Companies have increasingly turned to the cloud for their email solution. Cybercriminals or attackers have watched this trend and are finding ways to access email hosted in the cloud, which is known in the security community as a Business Email Compromise (BEC). The cloud version of Microsoft Office, known as Office 365 or O365, leads the industry. Therefore, most attacks are now propagated against a company’s O365 environment, not because of a vulnerability with O365 but because attackers are exploiting what is often the weakest link–humans. Unfortunately, many companies are implementing O365 without an understanding of how attackers are getting in and what safeguards help prevent a successful attack, including Microsoft’s security settings.
The vectors for compromised email attacks are the same as many other types of system or network occurrences. The most common attack vectors are phishing or spear phishing emails, which contain an attachment containing malware or a malicious link that brings the user to a legitimate-looking website and prompts the user for credentials. When the email recipient clicks on the link and provides credentials or opens the attachment from a phishing email, the attacker is able to get a foot in the “door” of the company, so to speak. The security community refers to this as gaining a foothold, and this is the first step in a cyberattack.
Credential stuffing is another attack vector often used, which involves using stolen credentials, typically obtained from successful data breaches, to access the O365 environment. Attackers find that credential stuffing works well because many people use the same username and passwords for multiple accounts across the internet. Credential stuffing involves the automated entry of stolen credentials into online accounts in an attempt to gain access to accounts or systems. Sites such as haveibeenpwned.com allows users to determine if their email address account has been compromised from discoverable past breaches.
Once an attacker has access to the O365 environment, it is easy to view email within the account to identify any information of value. Additionally, the attacker may try to gain access to other systems in the environment or launch other phishing attacks using the compromised account to make the phishing emails look legitimate. If the attacker has or gains administrative access to O365, the attacker may even modify rules within the system to forward emails to an external email account or even create her/his own email account on the system.
The end goal of the attacker is typically monetary gain. There are several methods, many of which are often very creative and are used to obtain money from the company. The first involves fraudulent wire transfers where the attackers attempt to impersonate an executive in the office via email instructing someone in finance to wire money to a particular account usually for the alleged reason of paying an invoice. The second method often used (if sufficient anti-fraud procedures are in place to prevent the wire transfer) is to obtain and modify invoices that have not been issued with payment instructions redirecting the funds to an account the cybercriminal has set up. The attacker then issues the modified invoice to a client of the company from the company’s O365 email, thus making the invoice look legitimate. Here, the attacker relies on the client paying the invoice without verifying the modified bank information.
Unfortunately, these attacks are often successful despite having security practices in place to prevent them. For example, most users do not have administrative rights to O365. Restricting rights is one of the basic components of security, called the principle of least privilege (POLP). But attackers have ways of escalating privileges by searching for cached credentials, using key loggers that track users’ keystrokes, and a variety of other means. Once the administrative credentials are located, the attacker can then escalate their compromised accounts to higher levels and set rules that are not obvious to the average user. This allows the attacker to move throughout the O365 environment without being noticed and helps them to easily cover her/his trail.
Now that the attacker has the proverbial “keys to the kingdom,” the attacker will typically modify rules so that she/he can monitor the organization’s email content and traffic. Oftentimes, this includes having email of key personnel, such as the CEO, CFO or HR personnel forwarded to the attacker. At present, most attacks involve locating banking credentials and information to help attempt wire fraud, but as companies get better at prevention, attackers will likely morph their methods for other financial gain. For example, email communications may provide attackers with information to attempt to extort an organization or an employee.
Most organizations discover an attacker’s presence only after the attacker has executed some fraudulent activity; however, there are times when perceptive IT personnel may see evidence of the attack such as modified rules or the addition of email accounts. Once an attack is detected, the company should start an investigation.
While investigating, it is important to make sure the attacker is no longer in the environment, and then the focus can turn to what information may have been compromised. As a first step, the company should change passwords and enable two-factor authentication. Additionally, the settings, including whether any forwarding rules are in place should be reviewed. Unfortunately, even if the attacker was unsuccessful in achieving financial gain, the company’s information, potentially including personally identifiable information (PII), or protected health information (PHI) may have been exposed.
Reporting requirements for exposed PII varies among states. In some states, access to PII may be reportable even if there is no evidence the information was acquired. So, it is important to involve outside counsel to examine if there are reporting requirements. Use of forensic experts can also prove beneficial in understanding how the attacker got in, whether they are still in the environment and what information was accessed or acquired while they were in the O365 environment.
As Ben Franklin said, “an ounce of prevention is worth a pound of cure.” This holds true when it comes to cyber security. It is difficult to build a house that is impenetrable because people need to get in and out and commerce needs to continue. However, there are some actions that should be considered by IT security, including:
- Using dual factor or two-factor authentication (2FA);
- Reviewing O365 security settings to ensure adequate controls;
- Monitoring traffic for unusual activity – consider using an email gateway to help monitor traffic;
- Keeping O365 authentication and trace logs for as long as possible;
- Training employees to recognize phishing attacks.
As companies continue to migrate to the cloud, cybercriminals will continue to target the cloud as a gateway to commit crimes. Prior to migration, companies should consider these risks and make sure the security measures in place are as strong as possible. Doing so will help make the cloud, including O365, a less lucrative target and can help reduce the volume of attacks. Until then, the Rolling Stones song “Get Off of My Cloud” seems to be a fitting warning to cybercriminals: “hey, you, get off of my cloud.”
 Since use of the term hackers is often considered offensive by the security community, because hacking can be used for the good, e.g., “white hat hackers” who conduct penetration testing to help identify security gaps, the term cybercriminals is used throughout the article. Cybercriminals are also often referred to as “black hat hackers.”
 Phishing is the act of sending emails that entice the recipient to click on an attachment or link contained within the email in order to gain access to information or systems.
 Spear phishing is a socially engineered phishing email targeting individuals in order to increase the likelihood the recipient will open and attachment or click on a link contained within the email. The end goal is the same as phishing, e.g., to gain access to information or systems.
 Malware is short for “malicious software” and refers to software that is designed to gain access to or disrupt or harm computer systems.
Authored by: Judy Branham