Slow and Methodical Attack Targets Large Microsoft Office 365 Customers
A widescale, yet stealthy attack against Office 365 (O365) accounts started in May and is still continuing. It is a low-key attack that tries to hide under the radar, and is delivered by a small botnet of 83 IP addresses across 63 networks. The majority of IP addresses are registered in China, but the attack activity also originates from 15 other countries, such as Russia, Brazil, the US and Malaysia.
The attack was detected by Skyhigh Networks — a cloud access security broker (CASB) — and described in a blog post Thursday.
The attack is not a traditional brute force attack against O365 accounts, but a slow and methodical attack that tries to avoid highlighting its activity. “First, it targets a very small proportion (typically <2%) of the O365 account base,” writes Sandeep Chandana, principal data scientist at Skyhigh. “Second, it is devoid of any bursts in hacking activity, and averages only 3-5 attempts per account in order to try and fly under the radar of traditional defenses.”
“This campaign on Office 365 is particularly troubling due to its focus on system accounts that are essential for today’s business automation, that typically do not require MFA and that traditionally have weak security oversight,” explains Sekhar Sarukkai, chief scientist at Skyhigh. “Detection and protection from attacks on these ‘weakest link’ accounts require a cloud-native security approach for complete visibility and mitigation.”
Once an account is compromised, the attacker exfiltrates any data in the inbox and then creates a new inbox rule designed to hide and divert any incoming messages. From here the attacker can initiate harder to detect in-company phishing attempts and start to propagate infection across the network: “attack a weak-link with the potential for elevated exploits,” writes Chandana. He adds, “Since this is a persistent attack that may go unnoticed, it is possible that the attackers may tailor the payload based on the organization they have infiltrated for a larger takeover over time.”
The accounts targeted are carefully chosen: system accounts rather than people accounts. Such accounts tend to have two important characteristics: they have high access privileges, and poor protection.
“We have worked with our customers,” Skyhigh’s chief European spokesperson Nigel Hawthorn told SecurityWeek, “and seen that the attackers have used service accounts (like the ones used for user provisioning in larger enterprises), automation accounts (like the ones used to automate data and system backups), machine accounts (like the ones used for applications within data centers), marketing automation accounts (like the ones used for marketing and customer communication), internal tools accounts (like the ones used with JIRA, Jenkins, GitHub etc.), in addition to accounts set up for distribution lists and shared and delegated mailboxes.”
The targeted account names have probably been guessed (eg, [email protected]), or filtered from stolen credential lists published on the darknet.
Skyhigh detected the attacks when its machine learning anomaly detection engine detected anomalous access locations defying standard behavioral patterns across multiple customers. “As the number of these anomalous accesses increased, Skyhigh’s threat funnel correlated multiple of these access attempt anomalies into threats.” It analyzed billions of 0365 events across hundreds of customers.
However, although this attack was detected on Skyhigh customers, it is not a Skyhigh-specific problem. “We found that over 50 percent of our customers are being attacked,” Hawthorn told SecurityWeek, “and I think it is fair to assume that 50 percent of all large Office 365 customers are being attacked even if they are not Skyhigh customers.”
The 83 recognized attacking IP addresses have been fed back to the researchers that compile and publish lists of known bad IP addresses. None of them were already included on the lists. Some companies still rely on these lists to block individual IPs, “But,” suggests Hawthorn, “it’s a bit of a game of whack-a-mole to try to do this and keep up with every address, as the bad actors can move IP addresses in seconds. The best way to address it is with user behavioral analysis and machine learning that indicates unusual traffic patterns going to/from your cloud services and is able to respond to a fluid situation.”