Cyber criminals hijacked Office 365 accounts of employees at 29 percent of organisations in March alone, signifying the pace at which Office 365 accounts have been breached over the past year and then leveraged by fraudsters to target more organisations and vendors.
Earlier this year, a report from Proofpoint revealed how cyber criminals were using millions of credentials that were leaked/stolen in the recent past to carry out a large number of brute-force attacks on popular cloud applications including Office 365 and Google G Suite.
Proofpoint's analysis showed that the Collection #1 data breach, which involved the exposure of nearly 773 million unique email addresses and over 21 million unique passwords through an unsecured database, drove a 60% increase in breached user accounts, as hackers used usernames and passwords from the database to carry out brute-force attacks on cloud applications including Microsoft Office 365 and Google G Suite.
Leaked credentials & legacy protocols used in ATO attacks
Even though leaked credentials for Office 365 accounts have served as the most powerful weapon for cyber criminals infiltrating corporate networks and accessing internal email, they are also using a variety of other methods to infiltrate Office 365 accounts or to lure employees into revealing their credentials.
According to Proofpoint, hackers have also been leveraging legacy protocols such as IMAP to bypass multifactor authentication. As many as 60% of Microsoft Office 365 and G Suite users were targeted using IMAP-based password-spraying attacks and 44% of accounts at targeted organisations were breached using this technique. These attacks also successfully breached one in four cloud accounts owned by Office 365 and G Suite tenants.
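The IMAP password-spraying pattern described above leaves a recognisable trace in tenant sign-in logs: one source address attempting legacy-protocol logins against many different accounts. The following is an added defender-side example (not code from Proofpoint or the article) that flags that pattern over constructed sample records; the field names mirror the Azure AD sign-in log schema, but the values are invented.

```python
from collections import defaultdict

# Client types that use basic authentication and therefore cannot complete an
# MFA challenge; a spray through these is the case the article describes.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}

# Constructed sample sign-in records (error code 50126 = invalid credentials,
# 0 = success). IPs are documentation ranges, not real infrastructure.
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.7",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.7",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.7",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}},
    {"userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.7",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},  # spray hit
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.9",
     "clientAppUsed": "Browser", "status": {"errorCode": 0}},  # normal login
    {"userPrincipalName": "erin@example.com", "ipAddress": "198.51.100.9",
     "clientAppUsed": "Browser", "status": {"errorCode": 50126}},
]


def detect_legacy_spray(events, min_users=3):
    """Return {ip: summary} for source IPs that attempted legacy-protocol
    sign-ins against at least `min_users` distinct accounts. Any account in
    `succeeded_users` was reached without MFA and should be triaged first."""
    per_ip = defaultdict(lambda: {"failed_users": set(), "succeeded_users": set()})
    for ev in events:
        if ev["clientAppUsed"] not in LEGACY_CLIENTS:
            continue  # modern-auth clients can enforce MFA; not the spray surface
        bucket = per_ip[ev["ipAddress"]]
        key = "succeeded_users" if ev["status"]["errorCode"] == 0 else "failed_users"
        bucket[key].add(ev["userPrincipalName"])
    findings = {}
    for ip, b in per_ip.items():
        users = b["failed_users"] | b["succeeded_users"]
        if len(users) >= min_users:  # many accounts, one source: spraying
            findings[ip] = {"distinct_users": len(users),
                            "failed_users": sorted(b["failed_users"]),
                            "succeeded_users": sorted(b["succeeded_users"])}
    return findings


if __name__ == "__main__":
    for ip, finding in detect_legacy_spray(SIGN_INS).items():
        print(ip, finding)
```

The browser sign-ins from the second address are ignored because modern authentication can enforce MFA; the practical mitigation the detection points to is disabling basic authentication for IMAP/POP/SMTP on the tenant.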
A new report from Barracuda also states that cyber criminals are now using a combination of "brand impersonation, social engineering, and phishing" to lure targeted employees into visiting phishing pages and typing in their account credentials. Using this combination, as well as credential leaks via unsecured servers, cyber criminals have been able to breach roughly 4,000 Office 365 accounts via account takeover (ATO) attacks.
The firm revealed that in March alone, 29 percent of organisations had their Office 365 accounts infiltrated by hackers, who then used these compromised accounts to deliver more than 1.5 million malicious and spam emails in the same month to target more employees, organisations, and vendors.
Considering that the report only contains data obtained from a limited number of organisations, the true number of Office 365 accounts infiltrated and used for malicious purposes could be far higher once data from across the UK are collated.
"With more than half of all global businesses already using Office 365 and adoption continuing to grow quickly, hackers have set their sights on taking over accounts because they serve as a gateway to an organisation and its data — a lucrative payoff for the criminals," the firm said.
Fraudsters leverage the human factor to hijack Office 365 accounts
The firm added that cyber criminals usually focus on breaching the business accounts of executives and finance department employees, harvesting their credentials through spear phishing and brand impersonation. They also use compromised accounts to steal personal, financial, and confidential data, and use such data to commit identity theft, fraud, and other crimes.
"The most important thing to remember in light of the percentage of Office 365 compromised by ATO attacks is that even known senders should not be trusted by default. Barracuda Networks’ findings should come as a reminder that we are all likely to receive at least some form of phishing email in our inbox, and that caution is a requirement when opening any email," says Corin Imai, senior security advisor at DomainTools.
"Most criminal groups running these campaigns are refining their techniques in an attempt to make their emails seem legit. However, there is usually at least one detail that gives away that the message might be a scam, be it unusual phrasing or a link with a suspicious URL.
"Although it may sound trite to repeat this, phishing attacks are counting on an oversight from the human component of an organisation’s security posture. This is a vulnerability we would love to patch, meaning we need to take education seriously and ensure that phishing prevention is part of each employee’s training package," she adds.