Office 365 Security: Exploring the Main Attacks and Exploits


There’s no doubt that cloud computing is the current big trend in the Middle East. And while there are plenty of services, it’s evident that Office 365 has earned its place at the centre of all the buzz. Today, it is the most popular enterprise cloud service with utilization in an incredible 91.4% of organizations[1].
It’s no surprise then that this meteoric rise of Office 365 has been closely shadowed by an increase in the number of threats that organizations and users of this cloud service face. This is a trend that the Help AG Managed Security Services (MSS) team has been closely tracking, and based on our observations and expertise, we’d now like to share the key Office 365 attacks that you need to protect your business against.
Phishing is the most common attack against Office 365. With this, an attacker aims to impersonate a legitimate entity or individual to gain the target’s trust and obtain their identifiable information. This data could include Office 365 usernames and passwords and is generally captured either directly or through malicious links. And while traditional forms of phishing are well known, attackers continue to innovate and enhance their attacks. That’s why today, phishing comes in a variety of forms, targeting users through emails, attachments, instant messages, hyperlinks, macros, and more.
Cloud to Cloud
The cloud-to-cloud approach involves executing brute-force attacks on a few accounts at a time. Also referred to as a “low-and-slow” attack, it assumes that a user was careless enough to use the same password across multiple accounts, especially Software-as-a-Service (SaaS) solutions such as the Office 365 platform. Often, over a period of several months – by trial and error and by using multiple IP addresses at a time on one account – hackers are able to breach a handful of high-value accounts.
Password Spraying
A normal brute force attack will try to log in to a single account with a trial and error approach that attempts to input multiple username/password combinations per second. This is not very effective as Microsoft has implemented built-in security policies that will lock out the attacker after a certain number of incorrect attempts have been made.
To circumvent this security feature, attackers have devised a more sophisticated attack that involves harvesting a large list of target usernames. They accomplish this through a variety of means such as probing attacks, IP sniffing, or scraping social media sites like LinkedIn. They then attempt to gain access to all these accounts at once with a single password combination. Furthermore, they ensure that these attempts on multiple accounts have a time delay to avoid detection.
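A detection sketch for the spraying pattern described above, added here as an example and not taken from Help AG or Microsoft: it flags a source whose failed sign-ins within one window touch many accounts while staying under a per-account attempt count, then lists any account that source subsequently signed in to. The record layout, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (time, account, source IP, outcome); the field
# layout is an assumption and does not mirror any real Office 365 log schema.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "alice@example.com", "203.0.113.7", "fail"),
    ("2024-01-10T09:04:00", "bob@example.com", "203.0.113.7", "fail"),
    ("2024-01-10T09:09:00", "carol@example.com", "203.0.113.7", "fail"),
    ("2024-01-10T09:13:00", "dave@example.com", "203.0.113.7", "fail"),
    ("2024-01-10T09:18:00", "svc-backup@example.com", "203.0.113.7", "success"),
    # A user mistyping a password: many failures, but only one account.
    ("2024-01-10T09:01:00", "erin@example.com", "198.51.100.20", "fail"),
    ("2024-01-10T09:01:20", "erin@example.com", "198.51.100.20", "fail"),
    ("2024-01-10T09:01:45", "erin@example.com", "198.51.100.20", "fail"),
    ("2024-01-10T09:02:10", "erin@example.com", "198.51.100.20", "success"),
]


def find_spray_sources(events, window=timedelta(hours=1), min_accounts=4, max_per_account=2):
    """Return {ip: {"targets": [...], "compromised": [...]}} for sources whose
    failures in one window hit many accounts with few attempts on each."""
    by_ip = defaultdict(list)
    for ts, user, ip, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        fails = [(t, u) for t, u, o in rows if o == "fail"]
        for i, (start, _) in enumerate(fails):
            # Count failures per account inside the window opening at this event.
            per_user = defaultdict(int)
            for t, u in fails[i:]:
                if t - start > window:
                    break
                per_user[u] += 1
            wide = len(per_user) >= min_accounts
            shallow = max(per_user.values()) <= max_per_account
            if wide and shallow:
                # A success from the same source after the spray began is the
                # account most likely to have had the guessed password.
                hits = sorted({u for t, u, o in rows if o == "success" and t >= start})
                findings[ip] = {"targets": sorted(per_user), "compromised": hits}
                break
    return findings
```

Grouping by source IP is itself an assumption: a spray spread across many addresses will not trip this check and needs a different grouping key.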
Office 365 has been observed to be targeted in a ransomware campaign that infiltrated the communal Office 365 network by pretending to be a private Office 365 mail account. Ransomware can easily spread to Office 365 via ActiveSync or via Google Drive’s sync capability.
Far from being a joke, the Knock-Knock botnet attack makes it into our list of Office 365 attacks as it doesn’t target any user account. Rather, this attack looks for service accounts, automation accounts, machine accounts, marketing accounts, and internal accounts. The reason for this is that these accounts are not monitored by anyone, they have higher privileges than the average account, and they don’t work well with security systems such as two-factor authentication or single sign-on policies. The botnet performs its attack by ‘knocking’ softly on these accounts without revealing itself or drawing attention. Once it gains access, the attack creates new inbox rules to divert emails and incoming messages before beginning to distribute phishing attacks.
Needless to say, there are multiple tools and techniques, such as MailSniper, Harvest, SensePost Ruler, and Evilginx2, which can effectively exploit Office 365 vulnerabilities and weak configurations. However, what we’ve outlined above are the top threats we believe you should be aware of.
In our next blog post of this series, we’ll look at another key reason Office 365 accounts get hacked – misconfiguration. And of course, since Help AG is the region’s trusted cybersecurity adviser, we’ll provide our top tips and recommendations to help you take advantage of this great cloud service without compromising security. So, stay posted!
