Migrating to Microsoft 365 offers undeniable benefits, but it also creates a new attack surface. However, the unmatched convenience of Microsoft 365 can be undermined if attackers exploit weaknesses that bridge the gap between your on-prem environment and the cloud. This blog post dives into the tactics real-world attackers use to infiltrate Microsoft 365 through on-prem vulnerabilities. We’ll also equip you with actionable strategies to bolster your defences and keep your cloud data safe.
Don’t Let Your Cloud Become Ground Zero.
Read On.
Top 10 Attacks Against Microsoft 365
1: Data Breach on Okta: This was a breach in the customer service system as a result of stolen credentials, exposing support case information.
2: Air Europa Data Breach (October 2023): The attackers accessed the customers’ financial information, and they recommended that customers cancel their credit cards.
3: 23andMe Data Breach (October 2023): Unauthorized access to customer accounts due to a credential stuffing attack, exposing genetic data.
4: SONY Data Breach (September 2023): Ransomware group Ransomware.vc allegedly exfiltrated over 6,000 files from SONY and threatened to sell the data.
5: Topgolf Callaway: Over One Million Customers Hit by Data Breach That Exposed Personal Information.
6: IBM MOVEit Data Breach: A vulnerability in the transfer software MOVEit allowed criminals to steal sensitive healthcare data related to 4.1 million patients.
7: Barracuda Email Security Gateway Attacks (May 2023): A critical vulnerability was exploited to compromise Barracuda’s Email Security Gateway appliances, targeting government agencies.
8: Microsoft Cloud Email Breach (June 2023): It comprised email accounts belonging to the U.S. government agencies, with the emails of high-profile officials being compromised.
9: Casino Operator Attacks: Casino operators MGM and Caesars Entertainment were reportedly interfered with through the use of social engineering tactics and ransomware deployment.
10: Cisco Attacks (October 2023): Targeted to enable customers of the Cisco IOS XE to exploit some critical vulnerability, nearly 42,000 Cisco devices were compromised.
Such incidents underscore a changing and persistent threat landscape on on-prem and cloud infrastructure, which exemplifies the necessity of resilient cybersecurity measures and awareness.
15 Ways Hackers Use To Target Microsoft 365
Tactics used by the actor UNC2452 ( AKA Nobelium or SolarWind Hackers) were such a complex blend of techniques of lateral movement to the Microsoft 365 cloud environment. They include system vulnerabilities, protocol manipulation, and exploited stolen credentials as they demonstrate the capability of the attacker’s sophisticated knowledge of cloud infrastructure and its security features.
15 Most Common Techniques Used For Achieving Lateral Movement To The Microsoft 365 Cloud
1: API Abuse: Attackers targeting weak API endpoints can change the endpoint request in a way that allows bypassing standard authentication or authorization checks. For example: when exploiting weak permissions in an API used for managing user data in M365, attackers could possibly extract personal information or try to escalate privileges. They can also bring in techniques to alter API calls, like adding users, deleting users, or changing permission details and flows to allow access to data that is important from the company’s perspective. Typical of such exploits are approaches such as forceful browsing in which, for example, they try to incrementally change URLs to be able to access unauthorized API endpoints.
2: Side-channel Attacks: Side-channel attacks in a cloud environment can be incredibly sophisticated. It’s like monitoring cache usage patterns on shared hardware to recover encryption keys or any other sensitive data. For example: Using the duration of a given operation, an attacker can be able to gauge the size of data and further use statistical analysis to identify encryption keys or hidden operations in the M365 environment. To perform this kind of attack, one would need a strong knowledge of hardware architecture and software implementation, therefore stressing the importance of strong isolation practices in multi-tenant architectures.
3: Token Theft & Forgery: Attackers can steal or forge authentication tokens to gain unauthorized access to cloud resources. In the case of M365, this can be the theft of OAuth tokens from applications that are compromised or the forgery of SAML tokens by compromising key components like identity providers.
4: Exploitation of Configuration Flaws : Configuration errors are a common target in cloud environments. Concerning M365, this could mean exploiting misconfigured Conditional Access Policies or Directory Permissions, hence allowing later movement with higher privilege or without alerting in those sensitive areas.
5: Phishing and Credential Stuffing: Phishing attacks make up a significant volume of the methodology that attackers use to exfiltrate credentials, often forming the basis of an attack on M365 environments. In credential stuffing, attackers use already-stolen data to log into users’ accounts on other services, capitalizing on the prevalence of password reuse.
6: Zero-day Exploits: Zero-day exploits take advantage of software vulnerabilities of which even the software maker or the antivirus vendors have no knowledge. In the context of M365, this could mean leveraging a security model loophole in SharePoint Online to run arbitrary JavaScript in a user’s session and gain unauthorized access to sensitive documents or data. Their extreme infiltration power arises because zero-day attacks can move undetected until unleashed, without any disturbances to attackers infiltrating systems and stealing data.
7: Cross-Tenant Data Leakage: Attacks in multi-tenant clouds can exploit weak isolation mechanisms between tenants. For example, a misconfiguration of Azure Active Directory can allow an attacker to steal sensitive information belonging to other tenants via tenant enumeration. Another form of cross-tenant information leakage can occur due to shared resources, such as the data cache that isn’t cleared before being used to store private information from another tenant.
8: Supply Chain Compromise: For a supply chain attack against Microsoft 365, the attacker would need to compromise a widely used third-party service or application that integrates with M365. Imagine the same project management tool that most enterprises are using but having an M365 plugin to synchronize tasks. If the updating mechanism of the tool was compromised, an attacker could distribute a malicious update that would, after being downloaded and applied, install a backdoor for use. That backdoor might allow them to run remote commands, access sensitive data in M365, or propagate laterally into other parts of the organization’s network.
9: Cloud Hopping: The inter-connected nature of cloud services is exploited by cloud hopping, where every compromise makes it easier to penetrate numerous environments. An attacker may compromise a third-party cloud service, which lacks good security but has already established trust relationships with the target’s M365 environment. It might lead to penetration of unauthorized access to M365 without direct intrusion through the process of exploiting the connections. For example, the attacker can compromise a cloud-based accounting application that has access to M365 for invoice processing, and use this to inject malicious code to steal the credentials or sensitive financial documents from M365.
10: Subdomain Takeover: A subdomain takeover is when a miscreant takes advantage of abandoned or misconfigured DNS settings for the subdomains used within M365. A typical example is an abandoned service endpoint, where attackers can identify subdomains pointing to services that have been decommissioned or are not in use anymore, for example, a staging server for a web application. They register the service endpoint that has been abandoned so that they can point the subdomain to a server under their control. In this way, it is quite feasible to perform phishing attacks under the cover of a real company’s domain, increasing substantially the chances of stolen credentials.
11: Pass-the-cookie Attacks: These are similar to token theft where they steal session cookies that authenticate users to cloud services. In an M365 environment, attackers can use stolen cookies to impersonate legitimate users, gaining access without needing the user’s password.
12: Office 365 Account Backdoors: Once inside, attackers could create new accounts or compromise existing ones. For example, by adding mail forwarding rules to email accounts to assure that access is maintained when an original entry point is discovered and remediated. Such attacks also include the modification of Exchange Online rules to intercept or manipulate email communications.
13: AI-Powered Attacks AI: AI and Machine Learning driven attacks allow hackers to fully automate complex tasks, ranging from the optimization of the timing of phishing attacks (based on user activity patterns) to the crafting of really advanced spear-phishing emails. For instance, machine learning models trained on breached-source data could make predictions about what types of passwords were likely in use in an organization, yielding immense efficiency gains in credential-stuffing attacks. But attackers would also set AI systems loose to modify attack vectors on the fly, adapting to defenses almost instantly and evading classic security tools based on signatures or patterns.
14: Memory Scraping and Credential Dumping: Memory scraping and credential dumping in cloud environments are generally aimed at cloud servers where many user sessions are executed concurrently. Then, the attacker would make use of Mimikatz or an equivalent variant malware to collect any plaintext passwords, hash values, and even encryption keys found within the server memory that they had access to. This can work very effectively if the isolation between user processes is poor and, in that case, one process compromised in a user session can read the contents of memory from another.
15: Man-in-the-Cloud Attacks: Man-in-the-cloud attacks make use of data synchronization processes that have become a part of each of the cloud services. For example, an attacker could intercept a synchronization token in use by a Cloud Storage service like OneDrive (embedded into M365). Armed with that token, the attacker can proceed to synchronize malware into the user’s devices or alter the content of the synchronized files without the user being alerted.
These techniques are used in multifaceted exercises like those conducted by advanced persistent threat (APT) actors, including UNC2452. These techniques highlight the need for strong security measures like multi-factor authentication, least privilege access models, auditing of configurations and permissions, and appropriate training on social engineering and phishing. Similarly, anomaly detection and response tactics are critically important for fast discovery and quick mitigation of such advanced attacks.
Best Practices to Ensure Microsoft 365 Security
In recent times, with the rising volume of cyber threats, there is a need for organizations to enhance their cybersecurity postures. Microsoft 365 offers protection against such threats through a set of characteristics using advanced security measures and compliance tools.
What Is Microsoft Security Copilot? A Full-Fledged Guide
Here is how some advanced Microsoft 365 features could help prevent the types of cyber-attacks previously described, aimed at a savvy audience.
1: Advanced Threat Protection (ATP)
Microsoft 365 Advanced Threat Protection offers the best protection against advanced cyber attacks, including phishing, ransomware, and other malware. Features of ATP include:
Safe Attachments: This inspects email attachments for malware before reaching the recipient’s inbox and successfully quarantines such malicious files.
Safe Links: Real-time scanning and verification of links in emails and documents mitigate phishing campaigns by blocking access to malicious websites.
Anti-phishing Policies: Anti-phishing in M365 ATP uses machine learning and impersonation detection to catch and block phishing.
2: Azure Active Directory (Now, ENTRA ID) & Conditional Access
Azure AD, with Conditional Access policies, can really help combat credential theft and unauthorized access since it is a cloud-based service for identity and access management.
✅ Multi-Factor Authentication (MFA): MFA should be implemented in a way to prevent unauthorized access even if the credentials are compromised.
✅ Information Protection and Governance.
✅ Conditional Access Policies can allow or deny access, depending on the user, location, state of the device, and sensitivity of the application, hence giving fine-grained control over who can access what.
✅ Azure Information Protection: It classifies documents and emails, and they are labelled with protection actions, such as encryption or access restrictions.
✅ Data Loss Prevention (DLP): DLP policies prevent inappropriate disclosure of sensitive information outside of your organization.
3: Secure Score
It measures the security posture of your organization that you get from an analysis of your organization’s configurations and activities in all the M365 services. It provides recommendations to increase your score and subsequently improve your security.
4: Microsoft Endpoint Manager
It brings the services of Intune together with Configuration Manager, managing and securing the devices that access data from your organization.
5: Compliance Policies for Devices
Compliance Manager ensures devices comply with your security standards before allowing them access to corporate data.
6: Application Protection Policies
It’s for the protection of data within managed applications, for example, by using data encryption, which prevents the security flaws originating from the copy-paste options of data.
7: Defender for Microsoft 365
Formerly Office 365 ATP, Defender is the security service purposely built to span all attack scopes across email, collaboration, or link-related attacks and allows accurate detection, investigation, and response to any advanced threat.
8: Compliance Manager
This tool helps you operationalize your organization’s compliance posture with a score based on a risk-based model and further provides you with insights and recommendations toward strengthening data protection and compliance. All in all, the plethora of security and compliance features associated with Microsoft 365 can be tuned and customized to provide a stronghold of protection against any modern cyber threat out there. Advanced Threat Protection, secured access with Azure AD and Conditional Access, data encryption, and endpoint management with compliance are all ways that an organization can greatly mitigate risks associated with cyberattacks. However, to maximize these benefits, you need specialized M365 skills and experience.
Licensing Updates to Microsoft 365
A good professional cybersecurity service enables proactive cybersecurity allowing you to defend against real-world and future threats, without having to rely on your in-house teams.
Why WME is the M365 Security Partner You Need
✔ World-Class Expertise: The WME team is highly qualified, having certifications in M365 and deep expertise in optimizing your security posture.
✔ Proactive Threat Hunting: Our well-versed experts go beyond just threat detection and hunt for hidden enemies in advance.
✔ 24/7 Vigilance: Continuous monitoring that gives you complete assurance of the security of your M365 environment even after business hours.
✔ Proven Incident Response: We have a successful track record in rapid incident response to mitigate the damage done by security breaches.
✔ Compliance Navigation: WME supports your organization in compliance with even the most complex regulations and M365 configuration standards in the industry.
✔ Focus on Your Core Business: Our managed services free up your internal IT teams to focus on strategic initiatives.
✔ Cost-effective Security: WME precludes costly cyber threats. We provide cost-saving measures and maximize returns on the investment.
✔ Customized Solutions: Our M365 security services are customized to your business, needs, and objectives.
Windows Management Experts
Now A Microsoft Solutions Partner for:
✓ Data & AI
✓ Digital and App Innovation
✓ Infrastructure
✓ Security
The Solutions Partner badge highlights WME’s excellence and commitment. Microsoft’s thorough evaluation ensures we’re skilled, deliver successful projects, and prioritize security over everything. This positions WME in a global tech community, ready to innovate on the cloud for your evolving business needs.
