Attackers compromised Office 365 accounts via ATO attacks and used them in BEC scams

• Almost 29% of the monitored organizations had their Office 365 accounts compromised.
• Attackers have delivered over 1.5 million phishing emails via almost 4000 accounts that were compromised in ATO attacks during March 2019.

What is the issue?

Attackers compromise Microsoft Office 365 accounts via ATO (Account Takeover) attacks and use the compromised accounts for various phishing campaigns, malvertising campaigns, and Business Email Compromise (BEC) scam campaigns.

Barracuda research findings

Barracuda researchers analyzed ATO attacks and found out the following,

• Attackers have delivered over 1.5 million phishing emails via almost 4000 accounts that were compromised in ATO attacks during March 2019.
• Once the accounts were compromised, attackers have added malicious mailbox rules to hide their activity in almost 34% of the nearly 4,000 compromised accounts.
• Almost 29% of the monitored organizations had their Office 365 accounts compromised.

More details on the analysis

Attackers execute ATO attacks via brand impersonation, social engineering, phishing, credential stuffing, and brute-force methods.

• Credential Stuffing

Researchers said that attackers leveraged ‘usernames-passwords’ stolen from previous data breaches to compromise the accounts as victims reuse passwords across multiple accounts. This also helped them gain access to additional accounts.

• Brute-Force

Researchers noted that attackers were able to successfully take over Office 365 accounts via brute-force attacks because users employed simple passwords that were easy to crack.

• Brand Impersonation

Attackers also used ‘Brand Impersonation’ tactic to trick email recipients into visiting a phishing page and provide their login credentials. The most impersonated brand is ‘Microsoft’ with 1 in 3 attacks impersonating Microsoft.

Once the account is compromised, attackers monitor and track activity to understand the company’s business process, its financial transactions, and how they use the email signatures, so that they can launch successful attacks, including stealing additional login credentials from various accounts.

How to stay protected from such attacks?

• It is best to install ATO detection and protection solutions that use artificial intelligence to detect compromised accounts and remove the malicious emails sent from these accounts.
• In order to avoid such attacks, it is always best to monitor suspicious logins and email accounts for malicious inbox rules.
• Experts recommend using multi-factor authentication while logging in to email accounts.
• Researchers also suggest educating employees and users on recognizing such attacks.

“Use technology to identify suspicious activity, including logins from unusual locations and IP addresses, a potential sign of a compromised account. Be sure to also monitor email accounts for malicious inbox rules, as they are often used as part of account takeover,” researchers said in a blog.