Introduction

The digital landscape continually evolves, and with it, the sophistication and prevalence of cyber threats. One such pressing challenge is the surge in Microsoft 365 (M365) account takeovers (ATO). According to Sift's Q3 2023 Digital Trust & Safety Index, ATO attacks increased 354 percent year-over-year in 2023. The same report revealed that 22 percent of U.S. adults have fallen victim to ATO, affecting approximately 24 million households.

These figures highlight the need for enhanced security measures and proactive defense strategies. This article aims to provide insights into ATO attacks, prevailing tactics used by threat actors, and actionable ways to harden your M365 environment.

Understanding the M365 Account Takeover Threat Landscape

As our dependence on digital platforms grows, so does the risk to our data and online accounts from unauthorized access and exploitation. The cybersecurity firm Expel reported that identity-based attacks such as account compromise, account takeover, and access key theft accounted for 57 percent of all cybersecurity incidents identified in their first quarter threat report in 2023.

With account-based attacks accounting for over half of 2023's cybersecurity incidents, it is no surprise that the darknet is a thriving marketplace for stolen data and credentials. SpyCloud's 2023 Annual Identity Exposure Report disclosed a clear trend: its annual analysis of data recaptured from the darknet showed a 72 percent password reuse rate among users exposed in two or more breaches in the last year, an 8-point increase from 64 percent the previous year. Notably, this habit of password reuse was identified as the primary culprit in the 23andMe data breach reported in October 2023.

A less discussed aspect of the ATO threat landscape is the perception of responsibility and notification. According to Sift's Q3 2023 Digital Trust & Safety Index, 73 percent of consumers believe that brands are responsible for ATO attacks and should protect account credentials. Despite this expectation, the same report found that only 43 percent of victims were notified by companies when their information was compromised, highlighting a disconnect between consumer expectations and corporate practices in handling ATO incidents.

ATO Tactics

To defend against ATO attacks effectively, understanding the tactics employed by cybercriminals is crucial. Below is an overview of the most prevalent pre- and post-compromise methods.

Account Compromise and New Inbox Rules

Cybersecurity firm Expel reported that account compromise, followed by the creation of new inbox rules designed to hide malicious activity, was among the most popular hacking tactics of 2023. Once threat actors compromise an email account, they create inbox rules that automatically delete or hide certain emails in the compromised mailbox. This reduces the chances of the victim or an IT administrator spotting the unusual activity.

Multifactor Authentication Bypass

Another common hacking tactic is multifactor authentication (MFA) bypass. Attackers target Software as a Service (SaaS) applications like Okta and M365 by stealing session cookies, registering malicious OAuth applications, and authenticating using legacy protocols. This area has seen a significant shift in threat actor tradecraft: attackers are moving away from legacy-protocol authentication as their M365 MFA bypass and adopting frameworks that launch Attacker-in-the-Middle (AiTM) phishing campaigns instead.

Vulnerabilities and Insider Threats

Software vulnerabilities are often exploited to gain initial access. However, these security bugs leveraged by threat actors tend to be at least a year old, indicating organizations' struggle to prioritize and patch vulnerabilities. Additionally, there's a rise in insider threats, with misuse of cloud storage and file synchronization services like Google Drive and OneDrive.

Strengthening Office 365 Security Measures

While no security control is absolute, organizations can take steps to proactively harden their environments and reduce exposure. Per Microsoft’s playbook, organizations should regularly review user-created inbox rules for the following:

  • Keywords: Look for suspicious criteria in the rules, such as specific keywords (e.g., "invoice," "phish").
  • Destination Folder: To avoid detection, attackers may move the emails to a less visible folder and mark them as read. If the "MoveToFolder" and "MarkAsRead" actions are applied, the destination folder should be checked for any relation to the keywords in the rule.
  • Delete All: A rule to delete all incoming emails without any keyword filter is often a sign of malicious activity.
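The three review criteria above can be applied mechanically to an exported list of inbox rules. The following is an added example (not code from the article or from Microsoft's playbook) that triages constructed sample rules; the field names are assumed to follow what Exchange Online's Get-InboxRule reports (SubjectContainsWords, MoveToFolder, MarkAsRead, DeleteMessage), and the keyword and folder lists are assumptions to tune for your environment.

```python
"""Triage exported inbox rules against the review criteria above.

Added example, not from the article or Microsoft's playbook. Sample rules are
constructed; field names loosely follow Get-InboxRule output (an assumption
about your export format).
"""

# Keyword criteria the article calls suspicious, plus a few finance terms
# (assumption: tune this list for your environment).
SUSPICIOUS_KEYWORDS = {"invoice", "phish", "payment", "wire", "password"}
# Low-visibility destinations commonly used to hide mail (assumption).
LOW_VISIBILITY_FOLDERS = {"rss feeds", "rss subscriptions", "archive",
                          "junk email", "deleted items", "conversation history"}


def review_rule(rule):
    """Return the reasons a single rule deserves analyst review ([] if none)."""
    findings = []
    words = [w.lower() for w in (rule.get("SubjectContainsWords") or [])
             + (rule.get("BodyContainsWords") or [])]
    keyword_hits = sorted({w for w in words if any(k in w for k in SUSPICIOUS_KEYWORDS)})
    if keyword_hits:
        findings.append(f"suspicious keyword criteria: {keyword_hits}")

    folder = rule.get("MoveToFolder") or ""
    leaf = folder.split("\\")[-1].lower()  # last path component of "\Parent\Child"
    if folder and rule.get("MarkAsRead"):
        # Move + mark-as-read together: check where the mail actually ends up.
        if leaf in LOW_VISIBILITY_FOLDERS:
            findings.append(f"moves mail to low-visibility folder '{folder}' and marks it read")
        elif keyword_hits:
            findings.append(f"hides keyword matches in '{folder}' as read")

    has_filter = bool(words or rule.get("From") or rule.get("FromAddressContainsWords"))
    if rule.get("DeleteMessage") and not has_filter:
        findings.append("deletes all incoming mail with no filter")
    return findings


def triage(rules):
    """Map rule name -> findings for every rule that has at least one finding."""
    flagged = {}
    for rule in rules:
        findings = review_rule(rule)
        if findings:
            flagged[rule["Name"]] = findings
    return flagged


# Constructed sample export: two rules matching the criteria above, one benign.
SAMPLE_RULES = [
    {"Name": "Invoices", "Enabled": True, "SubjectContainsWords": ["invoice", "payment"],
     "MoveToFolder": "\\RSS Feeds", "MarkAsRead": True},
    {"Name": "Cleanup", "Enabled": True, "DeleteMessage": True},
    {"Name": "Newsletters", "Enabled": True, "From": ["news@example.com"],
     "MoveToFolder": "\\Newsletters", "MarkAsRead": False},
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_RULES).items():
        print(name, "->", "; ".join(findings))
```

Feed it the JSON output of `Get-InboxRule -Mailbox <user> | ConvertTo-Json` (assumed export path) and route flagged rule names into your incident response workflow.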

If suspicious activity is detected, organizations must adhere to internally adopted Incident Response Playbooks, which should include, at a minimum:

  • Disable the malicious inbox rule.
  • Reset the user account’s credentials.
  • Identify the IP address and underlying attributes used to create the rule and check for other suspicious activities within the cloud environment.
  • Investigate user activities before the rules were created, looking for indicators of compromise. Validate login activities and check for any alerts the user receives, which might suggest a compromised account.

Additional Security Measure Considerations

While the strategies mentioned earlier for monitoring and responding to suspicious activity in Microsoft 365 are essential, organizations should also consider adopting additional security measures such as FIDO2 and certificate-based authentication to further harden credentialed access within their environments. More information regarding FIDO2 can be found at https://fidoalliance.org/how-f....

Conclusion

The increasing prevalence of ATO attacks underscores the critical importance of comprehensive and evolving security measures. Organizations must stay informed about the latest threats, understand the tactics employed by cybercriminals, and implement robust, proactive defense strategies, ensuring that policies and security controls reflect the current environment and best practices. Those best practices should include, at a minimum, adopting strong password policies or implementing FIDO2 and certificate-based authentication, regularly reviewing alerts and user-created rules, and ensuring transparency from service providers. This approach reflects the shared responsibility between organizations and their partners in hardening their environments.

Resources

Sift’s Q3 2023 Digital Trust & Safety Index https://pages.sift.com/rs/526-...
Expel Quarterly Threat Report Q3 2023 https://expel.com/thanks-expel...
SpyCloud 2023 Annual Identity Exposure Report https://engage.spycloud.com/rs...
Security.org https://www.security.org/digit...
Microsoft.com https://learn.microsoft.com/en...

Joshua Ivy, Information Security Analyst

Joshua is a new addition to the TraceSecurity team, bringing with him a wealth of experience from 20 years of service in the US Navy, with his last two years spent as an ISSM in Virginia Beach. He currently holds multiple industry certifications, most notably, CompTIA Security+, Pentest+, CySA, and is looking forward to graduating with a Bachelor's in Cybersecurity Technologies by the end of 2024. At TraceSecurity, he primarily focuses on penetration tests, risk assessments, and IT security audits.