Cofense, a security company that focuses on phishing defense, released a report on September 3, 2019 describing a phishing campaign that uses hijacked Office 365 accounts to host its lures on legitimate Microsoft infrastructure, so that the links pass security vendors' URL scans.
The initial phishing e-mail asks the recipient to review a document. The link in the e-mail takes the recipient to a compromised SharePoint Online or OneDrive for Business site where a OneNote document is hosted. The OneNote document contains an image preview of the document to be reviewed and a link to download it. When the recipient clicks that link they land on a fake Microsoft login page. When the user tries to log in, the credentials are harvested and can be used to repeat the attack from the newly compromised Office 365 tenant, which is how the campaign keeps supplying itself with trusted hosting. Cofense does not describe other attack scenarios, but it is reasonable to assume the same hosting technique can be used to deliver a malicious payload in addition to harvesting Office 365 credentials.
How do you stop these types of attacks?
Enabling multifactor authentication (MFA) and disabling classic (legacy) authentication in Office 365 is the best answer to this question. A user with MFA enabled may still divulge their password, but without the second factor the attacker cannot complete a modern-authentication sign-in. Disabling legacy authentication is the other half of the control: legacy protocols such as IMAP, POP, SMTP AUTH and older ActiveSync clients accept a bare username and password and never prompt for MFA, so an attacker holding a harvested password can use them to read the mailbox unless they are switched off.
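The following Exchange Online PowerShell script is an added example of the "disable classic authentication" step; it is not code from the Cofense report or from ZAACT. It assumes the ExchangeOnlineManagement module, an admin account, and placeholder policy and user names. MFA itself is turned on per user or, preferably, through an Azure AD Conditional Access policy that requires MFA and blocks legacy authentication clients; that part is done in the portal, not shown here. Note that Microsoft has since disabled Basic authentication for most Exchange Online protocols by default, so on a current tenant this script mainly confirms the state and handles SMTP AUTH, which remains a per-tenant and per-mailbox setting.

```powershell
# Added example (not from the Cofense report or the original post): block legacy (Basic)
# authentication in Exchange Online so a phished password cannot be replayed through
# protocols that never prompt for MFA. Policy name and UPNs below are placeholders.

Connect-ExchangeOnline

# 1. Inventory first. This is exactly the step that breaks old Outlook/IMAP/POP clients,
#    so capture what is enabled today before changing anything.
Get-CASMailbox -ResultSize Unlimited |
    Select-Object DisplayName, ImapEnabled, PopEnabled, ActiveSyncEnabled, SmtpClientAuthenticationDisabled |
    Export-Csv -Path .\cas-mailbox-before.csv -NoTypeInformation

# 2. An authentication policy created with none of the -AllowBasicAuth* switches blocks
#    Basic auth for every client protocol (IMAP, POP, SMTP AUTH, ActiveSync, MAPI, EWS,
#    Autodiscover, Offline Address Book, Remote PowerShell).
$policyName = 'Block Basic Auth'    # assumed name
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# 3. Pilot on a few accounts before touching everyone.
$pilotUsers = @('pilot1@contoso.com', 'pilot2@contoso.com')   # placeholders
foreach ($upn in $pilotUsers) {
    Set-User -Identity $upn -AuthenticationPolicy $policyName
    # Apply immediately instead of waiting for the policy to propagate (up to 24 hours).
    Set-User -Identity $upn -STSRefreshTokensValidFrom (Get-Date)
}

# 4. Once the pilot is clean, make the policy the tenant default. Users with no explicitly
#    assigned policy inherit it; users with another policy assigned keep that one.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 5. SMTP AUTH has its own org-wide switch. Disable it globally and re-enable per mailbox
#    only for devices (scanners, line-of-business apps) that genuinely need it.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# Set-CASMailbox -Identity 'scanner@contoso.com' -SmtpClientAuthenticationDisabled $false

# 6. Verify: anyone explicitly assigned a different policy (blank means "uses the default"),
#    and any mailbox still allowed to use SMTP AUTH.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy -and $_.AuthenticationPolicy -ne $policyName } |
    Select-Object UserPrincipalName, AuthenticationPolicy
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object DisplayName, SmtpClientAuthenticationDisabled

Disconnect-ExchangeOnline -Confirm:$false
```

The pilot-then-default order matters: the inventory CSV from step 1 tells you which mailboxes still have IMAP or POP enabled and will lose access, so those users or devices can be moved to modern-auth clients before the default policy flips.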
In addition, employee education is always a good way to mitigate the risk of these attacks. This campaign has many of the typical indicators of malicious intent: an unexpected request to review a document, a login prompt appearing after a link is clicked, and a URL bar that does not show a Microsoft login domain. If employees check sender addresses, link destinations and the URL bar, and heed warnings from competent endpoint protection, these attacks should be unsuccessful. Check out Microsoft's Office 365 Attack Simulator for more information on how you can proactively test your user base.
How do you know if one of your users has been compromised?
If you have licensing for Microsoft's Security & Compliance Center, check whether the default alert policies have picked up abnormal activity. You can also create custom alert policies to filter out the noise based on your organization's typical activity.
As one concrete example of abnormal activity to look for: the OneDrive and SharePoint links used in this campaign are anonymous "Anyone" links, so anyone holding the link can open the file without signing in. Audit your Office 365 environment for anonymous links that have received a lot of external activity; a file that a single user shared and that has since been opened from many unrelated IP addresses is a strong sign that the account hosting it has been hijacked.
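The following script is an added example of that audit, written for this page and not taken from the Cofense report or from ZAACT. It reads AnonymousLinkCreated and AnonymousLinkUsed events from the Office 365 unified audit log (Search-UnifiedAuditLog, which needs the ExchangeOnlineManagement module, a role with View-Only Audit Logs, and auditing enabled on the tenant) and flags files whose anonymous link has been opened from an unusual number of distinct IP addresses. The threshold and the sample records are assumptions and constructed data, not values from the report.

```powershell
# Added example (not from the Cofense report or the original post): find anonymous
# ("Anyone") sharing links with suspiciously broad use in the unified audit log.

function Get-SuspiciousAnonymousLinks {
    param(
        # Records as returned by Search-UnifiedAuditLog; each carries an AuditData JSON string.
        [Parameter(Mandatory)] [object[]] $Records,
        # Assumed threshold: distinct client IPs that make an anonymous link worth a look.
        [int] $MinDistinctIPs = 5
    )

    $events = foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = [datetime]$d.CreationTime
            Operation = $d.Operation
            Actor     = $d.UserId       # the sharing user for *Created; the anonymous identity for *Used
            ClientIP  = $d.ClientIP
            File      = $d.ObjectId
            Site      = $d.SiteUrl
        }
    }

    # Remember who created each link so the owner (a likely compromised account) can be checked.
    $creators = @{}
    foreach ($e in ($events | Where-Object Operation -eq 'AnonymousLinkCreated')) {
        $creators[$e.File] = $e.Actor
    }

    $events | Where-Object Operation -eq 'AnonymousLinkUsed' |
        Group-Object File | ForEach-Object {
            $ordered = $_.Group | Sort-Object Time
            [pscustomobject]@{
                File        = $_.Name
                CreatedBy   = $creators[$_.Name]
                Uses        = $_.Count
                DistinctIPs = @($_.Group.ClientIP | Sort-Object -Unique).Count
                FirstUse    = $ordered[0].Time
                LastUse     = $ordered[-1].Time
            }
        } | Where-Object DistinctIPs -ge $MinDistinctIPs | Sort-Object DistinctIPs -Descending
}

# --- Live query: uncomment after Connect-ExchangeOnline. One call returns at most 5,000 rows;
# --- use -SessionId with -SessionCommand ReturnLargeSet to page through a busier tenant.
# Connect-ExchangeOnline
# $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -Operations AnonymousLinkCreated,AnonymousLinkUsed -ResultSize 5000
# Get-SuspiciousAnonymousLinks -Records $records | Format-Table -AutoSize

# --- Constructed sample records so the function can be exercised offline. The field names
# --- mirror real AuditData; every value (users, IPs, paths, times) is made up.
$file1 = 'https://contoso-my.sharepoint.com/personal/alice_contoso_com/Documents/Review.one'
$file2 = 'https://contoso-my.sharepoint.com/personal/bob_contoso_com/Documents/Budget.xlsx'
$site  = 'https://contoso-my.sharepoint.com/personal/alice_contoso_com/'
$sample = @(
    @{ CreationTime='2019-09-02T08:11:00'; Operation='AnonymousLinkCreated'; UserId='alice@contoso.com'; ClientIP='198.51.100.7';  ObjectId=$file1; SiteUrl=$site }
    @{ CreationTime='2019-09-02T09:03:00'; Operation='AnonymousLinkUsed';    UserId='anonymous';         ClientIP='203.0.113.10';  ObjectId=$file1; SiteUrl=$site }
    @{ CreationTime='2019-09-02T09:15:00'; Operation='AnonymousLinkUsed';    UserId='anonymous';         ClientIP='203.0.113.44';  ObjectId=$file1; SiteUrl=$site }
    @{ CreationTime='2019-09-02T10:40:00'; Operation='AnonymousLinkUsed';    UserId='anonymous';         ClientIP='192.0.2.99';    ObjectId=$file1; SiteUrl=$site }
    @{ CreationTime='2019-09-02T11:02:00'; Operation='AnonymousLinkUsed';    UserId='anonymous';         ClientIP='203.0.113.10';  ObjectId=$file1; SiteUrl=$site }
    @{ CreationTime='2019-09-02T12:30:00'; Operation='AnonymousLinkCreated'; UserId='bob@contoso.com';   ClientIP='198.51.100.8';  ObjectId=$file2; SiteUrl=$site }
    @{ CreationTime='2019-09-02T12:45:00'; Operation='AnonymousLinkUsed';    UserId='anonymous';         ClientIP='198.51.100.20'; ObjectId=$file2; SiteUrl=$site }
) | ForEach-Object { [pscustomobject]@{ AuditData = ($_ | ConvertTo-Json -Compress) } }

# Review.one (4 uses from 3 IPs) is reported; Budget.xlsx (1 use) is not.
Get-SuspiciousAnonymousLinks -Records $sample -MinDistinctIPs 3 | Format-Table -AutoSize
```

Two caveats when running this for real: the unified audit log can lag actual activity by hours, so run it over a window that ends in the past rather than "now", and a genuinely popular public file will also trip the IP threshold, so treat the output as a triage list for the link owner to confirm, not as proof of compromise on its own.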
Call to action:
If you have questions about how to perform any of these tasks, please don't hesitate to contact ZAACT. We have engineers who can help you review audit logs, create alerts, set up MFA, and disable classic authentication. Some of these actions have repercussions; for instance, disabling classic authentication will break some e-mail clients, so don't start pressing buttons just yet. I'm happy to jump on a call to help you understand those repercussions.
Author: Chris Weidemann, VP of Client Services: Chris has over 17 years of experience in technical leadership, system architecture, software development, and product management. He holds an MS from the University of Southern California and is a published technical author in both academic journals and books. His enterprise experience includes custom application development, business process management, IT infrastructure, information security, strategic planning, distributed computing, large scale system integrations, geographic information systems, and cloud infrastructure migration/adoption. He has worked as a consultant servicing federal and state government entities, along with large multinational companies. Chris acts as a surrogate technical executive for many clients, helping engage with other executive level champions, or critics, to ensure the best business decisions are being made while implementing progressive technology.