Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Security pros discuss the most typical ways attackers leverage Microsoft 365 and share their guidance for defenders.

Kelly Sheridan, Former Senior Editor, Dark Reading

June 2, 2021

7 Min Read
(Image: phloxii via Adobe Stock)

As more organizations have grown reliant on Microsoft 365, Google Cloud, and Amazon Web Services, cybercriminals have begun to realize that the shift benefits them and are consequently tailoring their attacks to take advantage of the major cloud platforms in use by organizations. 

More than 59.8 million messages from Microsoft 365 targeted thousands of organizations last year, Proofpoint reports, and more than 90 million malicious messages were sent or hosted by Google. In the first quarter of 2021, 7 million malicious messages came from Microsoft 365 and 45 million from Google infrastructure, far above per-quarter Google-based attacks in 2020.

"I think it aligns to a general pattern," says Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, of an increase in cloud-based attacks. While experts have seen cloud email services abused in the past, today's attacker infrastructure looks different.

"Now, if you're an attacker ... you can just compromise a few Office 365 or Google Workspace accounts and use that to do everything from launch your attacks to host your payloads," Kalember continues. "Frankly, it's a one-stop shop if you're an attacker. It's all you need from an infrastructure perspective." 

In Microsoft 365 or another major cloud platform, it doesn't matter whether an attacker wants to conduct research for a business email compromise or get someone to click a malicious link in the early stages of a ransomware attack. A compromised cloud account, especially a cloud email account, is useful for several different types of attack. From an attacker's perspective, it's a useful place to exfiltrate information from because it likely won't be blocked, Kalember points out. 

The sheer size of Microsoft 365's user base makes it even more appealing to attackers. While some companies may use platforms like G Suite as an alternative, Microsoft 365 is "the 800-pound gorilla in terms of that collaboration space," says Vectra CTO Oliver Tavakoli. Attackers know the value of data stored in the Microsoft platform and how they can effectively get to it.

Taking Aim at the Cloud
It's clear a compromised cloud account can prove fruitful to criminals. But how exactly are they abusing these platforms? And what do these attacks typically look like?

To learn more about this, Vectra researchers compiled the top threat detections in Microsoft Azure AD and Microsoft Office 365 that are most frequently seen among the company's clients. 

The most common, they report, is Office 365 Risky Exchange Operation: In these cases, abnormal Exchange operations detected may indicate an attacker is manipulating Exchange to gain access to specific data or further attack progression. More than 70% of Vectra's customer base has triggered this detection per week since the start of 2021, researchers discovered.

The second most-common threat detection involves suspicious operations in Azure AD. An abnormal Azure AD operation could indicate attackers are escalating privileges and performing admin-level operations after a regular account takeover. Attackers are doing "a lot of nips and tucks" in Azure AD, adding and removing people to and from groups and elevating privileges. 

"If I break in and have your credentials, merely by adding you to a particular group – the downstream effect of that might be in Office 365 – you now have access to a whole bunch of SharePoints that you didn't have," Tavakoli explains. "If I've stolen your account, then giving your account more rights and then using those rights in the application is a very interesting attack vector." 

A problem in Azure AD is there isn't a clean separation between the things that someone should be able to benignly do for themselves, such as set a profile picture in the directory, and fairly privileged operations that should be limited to admins, he says.

"Now we have to effectively sharpen the pencil and really figure out how to tease apart the operations that matter [to the attacker] from the ones that don't," Tavakoli says. 

Other common threat detections include attackers downloading an unusual number of objects in Office 365 and accounts sharing files and/or folders at a higher volume than normal, both of which could indicate attackers are using download and sharing functions to exfiltrate data. Vectra researchers also report redundant access creation in Azure AD and the addition of external accounts to Office 365 teams as threat detections organizations should watch for. 

Proofpoint's Kalember says attackers are also growing reliant on OAuth applications and other third-party applications that connect people to Office 365 and Google Workspace accounts. These Web apps don't necessarily phish credentials; they get people to trust them. It's not hard, he says, for an attacker to create a fake version of SharePoint Online and send a phishing email. If successful, they can get an OAuth token that represents a person's credentials.

"The attackers then leverage that access in all kinds of different ways," he says. "They'll leverage it in highly manual ways and read the contents of that inbox, send an email as that person, and conduct further attacks that way."

They can also use those tokens in automated larger campaigns to capture more credentials and compromise a greater number of accounts. 

Microsoft 365 Defense: Tips and Challenges
The vast majority (85%) of data breaches involve a human element, Verizon's "2021 Data Breach Investigations Report" (DBIR) recently reported, and 61% involve compromised credentials.

"This is how attackers work now. They don't hack in – they log in," says Kalember, who notes only 3% of attacks in the DBIR used vulnerability exploits. The steps organizations can take to protect credentials will become increasingly important as attackers rely on these techniques.   

He advises organizations to kill legacy protocols and add multifactor authentication "to everything facing the Internet," two steps he notes have been good advice for a long time and should be a top priority for organizations that haven't yet taken them. For organizations that can't afford a cloud access security broker (CASB) or other cloud security tool, he recommends a closer look at Microsoft Sentinel, a tool that organizations can use to access Office 365 logs.

"Being able to at least go back to the logs, if you can't afford to deploy a CASB or cloud security tool that will do that for you, is really, really critical," he adds.

Microsoft 365 is complicated for defenders, says Tavakoli of the roadblocks security teams face, because many of its different tools could also prove handy for attackers. Consider eDiscovery, a tool designed to help surface specific terms – for example, "password" – across email, Teams, and other communications. It's meant to help employees access different resources, but it could also help attackers looking for information. 

"When you have a very complex system that the defenders don't really grasp and you eject it outside your fortress walls, the attackers have an inherent advantage," he explains. "They'll spend the time to figure out that complexity and they will need to find some design patterns that tend to work for attacks, and then those design patterns tend to be incredibly reusable." 

Tavakoli emphasizes the importance of understanding policies within Office 365. Do you want this to primarily be a collaboration platform within the organization, or do you want to use it with external partners as well? If you are working with external partners, it's important to establish key demarcation points. A SharePoint shared with partners should be maintained differently than a SharePoint intended for internal collaboration, he points out. Which parts of the system and which data can be available to external partners? Are the expectations for this established internally as well?

Determining the number of policies is a tricky balance to strike. Tavakoli says you'll likely want at least 10 to 15 policies – not hundreds, but also not so few that they give people overly broad entitlements. The principle of least privilege remains key. 

"Give users only the amount of privilege they need to do their jobs," he adds.

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights