Office 365: A Treasure Trove for Cybercriminals
Office 365 has more than 250 million monthly active users, making it an attractive target for cybercriminals. Recently, a report Vectra revealed that cybercriminals are frequently abusing built-in Office 365 services to launch cyberattacks on enterprises.
What has been revealed?
Because account takeover in Office 365 can give easy access to the organization’s inside network, such attacks are now becoming common.
- Most exploited key features in the Office 365 suite include OAuth — for establishing a foothold, power automation, command & control, lateral movement, and eDiscovery for reconnaissance, and exfiltration.
- The attackers would sign up for free trials to access premium connectors (a collection of instructions) that provides them with advanced capabilities. In addition to this, individual connectors can not be disabled.
- The report highlighted that around 96% of sampled customers showed lateral movement behaviors, 71% showed suspicious Office 365 Power Automate behaviors, and 56% suspicious Office 365 eDiscovery behaviors.
- Around 40% of organizations were targeted by Office 365 breaches, which lead to massive financial and reputational losses. According to Forrester Research, account takeover attacks cost between $6.5 billion and $7 billion in annual losses.
Several attacks have been observed exploiting Office365 to compromise targeted organization networks.
- Cybercriminals launched an Office365 credential-phishing attack to target the hospitality industry. They used visual CAPTCHAs to evade detection and look legitimate.
- Last month, a business email scam campaign was found that netted at least $15 million in illicit proceeds. They impersonated senior executives using Microsoft Office 365 email services.
Such attacks have been ongoing for quite some time now, causing billions of dollar revenue losses. For prevention, experts suggest having real-time threat detection of reconnaissance, along with credential theft activities. Furthermore, users are recommended to enable multi-factor authentication and activity alerts.