Mitigating the risk of Office 365 account hijacking

Office 365 – the online, subscription-based version of Microsoft’s Office application suite – is one the most widely used enterprise cloud applications/services, which makes it the preferred target of attackers looking to gain access to sensitive business information.

“Once an actor has obtained credentials for an O365 account, not only can the account access be used to access documents across a user’s O365 surface (SharePoint, OneNote etc.) but it can also be used as a launchpad to carry out further compromises within an organisation,” UK’s National Cyber Security Centre warns.

“(We are) aware of several incidents involving the compromise of O365 accounts within the UK, including the use of such methods in targeted supply chain attacks. The ultimate objective of this type of targeting is not clear and the attacks appear not to be limited to any particular sector or attributed to any single threat actor.”

A way in for attackers

Attackers are constantly finding new ways to bypass Office 365’s built-in security. According to Vircom’s threat intelligence, the majority of accounts compromised within Office 365 fall victim to previously compromised Office 365 accounts.

The attackers are after information and access that can be used to manipulate the movement of money, steal sensitive commercial information, distribute spear phishing emails, gain access to users’ other online accounts.

According to the NCSC, they usually opt for one of two approaches to break into O365 accounts: brute forcing or spear phishing.

The former is usually limited to specific individuals in organisations to reduce the chances of attack detection by the cloud service provider. The latter usually leads targets to a spoofed O365 login page designed to harvest entered account credentials.

Risk mitigation

Using a password manager can help minimize the effectiveness of both these approaches, as users can choose long, complex passwords that are difficult to brute force and the application will not work with spoofed login pages.

The NCSC advises organisations to implement another layer of security: multi-factor authentication (MFA).

“The O365 platform supports a number of different MFA mechanisms and depending on the subscription, organisations are able to use a mixture of different deployments,” they pointed out.

“To implement MFA effectively across an organisation’s O365 platform will require IT departments to understand the user group to which they are intending to roll it out. This is especially crucial when organisations are dealing with a diverse workforce. As an example, organisations that have employees deployed in locations with poor mobile phone coverage may have problems receiving SMS tokens, causing difficulties in access to the O365 platform. In this scenario, organisations should consider the different MFA mechanisms available to them to avoid reluctance in adoption across the wider organisation.”

The NCSC also advises enterprise admins to:

• Implement Microsoft’s published security best practices for Office 365, consider security hardening measures and to keep an eye on the organisation’s O365 configuration,
• Enable a type of MFA for all accounts and enforce it by Conditional Access (they can check what their peers are saying about Office 365 MFA and the approaches they are taking to improve security),
• Disable legacy authentication protocols that do not fully support MFA (as part of an organisation’s Conditional Access policy),
• Make sure that they are collecting audit data to give insight into any attempted or successful breaches, and
• Implement and keep on top od device hardening measures and efforts (ensure that devices are fully patched, are not using administrative privileges, have malware defences in place and are collecting security logs).