Our recent blog post detailing how cybercriminals compromise cloud accounts provides crucial insight into attacks on Microsoft Office 365 and Google G Suite specifically. 40% of all tenants have at least one compromised account in their environment as a result of these brute force and phishing-related attacks. Once successful in getting a foothold in a tenant, threat actors move laterally by phishing other members of the organization and its business partners to find an avenue for cyber fraud and data theft.
Office 365 and G Suite accounts are heavily targeted because they hold the key to business communication and valuable data. An attacker can also reset passwords to other cloud service accounts when they take over a user’s email account. Protecting these two cloud services from account compromise requires careful layering of threat protection, authentication and data security capabilities along with a people-centric security approach that accounts for who is most attacked, vulnerable to attacks and/or privileged with access to sensitive data.
Proofpoint can help organizations detect cloud threats and auto-respond. Before we reveal how it’s worth reviewing how cloud attacks work.
The anatomy of a cloud attack
Proofpoint studies attacks against cloud accounts and has identified four distinct stages.
Stage 1: Reconnaissance
Threat actors hunt for cloud credentials to improve the efficacy of their attacks. They may send phishing emails, infect users with malware such as key loggers, or gather leaked credentials from credential dumps such as Collection #1 before launching brute force attacks against their targets.
Stage 2: Infiltrate
Based on Proofpoint research, threat actors continue to evolve their techniques to avoid detection and bypass common security measures. Phishing attacks leverage anonymization services like VPNs to bypass conditional access measures that limit access outside of specific geographies. Such measures can be circumvented with the use of a VPN located in those geographies. We also observed recent IMAP-based password-spraying attacks targeting service or shared accounts such as HR@company[.]com or help@company[.]com. Commonly, these accounts allow access by legacy email authentication protocols, which do not support multi-factor authentication (MFA). For example, Proofpoint came across conference room email accounts that were compromised and used as part of a threat campaign. Usually, within days of credential theft or successful brute force attack, threat actors access the accounts and begin to expand their attack.
Stage 3: Expand and Persist
One compromised account is all it takes for an attack to spread rapidly. Once logged into the compromised account, threat actors start gathering information. They read emails, view the user’s calendar, download contacts and learn about business processes. This helps them target other users, both internal and external to the organization. If the initial target does not provide the right opportunity to steal money or data, threat actors commonly expand their footprint by sending phishing emails to internal and external users or sharing malware with them on cloud apps such as OneDrive.
In addition, threat actors change folder sharing permissions or install OAuth apps to be able to leak data even if the user’s password is changed. They also create email forwarding rules, create admin accounts and disable two-factor authentication to maintain access to compromised accounts.
Stage 4: Exfiltrate
If an attack is not detected in time and allowed to move laterally and expand, account compromise can result in theft of money or valuable data such as financial records or intellectual property. Proofpoint has observed attempts at man-in-the-middle attacks, business email compromise, social engineering, exfiltration of data via email, file download or sharing and installation of OAuth apps.
Combating cloud app attacks at every stage
Combatting cloud app attacks successfully requires a people-centric security approach. You need to understand who is being attacked at your organization and how.
Let’s take a look at how to best protect your people at every stage of these cloud attacks.
Stage 1: Multi-channel Threat Intelligence
Since leaked or stolen credentials are the stepping stone to compromising cloud services tenants, accurate detection of compromised accounts requires cross channel threat intelligence including:
- email threats intel to determine phishing-related incidents
- leaked credentials intel to determine accounts vulnerable to brute force attacks
- emerging threats intel to identify IPs and domains involved in suspicious and malicious activity
Stage 2: Threat Detection and Risk-based MFA
Beating threat actors at their game is not easy. Detecting their sophisticated attacks accurately among the logins of millions of users requires capabilities based on advanced machine learning and more:
- User and entity behavior analytics (UEBA) study the user’s cloud access patterns, such as device, location and ISP, and detect any unusual behavior.
- Wide-range actor activity identification detects IPs accessing multiple accounts across multiple cloud service tenants as seen in brute force attacks.
- Correlating email threat intel with UEBA findings connects the dots between successful phishing attacks and account compromise.
- People-centric parameters such as recently leaked credentials are used in calculating risk levels.
- IP reputation check determines whether the logins are coming from malicious IPs.
- Malicious file scanning and sandboxing detect malware shared in the cloud.
- Cloud threats research team provides cutting edge visibility to the constantly evolving threat landscape.
As password exploits continue to rise and cloud services multiply, authentication methods must also evolve. After legacy authentication protocols are blocked, Modern Authentication must be enabled:
With risk-based MFA, organizations can leverage the threat detection capabilities described above to decide whether to allow the user access and/or require MFA. A variety of inputs such as the user’s role, privileges, location, IP reputation and device hygiene and compliance are also used to determine the risk potential of any login attempt.
Stage 3: Threat Protection and Continuous Authentication
Depending on the level and type of threat detected, organizations layer different cloud access security measures:
- When there is the possibility of account compromise, granular activity forensics helps with the investigation and sheds light on a threat actor’s efforts to expand and persist in the account.
- When a high-level threat is detected and MFA is not an option (e.g., the need to support legacy authentication protocols or shared accounts), auto-remediation such as suspending a user account is a good alternative.
- As risky behavior escalates during a session (e.g., changing email delegations or broad sharing of folders), access can be limited to view only or gated via continuous authentication measures. For example, file downloads onto a non-compliant device can be blocked via the use of web isolation tools and risk-based MFA can be applied mid-session.
- Since internal phishing or spam is a common expansion method, internal email scanning and auto-pull tools can be used to detect and retract malicious emails from users' inboxes.
Stage 4: Data Security
A compromised account can be used to exfiltrate the user’s data, but also other broadly shared company data from collaboration tools like Microsoft SharePoint Online. To prevent data theft, organizations require a broad array of data security capabilities:
- Multi-channel data loss prevention helps organizations accurately discover and protect sensitive data across primary data stores and channels of data exchange such as on-premises repositories, email, and the cloud.
- Granular file forensics and correlating anomalous file activity with suspicious logins improve the speed and efficacy of data breach investigations.
- Automated file and folder remediation capabilities reduce the chances of broad sharing and data theft.
- Ability to revoke risky OAuth app permissions prevents threat actors from persisting in the account and leaking data for extended periods of time.
The effectiveness of large-scale cloud attacks points to the need for a more rigorous approach to cloud app security. We encourage every Office 365 and G Suite customer to audit your cloud application for risks by requesting an assessment here today. And join us at a city near you for the Proofpoint Cybersecurity Series: Securing the Cloud with CASB. Register here.
Proofpoint Cloud App Security Broker (PCASB) and Internal Mail Defense (IMD) protects organizations from cloud app attacks, theft of sensitive data and compliance risks in the cloud. Learn more about PCASB here.