Microsoft 365 (M365) has changed the way organizations implement email services. The platform ties in with existing Windows authentication schemes, is available from anywhere, requires no patching, and is scalable nearly to perfection. But if enterprises don’t take advantage of the security features offered, the convenience of email everywhere also extends to hackers.
Cloud-based email allows organizations to give access to employees providing they have an internet connection. But they can often fail to meet the security standards that will help them keep up with hackers. In an article written last year, even before COVID-19, anti-spam application maker Barracuda reported a staggering statistic:
In an analysis of account takeover attacks targeted at Barracuda Networks customers, their researchers found that “29% of organizations had their Microsoft 365 accounts compromised by hackers in March 2019.” 1
To understand why this happens and continues to happen, it may help to understand attackers better.
Attackers are inventive and entrepreneurial. And current times have seen some of the best demonstrations of this creativity. In the early days of COVID-19, phishing email lures took the form of vaccine information, offers on short-supply commodities (e.g. hand sanitizers and facemasks) and other COVID-19 related goods and services. As the pandemic progressed, attackers switched tactics to more indirect lures. These include updates for video conferencing tools or collaboration environments, payments from government assistance programs, and even CV attachments for in-demand job applications.
In an incident that KPMG investigated, a hacker compromised a vendor that worked closely with the target organization. The hacker sent emails to identified accounts payable personnel stating their banking information had changed. Since the email was sent from the vendor's domain and the email address familiar, the target organization did not question the account change. As a result, the target organization sent money to a bank account controlled by the perpetrators. The funds were never recovered.
In this case, the email account was used as an authoritative credential protected by a password and is suspected of having been typed into a credential-harvesting website due to a phishing email.
Adversaries have several methods at their disposal for compromising unsecured M365 email accounts. Understanding these attack vectors can help inform how to tailor the M365 security suite to beat them.
Credential harvesting sites
Credential harvesting websites begin with the basic premise — if you want a user’s password, just ask nicely. Attackers commonly set up credential harvesting campaigns, consisting of phishing emails claiming someone sent a document to view, via a link. Clicking the link will send the user to a fake Microsoft 365 login page resembling the target organization’s page. Once credentials are entered, bad actors will either use them to perform further attacks or sell the credentials on hacking forums.
According to McAfee, “92% of companies have cloud credentials for sale on the Dark Web.” 2
Password spray attacks
Password spray attacks3 occur when a common password such as “June2020!” is used with a set of usernames acquired while performing reconnaissance. These usernames, commonly found on social media or hacking forums, and the resulting email address formation is trivial based on an organization’s email structure (i.e. firstname.lastname@example.org). These attacks are even more successful when attackers are aware of helpdesk defaults for assigning new passwords.
When hackers acquire a list of usernames and passwords on the internet and attempt to use them against an online login page, credential stuffing occurs. These lists are often from a password dump of a third-party data breach. Also, attackers may try common modifications that people make to their passwords when required by their organization. For example, if an account has a password of “P@$$w0Rd1”, attackers might also attempt “P@$$w0Rd2”. Password spray attacks are successful because of poor password hygiene — a common issue, difficult to detect.
According to LastPass’s 3rd Annual Global Password Security Report, employees reuse passwords 13 times, on average.4
Once a hacker has gained access to a user’s email and successfully logged in, activity logs can inform investigators on the hacker’s objective and impact.
Creating new mailbox rules
A hacker can develop new rules to forward or delete targeted information. Forwarded email rules may allow the forwarding of data to a remote email under their control. Or they may target specific emails, such as those containing the word “invoice” or “patient number” (depending on the objective). Deletion rules target emails that can be warnings of compromise, such as responses to spam emails a hacker sends or messages from the helpdesk.
A hacker may want to quickly take the desired information and leave little in the way of tracks. Targeted information may include passwords, financial information or confidential data. The information may also confirm the nature of the compromised user’s position at the company and help determine how the hacker can leverage impersonation tactics to commit fraud or send phishing emails. Unless security settings are properly configured, Microsoft’s logs will not identify email items accessed during a mailbox compromise. However, if the hacker forwards specific messages to a remote email, the activity will be logged if auditing is activated. Microsoft has now updated its email forwarding controls to block emails forwarded outside of the organization by default.
Sending additional phishing emails
Once a hacker gains a foothold within a business email environment, they often attempt to phish internal and external colleagues, using the compromised account's apparent legitimacy to increase trust. In most cases, this will give the attacker's presence away, so before attempting this, the hacker will have already exploited the mailbox in ways previously described. Phishing emails may take the form of links to credential harvesting sites or employ a tactic that results in malware infection.
Phishing emails target popular wording and tactics and create huge campaigns. Once user awareness catches up, a specific campaign’s success rate will drop, and tactics will change. Most of these emails are designed to call for immediate action, particularly resonating with employees who handle financial matters. For example, of the ten most popular keywords used in business email compromise (BEC) schemes, "Transaction request" topped the list, followed by "Important" and "Urgent." Also, three iterations of "Payment" rounded up the top 10, including "Outstanding payment" and "Notification of payment received." 5
There are several options an organization has to reduce the risk of an M365 compromise.
Two-factor authentication (2FA) is a must
Adding another layer of protection to a user’s account, 2FA can significantly decrease the effectiveness of password spraying attempts, phishing email sites and credential stuffing attacks. The attacker needs to know the target’s username and password, but they also need to compromise the second form of authentication used to log into the target’s account successfully. Keep in mind that some sophisticated operations request the current token code to log into a fake website, which is immediately used for logging into the actual M365 account. The use of this tactic has increased and is expected to take off in the coming months.
Monitoring and responding to suspicious activity alerts can catch adversaries and increase awareness of normal activity for an organization’s M365 tenant. Microsoft Cloud App Security (MCAS) is an M365 add-on that provides the best native analytics for M365. Some commonly implemented rules include:
Monitoring rules can be a great way to detect malicious activity. However, they should be routinely maintained to limit the number of false positives.
Consider IP-based restrictions
At the strongest level, organizations can limit the likelihood that a bad actor will perform attacks by only allowing access to the M365 tenant from within the corporate network (i.e. through a VPN). This forces the attacker to compromise an internal endpoint first before gaining access to any accounts. While this removes the benefit of a globally accessible email, it does reduce risk. Alternatively, clients can restrict access by whitelisting IPs requested by employees, such as trusted home computers and mobile devices. Clients with IP-based restrictions suffer far fewer email-related compromises
Capabilities in M365 monitoring are still advancing and monitoring and detection platforms must adapt to new techniques. KPMG professionals have developed the KPMG Intelligent Cyber Analytics Program which is applied to clients’ live M365 logs. Anomalous logins and messages are flagged based on a history of “normal” activity. Alerts generated may be due to logins by multiple mail accounts from a new IP address, use of an atypical platform (e.g. an employee usually uses an Android device to remotely access email but suddenly logs in using Thunderbird), or a user sets up a forwarding rule to a strange email address while logged in from an unfamiliar location.
In case of compromise
Every day organizations are surprised to find they’ve been victimized by an email compromise. Knowing how to proceed is essential to understanding the impact and ending the access. Four important considerations to keep in mind:
Microsoft 365 has delivered ubiquitous email capabilities at scale for almost every organization in the world. But organizations need to build M365 tenants with security in mind,6 tailoring its versatile preventative and detective security suite to the specific types of threats they face and the culture and working model of their organization.
Security as an afterthought is disruptive, expensive and leaves organizations vulnerable to the threat landscape. We’ve all had to take some shortcuts to implement new cloud services during the pandemic. Now is the time to secure what we’ve implemented, streamlining our security-by-design processes to make sure we can keep pace with future configuration changes.
1 Asaf Cidon, “Threat Spotlight: Account Takeover,” blog.barracuda.com, May 2, 2019.
2 2019 Cloud Adoption and Risk Report, McAfee, 2019.
3 Diana Kelley, “Protecting your organization against password spray attacks,” Microsoft.com, April 23, 2020.
4 The 3rd Annual Global Password Security Report, LastPass, 2020.
5 Security Response Team, “BEC Scams Remain a Billion-Dollar Enterprise, Targeting 6K Businesses Monthly,” Symantec-enterprise-blogs.security.com, July 23, 2019.
6 Girish Chander, “Top 6 email security best practices to protect against phishing attacks and business email compromise,” Microsoft.com, October 16, 2019.
Throughout this website, “we”, “KPMG”, “us” and “our” refers to the global organization or to one or more of the member firms of KPMG International Limited (“KPMG International”), each of which is a separate legal entity.
Gain access to personalized content based on your interests by signing up todaySign up today