Microsoft Misses Account Compromise Attacks

Microsoft – The Threat Actor’s Playground. A Blog Series.

This post is an ongoing blog series about the different types of people-centric email attacks Microsoft misses. These attacks cost organizations millions of dollars every year in losses and cause frustration for information security teams and users alike due to outdated detection technologies and the inherent limitations of Microsoft email security. 

In this series, you can expect to learn more about Microsoft missing various types of account compromise attacks, which we’ll explore in-depth and provide recent examples of:

• Business email compromise (BEC) 
• Ransomware
• Supplier fraud
• Account compromise
• Weaponized file sharing

Subscribe to our blog at the bottom of this page to stay up to date on these misses that may impact your organization. Also, use our Threat Assessment process to better understand your organization’s risks.

Account compromise attacks missed by Microsoft

Account compromise attacks are a common tactic for malicious actors. “The 2021 Human Factor Report” from Proofpoint notes that credential theft accounts for about two-thirds of attacks. And according to Verizon’s “2021 Data Breach Investigations Report,” 60% of attacks involve credentials. 

Other types of attacks can use malware, like keyloggers, to steal credentials from users or even socially engineer users (e.g., consent grants) to gain access to their accounts.

Figure 1. Credential phishing by message volume from “The Human Factor 2021 Report.”

Account compromise attacks can hurt organizations’ bottom line. According to the “2021 Ponemon Report: Cost of Cloud Compromise and Shadow IT,” cloud account compromises cost organizations $6.2 million annually, on average.

With more and more organizations increasing their use of cloud applications, the risk of account compromise attacks is growing. It’s already high. Consider the research Proofpoint conducted in 2020 on account compromises, which found that:

• 95% of organizations are targeted for account compromise
• 52% of organizations have users compromised
• 32% of organizations have files manipulated by attackers

In a month’s time frame, Proofpoint detected, in just a limited data set of rapid risk assessments, more than 112,000 credential theft, keylogger and downloader threats that had slipped past Microsoft email security perimeter defenses.

At one large software firm with almost 15,000 employees, more than 13,000 credential threats were delivered to employees. At a smaller insurance firm with fewer than 1,000 employees, almost 1,800 threats were delivered to users. That’s almost two threats per user, in just one month. And at an international media organization with 2,000 employees, more than 25,000 credential threats were delivered to employees, overwhelming internal IT security resources.

Below are examples of account comprise and credential theft attack types missed by Microsoft that were discovered during recent Proofpoint rapid risk assessments.

Office 365 credential harvest attack overview:

We see many credential threats using the same tactic: imitating Microsoft to get past Microsoft perimeter defenses. Even with multifactor authentication in place, attackers are becoming increasingly more adept at compromising email accounts, leading to extremely dangerous email account compromise (EAC) attacks, where attackers can assume the corporate identity of victims.

Here’s one example of an attack missed by Microsoft:

• Environment: Microsoft 365
• Threat Category: URL-Based
• Attack Type: Credential Theft
• Target: Customer Service Department

Figure 2. Credential theft attack, missed by Microsoft, which was attempting to steal Microsoft Office 365 credentials and compromise the account.

The anatomy of the attack:

This credential theft attack bypassed native Microsoft email security controls. The impostor, purporting to be IT support staff, used a friendly display name and Microsoft brand impersonation in an attempt to compromise the victim’s account. Using a legitimate URL (in this case, sendgrid.net) is a common tactic that Proofpoint sees bad actors using to bypass URL scanning defenses. 

In fact, over 50% of URLs that Proofpoint observes from malicious actors use a SharePoint, OneDrive or other file-sharing “legitimate” site. That’s why Proofpoint always predictively sandboxes these threats to determine whether they’re malicious and, if they are, prevents them from being delivered to users. 

In a proof of concept, Proofpoint detected this credential harvesting attempt and would have stopped it from being activated.

Account compromise attack overview:

Not all attacks go after Microsoft Office 365 accounts. With a growing number of cloud accounts, attackers frequently target accounts that may have less protection than Office 365. Malicious actors, such as those in the example below, can use partners’ accounts that are already compromised to improve the likelihood of victims activating an attack.

Here’s an example of an attack missed by Microsoft:

• Environment: Microsoft 365
• Threat Category: Attachment-Based, Containing URL-Based Threat
• Attack Type: Credential Phishing
• Target: School Counselors and Administrators

Figure 3. The above credential page is impersonating an Adobe software login.

The anatomy of the attack:

This credential harvest attack was sent from a legitimate, compromised partner account the customer communicates with regularly. As the above image shows, the page uses Adobe brand impersonation, with the attacker attempting to harvest that software’s credentials. Microsoft failed to stop the attack for a few reasons:

• It was a compromised partner account, so it passed SPF/DKIM authentication and is a trusted name with regular correspondence from Microsoft’s static reputation scoring
• The malicious payload (URL) used sandbox obfuscation techniques by being contained within the attachment and not the email itself
• The URL was not detected by Microsoft’s reputation scan, which struggles to identify new malicious URLs

The above attack was very sophisticated, which is why we recommend layers of defense for effective email security. Our Nexus Supplier Risk Explorer feature, for instance, can rank and prioritize the risk level of supplier domains to see if a supplier or partner presents a risk. This is one of the signals we use to assess if potential emails are threats.

DocuSign hybrid threat overview:

People are more likely to active attacks when they see popular and well-known brand names in malicious emails. When sent from a seemingly legitimate account—in this case, a compromised office administrator—the attack becomes more difficult to detect and more dangerous. 

Figure 4. DocuSign hybrid attack from a compromised account, which could lead to keyloggers, stolen credentials and more compromised accounts.

Here’s one example of an attack missed by Microsoft:

• Environment: Microsoft 365
• Threat Category: URL-Based, Leading to Macro-Enabled Attachment
• Attack Type: Downloader
• Target: Account Executive Staff

The anatomy of the attack:

In this attack sent from a compromised client, the message contained a malicious file containing macros that, if enabled, could install downloaders containing keyloggers and ultimately lead to further compromised accounts. Microsoft missed this threat for a few reasons:

• Since it was a compromised partner account, it passed SPF/DKIM authentication and is a trusted name with regular correspondence from Microsoft’s static reputation scoring
• Microsoft didn’t detect the abuse of the DocuSign brand in the message
• The malicious payload used sandbox evasion tactics 

Figure 5. Proofpoint provides detailed visibility into people-centric attacks, arming teams with details about the attack, campaigns involved, and people targeted to understand how and why attackers are trying to cause damage.

Proofpoint’s advanced email security detected and would have blocked these threats from being activated.

How Proofpoint helps stop account compromise

Proofpoint is the only vendor that provides an end-to-end, integrated solution with multiple layers of protection to combat account compromise. We’ve built multilayered detection techniques to defend against constantly evolving threats, including Advanced URL Defense, Advanced Attachment Defense and Advanced BEC Defense. 

Because account compromise is a common problem, we built the Supplier Risk Explorer for our Email Fraud Defense product and include analytics from these insights. This unique tool can provide your team with valuable information about suppliers that may pose a risk to your organization.

Figure 6. Supplier Risk Explorer identifies supplier domains and provides visibility into which suppliers may pose a risk to your organization.

Also, Proofpoint provides details on suspicious login activities and potentially malicious third-party applications with our included SaaS Defense feature, delivering insight into account compromise. To protect against compromised accounts further, you can take proactive actions, such as applying extra controls to your Very Attacked People™ with our technology partners. Or you can supplement protection with our Information Protection Platform, which will help you identify and protect against compromised users and data loss.

Again, it’s important to note that in all the examples of the attacks outlined above that Microsoft missed, Proofpoint would have detected and blocked the messages. 

Recommendations to prevent account compromise attacks

Proofpoint takes a layered approach to stop account compromise attacks with our Threat Protection Platform alongside our Information Protection Platform, so there are more layers to protect organizations. Some of the layers in our Threat Protection Platform include our leading detection, isolation, authentication, education, and automated remediation capabilities. 

There is no one tool or strategy to stop account compromise attacks, which is why a layered, integrated threat protection solution is necessary. To learn more about how the Proofpoint Threat Protection Platform can help protect your environment, take a free Email Rapid Risk Assessment.