The rise of Office 365 phishing scams: How one compromised account can cost millions

Mark Nicholls is CTO at Redscan.

More businesses than ever are now choosing to use cloud services. Despite the many benefits of doing so, such as reduced maintenance costs and improved scalability, there are a number of cyber security risks that organisations need to be aware of, including phishing campaigns built specifically around SaaS applications and their login pages.

With more than 155 million monthly active commercial users, Office 365 is among the most widely used cloud-hosted email and productivity suites, and consequently a prime target for cybercriminals. As threats intensify, organisations must ensure that their cloud security is suitably hardened.

Beware of BEC attacks

A business email compromise, or BEC for short, is a type of advanced phishing scam that has become prevalent in recent years. Such attacks involve cybercriminals posing as an employee, usually a C-level executive, in order to trick an associate of that person into wiring payment for goods or services into a substitute bank account.

To conduct a BEC attack, criminals will seek either to compromise a user’s account through a traditional credential-harvesting phishing attack, or to spoof the person’s email address so that it appears almost identical to the targeted account (for example by faking the display name or registering a look-alike domain). The attacker then uses that identity, and with a compromised account its real mailbox, contacts and conversation history, to send convincing phishing emails to colleagues, customers and suppliers.

Italian football club Lazio is one of the most high-profile victims of a BEC attack, having inadvertently wired a £2 million player transfer fee to a cybercriminal instead of the player’s former club. However, the fact that BEC attacks are reported only a fraction of the time – largely due to the reputational damage they can inflict – means that they are often left to thrive in anonymity.

A smarter breed of phish

To dupe their targets, BEC fraudsters conduct meticulous research. This entails monitoring company news, investigating supply chains and technology usage, plus undertaking reconnaissance – with any information gathered used to design more creative, custom and elaborate campaigns that are difficult for recipients to identify as malevolent.

Gone are the days of brazen scams with email subject lines such as ‘Congratulations you’re a winner’. To compromise Office 365 users, for example, criminals now use a range of fake requests and notifications, such as security alerts, non-delivery reports and meeting appointments. To instigate BEC attacks, hackers will seek to build victims’ trust by sending a sequence of emails.

It’s not just suspicious links that people need to look out for. Techniques to distribute malicious attachments are also becoming more sophisticated. One recently identified technique involves the use of PowerShell to inject malware when users preview files in Outlook – now it’s not always necessary to open a document to trigger an infection.

To evade firewalls and email gateways, hackers are hosting content on SharePoint and other trusted platforms. Because the hosting domain is legitimate and widely used, the content cannot simply be blocked by domain or reputation, and unknown content becomes harder to blacklist. Another attack technique, known as ‘NoRelationship’, exploits a weakness in Microsoft’s file filtering technology.

How to protect your employees

If your business subscribes to or is thinking of subscribing to Office 365 or another cloud service, then protecting against BEC and other phishing threats should be an important security consideration. Employee education is an important step but shouldn’t be relied upon to fully mitigate risks. People continue to be a weak link in the security chain.

Enforcing multi-factor authentication across all user accounts is highly recommended, so that a password that has been phished, cracked or reused elsewhere is not on its own enough to log in. Email authentication standards (SPF, DKIM and DMARC) should also be published for your own domains: they let receiving mail servers verify that a message claiming to come from your domain was sent by an authorised server and carries a signature made with your key, and a DMARC policy of quarantine or reject tells those servers to act on failures. Be clear about what they do not cover: mail sent from a genuinely compromised account passes every check, as does mail from a look-alike domain that the attacker registered and configured correctly, so these controls reduce direct spoofing of your domain rather than BEC as a whole.
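To make the distinction concrete, the following is an added example (not code from the article or from Redscan) that models how a receiving server turns SPF and DKIM results into a DMARC verdict. DNS is replaced by a constructed in-memory table of records for the hypothetical domains example.com (the defended tenant) and examp1e.com (an attacker-registered look-alike); the SPF and DKIM results are passed in rather than computed, and the organisational-domain logic is simplified, as noted in the comments.

```python
"""DMARC disposition of a received message, from its SPF and DKIM results.

Added example; not code from the article or from Redscan. It models the
RFC 7489 identifier-alignment and policy logic in plain Python, offline:
DNS is replaced by a constructed in-memory table of records for the
hypothetical domains example.com (the defended tenant) and examp1e.com
(an attacker-registered look-alike), and SPF/DKIM results are passed in
rather than computed, since cryptographic DKIM verification is out of scope.
"""

# Constructed stand-in for the _dmarc.<domain> TXT lookup.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "examp1e.com": "v=DMARC1; p=none",  # look-alike domain, set up by the attacker
}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    return tags


def organizational_domain(domain):
    """Last two labels of the domain.

    Simplification (assumption): a real implementation consults the Public
    Suffix List so that names such as 'example.co.uk' are handled correctly.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """RFC 7489 identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return organizational_domain(header_from) == organizational_domain(auth_domain)


def dmarc_disposition(header_from, spf_domain, spf_result, dkim_domain, dkim_result,
                      records=DMARC_RECORDS):
    """Return (dmarc_result, action) for one message.

    header_from: domain of the RFC5322.From header the user sees
    spf_domain:  domain of the envelope sender (MAIL FROM) that SPF checked
    spf_result:  'pass', 'fail', 'none', ... as produced by the SPF check
    dkim_domain: d= of a DKIM signature that verified, or None
    dkim_result: 'pass' or anything else
    """
    record = (records.get(header_from.lower())
              or records.get(organizational_domain(header_from)))
    if record is None:
        return ("none", "none")  # domain publishes no policy: nothing to enforce
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags.get("p", "none"))


if __name__ == "__main__":
    cases = {
        "direct spoof of ceo@example.com from the attacker's own server":
            dmarc_disposition("example.com", "attacker.net", "pass", None, "none"),
        "genuine mail from example.com (or from a compromised account there)":
            dmarc_disposition("example.com", "example.com", "pass", "example.com", "pass"),
        "look-alike domain examp1e.com with its own valid SPF record":
            dmarc_disposition("examp1e.com", "examp1e.com", "pass", None, "none"),
    }
    for label, result in cases.items():
        print("%-72s -> %s" % (label, result))
```

The three cases at the bottom are the point: the direct spoof is rejected because neither identifier aligns with example.com, but the look-alike domain passes on its own SPF record, and mail from a compromised example.com account is indistinguishable from genuine mail. Those last two are exactly the BEC paths that MFA, user awareness and monitoring have to cover.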

Key to securing Office 365 and other cloud environments is also obtaining greater threat visibility. After all, businesses cannot secure what they cannot see. Next-Gen SIEM (Security Information and Event Management) and Endpoint Detection and Response (EDR) tools that support centralised log monitoring, behavioural analysis and incident response can significantly reduce the time it takes to identify suspicious events, and to contain and shut down attacks before they spread. For Office 365 this means ingesting the tenant’s audit logs, not just endpoint and network telemetry.

Examples of behaviours that could indicate something anomalous include: account and infrastructure changes, unauthorised network connections, privilege escalation, and automatic forwarding of emails to other accounts, whether through a new inbox rule or a change to the mailbox’s own forwarding settings. Forwarding combined with a rule that deletes or files the forwarded messages is a particularly strong signal, since it exists to hide the attacker’s activity from the mailbox owner.
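As an added example of what that monitoring looks like in practice (this is not code from the article or from Redscan), the script below runs a simple forwarding-rule detection over constructed sample records. The records are modelled on the JSON that Exchange Online writes to the unified audit log (the AuditData field returned by Search-UnifiedAuditLog); the tenant domain, users, addresses and IPs are invented, and real logs carry more fields and occasionally different value formats, so the parsing is a starting point rather than a finished rule.

```python
"""Flag Office 365 audit events that set up automatic forwarding of mail.

Added example; not code from the article or from Redscan. The four records
below are constructed for the example and modelled on the JSON that Exchange
Online writes to the unified audit log (the AuditData field returned by
Search-UnifiedAuditLog); the tenant domain, users, addresses and IPs are
invented. Real logs carry more fields and occasionally different value
formats, so treat the parsing here as a starting point.
"""
import json
import re

# Domains the hypothetical tenant owns; a forward anywhere else is external.
TENANT_DOMAINS = {"example.com"}

# Cmdlet parameters that make mail leave a mailbox automatically.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
# Parameters attackers combine with forwarding to hide it from the mailbox owner.
HIDING_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}

WATCHED_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample log lines (one JSON record per line).
SAMPLE_LOG = [
    # 1. Harmless: a user forwards to a colleague inside the tenant.
    '{"CreationTime":"2019-06-03T08:01:10","Operation":"New-InboxRule","Workload":"Exchange",'
    '"UserId":"alice@example.com","ClientIP":"198.51.100.20","Parameters":['
    '{"Name":"Name","Value":"Cover"},{"Name":"ForwardTo","Value":"bob@example.com"}]}',
    # 2. Classic BEC set-up: invoice mail silently forwarded out and deleted.
    '{"CreationTime":"2019-06-03T09:12:44","Operation":"New-InboxRule","Workload":"Exchange",'
    '"UserId":"cfo@example.com","ClientIP":"203.0.113.7","Parameters":['
    '{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment;wire"},'
    '{"Name":"ForwardTo","Value":"finance [SMTP:finance.payments@example.net]"},'
    '{"Name":"DeleteMessage","Value":"True"}]}',
    # 3. Mailbox-level forwarding set by an admin account on the CFO's mailbox.
    '{"CreationTime":"2019-06-03T09:15:02","Operation":"Set-Mailbox","Workload":"Exchange",'
    '"UserId":"admin@example.com","ObjectId":"cfo@example.com","ClientIP":"203.0.113.7",'
    '"Parameters":[{"Name":"Identity","Value":"cfo@example.com"},'
    '{"Name":"ForwardingSmtpAddress","Value":"smtp:drop@mail-archive.net"},'
    '{"Name":"DeliverToMailboxAndForward","Value":"True"}]}',
    # 4. A rule that only files mail: nothing leaves the mailbox.
    '{"CreationTime":"2019-06-03T10:40:31","Operation":"New-InboxRule","Workload":"Exchange",'
    '"UserId":"dave@example.com","ClientIP":"198.51.100.21","Parameters":['
    '{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Reading"}]}',
]


def parameters(record):
    """Flatten the Parameters array into a {name: value} dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def external_addresses(value):
    """Addresses in a parameter value whose domain is outside the tenant."""
    return [a for a in EMAIL_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in TENANT_DOMAINS]


def detect_forwarding(lines):
    """Return an alert for each record that forwards mail outside the tenant."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") not in WATCHED_OPERATIONS:
            continue
        params = parameters(rec)
        targets = []
        for name in sorted(FORWARD_PARAMS.intersection(params)):
            targets.extend(external_addresses(params[name]))
        if not targets:
            continue
        hides = sorted(HIDING_PARAMS.intersection(params))
        alerts.append({
            "time": rec.get("CreationTime"),
            "operation": rec["Operation"],
            "actor": rec.get("UserId"),
            # Set-Mailbox acts on ObjectId; inbox-rule events act on the actor's own mailbox.
            "mailbox": rec.get("ObjectId") if rec["Operation"] == "Set-Mailbox" else rec.get("UserId"),
            "client_ip": rec.get("ClientIP"),
            "external_targets": targets,
            "hides_evidence": hides,
            # Forwarding plus deletion or filing is the classic BEC pattern.
            "severity": "high" if hides else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_forwarding(SAMPLE_LOG):
        print(json.dumps(alert))
```

Run against the sample, records 2 and 3 produce alerts and records 1 and 4 do not; the client IP is carried through so the two alerts can be correlated (both come from the same address) and pivoted to sign-in logs during response.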

Embracing the cloud with confidence

While it’s impossible to completely eliminate the possibility of employees falling victim to BEC scams or opening malicious attachments, having a multi-layered approach to cyber security incorporating prevention, detection and response will certainly go a long way to reducing the risk. By implementing just a few extra controls and procedures, your business will be better placed to avoid operational disruption and to limit the financial and reputational damage should an incident occur.

