Sometimes when we talk about cybersecurity, it can feel a little intangible, with theory tending to dominate what we read about it. Therefore, learning from real-life instances can often be the best education. Thus, the security operations center (SOC) team of analysts at AT&T Cybersecurity makes it a priority to share certain security incidents for the greater cybersecurity community to learn from. The following story is an actual security incident uncovered by AT&T Cybersecurity SOC analysts. It is part of a larger series that aims to provide insight from the frontline of cybersecurity, including what triggered alarms for indicators of compromise, the investigation process, the APT actors behind the attack and the responses and defense tactics to remediate the threat.
Welcome to Tales from the SOC.
This second story focuses on an Office 365 threat discovered by the AT&T Cybersecurity Managed Threat Detection and Response SOC analyst team. This is a threat that many other organizations may experience. The team was alerted to several alarms after a customer’s user attempted to send an excessive number of emails, resulting in these emails being blocked within Microsoft Office 365. However, upon further inspection, there was more to the incident than meets the untrained eye... it turned out to be an account compromise and credential abuse attack.
Initially, when analyzing the user’s login behavior, the team discovered abnormal activity as the individual was using foreign IPs outside the user’s typical location when logging in. At this stage, the incident was contained, and the team initiated an investigation into all the activities and systems accessed by this user while engaging with the customer and remediating the compromise before the threat escalated.
In total, three alarms were raised, and these were triggered by three further security incidents: credential abuse, anomalous user behavior and security policy violation from Office 365 activity.
For organizations of any size, credential abuse and compromised user accounts are dangerous threats as they could have a wide and negative impact. Hackers will typically use the credential abuse attack method to gain access to other critical assets within an organization’s architecture and exploit its subsidiaries and partners. Additionally, when criminals compromise an account, it can be leveraged to either exfiltrate data or continue infiltrating other systems.
Hackers will also look to exploit the internal email accounts of legitimate organizations to distribute phishing emails to acquire more information and accounts to steal. Threat actors have even been known to set up inbox rules to have sensitive emails forwarded to accounts owned by the hackers externally.
"Threat actors have even been known to set up inbox rules to have sensitive emails forwarded to accounts owned by the hackers externally"
Dissecting the Triggers for the Three Alarms
Alarm 1 – Credential Abuse:
Upon further investigation, the credential abuse alarm was raised after 12 instances of successful login attempts made from a foreign country and the United States, all within 24 hours. This was unusual as previously, the user had never tried to log in from anywhere else except the United States.
Open-source intelligence (OSINT) tools were then utilized to better understand the foreign IPs, and it was revealed that the IPs belonged to a foreign telecommunications company that had been previously blacklisted. Tools like OSINT are vital during investigations as they can help ascertain ownership, location, history of abuse and malicious activity surrounding an IP address or domain.
Alarm 2 – Anomalous User Behaviour:
The anomalous user behavior alarm was raised because an excessive number of outbound emails were generated in Outlook 365. In fact, the logs showed 53 outbound emails had been sent in the 24-hour period from the foreign IP address – this was a 1000% increase for this individual.
At this point, the intrusion prevention system (IPS) came into action and put on restrictions to prevent the user from sending emails. The systems also sent another alarm on the network to request a review of this suspicious activity. Having IPS is critical, especially in this scenario, as it stopped the possibility of data being exfiltrated from the compromised email account.
Alarm 3 – Security Policy Violation:
The final alarm sounded was the security policy violation which warned that there was potential Office 365 abuse and email restriction due to irregular login activity by the user. Due to the odd login location, the number of login successes and failures, and the resulting email activity from the IP addresses, the system escalated the threat, which notified the security team.
Scanning for Further Compromise
As with any cyber-attack, system scanning needs to be conducted to ensure no further compromise of systems. The AT&T Managed Threat Detection and Response analyst team increased all search ranges to cover a 30-day timespan to detect any other suspicious activity. Thankfully, the searches and extended log activities did not uncover any further signs of compromise.
Once the investigations were complete and the information correlated, the customer was contacted to inform them of the findings in accordance with their incident response plan (IRP). Once the facts were explained, the customer contained the threat by isolating the affected assets and revoking the user’s account credentials.
Fortunately, the customer had some important and necessary security tools in place that helped to identify this Office 365 compromise before it impacted the entire system. Organizations are also advised to deploy multi-factor authentication (MFA) and geofencing to reduce the threat. Furthermore, security best practices pertaining to password and account usage should be followed, including using different passwords for accounts and refraining from using work emails for non-work purposes or accounts.