Account takeover in Office 365 is said to be becoming the largest security threat in the cloud. Vectra acknowledges this and, in an interview with Security MEA, Ammar Enaya, regional director – Middle East, Turkey & North Africa (METNA) at Vectra AI, elaborates on some of the key points related to cyber-attacks and Office 365.
What are the top three most suspicious behaviors in Office 365?
Attackers use several common techniques to get access to users’ Office 365 accounts, including:
- Searching through emails, chat histories, and files looking for passwords or interesting data
- Setting up forwarding rules to get access to a steady stream of email without needing to sign-in again
- Leveraging the trusted communication channel — the email isn’t spoofing an email from the CEO; it is an email from the CEO — to socially engineer employees, customers or partners
- Planting malware or malicious links in documents that many people trust and use, again leveraging trust to get around prevention controls that may trigger warnings
- Stealing or holding files and data for ransom
How do attackers use native Office 365 services to enable attacks?
Smart cybercriminals can launch attacks that are far more sophisticated, targeting legitimate tools and services such as Power Automate, Microsoft eDiscovery and OAuth.
Power Automate – Microsoft Power Automate lets users create custom integrations and automated workflows between Office 365 applications. It is enabled by default and includes connectors to hundreds of third-party applications and services. Power Automate’s wide availability and ease of use also make it a particularly useful tool for attackers to orchestrate malicious command-and-control and lateral movement behaviors.
eDiscovery – Microsoft eDiscovery is an electronic discovery tool that searches across Office 365 applications and data and exports the results. Attackers use eDiscovery as a powerful internal reconnaissance and data exfiltration tool.
OAuth – OAuth is an open standard for access authentication. It is utilized by third-party applications to authenticate users by employing Office 365 login services and the user’s associated credentials. Attackers are leveraging OAuth-enabled malicious Azure applications to maintain persistent access to users’ Office 365 accounts.
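The forwarding rules, OAuth application consents and eDiscovery exports described above all leave traces in the Office 365 unified audit log. The following is an added example (not Vectra's code or the product's detection logic) of a small triage pass over such records: it flags inbox rules that forward outside the tenant, consents that grant mailbox or file scopes, and eDiscovery export events. The tenant domain, the sample records, and the exact operation and field names are assumptions for the example.

```python
import json
import re

TENANT_DOMAINS = {"contoso.example"}  # constructed: domains the tenant owns
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"}

# Constructed records shaped like Office 365 unified audit log entries; the operation
# and field names are assumptions for this example, not copied from a real tenant.
SAMPLE_AUDIT_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
                "Parameters": [{"Name": "Name", "Value": "Cleanup"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@attacker.example"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "bob@contoso.example",
                "Parameters": [{"Name": "ForwardTo", "Value": "helpdesk@contoso.example"}]}),
    json.dumps({"Operation": "Consent to application.", "UserId": "carol@contoso.example",
                "ModifiedProperties": [{"Name": "ConsentAction.Permissions",
                                        "NewValue": "[] => [[ClientId: constructed-app-id, "
                                                    "ConsentType: AllPrincipals, Scope: Mail.Read User.Read offline_access]]"}]}),
    json.dumps({"Operation": "SearchExported", "UserId": "dave@contoso.example",
                "ObjectId": "Constructed-Case-01"}),
]

def external_targets(params):
    """Forwarding/redirect addresses in an inbox-rule record that leave the tenant."""
    addrs = [a for p in params if p.get("Name") in FORWARD_PARAMS
             for a in re.findall(r"[\w.+-]+@[\w.-]+", str(p.get("Value", "")))]
    return [a for a in addrs if a.rsplit("@", 1)[1].lower() not in TENANT_DOMAINS]

def triage(record):
    """Return (category, user, detail) when a record deserves analyst attention, else None."""
    op, user = record.get("Operation", ""), record.get("UserId", "")
    if op in ("New-InboxRule", "Set-InboxRule"):
        if ext := external_targets(record.get("Parameters", [])):
            return ("mail-forwarding", user, ", ".join(ext))
    elif op == "Consent to application.":
        scopes = set()
        for prop in record.get("ModifiedProperties", []):
            if prop.get("Name") == "ConsentAction.Permissions":
                m = re.search(r"Scope:\s*([^,\]]+)", prop.get("NewValue", ""))
                scopes.update(m.group(1).split() if m else [])
        if scopes & RISKY_SCOPES:
            return ("oauth-consent", user, " ".join(sorted(scopes & RISKY_SCOPES)))
    elif op == "SearchExported":  # eDiscovery bulk export: reconnaissance/exfiltration signal
        return ("ediscovery-export", user, record.get("ObjectId", ""))
    return None

def scan(lines):
    """Run triage over JSON-encoded audit lines and collect findings in log order."""
    return [f for f in (triage(json.loads(line)) for line in lines) if f]
```

The internal forward for bob is intentionally not flagged; the point is forwarding that crosses the tenant boundary, which is the steady-stream exfiltration pattern the interview describes.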
In fact, research from the Vectra 2020 Spotlight Report on Office 365 found that 96 percent of customers sampled exhibited lateral movement behaviours, 71 percent of customers sampled exhibited suspicious Office 365 Power Automate behaviours and 56 percent of customers sampled exhibited suspicious Office 365 eDiscovery behaviours.
Elaborate on the importance of ‘Cognito Detect’ for Office 365 in light of ‘Office 365 Spotlight Report’.
As the industry’s first network detection and response (NDR) solution for the cloud, Vectra Cognito Detect for Office 365 extends the proven platform that currently protects public clouds, private data centers, and enterprise environments to Microsoft Office 365. The award-winning approach leverages security research combined with data science to create an AI that understands real attacker behaviors and account privilege abuse in Office 365. By taking a cloud-native approach, Cognito Detect for Office 365 detects and stops known and unknown attacks before they lead to breaches, without relying on preventative security.
Vectra Cognito for Office 365 ingests activity logs from multiple services like O365, Azure AD, SharePoint/OneDrive, Teams, and Exchange. The Vectra Cognito AI has a deep understanding of Office 365 application semantics and leverages supervised and unsupervised Machine Learning models. By analysing events like logins, file creation/manipulation, DLP configuration, and mailbox routing configuration & automation changes, it accurately finds attacker behavior patterns across the entire Attacker Kill Chain. The result is high-precision, actionable detections instead of anomaly alerts, which accurately expose even novel and never-before-seen attackers with high confidence. The detections are correlated to all accounts and devices involved, which provides the security team the prioritization and narrative to act quickly.
What are the key takeaways from the Office 365 spotlight report?
Attacks that target software-as-a-service (SaaS) user accounts are one of the fastest-growing and most prevalent problems for organisations, even before COVID-19 forced the vast and rapid shift to remote work. With many organisations increasing their cloud software usage, Microsoft has dominated the productivity space, with more than 250 million active users each month. Office 365 is the foundation of enterprise data sharing, storage, and communication for many of those users, making it an incredibly rich treasure trove for attackers.
Even with the increasing adoption of security postures to protect user accounts such as multifactor authentication (MFA), 40 percent of organisations still suffer from Office 365 breaches, leading to massive financial and reputational losses. In a recent study, analyst firm Forrester Research put the cost of account takeovers at $6.5 billion to $7 billion in annual losses across multiple industries.
Unfortunately, identifying user access misuse has been treated as a static problem using approaches that are prevention-based, policy control-centric or rely on manual entitlements that surface threats as they occur, leaving little time to properly respond. These approaches continue to fail. Security teams must have detailed context that explains how entities utilise their privileges — known as observed privilege — within SaaS applications like Office 365. Just as attackers observe or infer interactions between entities, defenders should think similarly about their adversaries. This translates into understanding how users access Office 365 resources and from where, but without looking at the full data payload to protect privacy. It is about the usage patterns and behaviours, not the static access. Ideally, when security teams have solid information and expectations about SaaS platforms, malicious behaviors and privilege abuse will be much easier to quickly identify and mitigate.