Vectra has released its 2020 Spotlight Report on Microsoft Office 365, which highlights the use of Office 365 in enterprise cyberattacks. The report explains how cybercriminals use built-in Office 365 services in their attacks. Attacks that target software-as-a-service, SaaS, user accounts are one of the fastest-growing and most prevalent problems for organisations, even before Covid-19 forced the vast and rapid shift to remote work. With many organisations increasing their cloud software usage, Microsoft has dominated the productivity space, with more than 250 million active users each month. Office 365 is the foundation of enterprise data sharing, storage, and communication for many of those users, making it an incredibly rich treasure trove for attackers.
Even with the increasing adoption of security postures to protect user accounts such as multifactor authentication, 40% of organisations still suffer from Office 365 breaches, leading to massive financial and reputational losses. In a recent study, analyst firm Forrester Research put the cost of account takeovers at $6.5 billion to $7 billion in annual losses across multiple industries.
Attackers use several common techniques to get access to user’s Office 365 accounts including:
- Searching through emails, chat histories, and files looking for passwords or interesting data
- Setting up forwarding rules to get access to a steady stream of email without needing to sign-in again
- Leveraging the trusted communication channel, the email isn’t spoofing an email from the CEO; it is an email from the CEO, to socially engineer employees, customers or partners
- Planting malware or malicious links in documents that many people trust and use, again leveraging trust to get around prevention controls that may trigger warnings
- Stealing or holding files and data for ransom
However smart cybercriminals can launch attacks that are far more sophisticated targeting legitimate tools and services such as Power Automate, an application which lets users create custom integrations and automated workflows between Office 365 applications, Microsoft eDiscovery and OAuth.
In fact, research from the Vectra 2020 Spotlight Report on Office 365 found:
- 96% of customers sampled exhibited lateral movement behaviours
- 71% of customers sampled exhibited suspicious Office 365 Power Automate behaviours
- 56% of customers sampled exhibited suspicious Office 365 eDiscovery behaviours
“Within the new work-from-home paradigm, user account takeover in Office 365 is the most effective way for an attacker to move laterally inside an organisation’s network.” said Chris Morales, Head of Security Analytics at Vectra. “We expect this trend to magnify in the months ahead. Attackers will continue to exploit human behaviours, social engineering, and identity theft to establish a foothold and to steal data in every type of organisation.”