Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/30/2017
02:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
0%
100%

Office 365: A Vehicle for Internal Phishing Attacks

A new threat uses internal accounts to spread phishing attacks, making fraudulent emails even harder to detect.

Cybercriminals go where the users are. Office 365, which has more than 100 million active monthly subscribers, has become a hotspot for compelling and personalized cyberattacks. Users trust emails from coworkers, especially those with the correct corporate email address.

Traditional phishing attempts have red flags: suspicious attachments, bold requests, misspelled words, questionable email addresses. Users know how to react to these. But what happens when attacks are more personalized, with legitimate addresses and reasonable requests?

These have become more popular and tougher to spot, says Asaf Cidon, spearphishing expert at Barracuda. The company recently released a report on a threat he calls Account Compromise. Once they have an employee's Office 365 account information, threat actors can craft realistic-looking messages and send them from an account their victims trust.

Attackers primarily steal credentials using traditional methods, he continues. Most rely on phishing or spearphishing to send victims to fraudulent websites, where they are prompted to reset their Office 365 credentials. Some buy users' credentials on the dark web.

"What's new is what happens after they get access to the accounts," Cidon says. Threat actors can conduct several types of attacks after they gain a foothold in an organization.

In one common scenario, an attacker sets forwarding rules on an Office 365 account to send emails to an account they control. From there, they can both steal data and monitor the user's internal and external communication patterns so they can plan future attacks.

Threat actors also impersonate their victims and send emails to other employees with the goal of collecting data. Some send emails with PDF attachments that can only be opened with a username and password. Some send an invoice for payment that requires logging into a web portal, where they have to log in with a corporate email address and password.

Damage could potentially extend outside the organization. Cidon explains a scenario in which an attacker, impersonating an employee, used their access to request a wire transfer from a partner company. The employee in the scenario didn't even realize the transfer was happening.

"This is an evolution of spearphishing - we're seeing more and more sophistication," he says. A couple of years ago, cyberattackers primarily targeted executive employees. These new Office 365 threats are putting all employees at risk.

"With this attack, they're just trying to get in and once they're in, a lot of the employees getting targeted are not high-level. It's not just executive targets," Cidon continues.

There are red flags that signify a company is targeted in one of these attacks. Oftentimes the IP addresses used to log into corporate accounts come from other countries, he says, and looking at the log can identify geographical anomalies. It also helps to keep track of your email account to see when emails are getting forwarded or sent to unfamiliar addresses.

Cidon advises security leaders to train employees on how to spot phishing attacks to prevent attackers gaining initial access. He also advises adding security layers like multi-factor authentication to Office 365 to lessen the chance of a break-in.

"Traditional email security systems are going to be almost useless in stopping this," he says, noting how most tools look at the API of the email provider. "Once an attacker is in, they don't see internal emails … only the external emails coming in."

Related Content:

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
EKFletcher
50%
50%
EKFletcher,
User Rank: Apprentice
9/4/2017 | 11:47:37 AM
IP addresses outside the US
Nice information.  Thank you. 

How can someone with a list of IP addresses showing where the users have signed in from take that and easily tell what IPs are from another contry?  If you have hundreds of IPs, it would be a daunting task to discover if any IPs were from another contry.

Thanks! 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.