Imagine someone on your team accidentally clicks on a link and logs into what they perceived to be a legitimate login page for their O365 account. Or maybe someone has been lying dormant on your machine, waiting for that moment when you’re forced to reauthenticate your login.

Whatever the case, Office 365 account takeovers are showing no sign of slowing down this year. If your organization is responding to these attacks, you probably will deal with compromised credentials, wire transfers and other more expensive remediation efforts.

But how do these takeovers even happen?

First, a criminal sends a phishing attack, normally a request for an employee to use a link to review a document (you know how commonplace it is to share a link to a document within OneDrive or SharePoint). That link redirects to a page asking them to log in with their O365 credentials. Seems harmless enough—especially since the request was to review an O365-based document.

After handing over credentials, the cybercriminal starts to leverage access to the account.

They are looking for information on wire instructions, electronic payments, or vendor invoicing. They may undertake weeks or months of reconnaissance, monitoring your inbox and flagging, or even redirecting, emails with keywords such as “wire instructions” or “payment”. Or they may simply observe what comes in and out of your inbox to find a way to exploit your account most effectively. They may then issue fraudulent payment instructions, impersonate a vendor, or direct your employees’ direct deposits to an alternative account.

You might be thinking, “but most of my team doesn’t have responsibilities to bill or make payments”.

A criminal will exploit this type of mailbox to find key people within your organization who likely have those responsibilities or whose data is most valuable.

They will dive into your organization’s address books and figure out exactly who to target and how. After observing how your employee uses their account and the language they typically use in email, the attacker will be quite convincing when asking others to act.

And remember, if you aren’t cleaning up your inbox, it probably has years’ worth of emails to sift through—some of which are destined to have sensitive information in them. (All of this is happening with no one being the wiser).

Now, how can you harden your and your clients’ O365 configurations to keep these account takeovers from happening?

Generally, I recommend the following high-level steps:

  1. Require multi-factor authentication (MFA)—I’d say one of the most important things you can do is to require MFA for logging into an O365 account. Microsoft provides guidance on how to do this for Office 365 administrators. Essentially, you need to:
    • Set up MFA for all of your O365 users
    • Plan on MFA for all O365 deployments
    • Require the MFA mobile app for authentication
  2. Limit or disable remote access—most compromises occur through Outlook Web Access (OWA). You may want to consider disabling OWA for your organization, or only enabling it on a per-user basis, to protect your organization from takeovers.
  3. Consider using Microsoft’s Secure Score—the Secure Score analytics tool looks at the security settings you have enabled and suggests improvements, walking you through how to implement many of the changes. An additional consideration is to run our O365 vulnerability assessment, which takes a deeper dive into how hackers are currently searching for data in O365 and exploiting cloud accounts via Azure (Azure attacks are tactics your firewall likely won’t block).
  4. Manage message forwarding—cybercriminals often set up inbox rules to forward messages to an external account or delete specifically labeled emails. Often, the only sign of an account takeover is an unauthorized mailbox rule. This is one of the reasons why I discourage techs from setting up many filters, forwards and other rules to automatically handle inboxes. In my opinion, developing a process for cleaning up your inbox where you are actively observing and cleaning it up can be fast and is one of the best ways to ensure you understand what is going on within your inbox.
  5. Turn on audit logging and mailbox auditing—in the event one of your accounts is taken over, it will be essential to have access to the right logs. Without them, you will probably have to assume the hacker has accessed everything, leading to many more notifications to the clients and vendors that individual worked with. To have useful logs you need to (1) turn on audit logging and (2) enable mailbox auditing for every user within your organization. By default, auditing is not turned on for O365.
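To make steps 2, 4 and 5 concrete, here is an Exchange Online PowerShell sweep an administrator could run from a management workstation. It is an added example, not a script from the original post or from Microsoft: the cmdlets (`Get-Mailbox`, `Set-Mailbox`, `Get-InboxRule`, `Set-CASMailbox`, `Set-AdminAuditLogConfig`, `Search-UnifiedAuditLog`) are real Exchange Online cmdlets, while the admin UPN, the OWA allowlist, the 30-day lookback and the folder-name pattern used to flag “hiding” rules are assumptions you would adjust for your own tenant. It turns on unified audit log ingestion and per-mailbox auditing, restricts OWA to an allowlist, and then reports every mailbox-level forward and every inbox rule that forwards or redirects outside your accepted domains, deletes mail, or has a blank name, followed by a 30-day audit-log query showing who created or changed rules and from which client IP.

```powershell
# Added example (not the author's script). Requires the ExchangeOnlineManagement module
# and an account holding an Exchange administrator role. Review the output before
# trusting it, and run once with -WhatIf on the Set-* lines if you want a dry run.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.onmicrosoft.com   # placeholder UPN (assumption)

# ---- Step 5: audit logging ---------------------------------------------------
# Unified audit log ingestion is off by default in many tenants; enable it if needed.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

# Enable mailbox auditing on every user mailbox that does not already have it.
$mailboxes | Where-Object { -not $_.AuditEnabled } | Set-Mailbox -AuditEnabled $true

# ---- Step 2: OWA only for the users who need it --------------------------------
$owaAllowed = @('cfo@example.com')   # constructed allowlist (assumption); adjust per organization
$mailboxes |
    Where-Object { $owaAllowed -notcontains $_.UserPrincipalName } |
    Set-CASMailbox -OWAEnabled $false

# ---- Step 4: forwarding and inbox rules ----------------------------------------
# Domains the tenant owns; anything else is "external" for our purposes.
$acceptedDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Rule recipients render as "Display Name [SMTP:user@domain]" or as a plain SMTP address;
    # internal directory objects without an SMTP form contain no '@' and are treated as internal.
    if ($Address -match 'SMTP:([^\]]+)') { $Address = $Matches[1] }
    if ($Address -notmatch '@') { return $false }
    $domain = $Address.Split('@')[-1].ToLower()
    return -not ($acceptedDomains -contains $domain)
}

$findings = foreach ($mbx in $mailboxes) {
    # Mailbox-level forwarding set with Set-Mailbox is not shown as an inbox rule, so check it too.
    if ($mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = '(mailbox forwarding)';
                           Reason  = "ForwardingSmtpAddress=$($mbx.ForwardingSmtpAddress)" }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if ($t -and (Test-ExternalAddress "$t")) { $reasons += "forwards/redirects to external $t" }
        }
        if ($rule.DeleteMessage) { $reasons += 'deletes messages' }
        # Folders users rarely look at are a common place to hide incoming mail (pattern is an assumption).
        if ("$($rule.MoveToFolder)" -match 'RSS|Archive|Conversation History|Junk') {
            $reasons += "moves mail to $($rule.MoveToFolder)"
        }
        if ($rule.Name -match '^[\s\W]*$') { $reasons += 'blank or punctuation-only rule name' }
        if ($reasons) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name; Reason = ($reasons -join '; ') }
        }
    }
}
$findings | Format-Table -AutoSize

# Who created or changed rules in the last 30 days, and from where? (Needs ingestion enabled above.)
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox -ResultSize 5000 |
    ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json   # per-record detail is a JSON string
        [pscustomobject]@{ When = $_.CreationDate; User = $_.UserIds; Operation = $_.Operations; ClientIP = $data.ClientIP }
    } | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run the rule sweep on a schedule and diff its output against the previous run: a rule that forwards to a domain you do not own, deletes mail, or appears with a name like “.” is exactly the kind of change step 4 says is often the only visible sign of a takeover, and the audit-log query tells you which account and client IP created it.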

These are a couple of tricks I’ve learned along the way—from having to clean up O365 account takeovers—that I hope you will seriously consider for your IT team (and clients). If you want a more thorough assessment of your O365 accounts and are concerned about what hackers may have access to if an account takeover occurred, we provide a comprehensive look through our mini penetration tests.