Beware: Five Innovative Cyberattacks on Office 365
Last year witnessed unprecedented ingenuity in the methods hackers used to infiltrate email accounts in major companies worldwide. Microsoft Office 365 is one of the most widely used and fastest-growing email and productivity suites, so when Microsoft unveiled its most powerful iteration to date, it is no wonder that hackers took to their battle stations.
Office 365 was built in the Trusted Cloud and is secured by robust policies, controls, and systems built into the platform to keep clients’ information safe. Accordingly, Microsoft has worked hard to keep the platform secure, continuously adding and enhancing security features since introducing Office 365 nearly seven years ago.
No advance in technology exists in a vacuum; every revolutionary idea invites imitators, followers, naysayers, and attackers. Cybercriminals have adapted to this new status quo in cloud security as well. Notably, they’ve shifted from automated attacks to social engineering techniques. Now, it is more common for attacks to exploit human error or security lapses, rather than using brute force.
Five types of cyberattacks on the Office 365 environment shed light on how cybercriminals are working to acquire personal information through email hacking—and demonstrate how important adding multiple layers of security to Office 365 is to keeping your enterprise safe.
#1 | Ransomware Attacks
In June of 2016, millions of Office 365 users woke up to find they had been attacked by the Cerber ransomware, and all of their data was encrypted and inaccessible. A ransom note and audio warning appeared in their inbox demanding roughly $500 in cryptocurrency per mailbox in return for the decryption key. According to Steven Toole, a researcher from Avanan, “Cerber was widely distributed after its originator was apparently able to […] bypass the Office 365 built-in security tools through a private Office 365 mail account.” However, Microsoft was able to take steps to block the virus within hours. Customers using some third-party security tools were protected from the attack and never at risk.
Ransomware like this is commonly used by hackers. It is especially difficult to catch because new strains pop up as soon as old ones are defeated. Often these infections go unnoticed because a company’s IT team is stretched too thin to proactively monitor the entire email environment while still accomplishing its core tasks.
#2 | Botnet Attacks
The KnockKnock attack took a different approach to harvesting data from Office 365 accounts. Using a small botnet with 83 IP addresses registered in more than 15 countries, KnockKnock slowly and methodically “knocked” on backend Office 365 accounts. The accounts targeted were those with elevated privileges that aren’t attributed to any single user.
KnockKnock targeted less than 2% of each account base and only attempted 3-5 infiltrations per account, making it extremely difficult for internal IT teams to detect. Attackers often find service or admin accounts are “set it and forget it,” but organizations need to remember that these are now internet accessible and need the same proactive monitoring and protection as the rest of their environment.
#3 | Cloud-to-Cloud Brute Force
This new kind of brute force attack uses the infrastructure of public hosting services to launch attacks on SaaS services such as Office 365. In 2017, hackers deployed a new “slow and low” approach. Assuming that users reused the same password across multiple accounts, they focused on one username at a time, spread attempts over more than one IP address, and targeted only a handful of high-value accounts at each organization for over seven months.
Though this kind of brute force attack claimed many victims, it could have been easily prevented with features like single sign-on (SSO) and multi-factor authentication (MFA) that third-party security providers like Proofpoint build into their solutions.
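The KnockKnock (#2) and “slow and low” (#3) campaigns share one detection-relevant trait: each account sees only a few failures, spread across several IP addresses and weeks, so a per-IP lockout or “N failures per hour” rule never fires. The script below is an added example written for this article, not Navisite’s or Proofpoint’s tooling; it runs over a constructed sign-in export (the CSV column names and the example.com accounts are assumptions) and flags both sides of that pattern: accounts hit from many IPs at a low rate, and IPs that touch many accounts a few times each.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO
# Constructed sample export (not real data): timestamp, account, source IP, result.
# svc-backup sees only four failures, but from four IPs over three weeks, while
# 203.0.113.10 tries several high-value accounts once each, days apart.
SAMPLE_LOG = """timestamp,account,source_ip,result
2017-10-01T02:13:00,svc-backup@example.com,203.0.113.10,failure
2017-10-05T23:41:00,svc-backup@example.com,198.51.100.7,failure
2017-10-12T04:02:00,svc-backup@example.com,192.0.2.55,failure
2017-10-21T01:17:00,svc-backup@example.com,203.0.113.77,failure
2017-10-03T03:30:00,cfo@example.com,203.0.113.10,failure
2017-10-09T03:31:00,ceo@example.com,203.0.113.10,failure
2017-10-16T03:32:00,admin@example.com,203.0.113.10,failure
2017-10-16T08:00:00,alice@example.com,10.1.1.5,failure
"""

def parse_signin_log(text):
    """Parse the CSV export into dicts with a real datetime in 'timestamp'."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows

def failed_by(events, key, window):
    """Group failed sign-ins by `key` within the trailing `window` (a long one matters)."""
    latest = max(e["timestamp"] for e in events)
    groups = defaultdict(list)
    for e in events:
        if e["result"] == "failure" and e["timestamp"] >= latest - window:
            groups[e[key]].append(e)
    return groups

def low_and_slow_targets(events, min_ips=3, max_failures=5, window=timedelta(days=30)):
    """Accounts with few failures in total but spread across several source IPs."""
    flagged = {}
    for account, fails in failed_by(events, "account", window).items():
        ips = {f["source_ip"] for f in fails}
        if len(ips) >= min_ips and len(fails) <= max_failures:
            flagged[account] = sorted(ips)
    return flagged

def spraying_sources(events, min_accounts=3, window=timedelta(days=30)):
    """Source IPs that fail against many distinct accounts, a few tries each."""
    flagged = {}
    for ip, fails in failed_by(events, "source_ip", window).items():
        accounts = {f["account"] for f in fails}
        if len(accounts) >= min_accounts:
            flagged[ip] = sorted(accounts)
    return flagged
```

Service accounts that appear in the first list are the “set it and forget it” identities the article warns about; both lists are cheap to recompute daily against an export of the tenant’s sign-in logs.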
#4 | Domain Spoofing
Domain spoofing uses malicious URLs to lead end-users to expertly disguised domains—like an Office 365 login page or a DocuSign request—in order to harvest valuable personally identifiable information (PII).
According to the FBI, between 2013 and 2015, more than 7,000 US businesses fell prey to these types of email scams, costing an estimated $747 million. These scams include the domain spoofing trick of faking your CEO’s email address to trick your CFO into transferring money. This is an example of the larger trend of taking a social engineering approach to stealing information.
#5 | Banking Trojans
Our fifth notable trend in email cybercrime involves Banking Trojans (BT)—malware designed to steal victims’ bank login credentials using domain spoofing or by injecting fake login forms into real bank websites. This kind of attack represented 24% of all malicious email volume in Q3 of 2017, according to Proofpoint’s Quarterly Threat Report.
The most common and effective BT today is a strain called The Trick, which accounts for 70% of all BTs. The Trick uses look-alike domain email addresses and subject lines that scare users into reading the email and opening an attachment.
This threat to enterprises has gained a foothold as more and more employees work from multiple devices—even conducting online banking on the same mobile phone they use to email co-workers. On mobile phones and tablets, many email clients only show the “name” in the “from” field, further enabling this kind of attack.
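Sections #4 and #5 both come down to a sender that looks right at a glance: a look-alike domain, or a trusted display name on a phone that hides the address. As an added example (not code from Navisite or Proofpoint), the check below inspects a From: header against an assumed set of trusted domains and protected display names, collapsing common confusable characters and allowing a one-character edit distance; exact-domain forgery is left to SPF/DKIM/DMARC, the “email authentication” mentioned later on this page.

```python
from email.utils import parseaddr

# Constructed: the organisation's own domain and the display names users are most
# likely to trust on a phone that shows the name but hides the address.
TRUSTED_DOMAINS = {"example.com"}
PROTECTED_NAMES = {"jane smith", "accounts payable"}
# Visually confusable substitutions commonly used to register a look-alike domain.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s")]

def skeleton(domain):
    """Collapse confusables so 'examp1e.com' and 'exarnple.com' both read 'example.com'."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d

def edit_distance(a, b):
    """Levenshtein distance, to catch one-character typo-squats such as 'exampe.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_sender(from_header):
    """Return findings for one From: header; an empty list means nothing suspicious."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain in TRUSTED_DOMAINS:
        return findings  # exact match; forgery of our own domain is SPF/DKIM/DMARC's job
    for trusted in TRUSTED_DOMAINS:
        if skeleton(domain) == trusted or edit_distance(domain, trusted) <= 1:
            findings.append(f"look-alike domain {domain} resembles {trusted}")
    if name.strip().lower() in PROTECTED_NAMES:
        findings.append(f"external address {addr} uses protected display name {name!r}")
    return findings
```

A mail-flow rule that prepends a visible warning to the subject when this returns anything gives mobile users the cue their client strips out.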
You Can Fight Back
Enterprises with hundreds to thousands of users often look to a Managed Service Provider (MSP) to support their internal IT by proactively monitoring, detecting, and mitigating advanced threats to their Office 365 environment. An MSP can help you:
- Run malware defenses in real-time to stop ransomware attacks before they can do harm
- Update patches and run antivirus software
- Ensure backups are current and secure
- Deploy features like multi-factor authentication, email authentication, single sign-on, and data-loss prevention
- Add a third-party security partner to wrap Office 365 in multiple layers of fortification
With a trusted MSP as a partner, enterprises don’t have to suddenly add expertise at recognizing cyberattacks to their core responsibilities.
Security with Navisite, Powered by Proofpoint
In the face of innovative hacking techniques by cybercriminals, Navisite and our security partner, Proofpoint, use the most current and effective measures to detect and mitigate threats to our clients’ data. We help hundreds of enterprises experience peace of mind while boosting business productivity with the cloud. How can we help you achieve your goals?