Microsoft Office 365 Attacks Circumvent Multi-Factor Authentication, Lead to Account Compromise and Wire Fraud
With an increasingly mobile workforce using cloud apps, IT and security teams face a new set of challenges. As organizations move messaging and collaboration platforms from behind the corporate network to Office 365, those platforms come under heavy attack from cybercriminals.
We refer to these types of cloud-based email threats as Email Account Compromise (EAC). EAC, a $12 billion scam according to the FBI, targets businesses and individuals who perform wire transfer payments. Once criminals compromise the credentials for Office 365 accounts, they use those trusted accounts to launch attacks inside and outside the organization. They can convince users to wire money or give up sensitive data, and they can access a company's proprietary information, including intellectual property and customer data. The damage is both reputational and financial.
In this post, we explore the different methods attackers use to launch EAC attacks and compromise Office 365 accounts.
Cybercrime Automates Attacks
Credential compromise occurs when a user's username and password are obtained or deduced by an attacker. Here's how attackers usually get hold of credentials:
- Brute-force attacks, where an automated system tries hundreds of thousands of character and word combinations until it finds the valid password, or, in the password-spraying variant, tries a handful of common passwords against many accounts to stay under lockout thresholds.
- Credential stuffing with passwords leaked in large breaches, which counts on users' tendency to reuse the same password across multiple accounts.
- Phishing, or tricking the user into providing credentials directly.
- Malware such as keyloggers or credential stealers.
The risk of account compromise has increased this year as attackers utilize more creative phishing lures, employ credential stuffing attacks via bots, post fake Microsoft log-in web pages, and use artificial intelligence to predict likely passwords.
Office 365 Access and Wire Fraud
In the past two months, we talked to dozens of customers with an urgent need to get in front of this costly problem. Recently, an attacker accessed the Office 365 account of a CEO who heads a 15,000-user financial services and insurance firm. This sophisticated attacker read the CEO's emails and calendar to find the opportunity. While the CEO was meeting with a supplier to close a deal, the attacker used the compromised account to send a timely email to the CFO. The email stated: “Since I am stuck in the meeting, please wire the funds by end of day as the last step to close this deal. Here are the details…” The firm lost $1M over the course of several transfers.
The FBI points to the real estate sector as the most heavily targeted industry. We observed compromised Office 365 accounts at a 75,000-user real estate investment firm. Five executives, including several regional general managers, had their accounts taken over. With access to the executives' email, the attackers altered ABA bank routing numbers, and the company lost over $500,000 as a result.
It is common for attackers to target employees in the accounts receivable or accounts payable groups. We helped a global engineering services (consulting) firm detect compromised accounts belonging to the controller and accounts receivable staff. The attacker logged into these accounts, changed the payment details, and emailed otherwise legitimate invoices to the firm's business partners. Luckily, one of the partners called to confirm whether the change was genuine. A partner's phone call should not be your line of defense.
Defending Office 365 Accounts
Our research has found that these attackers were able to access accounts even when the company had deployed single sign-on or multi-factor authentication (MFA). Email is a core part of Office 365, and there are ways to interface with Exchange Online (and with on-premises Exchange) that MFA does not cover, especially where modern authentication is not implemented or not available on every client. Legacy protocols such as Exchange Web Services (EWS), ActiveSync, IMAP and POP accept basic authentication, a bare username and password, so a stolen password alone is enough: the user never sees an MFA prompt, and the attacker needs nothing more than a mail client that speaks the protocol. Organizations with hybrid configurations (on-premises Exchange servers alongside Exchange Online), or with applications that connect via EWS or ActiveSync, commonly leave these paths open. Until basic authentication is disabled for these protocols (through Exchange Online authentication policies or a Conditional Access rule that blocks legacy authentication clients), MFA protects the interactive browser login but not the mailbox itself. Attackers use these gaps to connect to a user's Office 365 mailbox and launch attacks from the trusted account.
Effective protection against Office 365 account compromise requires strong threat detection, detailed logs to trace the attacker's footsteps, and the ability to automate remediation. To this end, we offer Proofpoint Cloud Account Defense:
- Detect Compromised Accounts: CAD combines contextual data such as user location, device, and login time with Proofpoint's threat intelligence to establish a baseline of normal behavior, run IP reputation checks, and flag suspicious activity that indicates a compromised account.
- Investigate Incidents with Fine-grained Forensics: Organizations can investigate past activity and alerts through CAD’s intuitive dashboard using fine-grained forensic data such as user, date, time, IP, device, browser, location, threat, threat score, and more.
- Defend Office 365 Accounts with Flexible Policies: With insights from CAD’s detailed forensics, users can prioritize alerts based on severity to prevent alert fatigue while building flexible policies based on multiple parameters such as user, location, network, device, and suspicious activity.
- Deploy Quickly in the Cloud: Proofpoint’s cloud architecture and integration with Microsoft Office 365 APIs enable organizations to quickly deploy and derive value from CAD.
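The two technical points above, the MFA gap on legacy protocols and the baseline-driven detection, can be checked against sign-in logs. The script below is an added example written for this post, not Proofpoint or Microsoft code. It assumes a simplified, constructed log format (time|user|client|mfa|ip|country) rather than the real Azure AD sign-in schema, and the client names, travel window and sample records are illustrative assumptions. It flags sign-ins over basic-auth protocols that never satisfied MFA, sign-ins from a country the user has not previously reached through an MFA-backed login, and two sign-ins from different countries too close together to be the same person.

```python
"""Flag Office 365 sign-ins that sidestep MFA over legacy protocols or that
break a user's location baseline.

Added example for this post; not Proofpoint or Microsoft code.  The record
shape (time|user|client|mfa|ip|country) is a constructed simplification
(assumption), not the Azure AD sign-in log schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Protocols that accept basic authentication (bare username and password) and
# so never trigger an MFA prompt unless legacy auth is blocked.  Names are
# illustrative (assumption) and follow the post's wording.
LEGACY_CLIENTS = {
    "Exchange ActiveSync",
    "Exchange Web Services",
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
}

# Two sign-ins from different countries closer together than this are treated
# as impossible travel (assumption: tune for your workforce).
TRAVEL_WINDOW = timedelta(hours=2)


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    client: str
    mfa: bool
    ip: str
    country: str


def parse_line(line: str) -> SignIn:
    """Parse one constructed record: time|user|client|mfa=true/false|ip|country."""
    ts, user, client, mfa, ip, country = (f.strip() for f in line.split("|"))
    return SignIn(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                  user, client, mfa.lower() == "mfa=true", ip, country)


def build_baseline(records: List[SignIn]) -> Dict[str, Set[str]]:
    """Countries each user has reached through an MFA-satisfied sign-in.

    Only MFA-backed sign-ins feed the baseline, so a password-only login from
    a new location cannot quietly teach the baseline that location.
    """
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        if rec.mfa:
            baseline[rec.user].add(rec.country)
    return baseline


def find_alerts(records: List[SignIn],
                baseline: Dict[str, Set[str]]) -> List[dict]:
    """Return one alert per sign-in that trips any of the three checks."""
    by_user: Dict[str, List[SignIn]] = defaultdict(list)
    for rec in sorted(records, key=lambda r: r.ts):
        by_user[rec.user].append(rec)

    alerts: List[dict] = []
    for user, logins in by_user.items():
        known = baseline.get(user, set())
        for i, rec in enumerate(logins):
            reasons = []
            # 1. Basic-auth protocol with no MFA: the gap described in the post.
            if rec.client in LEGACY_CLIENTS and not rec.mfa:
                reasons.append("legacy-protocol-without-mfa")
            # 2. Country this user has never reached behind MFA.
            if rec.country not in known:
                reasons.append("new-country")
            # 3. Earlier sign-in from another country inside the travel window.
            if any(prev.country != rec.country
                   and rec.ts - prev.ts <= TRAVEL_WINDOW
                   for prev in logins[:i]):
                reasons.append("impossible-travel")
            if reasons:
                alerts.append({"user": user, "ts": rec.ts.isoformat(),
                               "client": rec.client, "ip": rec.ip,
                               "country": rec.country, "reasons": reasons})
    return alerts


# Constructed sample (not real data): a CFO who normally uses Outlook with
# modern auth and MFA from the US, then an EWS login without MFA from abroad,
# followed under an hour later by the CFO's own Outlook login from the US.
SAMPLE_LOG = """\
2019-03-04T08:02:11Z|cfo@example.com|Outlook|mfa=true|203.0.113.10|US
2019-03-04T13:40:03Z|cfo@example.com|Outlook|mfa=true|203.0.113.10|US
2019-03-05T03:17:52Z|cfo@example.com|Exchange Web Services|mfa=false|198.51.100.7|NG
2019-03-05T04:05:20Z|cfo@example.com|Outlook|mfa=true|203.0.113.10|US
2019-03-05T09:00:00Z|ap@example.com|Outlook|mfa=true|203.0.113.22|US
"""


def run_sample() -> List[dict]:
    """Parse the embedded sample and return its alerts."""
    records = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return find_alerts(records, build_baseline(records))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Run it directly to print the alerts for the embedded sample: the EWS login is flagged both for using a basic-auth protocol without MFA and for coming from a country the CFO has never used, and the CFO's own login 48 minutes later is flagged as impossible travel. In practice you would feed it exported sign-in records (the client application and MFA result fields of the Azure AD sign-in log carry the equivalent information) and tune TRAVEL_WINDOW. Because the baseline is built only from MFA-satisfied sign-ins, an attacker's legacy-protocol logins cannot teach it a new country.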
The migration to Microsoft Office 365 brings with it a myriad of new risks, compromised accounts among them. We encourage every Office 365 customer to assess their exposure. Customers of Proofpoint Targeted Attack Protection can monitor their risk using TAP SaaS Defense. Others can request a free CAD trial here today.
CAD builds upon Proofpoint’s extensive cloud-enabled portfolio of solutions that allow organizations to deploy and use cloud applications with confidence. For more information on Proofpoint Cloud Account Defense, please click here.