conduct business, it also creates a central repository of data and information that’s a prime target for attackers to exploit.

While multi-factor authentication (MFA) is the single best control for reducing the likelihood of a breach, Office 365 breaches continue to occur; MFA on its own is no longer enough to deter determined attackers. Among those breaches, account takeover is the fastest-growing and most prevalent category, damaging organizations' reputations and incurring financial losses.

Figure: commonly leveraged tools in Microsoft Office 365


Attacker behaviors in Office 365

Once attackers gain a foothold in an Office 365 environment, several common techniques tend to follow, including:

  1. Searching through emails, chat histories, and files for passwords or other interesting data
  2. Setting up forwarding rules to obtain a steady stream of email without needing to sign in again
  3. Leveraging the trusted communication channel (e.g. sending an illegitimate email from the CEO's official account to socially engineer employees, customers, or partners)
  4. Planting malware or malicious links in documents that many people trust and use, again abusing trust to circumvent prevention controls that would otherwise trigger warnings
  5. Stealing files and data, or holding them for ransom
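The forwarding-rule persistence in item 2 is easy to audit from Exchange Online PowerShell. The script below is an added example, not part of the Vectra report: it assumes the ExchangeOnlineManagement module and an account holding at least the View-Only Recipients role, treats any recipient outside the tenant's accepted domains as external, and the folder names it flags as hiding spots are a heuristic of this example.

```powershell
# Added example, not code from the Vectra report: audit an Exchange Online
# tenant for the forwarding-based persistence described above. Assumes the
# ExchangeOnlineManagement module and at least the View-Only Recipients role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Every domain the tenant owns; anything else counts as external here.
$internalDomains = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() })

function Test-ExternalAddress {
    param([string]$Address)
    # Rule recipients arrive as 'Display Name [SMTP:user@example.com]',
    # mailbox forwarding as 'smtp:user@example.com'; pull out the SMTP part.
    if ($Address -match '(?i)smtp:([^\]\s>]+)') { $Address = $Matches[1] }
    if ($Address -notmatch '@') { return $false }     # an internal recipient object
    $domain = ($Address -split '@')[-1].ToLower()
    return ($internalDomains -notcontains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # 1. Mailbox-level forwarding (Set-Mailbox / admin center). Attackers usually
    #    leave DeliverToMailboxAndForward on so the victim notices nothing.
    foreach ($target in @($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) | Where-Object { $_ }) {
        if (Test-ExternalAddress ([string]$target)) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Kind = 'MailboxForwarding'
                               Rule = ''; Target = [string]$target; Reason = 'external target' }
        }
    }
    # 2. Inbox rules the user (or whoever held the user's session) created.
    #    One call per mailbox, so scope Get-Mailbox with -Filter on large tenants.
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.UserPrincipalName | Where-Object { $_.Enabled })) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        $external = @($targets | Where-Object { Test-ExternalAddress ([string]$_) })
        $reasons  = @()
        if ($external.Count -gt 0) { $reasons += 'forwards externally' }
        if ($rule.DeleteMessage)    { $reasons += 'deletes mail' }
        # Heuristic: moving replies into RSS/Archive-type folders is how attackers hide them.
        if ($rule.MoveToFolder -match 'RSS|Archive|Conversation History') { $reasons += "hides mail in $($rule.MoveToFolder)" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Kind = 'InboxRule'
                               Rule = $rule.Name; Target = ($external -join '; '); Reason = ($reasons -join ', ') }
        }
    }
}

$findings | Sort-Object Mailbox, Kind | Format-Table -AutoSize
# Remediate once confirmed with the user:
#   Set-Mailbox -Identity <upn> -ForwardingSmtpAddress $null -ForwardingAddress $null
#   Disable-InboxRule -Mailbox <upn> -Identity '<rule name>'   (or Remove-InboxRule)
```

Rules that only delete or only move mail matter as much as the external forwards: they are how an attacker who is sending from the CEO's mailbox (item 3) keeps the replies out of the CEO's sight.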

How do they do it?

The Spotlight Report found that of Office 365’s services, three in particular stood out as useful for an attack. OAuth is used for establishing a foothold and persistence, Power Automate is used for command and control and lateral movement, and eDiscovery is used for reconnaissance and exfiltration.

1. OAuth is an open standard for delegated authorization

It is often used by third-party applications to obtain access to a user's Office 365 data through the Office 365 sign-in service, without ever handling the user's password. The OAuth authorization code grant can be used by apps installed on a device to gain access to protected resources, such as web APIs. Attackers register malicious Azure applications, trick users into consenting to them, and then use the granted OAuth tokens to maintain persistent access to users' Office 365 accounts independently of the password.
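Because consent grants persist until revoked, the state worth auditing is the list of delegated OAuth grants in the tenant. The script below is an added example, not part of the Vectra report: it assumes the Microsoft Graph PowerShell SDK (v2) and an account able to read directory data; the list of "risky" scopes is this example's choice, and the two Microsoft tenant IDs are the well-known owners of first-party Microsoft service principals.

```powershell
# Added example, not code from the Vectra report: list delegated OAuth consent
# grants and flag those that give an application standing access to mail and
# files. Assumes the Microsoft.Graph PowerShell SDK (v2).
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'DelegatedPermissionGrant.Read.All', 'Application.Read.All' -NoWelcome

$tenantId = (Get-MgContext).TenantId
# First-party Microsoft apps are owned by these well-known tenants; any other
# owner that is not $tenantId is a third-party (multi-tenant) application.
$microsoftTenants = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a', '72f988bf-86f1-41af-91ab-2d7cd011db47'

# Delegated scopes relevant to the attack chain in the text (example's choice).
# offline_access yields a refresh token: access that outlives the session and the password.
$riskyScopes = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
               'Files.Read.All', 'Files.ReadWrite.All', 'Sites.ReadWrite.All',
               'Directory.ReadWrite.All', 'offline_access'

$spCache = @{}
function Get-ServicePrincipalCached([string]$Id) {
    if (-not $spCache.ContainsKey($Id)) { $spCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id }
    return $spCache[$Id]
}

$findings = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $hits = @(($grant.Scope -split '\s+') | Where-Object { $riskyScopes -contains $_ })
    if ($hits.Count -eq 0) { continue }
    $client = Get-ServicePrincipalCached $grant.ClientId
    $owner  = [string]$client.AppOwnerOrganizationId
    $publisher = if ($owner -eq $tenantId) { 'this tenant' } elseif ($microsoftTenants -contains $owner) { 'Microsoft' } else { 'third party' }
    [pscustomobject]@{
        App         = $client.DisplayName
        AppId       = $client.AppId
        Publisher   = $publisher
        Verified    = [bool]$client.VerifiedPublisher.DisplayName   # Microsoft-verified publisher attached
        ConsentType = $grant.ConsentType   # Principal = one user consented; AllPrincipals = admin consented tenant-wide
        PrincipalId = $grant.PrincipalId   # the consenting user (empty for AllPrincipals)
        RiskyScopes = ($hits -join ' ')
        GrantId     = $grant.Id
    }
}

# Unverified third-party apps with mail/files scopes consented by single users
# are the illicit-consent pattern; review those first.
$findings | Sort-Object Publisher, Verified | Format-Table -AutoSize
# Revoke a grant (the app's tokens stop being renewable):
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```

Resetting the victim's password does not remove a consent grant; the grant (and the refresh token it backs) has to be revoked explicitly, which is why this persistence survives the usual account-takeover response.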

2. Power Automate lets users create custom integrations and automated workflows between Office 365 applications

It is enabled by default and includes connectors to hundreds of third-party applications and services, and flows can bypass security policies, including data loss prevention (DLP). Power Automate's wide availability and ease of use also make it a particularly useful tool for attackers to orchestrate command-and-control and lateral movement behaviors.

3. eDiscovery is an electronic discovery tool that searches across Office 365 applications and data and exports the results

Attackers use eDiscovery as a powerful internal reconnaissance and data exfiltration tool. For example, a single search for "password" or "pwd" runs across Microsoft Outlook mailboxes, Teams chats, all files in SharePoint and OneDrive, and OneNote notebooks, and the results can be exported in bulk.

In addition, once attackers have acquired identity credentials and privileged access, they can exploit weaknesses in Azure Active Directory, Exchange, and SharePoint. After a regular account takeover they can escalate privileges and perform administrator-level operations, and they will often provision themselves into a sensitive role to create redundant access into the environment.

This isn't to say that Office 365 services are easy to infiltrate; rather, the risk lies in the permissions assigned to users and in how those permissions are used. Security teams need detailed context on how entities actually exercise their privileges (known as observed privilege) within SaaS applications like Office 365.

This translates into understanding how users access Office 365 resources and from where, without inspecting the full data payload, which preserves privacy. It is about usage patterns and behaviors, not static access rights.

What you should do to mitigate risk

  1. Restrict the use of Power Automate, or remove the Power Automate license, for Office 365 users who do not have a legitimate use case
  2. Review your Office 365 data loss prevention (DLP) policies and use a "business" data group to restrict which connectors Power Automate flows may use with your business data
  3. Restrict eDiscovery access to the Office 365 users who have legitimate use cases
  4. Enable real-time threat detection and response to identify suspicious and malicious use of Office 365 tools and services
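Steps 1 to 3 above have a review side that can be scripted, and the eDiscovery reconnaissance and flow creation described earlier leave records in the unified audit log. The script below is an added example, not part of the Vectra report: it assumes the ExchangeOnlineManagement and Microsoft.PowerApps.Administration.PowerShell modules, a 30-day look-back, a keyword list chosen for this example, and that the Discovery audit records carry the search text in a `Query` field.

```powershell
# Added example, not code from the Vectra report: review who can run eDiscovery,
# hunt the unified audit log for eDiscovery searches/exports and flow creation,
# and inventory Power Automate flows per environment.
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.PowerApps.Administration.PowerShell
$since = (Get-Date).AddDays(-30)   # look-back window chosen for this example
$now   = Get-Date

# --- 1. Who is allowed to run eDiscovery? (Security & Compliance PowerShell) ---
Connect-IPPSSession
$members = foreach ($rg in 'eDiscovery Manager', 'Compliance Administrator', 'Organization Management') {
    Get-RoleGroupMember -Identity $rg |
        Select-Object @{ n = 'RoleGroup'; e = { $rg } }, Name, RecipientType
}
$members | Format-Table -AutoSize   # everyone listed needs a documented use case

# --- 2. Unified audit log: eDiscovery searches and exports ---
# ResultSize caps at 5000; use -SessionCommand ReturnLargeSet to page on busy tenants.
Connect-ExchangeOnline -ShowBanner:$false
$keywords = '(?i)pass(word|wd)|\bpwd\b|credential|secret|token|vpn'   # example's choice
$searches = Search-UnifiedAuditLog -StartDate $since -EndDate $now -ResultSize 5000 -RecordType Discovery |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{ Time = $_.CreationDate; User = $_.UserIds; Operation = $_.Operations
                           Case = $d.Case; Query = $d.Query }   # Query: search text (assumed field name)
    }
# Exports and credential-hunting queries are the reconnaissance/exfiltration signal.
$searches | Where-Object { $_.Operation -like 'SearchExport*' -or $_.Query -match $keywords } |
    Sort-Object Time | Format-Table -AutoSize

# --- 3. Power Automate: who is creating or re-sharing flows? ---
$flowEvents = Search-UnifiedAuditLog -StartDate $since -EndDate $now -ResultSize 5000 `
                -RecordType MicrosoftFlow -Operations CreateFlow, EditFlow, EditPermissions
$flowEvents | Group-Object UserIds | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize   # compare with the users you licensed on purpose

# Flow inventory per environment; the default environment is where every
# licensed user can build flows unless you restrict it.
Add-PowerAppsAccount
foreach ($env in Get-AdminPowerAppEnvironment) {
    $flows = @(Get-AdminFlow -EnvironmentName $env.EnvironmentName)
    [pscustomobject]@{ Environment = $env.DisplayName; IsDefault = $env.IsDefault
                       Flows = $flows.Count; Enabled = @($flows | Where-Object { $_.Enabled }).Count }
}
# Quarantine a suspicious flow while you investigate:
#   Disable-AdminFlow -EnvironmentName <environment name> -FlowName <flow GUID>
# Start a tenant-wide DLP policy, then classify connectors into the
# Business / Non-Business / Blocked groups in the Power Platform admin center:
#   New-DlpPolicy -DisplayName 'Business data only' -EnvironmentType AllEnvironments
```

The audit log is the only place the eDiscovery activity shows up at all: a search and export executed by a legitimate eDiscovery Manager account whose session was hijacked looks like normal compliance work unless someone checks what was searched for and by whom.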

The importance of keeping a watchful eye on the misuse of user access cannot be overstated, given how often it appears in real-world attacks. In the current cybersecurity landscape, security measures like multi-factor authentication are no longer enough on their own to deter attackers. SaaS platforms like Office 365 are a safe haven for attacker lateral movement, which makes it paramount to focus on how accounts and services are actually being used. When security teams have solid information about, and expectations of, SaaS platforms such as Office 365, malicious behaviors and privilege abuse are much easier to identify and mitigate quickly.

Deployed in minutes without agents, Vectra Detect for Office 365 gives you visibility of your Office 365 attack surface and allows you to:

  • Detect suspicious account activity, such as multiple failed login attempts followed by a success, and identify which accounts were involved
  • Be aware of the creation of Power Automate flows, the addition of new accounts, and the installation of malicious applications
  • Discover privilege escalation, including the addition of users to groups

The Vectra 2020 Spotlight Report on Office 365 demonstrates the value of network detection and response (NDR) in discovering attacks and enabling security teams to shut down any malicious principals (accounts, applications, or role assignments) that have been provisioned in the course of lateral movement.