Attackers Know Microsoft 365 Better Than You Do

Attackers Know Microsoft 365 Better Than You Do

Users have taken to Microsoft Office 365’s tools, but many are unaware of free features that come with their accounts — features that would keep them safe.

Organizations have quickly adopted the full-featured set of productivity and collaboration tools offered by Office 365 (O365), which was moved under the Microsoft 365 umbrella this spring. They’re leveraging Microsoft Teams, SharePoint, OneDrive, and other file storage systems to store and collaborate on sensitive documents and data. However, with the exponential increase of usage in the last few months, the platform has become an enticing and fruitful target for attackers of all types.

In 2019, 85% of all incident response investigations conducted by the Kudelski Security Incident Response team started with a compromised Office 365 account. While reviewing the results of those investigations, one thing quickly became apparent: Attackers know the productivity suite better than most IT administrators and defenders.

How Attackers Are Attacking
This year, we saw attackers leverage a multitude of attack techniques, most of which could have been easily prevented by turning on features included with most Office 365 Enterprise plans. As organizations strategize for 2021, it is paramount to know and understand how malicious actors are capitalizing on their knowledge of these environments to compromise, persist in, and exfiltrate data. 

Here are the three most common ways attackers are leveraging Microsoft’s platform: 

1. Brute Force and Password Stuffing
Credential stuffing is still one of the leading causes of account compromise. Attackers take advantage of the fact that most organizations don’t enable multifactor authentication (MFA), a free feature offered to all Microsoft 365 tenants, which, according to Microsoft, could have prevented 99.9% of account compromises it saw across users’ environments. 

The vast majority of “password stuffing” attacks aren’t targeted. Attackers get a hold of a password dump from a third-party source and attempt to “stuff” these passwords into Microsoft 365 login prompts. Such attacks rely heavily on users reusing passwords across software-as-a-service providers and websites, including their corporate accounts.

Another challenge is the “legacy protocol” support. Through this, attackers can brute force MFA-protected accounts by attempting to authenticate via protocols that don’t support MFA, such as SMTP, IMAP, and POP3. These provide an avenue to freely brute-force account passwords without having to deal with further verification prompts. Today, there are at least four different open source tools that abuse these legacy protocols, including LyncSniper (targets Skype for Business), SensePost Ruler (targets Exchange Server), MailSniper (targets Outlook Web Access/Exchange Web Services), and SprayingToolkit (targets Lync/Outlook Web Access).

This problem is compounded by organizations allowing users to reset MFA devices or applications simply through a confirmation link sent to the compromised email accounts. Attackers reset MFA tokens and leverage these newly registered applications to log in to others that rely on Microsoft 365 Single Sign-On, potentially gaining access to more sensitive data. 

Organizations should work to limit the usage of legacy protocols with Azure Active Directory conditional access as well as take advantage of the MFA feature to add another layer of security for users.

2. OAuth Consent Grants
Attackers are also phishing users with links to OAuth consent grant screens designed to trick users into granting access to their Microsoft 365 accounts to malicious applications. Those consent screens are real, hosted by Microsoft, and request that users provide access to their email inboxes and other data. Once malicious applications are granted access, attackers have unrestricted access to the accounts without the need for passwords or MFA. Because OAuth 2.0 grants don’t expire, attackers will retain that access until that specific grant is revoked. Even changing a user’s password won’t revoke these tokens automatically. 

There are several open source tools that enable attackers to easily create fake applications that need to be considered, including MdSec Office 365 Attack ToolKit and FireEye PwnAuth.

We have seen an uptick in the abuse of OAuth grants. To prevent these attacks, organizations can require that only specific preapproved applications be allowed to leverage OAuth 2.0 or leverage publisher verification, or administrators can choose to limit access to “sensitive” OAuth 2.0 grants. 

3. eDiscovery and Microsoft Flow Abuse
Attackers know that the eDiscovery features included in the platform’s security and compliance center can be leveraged to easily identify documents of interest across applications, including Microsoft Teams, SharePoint, OneDrive, and Exchange email servers. They also know that most organizations haven’t even taken the time to turn on audit logging (turned off by default) or aren’t monitoring their Azure Active Directory environments. These organizations won’t be able to detect attackers granting themselves the permissions necessary to leverage eDiscovery tooling.

The productivity suite also grants users access to Microsoft Flow, a workflow automation tool that enables users to automate tasks based on certain triggers. Malicious actors take advantage of the fact that once they gain access to eDiscovery, they can leverage Microsoft Flow and completely automate sensitive document discovery and exfiltration. 

Attackers know this platform better than most defenders and have become very effective at compromising tenants easily without having to bypass the multitude of Microsoft-offered security capabilities. Part of the issue is that organizations aren’t taking full advantage of the free features included with their subscriptions. In fact, attackers are abusing Microsoft features that IT administrators aren’t even aware exist.

IT and security teams must know what they have available already and enable all the features that will help them close the door to potential threats. 

This article was originally featured in Dark Reading.

5 Things You Can Do Right Now to Improve Office 365 Security

5 Things You Can Do Right Now to Improve Office 365 Security

The Microsoft Office 365 productivity suite counts around 200 million active users per month, making it an incredibly attractive target for cybercriminals. In fact, 85% of security incidents investigated by the Kudelski Security Incident Response team in 2019 can be attributed to an Office 365 email compromise.

Of course, email isn’t the only asset at risk. The Office 365 suite hosts critical documents and information for the entire organization in tools like Sharepoint, Teams, and OneDrive. In many cases, it’s a single source of truth, especially with Office 365’s reliance on Azure Active Directory and the integrated SSO capabilities for 2,800+ SaaS applications.

This interconnectivity creates a high-risk environment where a compromise of a user’s “email account” can result in widespread access to sensitive data and systems. Increasing the costs (either in terms of financially or in terms of effort) required to attack office 365 tenants is critical. We’ve compiled five actionable steps that security teams can take to prevent Office 365 attacks across the (abridged) kill chain—reconnaissance, compromise, persistence, and action on objectives.

Note: Conducting reconnaissance against an Office 365 tenant is fairly easy. Through DNS and TLS certificate transparency logs, you should assume that an attacker will be able to find out whether or not your organization uses Office 365. Additionally, there are several tools that enable attackers to enumerate valid user accounts ever attempting to authenticate (via timing attacks). Therefore, instead of looking for signs of potential recon, we recommend organizations focus on identifying signs of compromise and/or post-exploitation activity.

Turn on audit logging for your Office 365 tenant as soon as possible.

This may come as a surprise, but detailed audit logging is not turned on by default in Office 365 tenants. It’s an incredibly valuable source of information that can help you identify Office 365 attacks. If possible, send the logs to a SIEM, so you can start to build detection capabilities around it.

Turn off / restrict access to legacy protocols.

Legacy protocols (POP3, SMTP, etc.) allow attackers to perform brute-force attacks without being prompted for multi-factor authentication. This is by design. Legacy protocols exist for devices like office printers, legacy chat applications like Lync and Skype for Business, or older versions of Outlook that do not support the latest communication protocols that can prompt users for MFA.

There are a couple of options to disable legacy protocols for your Office 365 tenant. By using Azure Active Directory, you can set up conditional access rules to limit which IP addresses or accounts can authenticate, leveraging legacy protocols for devices that don’t support more modern protocols. We recommend that organizations create a set of service accounts that are used exclusively to send email from devices that don’t support modern email protocols and closely monitor those accounts.

Pre-approve applications that can request OAuth grants.

OAuth is the protocol that powers the “sign in with Facebook/Google” capabilities as well as other SSO and Active Directory integrations. These requests specify the type of access you want to grant an application—e.g. your email address and account name. However, attackers have started creating fake applications that request email read and write access without a user ever providing a password and it allows attackers to retain access even if account credentials are changed. This is especially problematic if a global admin is the target of an attack. Without knowing it, the admin could grant access to the entire Office 365 tenant (including all files, applications, etc).

Microsoft Office 365 has built-in tools that enable organizations to look for these fake applications used to generate Illicit OAuth grants. Additionally, as an admin, you can create a pre-approved list of applications that are able to request OAuth access to avoid illicit grants.

Clear outlook mail rules immediately if an attack is suspected or identified.

Attackers use email forwarding (and other) rules to persist in an environment even after an attack has been detected and “mitigated”. An attacker can create rules that could automatically forward emails to a third party or auto-delete “red flag” emails or replies. For example, if a user notices a suspicious email and emails the owner of the account, the rule could automatically delete that email, leaving the account owner none the wiser.

Complicating matters, there are tools that can abuse exchange message APIs to hide email rules from admins and users. This is why in addition to changing email passwords, it’s important to also clear all email rules after an account has been compromised.

Closely monitor access to eDiscovery and set up alerts that trigger every time the tool is used.

eDiscovery allows users to search for data across all applications in the Office 365 tenant using keywords or a specific set of criteria. This access, coupled with a tool like Microsoft Flow, which enables the automatic download and upload of eDiscovery results, can allow attackers to automate the discovery and exfiltration of sensitive data.

By default, global admins do not have access to the eDiscovery tool. You must request to be added to the user group that has access. Once you have access, monitor every addition to that tool. A new addition to user groups used to grant access to eDiscovery should be investigated as it’s possible an attacker is attempting to abuse the tool to find sensitive data. The easiest way to do this is to set up alerts that trigger every time eDiscovery is used. Over time, you can tune the alerts to specific scenarios.

Last, but not least, it’s safe to assume that attackers know more about Office 365 than you. They know about all the capabilities, the legacy protocols, eDiscovery, and other above and below board services that can be leveraged to enumerate users and automate data exfiltration