Our recently published research in the 2020 Spotlight Report for Office 365 identifies the tools and services within the cloud-based application that attackers commonly leverage. By observing 4 million Office 365 accounts over a 90-day period, we were able to identify suspicious high-risk behaviors associated with attacker techniques that exploit built-in Office 365 capabilities.
This research coincides with a huge transition to remote work – a result of the ongoing COVID-19 pandemic – and the increased adoption of SaaS platforms, like Microsoft Office 365, as the daily go-to digital workspaces. While Office 365 provides the distributed workforce with a primary domain to conduct business, it also creates a central repository of data and information that’s a prime target for attackers to exploit.
While multifactor authentication (MFA) is the single best technique to reduce the possibility of a breach, Office 365 breaches continue to occur. MFA security measures are no longer enough on their own to deter malicious and insidious attacks. Of those attacks, account takeover breaches are the fastest growing and most prevalent, adversely impacting organizations’ reputations and incurring financial consequences.
Attacker behaviors in Office 365
After attackers gain a foothold in an Office 365 environment, several common techniques tend to follow, including:
How do they do it?
The Spotlight Report found that of Office 365’s services, three in particular stood out as useful for an attack. OAuth is used for establishing a foothold and persistence, Power Automate is used for command and control and lateral movement, and eDiscovery is used for reconnaissance and exfiltration.
In addition, once attackers have acquired identity credentials and privileged access, they can capitalize on vulnerabilities in Azure Active Directory, Exchange, and SharePoint. Attackers can escalate privileges and perform administrator-level operations after a regular account takeover. Adversaries also provision access to a sensitive role so that they hold redundant access into the system.
This isn’t to say that Office 365 services are easy to infiltrate; rather, the risk lies in the permissions assigned to users and how those permissions are used. Security teams must have detailed context that explains how entities actually use their privileges – known as observed privilege – within SaaS applications like Office 365.
This translates into understanding how users access Office 365 resources and from where, but without looking at the full data payload to protect privacy. It is about the usage patterns and behaviors, not the static access.
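The following is an added example, not code from the report or from Vectra, that shows how the two ideas above combine into a simple triage: audit records for the three services the report singles out (OAuth consent, Power Automate flows, eDiscovery searches) are flagged, and each is marked as novel when the account was never observed performing that operation during a baseline window (observed privilege). The record shape and the Operation strings are assumptions modelled on the Office 365 Unified Audit Log export, and all events are constructed.

```python
from collections import defaultdict

# Assumed mapping of audit-log Operation values to the attack phase the report
# ties each service to (Operation strings are assumptions, not from the report).
HIGH_RISK_OPERATIONS = {
    "Consent to application.": "OAuth: foothold / persistence",
    "CreateFlow": "Power Automate: command and control / lateral movement",
    "SearchCreated": "eDiscovery: reconnaissance",
    "SearchExportDownloaded": "eDiscovery: exfiltration",
}

def build_baseline(events):
    """Observed privilege: the operations each account actually performed in the
    baseline window, regardless of what its static role would permit."""
    observed = defaultdict(set)
    for event in events:
        observed[event["UserId"]].add(event["Operation"])
    return observed

def triage(baseline, recent_events):
    """Return each high-risk operation in recent_events, marking whether the
    account was ever observed performing it during the baseline."""
    findings = []
    for event in recent_events:
        phase = HIGH_RISK_OPERATIONS.get(event["Operation"])
        if phase is None:
            continue  # not one of the three services the report singles out
        findings.append({
            "user": event["UserId"],
            "operation": event["Operation"],
            "phase": phase,
            "novel_for_user": event["Operation"] not in baseline.get(event["UserId"], set()),
        })
    return findings

# Constructed sample records (not real tenant data): a compliance reviewer who
# routinely runs eDiscovery searches, and an ordinary user who has only read mail.
BASELINE_EVENTS = [
    {"UserId": "compliance@example.com", "Operation": "SearchCreated"},
    {"UserId": "compliance@example.com", "Operation": "SearchCreated"},
    {"UserId": "alice@example.com", "Operation": "MailItemsAccessed"},
]
RECENT_EVENTS = [
    {"UserId": "compliance@example.com", "Operation": "SearchCreated"},
    {"UserId": "alice@example.com", "Operation": "Consent to application."},
    {"UserId": "alice@example.com", "Operation": "SearchExportDownloaded"},
    {"UserId": "alice@example.com", "Operation": "MailItemsAccessed"},
]

if __name__ == "__main__":
    for finding in triage(build_baseline(BASELINE_EVENTS), RECENT_EVENTS):
        print(finding)
```

The compliance reviewer's search is flagged but not novel, while the ordinary user's consent grant and export download are both novel for that account, which is the usage-pattern signal the text describes rather than a judgement about static access rights.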
What you should do to mitigate risk
The importance of keeping a watchful eye on the misuse of user access cannot be overstated given its prevalence in real-world attacks. In the current cybersecurity landscape, security measures like multi-factor authentication are no longer enough to deter attackers. SaaS platforms like Office 365 are a safe haven for attacker lateral movement, making it paramount to focus on user access to accounts and services. When security teams have solid information and expectations about SaaS platforms such as Office 365, malicious behaviors and privilege abuse are much easier to quickly identify and mitigate.
Deployed in minutes without agents, Vectra Cognito Detect for Office 365 gives you visibility of your Office 365 attack surface and allows you to:
The Vectra 2020 Spotlight Report on Office 365 demonstrates the value of network detection and response (NDR) when it comes to discovering attacks and enabling security teams to halt any damaging principals that have been installed as a result of lateral movement.
Chris Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs for Fortune 500 enterprise clients. He has nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles. Christopher is a widely respected expert on cybersecurity issues and technologies and has researched, written and presented numerous information security architecture programs and processes.