As the use of Microsoft’s Office 365 grows – encompassing services like Exchange, Teams, SharePoint, OneDrive, and more – the amount of data stored in the cloud is proving to be a tempting target for some of the world’s most sophisticated hacking operations, according to cybersecurity researchers at FireEye Mandiant.
“The amount of data in Office 365 is just huge and attackers are obviously interested in that data. But they can also access this data just about anywhere in the world,” Doug Bienstock, senior consultant at Mandiant, told , following research presented at the Black Hat USA virtual security conference.
“Office 365 is also a gateway for organizations to access other applications as a single sign-on platform,” Bienstock explained.
It often doesn’t take much for hackers to compromise the networks of the organizations they target: it is possible to acquire lists of employee email addresses at a company, and attackers will attempt to use brute-force attacks to crack any common or weak passwords. It doesn’t even have to be a spear-phishing attack. Some attacks, however, are much more sophisticated.
“The attacker will take valid credentials, connect to the VPN and roam the network with the intention of elevating his privileges to a global administrator account for Office 365,” says Josh Madeley, senior consultant at Mandiant and co-author of the presentation.
It is believed that a large majority – if not all – of state-backed Advanced Persistent Threat (APT) groups are interested in deploying this type of attack. But APT35, a hacking operation in Iran, has made this one of its common techniques: Madeley explains that exploiting cloud services to access sensitive information has become a hallmark tactic of APT35.
“They will have access to your Office 365 environment and then use the security tools to find the contents of every mailbox, every Teams chat, every SharePoint document,” he explained.
From there, APT35 searches for credentials that will give them access to other services, even other businesses, wherever they can extract sensitive information.
Hackers aren’t trying to exploit a specific weakness in Office 365, but the fact that it has become a central part of companies’ IT infrastructure makes it an attractive target. The way businesses and users secure Office 365 could be improved to protect against such attacks. The first step organizations can take to prevent attacks is to ensure that common, easily guessed passwords are not used.
Organizations should also ensure that Multi-Factor Authentication is applied to as many employee accounts as possible, so that in the event of theft or exposure of a password, there is an additional layer of defense to stop the attacks.
“The two most important things we recommend are to enable MFA and do it smartly with as few exceptions as possible. So everyone in the organization and every application should apply MFA – and think about how often you want to do it,” Bienstock says.
It is also recommended that organizations take the time to understand the activity on their networks, so that it is possible to detect and stop suspicious activity before it causes significant damage.
“There is good out-of-the-box security in Office 365, but if you need to protect yourself against APTs, it takes time and effort to analyze the logs and put robust monitoring in place so you can see that something suspicious is going on so you can cut them off,” he says.
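
As an illustration of the log analysis recommended above, the following added example (not from Mandiant's research or from Microsoft) flags the password-guessing pattern described earlier: one source failing to sign in to many different accounts in a short period. The record layout, thresholds, addresses and account names are constructed for the example and are not an Office 365 log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: (timestamp, source IP, account, result).
# Hypothetical layout for illustration, not an Office 365 log format.
SAMPLE_EVENTS = [
    ("2020-08-06T09:00:05", "203.0.113.10", "alice@example.com", "failure"),
    ("2020-08-06T09:00:40", "203.0.113.10", "bob@example.com", "failure"),
    ("2020-08-06T09:01:10", "203.0.113.10", "carol@example.com", "failure"),
    ("2020-08-06T09:01:45", "203.0.113.10", "dave@example.com", "failure"),
    ("2020-08-06T09:02:20", "203.0.113.10", "erin@example.com", "success"),
    # One user mistyping a password: many failures, but a single account.
    ("2020-08-06T09:05:00", "198.51.100.7", "alice@example.com", "failure"),
    ("2020-08-06T09:05:30", "198.51.100.7", "alice@example.com", "failure"),
    ("2020-08-06T09:06:00", "198.51.100.7", "alice@example.com", "success"),
    # Failures on several accounts, but spread over hours (shared office IP).
    ("2020-08-06T08:00:00", "192.0.2.44", "bob@example.com", "failure"),
    ("2020-08-06T10:00:00", "192.0.2.44", "carol@example.com", "failure"),
    ("2020-08-06T12:00:00", "192.0.2.44", "dave@example.com", "failure"),
    ("2020-08-06T14:00:00", "192.0.2.44", "erin@example.com", "failure"),
]

def detect_spray(events, window=timedelta(minutes=10), min_accounts=4):
    """Return {ip: {"targeted": [...], "succeeded": [...]}} for sources whose
    failed sign-ins hit at least min_accounts distinct accounts within window."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, result))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        fails = [(t, u) for t, u, r in rows if r == "failure"]
        targeted, start = set(), 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            in_window = {u for _, u in fails[start:end + 1]}
            if len(in_window) >= min_accounts:
                targeted |= in_window
        if targeted:
            # A success from the same source after its failures began is the
            # account to investigate first: the guess may have worked.
            hits = {u for t, u, r in rows if r == "success" and t > fails[0][0]}
            findings[ip] = {"targeted": sorted(targeted), "succeeded": sorted(hits)}
    return findings

if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_EVENTS).items():
        print(ip, info)
```

Accounts listed under `succeeded` are the ones to prioritize for a password reset and an MFA check.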