TechViews News …..
The quote, “Why do I rob banks? That’s because that’s where the money is”, is attributed to bank robber Willie Sutton. In the same way, cybercriminals go where the users are. Office 365, which as of this writing has more than 100 million active monthly subscribers, has become a hotspot for compelling and personalized cyberattacks. Users trust emails from coworkers, especially those with an internal corporate email address.
By now most people are familiar with traditional phishing attempts. A phishing email you receive will usually contain red flags: suspicious attachments, bold requests, misspelled words, questionable email addresses. Informed users know how to handle these types of emails. But what happens when a phishing email is more personalized, with legitimate addresses and reasonable requests?
These have become more popular and tougher to spot, says Asaf Cidon, spearphishing expert at Barracuda Network Security. The company recently released a report on a threat he calls Account Compromise. Once they have an employee’s Office 365 account information, threat actors can craft realistic-looking messages and send them from an account their victims trust.
Attackers primarily steal credentials using traditional methods, he continues. Most rely on phishing or spearphishing to send victims to fraudulent websites, where they are prompted to reset their Office 365 credentials. We’ve seen multiple attacks on major corporations and banks that are now selling users’ credentials on the dark web.
“What’s new is what happens after they get access to the accounts,” Cidon says. Threat actors can conduct several types of attacks after they gain a foothold in an organization.
This attacker could be a disgruntled employee, a jealous coworker, even a casual friend who knows your business email address. If the sender is inside your company network, then the sender may have the ability to spoof network logins and credentials. Even large corporations with sizable internal IT divisions are vulnerable to this kind of phishing attack.
In one common scenario, an attacker sets forwarding rules on an Office 365 account to send emails to an account they control. From there, they can both steal data and monitor the user’s internal and external communication patterns so they can plan future attacks.
Threat actors also impersonate their victims and send emails to other employees with the goal of collecting data. Some send emails with PDF attachments that can only be opened with a username and password. Some send an invoice for payment that requires logging into a web portal, where they have to log in with a corporate email address and password.
Damage could potentially extend outside the organization. Cidon explains a scenario in which an attacker, impersonating an employee, used their access to request a wire transfer from a partner company. The employee in the scenario didn’t even realize the transfer was happening.
“This is an evolution of spearphishing – we’re seeing more and more sophistication,” he says. A couple of years ago, cyberattackers primarily targeted executive employees. These new Office 365 threats are putting all employees at risk.
“With this attack, they’re just trying to get in and once they’re in, a lot of the employees getting targeted are not high-level. It’s not just executive targets,” Cidon continues.
There are red flags that signify a company is targeted in one of these attacks. Oftentimes the IP addresses used to log into corporate accounts come from other countries, he says, and looking at the log can identify geographical anomalies. It also helps to keep track of your email account to see when emails are getting forwarded or sent to unfamiliar addresses.
Cidon advises security leaders to train employees on how to spot phishing attacks to prevent attackers gaining initial access. He also advises adding security layers like multi-factor authentication to Office 365 to lessen the chance of a break-in.
“Traditional email security systems are going to be almost useless in stopping this,” he says, noting how most tools look at the API of the email provider. “Once an attacker is in, they don’t see internal emails … only the external emails coming in.”
Be Safe – Backup Your Data Regularly!
And don’t forget to take advantage of our FREE subscription to the TechViews.org Newsletter. A must-read if you are interested in Internet Security.