Blog Post Resource November 3, 2022

Protecting Microsoft Office 365 from Cyberattacks

Protecting Office 365

By: Mark Sangster, VP, Chief of Strategy, and Will Ledesma, Director of Managed Detection and Response

Cloud adoption is universal, as is the move to SaaS applications like Microsoft Office 365 (O365). Cloud architecture simplifies management while increasing business access and collaboration. Yet, the open and available nature of tools like O365 expands your threat profile. Cybercriminals are adept at exploiting these systems, often called Living Off The Land (LOTL). Adopting services like O365 only reinforces the notion that the threat landscape is an ever-moving sea of dunes that provide cover for criminals to move undetected and easily infiltrate your business.

As you migrate to Office 365 (amongst other SaaS applications) and increase user access, does it come at a cost? Are you losing security protection? This post discusses the move to Office 365, the risks, and ways to secure your SaaS applications from cyber threats.

Office 365 Overview

In the following blog, when Office 365 is mentioned, we are referring to the collection of Microsoft web applications and cloud-based services¹. It includes Outlook, OneDrive, Microsoft Teams, and Microsoft Office (Excel, Word, and PowerPoint). These services further integrate with Microsoft Exchange Server, SharePoint, and others. Authentication is driven via Hybrid Azure configurations or full Azure Active Directory Server integration. Adlumin’s platform ingests the various logs produced by these applications, servers, and authentication services.

Real Threats in the O365 Trenches

Today’s IT (Information Technology) open and accessible infrastructure means companies cannot turn a blind eye to threats lurking in plain sight. Cybercriminal groups such as Gootloader actively seek and exploit Office 365 vulnerabilities.

Like other SaaS applications, Office 365 contains mission-critical, often confidential, and damaging information if exposed through unauthorized channels. Proprietary intellectual property, business plans, customer contracts, and financial data are stored and shared through Office 365. Cybercriminals are attracted to any source of critical assets, and the open nature of Office 365 creates double jeopardy in terms of cyber threats.

Add to that the complexity of any expansive ecosystem of services and applications, and it is no wonder the Office 365 family has a plethora of known vulnerabilities² that exploit services, including remote code execution, spoofing, bypassing controls, and information exposure.

Threat actors will look to identify any way into a system. Many use password spray techniques, while others attempt phishing tactics. Regardless of the vector, every attack angle must be observed.

Many of these exploits are easy for criminals to deploy. For example, Microsoft modified Azure authentication protocols to prevent unauthorized parties from intercepting or spoofing authentication requests, harvesting credentials and then passing these credentials to the Azure servers to complete the user’s login request³.

Office 365 Login

Convincing phishing emails that launched customer-branded log-in portals left the user unaware of the fraudulent nature of the act. And the successful sign-on offers no signs of suspicious or at least unexpected behavior.

Most organizations rely on Single Sign-On (SSO) servers to authenticate users. At the same time, they have been deployed for their simplicity and ease of use, and adversaries tailgate on these advantages to gain initial access to organizations.

Let’s dive into a real-world example that Adlumin’s Managed Detection and Response (MDR) team discovered. The Adlumin platform alerted on suspicious activity in the form of impossible travel, which is the notion that a user cannot log in from two geographical locations in a period in which they could not physically traverse. The adversary leveraged an older vulnerability against Oauth 2.0 that exploits cloud Azure authentication server misconfiguration. The threat actor was able to take ownership of the targeted account but was rapidly stopped by Adlumin.

Adlumin’s investment in machine learning algorithms solves the conundrum of analyzing the enormous volume of logs generated by O365 services and serves in this class of exploit. False positives are eliminated, and vetted alerts and events are presented to MDR analysts for complete analysis and containment.

Take the previous example of impossible travel authentication. A user cannot log in from New York and London at the same hour, but Microsoft load balancing might send an authentication request from a New York user to a server in London, given current Internet traffic. On the surface, the concurrent login looks suspicious, but it is not. Additional contextual information allows one to confirm the event and determine if it is malicious.

In this case, User and Entity Behavior Analytics (UEBA) solve this dilemma. UEBA baselines normal user and device activity and flags anomalies. Where does the user normally log in from? What are the normal behaviors of the user? What machine do they typically use? Adlumin UEBA paired with our MDR analysis provides a Zero Trust approach to identify the outliers, investigate, and contain them. It is about identifying threats before they turn into business-disruptive incidents.

With Microsoft SSO, attackers have a single portal to a world of applications: OneDrive, SharePoint, emails, confidential information, etc. Access to these systems additionally provides a vector for distributing malicious binaries like ransomware to other users and systems.

Alert and Response Example:

Adlumin’s MDR team has several containment actions. In this case, the analyst disabled the user account and implemented a firewall IP block via Adlumin’s SOAR (Security Orchestration, Automation, and Response) to provide machine-to-machine invoked protection actions.

The Alert

Alert in details showcasing the impossible actions:

A machine learning algorithm detected Office 365 activity originating from an anomalous

The Adversary’s Actions

The first move:

Once the adversary gains access, they set up a forwarding rule against an admin account.

Suspicious inbox forwarding rule\

The second move:

The adversary then looks for and collects an expense report.

collects an expense report

The third move:

In this case, the client had disabled automatic blocks against suspicious activity, including the compromised account, remote access, and source IP blocking. In response, Adlumin’s MDR team takes containment actions:

Security Orchestration Automation and Response (SOAR)

IP blocks were also implemented via SOAR:

IP blocks were also implemented via SOAR

At this point, the initial attack is contained. Adlumin’s MDR team continued to monitor for further intrusions against the customer.

Take Aways

Today’s risk equation includes sophisticated threat actors, growing accountability and compliance requirements, and the protection of emerging technology. Office 365 is not new, but attacks against SaaS applications will continue to grow. The pandemic shifted much of the global workforce to a remote model.

Distributed (cloud) storage, remote access, and expanding user privileges have created new challenges for system administrators. They can no longer control access through on-premises services and restricted devices. In the battle to protect your business from cyberattacks while moving with technology trends, Adlumin provides the confidence you need to adopt and protect emerging technologies and services like Office 365.

  1. https://en.wikipedia.org/wiki/Microsoft_365
  2. https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-80308/Microsoft-365-Apps.html
  3. https://docs.microsoft.com/en-gb/microsoft-365/admin/setup/customize-sign-in-page?view=o365-worldwide