Our recently published research in the 2020 Spotlight Report for Office 365 identifies the tools and services within the cloud-based application commonly being leveraged by attackers. By observing 4 million Office 365 accounts over a 90-day period, we were able to identify suspicious high-risk behaviors associated with attacker techniques exploiting built-in Office 365 capabilities.
This research coincides with a huge transition to remote work—a result of the ongoing COVID-19 pandemic—and the increased adoption of SaaS platforms, like Microsoft Office 365, as the daily go-to digital workspaces. While Office 365 provides the distributed workforce with a primary domain to conduct business, it also creates a central repository of data and information that’s a prime target for attackers to exploit.
While multi-factor authentication (MFA) is the single best technique to reduce the possibility of a breach, Office 365 breaches continue to occur. MFA security measures are no longer enough to deter malicious and insidious attacks. Of those attacks, account takeover breaches are the fastest growing and most prevalent, adversely impacting organizations’ reputations and incurring financial consequences.
After attackers gain a foothold in an Office 365 environment, there are several common techniques that can occur, including:
The Spotlight Report found that of Office 365’s services, three in particular stood out as useful for an attack. OAuth is used for establishing a foothold and persistence, Power Automate is used for command and control and lateral movement, and eDiscovery is used for reconnaissance and exfiltration.
OAuth is often utilized by third-party applications to authenticate users by employing Office 365 login services and the user’s associated credentials. The OAuth authorization code grant can be used by apps installed on a device to gain access to protected resources, such as web APIs. Attackers are leveraging OAuth-enabled malicious Azure applications to maintain persistent access to users’ Office 365 accounts.
Power Automate is enabled by default and includes connectors to hundreds of third-party applications and services, but flows can bypass security policies, including data loss prevention (DLP). Power Automate’s wide availability and ease of use also make it a particularly useful tool for attackers to orchestrate malicious command-and-control and lateral movement behaviors.
Attackers use eDiscovery as a powerful internal reconnaissance and data exfiltration tool—for example, they could search “password” or “pwd” across Microsoft Outlook, Teams, all files in SharePoint and OneDrive, and OneNote notebooks using one simple command.
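The three behaviors above (a risky OAuth consent grant, a new Power Automate flow, and an eDiscovery search for credential keywords) each leave a record in the Office 365 Unified Audit Log. The following triage script is an added example and is not Vectra’s code or part of the Spotlight Report: the audit records are constructed, and the field names, Operation strings and the list of high-risk scopes are assumptions modelled on the Unified Audit Log rather than values taken from a real tenant.

```python
"""Triage Office 365 Unified Audit Log records for the three services called
out above (OAuth consent, Power Automate flows, eDiscovery searches).
Added example, not Vectra's code; field names and Operation strings are
assumptions modelled on the Unified Audit Log, and every record is constructed."""
import re

# Constructed sample records (not captured from a real tenant).
SAMPLE_LOG = [
    {"UserId": "alice@example.com", "Workload": "AzureActiveDirectory",
     "Operation": "Consent to application.", "ClientIP": "203.0.113.5",
     "ModifiedProperties": [{"Name": "ConsentAction.Permissions",
                             "NewValue": "Mail.ReadWrite Files.ReadWrite.All offline_access"}]},
    {"UserId": "bob@example.com", "Workload": "MicrosoftFlow",
     "Operation": "CreateFlow", "ClientIP": "198.51.100.7", "ObjectId": "flow-0001"},
    {"UserId": "carol@example.com", "Workload": "SecurityComplianceCenter",
     "Operation": "New-ComplianceSearch", "ClientIP": "192.0.2.9",
     "Parameters": [{"Name": "ContentMatchQuery", "Value": "password OR pwd"}]},
    {"UserId": "dave@example.com", "Workload": "Exchange",
     "Operation": "MailItemsAccessed", "ClientIP": "192.0.2.10"},
]

# Delegated scopes that give an app broad or standing access (assumed list).
HIGH_RISK_SCOPES = {"mail.readwrite", "mail.send", "files.readwrite.all",
                    "directory.readwrite.all", "offline_access"}
# Keywords a credential-hunting eDiscovery search is likely to contain.
CREDENTIAL_TERMS = re.compile(r"\b(password|passwd|pwd|secret|credential)", re.I)
FLOW_CHANGE_OPS = {"CreateFlow", "EditFlow", "PutConnection"}   # assumed names
SEARCH_OPS = {"New-ComplianceSearch", "Set-ComplianceSearch", "SearchCreated"}


def _prop(rec, key, name):
    """Return the value of the named entry in a list-of-dicts field, or ''."""
    for item in rec.get(key, []):
        if item.get("Name") == name:
            return item.get("NewValue") or item.get("Value") or ""
    return ""


def check_oauth_consent(rec):
    """OAuth: a consent grant that includes high-risk scopes (foothold/persistence)."""
    if rec.get("Operation") != "Consent to application.":
        return None
    granted = _prop(rec, "ModifiedProperties", "ConsentAction.Permissions").lower()
    risky = sorted(set(re.split(r"[\s,]+", granted)) & HIGH_RISK_SCOPES)
    if not risky:
        return None
    return {"technique": "oauth_consent", "user": rec["UserId"], "detail": risky}


def check_power_automate(rec):
    """Power Automate: flow creation/edit or new connection (C2 / lateral movement)."""
    if rec.get("Workload") != "MicrosoftFlow" or rec.get("Operation") not in FLOW_CHANGE_OPS:
        return None
    return {"technique": "power_automate_flow", "user": rec["UserId"],
            "detail": rec.get("ObjectId", "")}


def check_ediscovery(rec):
    """eDiscovery: a content search whose query hunts for credentials (recon/exfil)."""
    if rec.get("Operation") not in SEARCH_OPS:
        return None
    query = _prop(rec, "Parameters", "ContentMatchQuery")
    if not CREDENTIAL_TERMS.search(query):
        return None
    return {"technique": "ediscovery_credential_search", "user": rec["UserId"],
            "detail": query}


CHECKS = (check_oauth_consent, check_power_automate, check_ediscovery)


def triage(records):
    """Run every check over every record and return the list of findings."""
    findings = []
    for rec in records:
        for check in CHECKS:
            hit = check(rec)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['technique']:30} {f['user']:20} {f['detail']}")
```

Run against the constructed log, the script flags Alice’s consent grant (the three high-risk scopes), Bob’s flow creation and Carol’s search for “password OR pwd”, while Dave’s ordinary mailbox access produces nothing; in practice the records would come from Search-UnifiedAuditLog or the Management Activity API, and the scope list and search keywords would be tuned to the tenant.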
In addition, once attackers have acquired and exploited identity credentials and privileged access, they can capitalize on vulnerabilities found in Azure Active Directory, Exchange, and SharePoint. Attackers can escalate privileges and perform administrator-level operations after a regular account takeover. Adversaries will also provision access to a sensitive role in order to create redundant access into the system.
This isn’t to say that Office 365 services are easy to infiltrate; rather, the risk lies in the permissions assigned to users and how those permissions are used. Security teams must have detailed context that explains how entities utilize their privileges—known as observed privilege—within SaaS applications like Office 365.
This translates into understanding how users access Office 365 resources and from where, but without looking at the full data payload to protect privacy. It is about the usage patterns and behaviors, not the static access.
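One way to make “observed privilege” concrete is to profile, per account, the operations and source addresses that account has actually used over a baseline window, and then score new activity by how far it departs from that profile rather than by the static permissions the account holds. The script below is an added example, not Vectra’s implementation: the history is constructed, the Operation strings and the set of administrative operations are assumptions, and the scoring is deliberately simple so the idea is visible.

```python
"""Build an observed-privilege profile per account from historical audit
records and score new activity against it. Added example, not Vectra's code;
records are constructed and the field and Operation names are assumptions."""
from collections import defaultdict

# Assumed set of operations that exercise administrative privilege.
ADMIN_OPS = {"Add member to role.", "Add service principal.",
             "Set-Mailbox", "Add-MailboxPermission", "New-InboxRule"}

# Constructed 90-day history of (user, operation, client IP) tuples.
HISTORY = [
    ("alice@example.com", "FileAccessed", "198.51.100.20"),
    ("alice@example.com", "MailItemsAccessed", "198.51.100.20"),
    ("alice@example.com", "FileModified", "198.51.100.21"),
    ("admin@example.com", "Add member to role.", "198.51.100.30"),
    ("admin@example.com", "Set-Mailbox", "198.51.100.30"),
]


def build_profile(history):
    """Map each account to the operations and source IPs it has actually used.

    Only usage is recorded: an account that holds an admin role but has never
    exercised it has no admin operations in its profile."""
    profile = defaultdict(lambda: {"ops": set(), "ips": set()})
    for user, op, ip in history:
        profile[user]["ops"].add(op)
        profile[user]["ips"].add(ip)
    return profile


def score_event(profile, user, op, ip):
    """Return the reasons a new event departs from the account's observed usage.

    An empty list means the event matches what the account already does."""
    seen = profile.get(user, {"ops": set(), "ips": set()})
    reasons = []
    if op not in seen["ops"]:
        reasons.append("first_use_of_operation")
        if op in ADMIN_OPS:
            reasons.append("privileged_operation_not_previously_observed")
    if ip not in seen["ips"]:
        reasons.append("new_source_ip")
    return reasons


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    # Constructed new events: routine activity, then a role change from a new address.
    for user, op, ip in [("alice@example.com", "FileAccessed", "198.51.100.20"),
                         ("alice@example.com", "Add member to role.", "203.0.113.77")]:
        print(user, op, ip, "->", score_event(profile, user, op, ip) or "baseline")
```

The same role-assignment operation scores zero for the admin account that performs it routinely from its usual address and three reasons for Alice, whose account has never exercised it and never connected from that address; that is the difference between static access and observed usage the paragraph describes, and the profile keys on operations and sources only, without inspecting message or file contents.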
The importance of keeping a watchful eye on the misuse of user access cannot be overstated given its prevalence in real-world attacks. In the current cybersecurity landscape, security measures like multi-factor authentication are no longer enough to deter attackers. SaaS platforms like Office 365 are a safe haven for attacker lateral movement, making it paramount to focus on user access to accounts and services. When security teams have solid information and expectations about SaaS platforms such as Office 365, malicious behaviors and privilege abuse are much easier to quickly identify and mitigate.
Deployed in minutes without agents, Vectra Detect for Office 365 gives you visibility of your Office 365 attack surface and allows you to:
The Vectra 2020 Spotlight Report on Office 365 demonstrates the value of network detection and response (NDR) when it comes to discovering attacks and enabling security teams to halt any damaging principles that have been installed because of lateral movement.
Read the 2020 Spotlight Report on Office 365 or contact us to find out more.