The NTT October GTIC report is out. This month it looks at how and why your Office 365 email is an attractive target for cybercriminals. Next month, it will look at how to protect Office 365 to reduce the risk of a successful attack. It also reveals some new facets of the activity of APT29 and the changing nature of ransomware.
In this first part of a drill into Office 365, Zaza Handy, Senior Consultant, Digital Forensics and Incident Response, UK, takes a look at what is in our email. She writes: “HR information, sensitive client data, payment card data, business trade secrets, passwords and even juicy gossip that could embarrass people or expose them to blackmail.”
Such an extensive list of sensitive data raises an immediate question. When did your organisation last do a risk assessment of the contents of email? For many businesses, the answer is probably never. Email has become such a widely used element of communication and few people think about what they send and who they send it too.
It also seems to be widely accepted that business email addresses are fair game for non-work related use. As Handy commented, email contains: “juicy gossip that could embarrass people or expose them to blackmail.” Too many people use business email addresses as their personal email. They communicate with banks, credit card companies, doctors, dentists, their best friends. As such, corporate email systems contain swathes of highly personal data that should never have been there in the first place.
User credentials are gold dust to an attacker
Three years ago, the UK National Cyber Security Centre (NCSC) warned about Office 365 compromise. Since then, there has been a significant increase in the number of reported attacks. In August 2021, Microsoft warned of a widespread credential phishing campaign that was affecting Office 365. It is just the latest warning that Microsoft has issued.
Getting valid credentials to Office 365 is gold dust to an attack. As Handy writes: “With successful intrusion into an organization’s mail system using stolen credentials, an attacker doesn’t need malware to take over email accounts, steal data and impersonate your employees to commit financial fraud or other nefarious activities. Worse yet, if the attacker can use a valid password, the organization is more likely to trust their actions since they appear to act as the employee. An attacker with valid credentials won’t raise the same alarms as unauthorized activity would.”
Not just a single attacker
One of the things that Handy calls out is that attacks are rarely carried out by a single individual. From reconnaissance to compromise, exfiltration of data and eventually exploitation, multiple groups are often involved. This is all about a business supply chain where Office 365 credentials are gathered and traded for different uses.
Handy goes on to describe the way mailboxes are compromised and how the credentials are used. Some are used to extort victims, others to launch new attacks such as spear-phishing of contacts or business email compromise. The latter is especially effective if the attacker can gain full control of a users email. Handy gives an example of how this plays out saying: “The most common motive in most of our engagements was financial, where the attacker actively attempts to convince the receiving party to amend payment details on invoices.”
It will be interesting to see what strategies Handy suggests next month in how to detect and prevent these attacks.
Enterprise Times: What does this mean?
Attacks on Office 365 mailboxes are set to be part of the background cybersecurity threat noise. There is no question that mailboxes are a hugh source of intelligence. It raises the question as to why so few companies spend time cleaning up mailboxes and doing more to control the type of data in them. From a business perspective, there is a financial incentive to do this. Not just to protect data and avoid a costly breach fine but to help prevent other attacks.
At a more personal level, losing personal data on employees or customers is deeply embarrassing. It is the sort of thing that has long term reputational damage for a company. If the email account also leads to an attack that compromises others, that can be extremely damaging to a business.
Before Handy publishes her guide to prevention and protection of Office 365, perhaps it’s time to take a closer look at what’s in your email.