CNS Group: Office 365 – the common target
Over the past month alone, the CNS emergency response team has attended a number of incidents that followed very similar and well-known patterns; the culprit in each case was an active and prolonged attack against Office 365 based resources. This is nothing new and has been a well-known avenue of attack for some time. Recently, however, we have seen a resurgence of these attacks coupled with a common misconfiguration within Office 365, which makes them a worthwhile topic of discussion for this week.
While each incident investigated in recent times has had its own variations, each was targeted and exploited in the same fashion, and at their core lies a very simple and fundamental set of recommendations that could have helped prevent the attacks from ever occurring.
The attacks we are talking about are often launched against Office 365 user accounts directly via the web browser; once an account is compromised, resources such as Outlook and SharePoint are the most obvious targets for the wealth of information they contain. Once access to these core platforms is gained, the most typical next step is to search for invoices, financial information or further contact details relating to clients or other interesting targets.
From here it is a simple case of spoofing information. In many cases invoice templates or financial data can be extracted from past emails and then spoofed to known contacts; the rate of payment success at this stage is alarming. The fun doesn't stop there for the attackers either: with a contact list and access to SharePoint, highly realistic phishing emails and content can be generated, causing endless chaos and opportunities for malware propagation from a seemingly legitimate source.
Worrying or creative – whichever your perspective, the attacks and their preventive measures should be understood to ensure such critical systems are well protected against simplistic attacks. To be clear at this stage, we are not talking about some critical flaw or vulnerability in Office 365 itself allowing attackers in – and that is perhaps what is most worrying of all. These attacks are simple; so simple, in fact, that they can be scripted or manually executed by novices.
We are of course talking about attacks against the users themselves, and there are several ways in which users can be targeted. The most common method is a phishing email, the content of which asks a user to access the organisation's Office 365 portal to carry out a trivial task such as resetting a password. The user is then redirected to a page that looks much like the Office 365 login page they know and trust, but is in fact a replicated copy whose sole purpose is to capture the credentials entered by the unsuspecting user.
Other common methods used to target individuals are prolonged "low and slow" brute force attacks: automated, and designed to fly under the radar of the account lockout policy, which makes for a very lengthy process. On occasion it has also been noted that attackers have used old password lists from past, unrelated website breaches (LinkedIn among many others) and discovered users reusing passwords from personal accounts for their corporate accounts.
Whatever the method used to extract a usable password from the target, and with a system where usernames are email addresses that can be found in the public domain, the sudden awareness that this one set of credentials can be used to target an organisation's internal systems from multiple angles is alarming.
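The "low and slow" pattern described above is precisely the one an account lockout policy cannot see, because no single account ever accumulates enough failures inside the lockout window. The following script is an added example (not CNS Group's code, and not an Office 365 feature) showing the detection a defender would run over failed sign-in events instead: it aggregates failures per source address over a 24-hour window and flags sources that rack up many failures while staying under the per-account lockout threshold. The CSV layout, the sample events and the threshold values are all constructed assumptions; only the operation names mirror the Office 365 audit log's UserLoggedIn / UserLoginFailed events.

```python
"""Flag 'low and slow' password guessing against Office 365 accounts.

Added example, not CNS Group's code. The log format below is a constructed
CSV (timestamp,user,source_ip,operation); the operation names mirror the
Office 365 audit log's UserLoggedIn / UserLoginFailed, but the rest of the
schema is an assumption, so adapt parse_log() to your own export.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

LOCKOUT_THRESHOLD = 10                  # failures per account that would trip lockout ...
LOCKOUT_WINDOW = timedelta(minutes=15)  # ... inside this window (typical policy values, assumed)
SLOW_WINDOW = timedelta(hours=24)       # the long window a "low and slow" attacker hides in
SLOW_THRESHOLD = 20                     # failures from one source in SLOW_WINDOW worth an alert


class Event(NamedTuple):
    ts: datetime
    user: str
    source_ip: str
    success: bool


def build_sample_log() -> str:
    """Constructed sample data (not real traffic); IPs are from documentation ranges."""
    base = datetime(2019, 3, 4)
    lines = []
    accounts = [f"user{i}@example.com" for i in range(1, 7)]
    # Attacker: one failure per account per hour for eight hours. Never more than
    # one failure per account in any 15-minute window, so lockout stays silent.
    for hour in range(8):
        for i, upn in enumerate(accounts):
            ts = base + timedelta(hours=hour, minutes=7 * i)
            lines.append(f"{ts.isoformat()},{upn},203.0.113.7,UserLoginFailed")
    # Noisy brute force: twelve failures in five minutes; the lockout policy catches this one.
    for n in range(12):
        ts = base + timedelta(hours=12, seconds=25 * n)
        lines.append(f"{ts.isoformat()},user2@example.com,192.0.2.50,UserLoginFailed")
    # Legitimate user mistypes twice, then signs in.
    for minute, op in ((0, "UserLoginFailed"), (1, "UserLoginFailed"), (2, "UserLoggedIn")):
        ts = base + timedelta(hours=9, minutes=minute)
        lines.append(f"{ts.isoformat()},user1@example.com,198.51.100.10,{op}")
    return "\n".join(lines)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed CSV into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, op = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user.lower(), ip, op == "UserLoggedIn"))
    return sorted(events, key=lambda e: e.ts)


def max_in_window(timestamps: List[datetime], window: timedelta) -> int:
    """Largest number of timestamps that fall inside any sliding window of length `window`."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def lockout_triggered(events: List[Event]) -> set:
    """Accounts that an account lockout policy would already have locked."""
    per_user: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if not e.success:
            per_user[e.user].append(e.ts)
    return {u for u, ts in per_user.items() if max_in_window(ts, LOCKOUT_WINDOW) >= LOCKOUT_THRESHOLD}


def low_and_slow_sources(events: List[Event]) -> Dict[str, dict]:
    """Sources with many failures over SLOW_WINDOW that never reach the lockout threshold on any account."""
    per_source: Dict[str, List[datetime]] = defaultdict(list)
    per_source_user: Dict[str, Dict[str, List[datetime]]] = defaultdict(lambda: defaultdict(list))
    for e in events:
        if not e.success:
            per_source[e.source_ip].append(e.ts)
            per_source_user[e.source_ip][e.user].append(e.ts)
    findings = {}
    for ip, ts in per_source.items():
        total = max_in_window(ts, SLOW_WINDOW)
        if total < SLOW_THRESHOLD:
            continue
        peak = max(max_in_window(t, LOCKOUT_WINDOW) for t in per_source_user[ip].values())
        if peak < LOCKOUT_THRESHOLD:  # lockout never fired, so nobody was alerted
            findings[ip] = {"failures": total, "accounts": len(per_source_user[ip]), "peak_per_account": peak}
    return findings


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("lockout would have fired for:", sorted(lockout_triggered(evs)))
    for ip, f in low_and_slow_sources(evs).items():
        print(f"low and slow from {ip}: {f['failures']} failures across {f['accounts']} accounts, "
              f"peak {f['peak_per_account']} per account per {LOCKOUT_WINDOW}")
```

On the constructed data the noisy source is the one lockout already handles, while the patient one produces 48 failures across six accounts with a peak of a single failure per account per 15 minutes and would otherwise go unnoticed. Keying on the source address is only a starting point: attackers who rotate addresses force you to aggregate on other attributes as well, such as user agent or the set of accounts touched.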
The common mistake made in many setups is the reluctance to enforce the use of two-factor authentication for Office 365. In the realm of other technologies we make use of certificates or tokens for many things: authenticating workstations to a network, users to SSH services, VPN connectivity and so on. Yet the basic setup for Office 365 in many organisations enforces the use of a username and password only. By enforcing two-factor authentication the impact of such attacks can be reduced significantly – in the worst-case scenario of an employee handing their password over to an attacker (knowingly or unknowingly), the attacker would still require a separate physical or software token to gain access to these prized systems.
Moves to cloud based infrastructures are often conducted on a large scale and are rarely a relaxed process. Pressure to get critical systems online and working within short timescales, combined with the ease of use of a cloud platform like Office 365, can often mean that security details such as two-factor authentication are overlooked or deferred to a later date. It is not that the platforms do not support these features – they do – but all too often their use is advised and, crucially, not enforced, much to the detriment of any organisation being targeted by such means.
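"Advised but not enforced" is a state you can check for. The script below is an added example (not CNS Group's code) that audits a per-user MFA export and lists the accounts where the second factor is not actually mandatory, with administrators first. The input is a constructed CSV; in a real tenant the rows would come from an export such as the MSOnline module's Get-MsolUser output, whose StrongAuthenticationRequirements state is Disabled, Enabled or Enforced. Only Enforced makes the second factor mandatory at sign-in; Enabled means the user has been told to register but the requirement is not yet in force. The column names and the IsAdmin flag are assumptions of this example.

```python
"""Find Office 365 accounts where MFA is advised but not enforced.

Added example, not CNS Group's code. The export format
(UserPrincipalName,IsAdmin,MfaState) is constructed; the MfaState values
follow the per-user MFA states Disabled / Enabled / Enforced, of which only
Enforced actually requires a second factor at sign-in.
"""
import csv
from io import StringIO
from typing import Dict, List

# Constructed export: a few users, two admins, mixed MFA states.
SAMPLE_EXPORT = """UserPrincipalName,IsAdmin,MfaState
admin@example.com,True,Enabled
alice@example.com,False,Enforced
bob@example.com,False,Disabled
carol@example.com,False,Enabled
dave@example.com,True,Enforced
erin@example.com,False,Disabled
"""

REQUIRED_STATE = "Enforced"  # the only state in which the second factor is mandatory


def parse_export(text: str) -> List[Dict[str, str]]:
    """Read the CSV export into one dict per account."""
    return list(csv.DictReader(StringIO(text)))


def audit_mfa(users: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group accounts by how far their MFA setting is from being enforced.

    Admins are listed separately because they are the accounts an attacker
    holding one password can do the most with.
    """
    report: Dict[str, List[str]] = {"admins_not_enforced": [], "enabled_not_enforced": [], "disabled": []}
    for u in users:
        upn, state = u["UserPrincipalName"].strip().lower(), u["MfaState"].strip()
        if state == REQUIRED_STATE:
            continue
        if u["IsAdmin"].strip().lower() == "true":
            report["admins_not_enforced"].append(upn)
        if state == "Enabled":
            report["enabled_not_enforced"].append(upn)
        else:  # Disabled, or any unrecognised value, which is treated as no MFA at all
            report["disabled"].append(upn)
    return report


def enforced_ratio(users: List[Dict[str, str]]) -> float:
    """Fraction of accounts where MFA is actually enforced."""
    if not users:
        return 0.0
    return sum(u["MfaState"].strip() == REQUIRED_STATE for u in users) / len(users)


if __name__ == "__main__":
    accounts = parse_export(SAMPLE_EXPORT)
    print(f"MFA enforced on {enforced_ratio(accounts):.0%} of accounts")
    for bucket, upns in audit_mfa(accounts).items():
        print(f"{bucket}: {', '.join(upns) or 'none'}")
```

The ratio is the figure to track over time; the admins_not_enforced list is the one to act on first, since a single admin password in the hands of an attacker exposes every mailbox and SharePoint site in the tenant.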