The Value of a Compromised Cloud Account

With more than 250 million monthly users, it’s easy to understand why attacks targeting Office 365 cloud accounts are one of the fastest-growing security concerns. Even before the COVID-19 crisis, cyber-criminals discovered the value of a compromised cloud account - the sudden shift to remote working simply accelerated this trend.

Microsoft is now the most imitated brand for phishing (other SaaS providers rank pretty high in the chart too), and in general SaaS/Webmail continue to be the most targeted vertical in Q2 2020.

Data is moving to the cloud, and so are the cyber-criminals

A compromised Office 365 account is a coveted target for malicious actors because it offers multiple ways to profit. The most obvious is direct access to the information stored in the victim's mailbox and files, and from there lateral movement to other members of the same organization.

Migration to the cloud has accelerated due to more workers needing to access corporate data from any device and any location. As a result, the valuable information that the criminals want is now in the cloud. Yet there are other ways that attackers can take advantage of a compromised account.

An emerging trend is the use of compromised legitimate email accounts to carry out Business Email Compromise (BEC) attacks. These attacks (also known as CEO or CFO fraud) target the accounts of high-profile company executives and use them to issue fake payment instructions. Sending the wiring instructions from a legitimate email address is fundamental to tricking the victim into transferring funds to the attacker's account.

Attackers, especially state-sponsored actors, are getting even more creative and sophisticated by aiming to compromise the email infrastructure of an organization to target the organization itself, or use the compromised entity to launch other campaigns.

For example, if an admin account is taken over, the threat actors can install web shells to scrape user credentials directly from the OWA (Outlook Web Access) interface, or use the same email infrastructure as a relay and command-and-control point.

Recent research from Accenture confirmed the increasing exploitation of cloud services for these purposes, and as the report states: “Web-facing, data-intense systems and services that typically communicate externally can make it easier for adversaries to hide their traffic in the background noise, while authentication services could open up a credential harvesting opportunity for cybercriminals.”

And this is without considering another important aspect: email traffic is the ideal channel for data exfiltration. Not only is it hidden in the background noise, it is also permitted through the security gateways (at least it was when the world was different and users connected primarily from corporate networks).

Even without reaching similar levels of sophistication, compromised email accounts are also used in opportunistic attacks by financially motivated criminals. In these attacks the phishing email originates from a legitimate address, which is no minor detail when it comes to bypassing the controls enforced by email security gateways: sender reputation, SPF, DKIM and DMARC all check out because the message really was sent by that domain.

Another reason that Office 365 is so attractive to attackers is that it offers multiple services that can be used to launch malicious campaigns against other targets. OneDrive, SharePoint, and even Sway are examples of cloud services within the Microsoft 365 suite that can be abused to deliver malware or to host phishing pages. This technique is particularly evasive from a detection standpoint, and successful from an attacker's perspective.

A recent study has revealed that in the first half of 2020, 5.9 million email messages with malicious SharePoint and OneDrive links were detected. While these messages made up about one percent of the total sample of messages with malicious URLs, they represented more than 13% of user clicks. On average, users were nearly seven times more likely to click on malicious links hosted on SharePoint/OneDrive (four times more likely in the case of SharePoint, and 11 times more likely for OneDrive). It's no coincidence that OneDrive continues to be the preferred cloud service for distributing malware.

Numbers don't lie and, as I mentioned in a previous blog post, the implicit trust users place in the cloud service provider is exactly what cloud-native threats exploit. Users feel much more comfortable when they see a familiar domain and a valid certificate for a Microsoft domain which, in the case of Office 365 phishing campaigns, is also the impersonated brand. Things are worse if the domain belongs to a (compromised) legitimate organization.

Mitigating the Risk of Account Takeovers

A complex problem with a simple solution, at least in theory. According to Microsoft, turning on Multi-Factor Authentication (MFA) on Office 365 can prevent up to 99.9% of account takeovers. Unfortunately, in practice it is rarely turned on: a recent survey has shown that 78% of Microsoft 365 administrators don't enable MFA.

Even when enabled, MFA is not effective against OAuth phishing (also called consent phishing), a variant where the phishing page never asks for the password at all: it sends the victim to the identity provider's legitimate consent prompt for a malicious application registered by the attacker. The victim signs in (and satisfies MFA) on the real login page, clicks Accept, and the application obtains an access token, and usually a refresh token, on the attacker's behalf. The token grants the permissions the application requested, such as reading the contact list and the mailbox. It is the same principle used when you log in to a third-party service with your Google account, and because the grant is tied to the application rather than to the login session, the access persists until the grant is revoked.

For this reason, in addition to MFA, it is recommended to continuously monitor the cloud environment (for example via a Cloud Access Security Broker) to detect anomalies and suspicious activities, including consent grants to unfamiliar applications, and to support the incident response team in the remediation process.
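The two points above, the consent-phishing link that sidesteps MFA and the monitoring that catches the resulting grant, can both be illustrated with a small triage script. The following is an added example written for this page; it is not code from the article, from Microsoft or from any CASB product. It assumes the Microsoft identity platform's /oauth2/v2.0/authorize query parameters (client_id, scope, redirect_uri, prompt) and grant records shaped like the oauth2PermissionGrant objects returned by Microsoft Graph or Get-AzureADOAuth2PermissionGrant (clientId, consentType, principalId, scope). The consent URL, client IDs and grants in it are constructed sample data.

```python
"""Consent-phishing triage for Microsoft 365 (added example, not the article's code).

Assumptions: authorize links use the Microsoft identity platform's
/oauth2/v2.0/authorize query parameters (client_id, scope, redirect_uri,
prompt); grant records are dicts shaped like oauth2PermissionGrant objects
(clientId, consentType, principalId, scope) as returned by Microsoft Graph
or Get-AzureADOAuth2PermissionGrant. All sample data below is constructed.
"""
from urllib.parse import parse_qs, urlparse

# Delegated scopes that give an attacker's app durable, MFA-independent reach.
RISKY_SCOPES = {
    "offline_access": "refresh token: access outlives the browser session",
    "Mail.Read": "read the whole mailbox",
    "Mail.ReadWrite": "read, alter and delete mail",
    "Mail.Send": "send mail as the victim (BEC, internal phishing)",
    "MailboxSettings.ReadWrite": "create forwarding and inbox rules",
    "Contacts.Read": "harvest the address book for the next wave",
    "Files.Read.All": "read OneDrive and SharePoint content",
    "Files.ReadWrite.All": "host payloads in OneDrive and SharePoint",
}
MAILBOX_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}
AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.windows.net"}


def parse_authorize_url(url):
    """Return the OAuth parameters of a Microsoft authorize link, or None if it is not one."""
    u = urlparse(url)
    if u.hostname not in AUTHORIZE_HOSTS or not u.path.endswith("/authorize"):
        return None
    q = parse_qs(u.query)

    def first(key):
        return q.get(key, [""])[0]

    return {
        "client_id": first("client_id"),
        "scopes": set(first("scope").split()),  # space-separated after URL decoding
        "redirect_uri": first("redirect_uri"),
        "prompt": first("prompt"),
    }


def score_scopes(scopes):
    """Map requested scopes onto RISKY_SCOPES, tolerating the full-URI form."""
    hits = {}
    for s in scopes:
        short = s.rsplit("/", 1)[-1]  # https://graph.microsoft.com/Mail.Read -> Mail.Read
        if short in RISKY_SCOPES:
            hits[short] = RISKY_SCOPES[short]
    return hits


def assess_consent_url(url, known_clients=frozenset(), trusted_redirect_domains=frozenset()):
    """Findings for a link lifted from a suspicious email; [] if not an authorize link or nothing unusual."""
    p = parse_authorize_url(url)
    if p is None:
        return []
    findings = []
    hits = score_scopes(p["scopes"])
    if hits:
        findings.append("risky delegated scopes: " + ", ".join(sorted(hits)))
    if "offline_access" in hits and set(hits) & MAILBOX_SCOPES:
        findings.append("mailbox access with refresh token: survives logout and is not stopped by MFA")
    host = urlparse(p["redirect_uri"]).hostname or ""
    if not any(host == d or host.endswith("." + d) for d in trusted_redirect_domains):
        findings.append(f"redirect_uri host not trusted: {host!r}")
    if p["client_id"] and p["client_id"] not in known_clients:
        findings.append(f"unknown client_id {p['client_id']}")
    if p["prompt"] == "consent":
        findings.append("prompt=consent forces the consent screen even for previously seen apps")
    return findings


def review_grants(grants, approved_clients=frozenset()):
    """Flag user-consented grants (consentType 'Principal') to unapproved apps with risky scopes.

    Returns (principalId, clientId, sorted risky scopes) per flagged grant, so the
    result can feed a CASB/SIEM alert or a revocation run.
    """
    flagged = []
    for g in grants:
        if g["clientId"] in approved_clients or g["consentType"] != "Principal":
            continue
        hits = score_scopes(g["scope"].split())
        if hits:
            flagged.append((g["principalId"], g["clientId"], sorted(hits)))
    return flagged


# --- constructed sample input (placeholder client IDs and domains) ---------
SAMPLE_CONSENT_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example%2Fcb"
    "&scope=openid%20offline_access%20Mail.Read%20Contacts.Read&prompt=consent"
)
SAMPLE_GRANTS = [
    {"clientId": "sp-approved-mail-app", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.ReadWrite offline_access"},
    {"clientId": "sp-docs-share", "consentType": "Principal", "principalId": "user-cfo",
     "scope": "openid offline_access Mail.Read Contacts.Read"},
    {"clientId": "sp-todo", "consentType": "Principal", "principalId": "user-eng",
     "scope": "User.Read"},
]

if __name__ == "__main__":
    for f in assess_consent_url(SAMPLE_CONSENT_URL, trusted_redirect_domains={"microsoft.com"}):
        print("link:", f)
    for principal, client, scopes in review_grants(SAMPLE_GRANTS, approved_clients={"sp-approved-mail-app"}):
        print(f"grant: {principal} consented {client} to {scopes}")
```

The link check is what a mail-security analyst runs over URLs extracted from a reported message: a legitimate login.microsoftonline.com host is not a clean bill of health when the scopes and redirect_uri say otherwise. The grant review is the monitoring side; an admin-consented (AllPrincipals) grant to an approved app is skipped, while a user-consented grant with mailbox scopes plus offline_access to an unknown app is exactly the artefact a consent-phishing campaign leaves behind and the one to revoke first.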

Finally, user education continues to play a central role in preventing account takeovers. The perimeter has moved from the organization to the user, and although security technologies are adapting to this new normal (the SASE paradigm moves the security controls to the edge that connects the user with the target application), being able to spot the misplaced details that reveal the malicious intent of an email or a phishing page remains good advice.
