Email Security Intelligence - Microsoft 365 Account Takeover: How To Defend Your Deployment

Microsoft 365 users have recently experienced a spike in account takeover attacks, brought on by a surge in credential theft and successful phishing attempts. Last year roughly 20% of companies using Microsoft 365 faced at least one account compromise.

A compromised account can be extremely damaging, as cybercriminals will be able to steal your data from the cloud, compromise other accounts, impersonate you to execute financial fraud, infiltrate ransomware or other malware, and potentially impact your operations. Compromised accounts can also be used to launch effective attacks against customers, employees, and business partners. This article will discuss the process of account takeover, the limitations of built-in Microsoft 365 email security, and how to protect against these attacks.

Anatomy of Account Takeover

Account takeover (ATO) is a form of online identity theft where a third party illegally accesses a victim’s online account to turn a profit by changing account details, making purchases, and leveraging the stolen information to access other accounts. Threat actors utilize several different strategies to obtain the information they need to perform an account takeover including:

  • Phishing: cyber criminals will typically create a false sense of urgency to convince a user to interact with a malicious attachment or link within an email. The user is then redirected to a fake website designed to pass for their financial institution, where their account credentials are stolen.
  • Malware: this type of attack is both common and difficult to detect. Malware, or malicious software, is installed on a victim’s computer by an attacker so that they can capture the user’s information through keylogging or redirection to a fraudulent website.
  • Man-in-the-Middle Attack: a man-in-the-middle (MITM) attack is a general term for when an attacker positions themselves in a conversation between a user and an application so that it appears to be a normal exchange of information. The criminal then uses a rogue access point to intercept the customer’s data and gain access to their account.
  • Credential Stuffing: a type of attack in which the attacker collects stolen account credentials, and then uses them to gain unauthorized access to accounts on other systems through large-scale automated login requests against a web application. This is why it’s so important to have unique passwords for every account you own.
  • Botnet Attack: an attack in which the hacker deploys malware-infected machines under their control and uses them to unleash a string of attacks. Sophisticated bots can take over a significant number of accounts before they are identified and can rotate between thousands if not millions of IP addresses.


The Process of Account Takeover

Cybercriminals will often purchase a list of credentials from the dark web, typically compromised through methods such as social engineering, data breach, and phishing attacks. The full process of account takeover includes:

Phase 1: The Breach

Cybercriminals find and exploit vulnerabilities in popular websites and forums to gain access to their user database. Publicized breaches have impacted over 1 billion people and exposed these users’ passwords, as well as other sensitive information like answers to account questions, dates of birth, and gender.

Phase 2: Targeted Attacks

Credentials are assets that criminals typically keep contained within their trusted network until data has been completely monetized, which can take up to 2 years. The attacker may identify wealthy or high-profile victims who should be treated differently than others and get creative in targeting them with manual account takeover, blackmail, and extortion.

Phase 3: The Sale

After a successful attack, cybercriminals will resell the compromised information to less sophisticated criminals, who can automate credential-stuffing attacks with minimal effort, expense or expertise. The stolen credentials are now considered commodities.

Phase 4: Credential Stuffing

Once a list of usernames and passwords has been purchased, attackers will attempt a process called credential stuffing, where they enter the same credentials on other websites with the use of automated botnets. Because so many people reuse passwords for multiple accounts, this hacking method can have a big payout and is relatively easy to execute.
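The credential-stuffing pattern described in this phase (and in the attack-method list above) has a recognizable signature in sign-in telemetry: one source address trying many distinct usernames in a short window, mostly failing, with the occasional success where a reused password matched. The following detector is an added example written for this article; it is not part of the original post or of any Microsoft product. The log format, the sample lines, the window size and the user threshold are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (hypothetical format; not Microsoft 365's real schema).
# Source 203.0.113.7 cycles through six accounts in a few seconds; one guess succeeds.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=alice@example.com src=203.0.113.7 result=FAIL
2024-05-01T09:00:02Z user=bob@example.com src=203.0.113.7 result=FAIL
2024-05-01T09:00:02Z user=carol@example.com src=203.0.113.7 result=FAIL
2024-05-01T09:00:03Z user=dave@example.com src=203.0.113.7 result=FAIL
2024-05-01T09:00:04Z user=erin@example.com src=203.0.113.7 result=FAIL
2024-05-01T09:00:05Z user=frank@example.com src=203.0.113.7 result=SUCCESS
2024-05-01T09:05:00Z user=alice@example.com src=198.51.100.20 result=FAIL
2024-05-01T09:06:00Z user=alice@example.com src=198.51.100.20 result=SUCCESS
2024-05-01T09:10:00Z user=bob@example.com src=192.0.2.44 result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(FAIL|SUCCESS)$")


def parse_log(text):
    """Turn the constructed log text into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, result = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user.lower(),
            "src": src,
            "ok": result == "SUCCESS",
        })
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10), min_users=5):
    """Flag each source that tried >= min_users distinct accounts within `window`.

    Returns {src: {distinct_users, failures, successes, succeeded_users}} computed over
    all of that source's events, since once a source is flagged its whole activity is
    suspect. `succeeded_users` are the accounts a defender should treat as compromised
    (force password reset, revoke sessions) because the stuffed credential matched.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            if len({e["user"] for e in evs[lo:hi + 1]}) >= min_users:
                flagged[src] = {
                    "distinct_users": len({e["user"] for e in evs}),
                    "failures": sum(not e["ok"] for e in evs),
                    "successes": sum(e["ok"] for e in evs),
                    "succeeded_users": sorted(e["user"] for e in evs if e["ok"]),
                }
                break
    return flagged


def accounts_to_reset(events, **kwargs):
    """Union of accounts that were successfully logged into from a flagged source."""
    users = set()
    for stats in find_stuffing_sources(events, **kwargs).values():
        users.update(stats["succeeded_users"])
    return sorted(users)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, stats in find_stuffing_sources(evs).items():
        print(src, stats)
    print("reset:", accounts_to_reset(evs))
```

The per-source threshold is deliberately the only signal: it does not need to know the passwords tried, and it catches the "many users, one IP" shape that distinguishes stuffing from an ordinary user mistyping their own password. A real deployment would also correlate across sources to catch the rotating-IP botnets mentioned above (many IPs, one user each, same short window).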

Vulnerabilities with Built-in Microsoft 365 Email Security Capabilities

Despite existing email protection from Microsoft Exchange Online Protection (EOP) in Microsoft 365, 85% of users have experienced an email data breach. Microsoft 365 email security falls short in safeguarding users and key business assets against credential phishing, account takeovers, and the other dangerous threats that cloud email users face daily.

Researchers have recently discovered a “potentially dangerous piece of functionality” and are now claiming attackers can abuse Microsoft 365 functionality to target files stored on SharePoint and OneDrive in ransomware attacks. Files are stored via “auto-save” and backed-up in the cloud, giving end users the impression data is protected from an attack. However, experts say files stored on SharePoint and OneDrive can be vulnerable to a ransomware attack as simple configuration errors can lead to their Microsoft 365 tenant being compromised, and even the experts can’t recover from the damage.

71% of Microsoft 365 deployments have suffered an account takeover on average seven times in the past year, according to a recent study. The survey consisted of 1,112 security professionals using Microsoft 365, with a majority saying they’re unable to stop it, even with MFA implemented. One expert said, “we’re regularly seeing identity-based attacks being used to circumnavigate traditional perimeter defenses like multi-factor authentication (MFA)... Account takeovers are replacing phishing as the most common attack vector and MFA defenses are speed bumps not force fields.”

Additionally, ongoing phishing campaigns can hack you even when you’re protected with MFA. Microsoft stated that even when protected with MFA, there were attacks that couldn’t be stopped on their own, and attackers are sitting on these compromised accounts for extended periods and using them to trick users by pretending to be colleagues.

How To Protect Your Email From An Attack

Cybercriminals are coming up with new ways to exploit a business’s vulnerabilities and break into its systems. Some basic ways to spot harmful emails include:

  • Check the sender's email address: an official-looking email address doesn’t necessarily mean that it’s official, but a random email address with no relation to the legitimate sender should be treated with caution.
  • Look for spelling, punctuation, and grammar mistakes: official emails should be free from common mistakes. Pay particular attention to phrasing in the email, as many phishing scammers know English as a second language.
  • Check links before clicking on them: hover over any links to have them displayed in your email client before clicking, to verify they are actually going to the genuine website.
  • Think about what the email asks for: legitimate organizations will never request your Social Security number or other account details via email.
  • Don’t be provoked by a sense of urgency. Take your time. Think before you act.
  • Avoid opening attachments in emails: opening an attachment in a phishing email can spread malware such as ransomware, which locks up your computer and encrypts documents to block access.
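Several of the checks in this list (sender address versus display name, a Reply-To that points elsewhere, urgency wording, and link text that shows one site while the href goes to another) can be applied mechanically to a raw message before a person ever hovers over a link. The script below is an added example written for this article, not code from the original post or from Microsoft; the sample message, the brand-to-domain table and the urgency word list are constructed assumptions, and the "registrable domain" helper is a deliberate two-label approximation rather than a public-suffix lookup.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration (not a real phishing email).
SAMPLE_EMAIL = """\
From: "Microsoft 365 Support" <alerts@m365-secure-login.example>
Reply-To: recovery@mailbox-verify.example
To: alice@example.com
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Unusual sign-in detected. Verify immediately or lose access.</p>
<p><a href="http://m365-secure-login.example/verify">https://login.microsoftonline.com/</a></p>
<p><a href="https://www.example.com/help">Help centre</a></p>
</body></html>
"""

# Assumption: domains this tenant treats as legitimate senders for a brand named in a display name.
KNOWN_BRAND_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com"}}
# Assumption: wording that the "sense of urgency" bullet above warns about.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "24 hours", "verify now")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels approximation (assumption: no public-suffix list available)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_email(raw):
    """Return a list of human-readable phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""

    # 1. Display name claims a brand whose known domains do not include the sender's.
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in from_name.lower() and registrable_domain(from_domain) not in domains:
            findings.append(f"display name '{from_name}' but sender domain is '{from_domain}'")

    # 2. Reply-To routes replies to a different domain than the sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"Reply-To domain differs from sender: {reply_addr}")

    # 3. Urgency language in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(f"urgency wording in subject: {hits}")

    # 4. Links whose visible text names one site while the href goes to another.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = AnchorCollector()
    collector.feed(body)
    for href, text in collector.anchors:
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append(f"link text shows '{shown_host}' but href goes to '{href_host}'")
        if urlparse(href).scheme == "http":
            findings.append(f"unencrypted link: {href}")
    return findings


if __name__ == "__main__":
    for f in analyze_email(SAMPLE_EMAIL):
        print("-", f)
```

Each finding maps back to one bullet above; none of them alone proves a message is malicious, which is why the function returns the whole list rather than a verdict, leaving the threshold (or the decision to quarantine for human review) to the mail gateway or SOC that consumes it.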

The best way to make email safe for business is with proactive, multi-layered supplementary defenses that bolster inadequate built-in cloud email protection and fortify Microsoft 365 against credential phishing and account takeovers. An effective security strategy offers superior protection through real-time updates and more secure, resilient technology developed with the collaborative, transparent open-source model applied to the development of email security solutions. Investing in fully-managed email security services and accessible support can also improve security, maximize productivity, simplify deployment and ease the load on your IT department by assisting with setup and providing the ongoing system monitoring and maintenance that will keep your organization safe online.

Keep Learning

The platform your organization uses to detect and prevent account takeover should adapt to increasingly sophisticated cyberattacks that target your business. A compromised account can lead to a loss of consumer trust and even permanent damage to your reputation.
