In a recent six-month study of major cloud service tenants, Proofpoint researchers observed massive attacks leveraging legacy protocols and credential dumps to increase the speed and effectiveness of brute force account compromises at scale. Attacks against Office 365 and G Suite cloud accounts using IMAP may be difficult to protect against with multi-factor authentication, where service accounts and shared mailboxes are notably vulnerable. At the same time, targeted, intelligent brute force attacks brought a new approach to traditional password-spraying, employing common variations of the usernames and passwords exposed in large credential dumps to compromise accounts. Moreover, sophisticated phishing campaigns tricked recipients into revealing authentication credentials, providing attackers with additional avenues into corporate accounts.
Proofpoint analyzed over one hundred thousand unauthorized logins across millions of monitored cloud user-accounts and found that:
72% of tenants were targeted at least once by threat actors
40% of tenants had at least one compromised account in their environment
Over 2% of active user-accounts were targeted by malicious actors
15 out of every 10,000 active user-accounts were successfully breached by attackers
The attacker’s primary aim is often to launch internal phishing, especially if the initial target does not have the access needed to move money or data. Post-login access to a user’s cloud email and contact information improve an attacker’s ability to expand footholds within an organization via internal phishing and internal BEC, which are much harder to detect than external phishing attempts. Attackers also leverage these trusted user accounts or brands to launch external attacks or make use of the infrastructure as part of broader attack campaigns.
Most attacker logins originate from Nigerian IP addresses. These accounted for 40% of all successful malicious efforts, followed by logins from Chinese IP addresses, accounting for 26% of successful account compromises. Other major sources of successful attacks included the United States, Brazil, and South Africa (Figure 1).
Figure 1: Relative volume of successful malicious login sources
Between November 2018 and January 2019, successful brute force and phishing-related attacks involving Nigerian IP addresses increased by 65%. While these attacks did not all necessarily involve Nigerian actors, recent arrests and activity are consistent with widespread cybercrime in the region.
Brute force Attacks on Cloud Apps Get Targeted and Intelligent
In our study, IMAP was the most commonly abused legacy protocol. IMAP is a legacy authentication protocol that may be used to bypass multifactor authentication (MFA) under specific circumstances:
- When used with third-party email clients that do not support Modern Authentication
- Against targets that do not fully implement app passwords (an alternative to MFA for unsupported clients)
- When targeting shared email accounts for which MFA cannot be enabled and/or for which IMAP is not blocked.
By design, these attacks avoid account lock-out and look like isolated failed logins, so they go unnoticed.
Approximately 60% of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks
Roughly 25% of Office 365 and G Suite tenants experienced a successful breach as a result
Threat actors achieved a 44% success rate breaching an account at a targeted organization
IMAP-based password-spraying campaigns were particularly effective, appearing in high volumes between September 2018 and February 2019. These attacks especially target high-value users such as executives and their administrative assistants.
On average, attackers targeted 10% of active user-accounts in targeted tenants
1% of targeted user-accounts were successfully breached by attackers
Attackers utilized thousands of hijacked network devices around the world -- primarily vulnerable routers and servers -- as operational attack platforms. These hijacked devices gained access to a new tenant every 2.5 days on average during a 50-day period.
Most IMAP-based attacks originated in China, representing 53% of all successful malicious efforts, followed by attacks from Brazilian IP addresses (39%), and US infrastructure (31%). Note that attacks often originated from multiple geographies over the study period and, as is often the case, it is important not to assume a consistent, direct correlation between the origin of attacks and the nationality of the threat actors carrying them out.
Efficacy of IMAP password-spraying attacks jump after credential dump
Figure 2: Successful account breaches by month associated with IMAP-based password-spraying attacks
Organizations across various industries and countries around the world are affected, but both K-12 and higher education sectors appear to be the most vulnerable to these high-volume brute force attacks. 70% of all educational institutions’ tenants experienced breaches that originated from IMAP-based brute force attacks. Over 13% of successful attacks were aimed at educational institutions, with attackers taking advantage of susceptible students and seeking access to valuable data, such as scientific research. More frequently, though, attackers simply use these easily-compromised, hijacked accounts to launch spam campaigns, meaning that the impact of attacks on this industry extend far beyond educational institutions.
Phishing gives rise to lateral movement and hybrid attacks
In contrast to attacks leveraging breached data, these attacks begin with email phishing campaigns. Threat actors then use the stolen credentials to infiltrate users’ cloud application accounts. Our researchers found that over 31% of all cloud tenants were subject to breaches originating from successful phishing campaigns.
Most of these attacks originated from Nigerian IP addresses, representing 63% of all successful malicious efforts, followed by South African infrastructure (21%), and the United States via VPNs (11%). Attackers sometimes used anonymization services, such as VPNs or Tor nodes to bypass conditional access and geolocation-based authentication. These attacks may also make use of the IMAP protocol, forming a hybrid attack.
Figure 3: Schematic showing typical phishing attacks resulting in compromised and leveraged cloud accounts
After threat actors compromise cloud accounts, they send internal phishing from these “trusted” accounts to move laterally inside the organization and impact additional users. Attackers often modify email forwarding rules or set email delegations to maintain access and sometimes launch man-in-the-middle attacks. They also leverage breached accounts to phish users in other organizations, causing cross-tenant contamination.
Although organizations of all sectors were targeted by attackers, as with password-spraying attacks the education sector is also the most vulnerable to phishing-related attacks. 15% of successful attacks affect educational institutions’ users, especially university and high school students.
Other targeted industries include retail, finance, and technology. In certain cases, attackers target corporations’ payroll systems to reroute employee paychecks and access financial documents. Consistently, title-holders such as sales representatives, general managers, commercial franchisees, project managers, and account executives are targeted and are highly susceptible to phishing-related breaches.
This study demonstrates the increasing sophistication of threat actors around the world who are leveraging brute force methods, massive credential dumps, and successful phishing attacks to compromise cloud accounts at unprecedented scale. Service accounts and shared mailboxes are particularly vulnerable while multifactor authentication has proven vulnerable. Attackers parlay successful compromises into internal phishing attacks, lateral movement in organizations, and additional compromises at trusted external organizations. Organizations need to implement layered, intelligent security measures – including user education – to combat these evolving threats that are increasingly successful in compromising user cloud accounts.
Update, March 21, 2019: This post has been updated to reflect specific cases in which IMAP-based password-spraying attacks were successful, particularly as threat actors targeted shared service accounts, (e.g., hr@company[.]com or helpdesk@company[.]com) or exploited weaknesses in MFA implementations and third-party email client logins.