As the use of Microsoft’s Office 365 grows – encompassing services including Exchange, Teams, SharePoint, OneDrive and more – the sheer amount of data stored in the cloud is proving to be a tempting target for some of the most sophisticated hacking operations in the world, according to cybersecurity researchers at FireEye Mandiant.
“The amount of data in Office 365 is just huge and attackers are obviously interested in data. But also they can now access that data from pretty much anywhere in the world,” Doug Bienstock, principal consultant at Mandiant, told ZDNet, ahead of the research being presented at the Black Hat USA security virtual conference.
“Office 365 is also a gateway for organisations to access other applications as a single sign-on platform,” Bienstock explained.
It often doesn’t take much for hackers to compromise the networks of organisations they’re targeting: it’s possible to acquire lists of email addresses of employees at a company, and attackers will then attempt brute-force attacks to crack any common or weak passwords. It doesn’t even have to involve a spear-phishing attack. Some attacks, however, are significantly more sophisticated.
“The attacker will take those valid credentials, log in to the VPN and they will move around the network with the intent of escalating their privileges to a global admin account for Office 365,” Josh Madeley, principal consultant at Mandiant and co-author of the presentation, told ZDNet.
It’s believed that a significant majority of – if not all – state-backed advanced persistent threat (APT) groups are interested in deploying this kind of attack, but one that definitely has is APT35, a hacking operation working out of Iran, which Madeley described as “notorious” for exploiting cloud services to gain access to the sensitive information it wants to see.
“They’ll gain access to your Office 365 environment then use the security tooling to search the contents of every mailbox, every Teams chat, every SharePoint document,” he explained.
From there, APT35 searches for credentials that will give it access to other departments, even other companies, and anywhere else it can extract sensitive information from.
The hackers are not exploiting a weakness in Office 365 itself; it is simply that the service has become such a core part of corporate IT infrastructure that it makes an attractive target. But the way corporations and users secure Office 365 could be improved to protect against attacks of this kind. The first step organisations can take to prevent attacks is to make sure that common, easily guessable passwords aren’t being used.
Organisations should also ensure that multi-factor authentication is applied to as many employee accounts as possible, so that in the event of a password being stolen or breached, there’s an additional layer of defence to stop attacks.
“The biggest two things we recommend are enabling multi-factor and doing it intelligently with as few exceptions as possible. So everyone in the organisation and every application needs to apply multi-factor – and think about how often you want to prompt that,” said Bienstock.
It’s also recommended that organisations take the time to understand activity on their networks, so it’s possible to detect and stop suspicious activity before it can do significant damage.
“There’s good security out of the box in Office 365, but if you need to protect against APTs, there needs to be some time and effort into understanding the logs and building up robust monitoring so you can see something is happening when it shouldn’t be so you can cut them off,” he said.
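As an added illustration of the log monitoring Bienstock describes (this is example code, not Mandiant’s tooling or anything from the presentation), the script below runs simple detection logic over constructed audit records shaped like Office 365 Unified Audit Log JSON exports: it flags source addresses that fail logins across many accounts, then tracks a user who signs in from such an address, is added to a directory role and creates a content search, mirroring the chain the article describes. The field and operation names are assumptions about that log format, and the users, addresses and timestamps are invented.

```python
import json
from collections import defaultdict

# Constructed sample, modelled on the shape of Office 365 Unified Audit Log
# records exported as newline-delimited JSON. Field and operation names are
# assumptions about that format; users, IPs and timestamps are invented.
SAMPLE_LOG = """\
{"CreationTime":"2020-08-01T09:00:01","UserId":"alice@example.com","Operation":"UserLoginFailed","ClientIP":"203.0.113.5"}
{"CreationTime":"2020-08-01T09:00:02","UserId":"bob@example.com","Operation":"UserLoginFailed","ClientIP":"203.0.113.5"}
{"CreationTime":"2020-08-01T09:00:03","UserId":"carol@example.com","Operation":"UserLoginFailed","ClientIP":"203.0.113.5"}
{"CreationTime":"2020-08-01T09:00:04","UserId":"dave@example.com","Operation":"UserLoggedIn","ClientIP":"203.0.113.5"}
{"CreationTime":"2020-08-01T09:30:00","UserId":"erin@example.com","Operation":"UserLoginFailed","ClientIP":"198.51.100.7"}
{"CreationTime":"2020-08-01T09:31:00","UserId":"erin@example.com","Operation":"UserLoggedIn","ClientIP":"198.51.100.7"}
{"CreationTime":"2020-08-01T10:00:00","UserId":"dave@example.com","Operation":"Add member to role.","ClientIP":"203.0.113.5"}
{"CreationTime":"2020-08-01T10:30:00","UserId":"dave@example.com","Operation":"SearchCreated","ClientIP":"203.0.113.5"}
"""
SPRAY_MIN_USERS = 3  # distinct accounts one IP must fail against to be flagged

def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def spray_sources(records, min_users=SPRAY_MIN_USERS):
    """IPs whose failed logins span at least min_users distinct accounts:
    the guessing of common or weak passwords the article describes."""
    failed = defaultdict(set)
    for r in records:
        if r["Operation"] == "UserLoginFailed":
            failed[r["ClientIP"]].add(r["UserId"])
    return {ip for ip, users in failed.items() if len(users) >= min_users}

def compromise_chains(records):
    """Per user, track the sequence: successful login from a spray source,
    then a directory role change, then a compliance content search. Records
    are assumed to be in time order. Returns {user: [steps seen so far]}
    for every user who has completed at least the first step."""
    sprayers = spray_sources(records)
    chain = ["UserLoggedIn", "Add member to role.", "SearchCreated"]
    progress = defaultdict(int)
    for r in records:
        user, op = r["UserId"], r["Operation"]
        step = progress[user]
        if step < len(chain) and op == chain[step] and r["ClientIP"] in sprayers:
            progress[user] += 1
    return {u: chain[:n] for u, n in progress.items() if n}

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("spray sources:", spray_sources(recs))
    print("suspected chains:", compromise_chains(recs))
```

A partial chain (login only, or login plus role change) is worth an alert on its own; the full sequence is simply the strongest signal.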