[BreachExchange] Mitigating the risk of Office 365 account hijacking

[Destry Winant]

https://www.helpnetsecurity.com/2018/12/10/office-365-compromise-prevention/

Office 365 – the online, subscription-based version of Microsoft’s
Office application suite – is one the most widely used enterprise
cloud applications/services, which makes it the preferred target of
attackers looking to gain access to sensitive business information.

“Once an actor has obtained credentials for an O365 account, not only
can the account access be used to access documents across a user’s
O365 surface (SharePoint, OneNote etc.) but it can also be used as a
launchpad to carry out further compromises within an organisation,”
UK’s National Cyber Security Centre warns.

“(We are) aware of several incidents involving the compromise of O365
accounts within the UK, including the use of such methods in targeted
supply chain attacks. The ultimate objective of this type of targeting
is not clear and the attacks appear not to be limited to any
particular sector or attributed to any single threat actor.”

A way in for attackers

Attackers are constantly finding new ways to bypass Office 365’s
built-in security. According to Vircom’s threat intelligence, the
majority of accounts compromised within Office 365 fall victim to
previously compromised Office 365 accounts.

The attackers are after information and access that can be used to
manipulate the movement of money, steal sensitive commercial
information, distribute spear phishing emails, gain access to users’
other online accounts.

According to the NCSC, they usually opt for one of two approaches to
break into O365 accounts: brute forcing or spear phishing.

The former is usually limited to specific individuals in organisations
to reduce the chances of attack detection by the cloud service
provider. The latter usually leads targets to a spoofed O365 login
page designed to harvest entered account credentials.

Risk mitigation

Using a password manager can help minimize the effectiveness of both
these approaches, as users can choose long, complex passwords that are
difficult to brute force and the application will not work with
spoofed login pages.

The NCSC advises organisations to implement another layer of security:
multi-factor authentication (MFA).

“The O365 platform supports a number of different MFA mechanisms and
depending on the subscription, organisations are able to use a mixture
of different deployments,” they pointed out.

“To implement MFA effectively across an organisation’s O365 platform
will require IT departments to understand the user group to which they
are intending to roll it out. This is especially crucial when
organisations are dealing with a diverse workforce. As an example,
organisations that have employees deployed in locations with poor
mobile phone coverage may have problems receiving SMS tokens, causing
difficulties in access to the O365 platform. In this scenario,
organisations should consider the different MFA mechanisms available
to them to avoid reluctance in adoption across the wider
organisation.”

The NCSC also advises enterprise admins to:

- Implement Microsoft’s published security best practices for Office
365, consider security hardening measures and to keep an eye on the
organisation’s O365 configuration,
- Enable a type of MFA for all accounts and enforce it by Conditional
Access(they can check what their peers are saying about Office 365 MFA
and the approaches they are taking to improve security),
- Disable legacy authentication protocols that do not fully support
MFA (as part of an organisation’s Conditional Access policy),
- Make sure that they are collecting audit data to give insight into
any attempted or successful breaches, and
- Implement and keep on top od device hardening measures and efforts
(ensure that devices are fully patched, are not using administrative
privileges, have malware defences in place and are collecting security
logs).