Threat actors, advanced persistent threats, and simple cybercriminals are always looking for the latest way to get in or take advantage of potential victims. An avenue of approach is defined as a route of an attacking force leading to its objective. The latest and easiest avenue of approach is Office 365. Because this capability is relatively new, IT organizations have not put as much thought and expertise into defending this critical communications capability as they did with their on-premises Exchange infrastructure, and the threat has been able to take advantage of this lack of attention.
Office 365 is complex and has many caveats, with little security guidance or documentation available. The initial vector remains primarily phishing. Although two-factor authentication has helped reduce phishing, there have been many cases in the past several years where attackers phished the second-factor code as easily as the normal credentials. There are even several open-source two-factor bypass frameworks that are being leveraged daily to compromise users. With all the available ways to continue to steal user credentials, attackers continue to go after O365 as a way to manipulate users or execute social engineering to steal money.
In one scenario, an attacker gained access to an account on O365 and enabled send-on-behalf privileges, created administrator accounts, and created inbox rules for certain individuals – all in an attempt to hide malicious communication activity and spoofed emails. The attacker then sent an email from a self-created email thread, containing the replies and forwards of legitimate company executives, with instructions to wire funds.
In another scenario, attackers sent requests for payment with a PDF invoice that contained new, attacker-controlled account information. All of these actions leveraged unauthorized access to the email environment, and the activity went undetected for many weeks. The new norm for defenders must be to monitor and review activity, configuration changes, inbox rules, and account delegations. Hunting in real time and watching not just for security events but also for suspicious or abnormal IT activity is a must for reducing dwell time. Fraud and security teams must develop processes and playbooks for working together to combat this attacker technique.
So how do we impede or block the O365 avenue of approach? The playbooks must include what alerting is available to security teams and which use cases, including non-security-related activity, a security or fraud team may need in order to identify malicious activity. Ensuring there is a monitoring and hunting capability alongside configuration verification is simply a must. This includes a thorough review of current licensing and logging so that when an incident happens, administrators are not blind to attacker activity because logging was insufficient. An important report to review is the malware detections report. The ability to detect a security control failure and limit the impact of account compromises is paramount. Just like other systems, using multi-factor authentication for O365 helps protect the data and devices accessible by each individual, but it is not a silver bullet. Limiting the number of global administrators and monitoring the activity of those administrator accounts identifies when the most valuable accounts are being used. Another good practice is turning on mailbox auditing for all users and consuming and alerting on those events, which provides visibility into unauthorized access of Exchange Online activity. Email is, of course, a normal phishing avenue of approach, so understanding how the users within your O365 environment are being targeted by malware, and then determining further mitigations or more aggressive malware defense actions, is key.
Other security actions include reviewing mailbox access by non-owners, which identifies possible malicious activity, and turning on spam notifications. The latter lets you see which accounts are blocked for sending spam, which is also an indication of an attacker using that account. Whatever actions you take, make sure there is a continuous, periodic review; never use a set-it-and-forget-it approach. Additionally, Microsoft has been rolling out more advanced security options for O365 within its Automated Investigation and Response (AIR) framework, including security playbooks that automate the opening of investigations. The initial set of playbooks includes User-reported Phish Message, URL Click verdict change, Malware ZAP, Phish ZAP, and email investigations.
O365 is complex, and moving from on-premises Exchange to O365 does not reduce the security activities and actions required to defend your environment. Attackers will continue to use this avenue of approach until we as security professionals force them to move to a different avenue in order to gain ground. Making this lucrative objective a hardened target should be on everyone's to-do list.
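The monitoring the preceding paragraphs call for (inbox rules that forward or delete mail, send-on-behalf and mailbox delegations, new members in the global administrator role group, and non-owner mailbox access) can be hunted directly in the unified audit log that mailbox auditing feeds. The following Python script is an added example, not code from the original article or from Microsoft. It assumes the reader has already exported audit rows with Search-UnifiedAuditLog and is working from the AuditData JSON of each row; the records embedded below are constructed to imitate that shape, and the addresses, IPs, and timestamps in them are made up.

```python
"""Hunt Office 365 unified audit log records for account-takeover indicators.

Added example. The records below are CONSTRUCTED to resemble the AuditData JSON
of Search-UnifiedAuditLog rows (Exchange admin audit and mailbox audit records);
every value is made up for illustration.
"""
import json

# Constructed sample AuditData strings, one per audit row.
SAMPLE_AUDIT_DATA = [
    # 1. Rule that forwards externally and deletes the copy: a classic hiding technique.
    json.dumps({"CreationTime": "2019-03-04T13:02:11", "Operation": "New-InboxRule",
                "UserId": "cfo@example.com", "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "collector@example.net"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    # 2. Benign rule that files newsletters into a folder.
    json.dumps({"CreationTime": "2019-03-04T13:05:00", "Operation": "New-InboxRule",
                "UserId": "alice@example.com", "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    # 3. Send-on-behalf delegation granted on an executive mailbox.
    json.dumps({"CreationTime": "2019-03-04T13:10:42", "Operation": "Set-Mailbox",
                "UserId": "helpdesk@example.com",
                "Parameters": [{"Name": "Identity", "Value": "ceo@example.com"},
                               {"Name": "GrantSendOnBehalfTo", "Value": "cfo@example.com"}]}),
    # 4. New member added to the global administrator role group.
    json.dumps({"CreationTime": "2019-03-04T13:12:05", "Operation": "Add-RoleGroupMember",
                "UserId": "helpdesk@example.com",
                "Parameters": [{"Name": "Identity", "Value": "Organization Management"},
                               {"Name": "Member", "Value": "svc-backup@example.com"}]}),
    # 5. Mailbox audit record: a delegate sending as the CEO (non-owner logon).
    json.dumps({"CreationTime": "2019-03-04T13:20:00", "Operation": "SendAs",
                "UserId": "cfo@example.com", "MailboxOwnerUPN": "ceo@example.com",
                "LogonType": 2, "ClientIPAddress": "203.0.113.10"}),
    # 6. Mailbox audit record: owner reading their own mail, which is normal.
    json.dumps({"CreationTime": "2019-03-04T13:21:00", "Operation": "FolderBind",
                "UserId": "ceo@example.com", "MailboxOwnerUPN": "ceo@example.com",
                "LogonType": 0}),
]

FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders users rarely look at; rules that file mail there are often meant to hide it.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email", "archive"}
ADMIN_ROLE_OPS = {"Add-RoleGroupMember", "Add member to role."}
MAILBOX_ACCESS_OPS = {"SendAs", "SendOnBehalf", "FolderBind", "MailItemsAccessed",
                      "HardDelete", "SoftDelete", "Update"}


def params(rec):
    """Flatten the Parameters list of an Exchange admin audit record into a dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def check_inbox_rule(rec):
    """Flag new or modified inbox rules that forward, delete, or hide mail."""
    if rec["Operation"] not in {"New-InboxRule", "Set-InboxRule"}:
        return None
    p = params(rec)
    reasons = [name for name in FORWARDING_PARAMS if name in p]
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append("MoveToFolder=" + p["MoveToFolder"])
    return ("inbox-rule", rec["UserId"], ", ".join(sorted(reasons))) if reasons else None


def check_delegation(rec):
    """Flag full-access, send-as, and send-on-behalf grants on mailboxes."""
    p = params(rec)
    if rec["Operation"] in {"Add-MailboxPermission", "Add-RecipientPermission"}:
        grantee = p.get("User") or p.get("Trustee")
        return ("delegation", rec["UserId"], f"{rec['Operation']} on {p.get('Identity')} for {grantee}")
    if rec["Operation"] == "Set-Mailbox" and "GrantSendOnBehalfTo" in p:
        return ("delegation", rec["UserId"],
                f"send-on-behalf of {p.get('Identity')} granted to {p['GrantSendOnBehalfTo']}")
    return None


def check_admin_role(rec):
    """Flag additions to administrative role groups (new admin accounts)."""
    if rec["Operation"] not in ADMIN_ROLE_OPS:
        return None
    p = params(rec)
    return ("admin-role", rec["UserId"], f"{p.get('Member')} added to {p.get('Identity')}")


def check_non_owner(rec):
    """Flag mailbox access by non-owners: LogonType 0 = owner, 1 = admin, 2 = delegate."""
    if rec["Operation"] in MAILBOX_ACCESS_OPS and rec.get("LogonType", 0) != 0:
        return ("non-owner-access", rec["UserId"],
                f"{rec['Operation']} on {rec.get('MailboxOwnerUPN')} (LogonType {rec['LogonType']})")
    return None


CHECKS = (check_inbox_rule, check_delegation, check_admin_role, check_non_owner)


def hunt(audit_rows):
    """Return (time, kind, actor, detail) findings for every suspicious audit row."""
    findings = []
    for raw in audit_rows:
        rec = json.loads(raw)
        for check in CHECKS:
            finding = check(rec)
            if finding:
                findings.append((rec["CreationTime"],) + finding)
    return findings


if __name__ == "__main__":
    for when, kind, actor, detail in hunt(SAMPLE_AUDIT_DATA):
        print(f"{when} [{kind}] {actor}: {detail}")
```

Run against the constructed rows, the script reports the forwarding-and-delete rule, the send-on-behalf grant, the new Organization Management member, and the delegate SendAs, while passing over the benign folder rule and the owner's own mailbox reads. In practice the same checks would be fed from a scheduled Search-UnifiedAuditLog export, and each finding kind would map to a playbook step shared between the security and fraud teams.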
Mark is a retired U.S. Army Lieutenant Colonel who previously held positions as the Deputy Director of the US Central Command (USCENTCOM) Joint Cyber Center, the Deputy Director for the National Security Agency/Central Security Service Threat Operations Center's (NTOC) Counter Cyber Operations Office, and the Chief of Current Operations and Chief of Enterprise Services for what is now the Army's Cyber Center. Mark has an MS in Telecommunications Engineering from the University of Colorado and a BS from Worcester Polytechnic Institute.