Microsoft Office 365 is becoming the core of many businesses. And hackers have noticed

mood · Aug 7, 2020

Microsoft Office 365 is becoming the core of many businesses. And hackers have noticed
As cloud-based services become the key to many business operations, hackers are refocusing their aim
August 7, 2020
https://www.zdnet.com/article/micro...-of-many-businesses-and-hackers-have-noticed/

As the use of Microsoft's Office 365 grows – encompassing services including Exchange, Teams, SharePoint, OneDrive and more –the sheer amount of data stored in the cloud is proving to be a tempting target for some of the most sophisticated hacking operations in the world, according to cybersecurity researchers at FireEye Mandiant.

"The amount of data in Office 365 is just huge and attackers are obviously interested in data. But also they can now access that data from pretty much anywhere in the world," Doug Bientock, principal consultant at Mandiant told ZDNet, ahead of the research being presented at the Black Hat USA security virtual conference.
"Office 365 is also a gateway for organisations to access other applications as a single sign-on platform," Bienstock explained.
Click to expand...

It's believed that a significant majority of – if not all – state-backed advanced persistent threat (APT) groups are interested in deploying this kind of attack, but one that definitely has is APT35, a hacking operation working out of Iran, which Madeley described as "notorious" for exploiting cloud services to gain access to the sensitive information it wants to see.

"They'll gain access to your Office 365 environment then use the security tooling to search the contents of every mailbox, every Teams chat, every SharePoint document," he explained.
Click to expand...

mood · Aug 7, 2020

Hack involving Microsoft Office 365 accounts
Scholarship America Provides Notice Of Data Security Incident
August 6, 2020
https://www.prnewswire.com/news-rel...tice-of-data-security-incident-301108112.html

Scholarship America, a nonprofit organization that manages scholarship and tuition assistance programs for different organizations, is providing notice to individuals impacted by the exposure of certain personal information.

On or about April 28, 2020, Scholarship America's internal IT security processes detected suspicious activity within its email system which triggered security protocols. Upon discovery, Scholarship America took immediate action to shut down unauthorized access and remediate the problem.
The investigation confirmed that the impact of this incident was limited to certain Microsoft Office 365 email accounts, and that no other systems or servers within the Scholarship America IT network were impacted, including where student applications and program information are stored.
Click to expand...

mood · Oct 13, 2020

Office 365: A Favorite for Cyberattack Persistence
October 13, 2020
https://threatpost.com/office-365-persistent-cyberattacks/160010/

Threat actors are consistently leveraging legitimate services and tools from within Microsoft Office 365 to pilfer sensitive data and launch phishing, ransomware, and other attacks across corporate networks from a persistent position inside the cloud-based suite, new research has found.

Office 365 user account takeover – particularly during the COVID-19 pandemic with so many working from home – is one of the most effective ways for an attacker to gain a foothold in an organization’s network, said Chris Morales, head of security analytics at Vectra AI.
From there, attackers can move laterally to launch attacks, something that researchers observed in 96 percent of the 4 million Office 365 customers sampled between June to August 2020. The company revealed the findings of this research in a 2020 Spotlight Report, released Tuesday.

“We expect this trend to magnify in the months ahead,” Morales said in an email interview with Threatpost.
Click to expand...

Cybercriminal Tactics
Researchers found three key features of the suite that attackers exploit to take over accounts and go on to perform a variety of attacks: OAuth, Power Automate and eDiscovery.

“OAuth is used for establishing a foothold, Power Automate is used for command and control and lateral movement, and eDiscovery is used for reconnaissance and exfiltration,” Morales told Threatpost.
Click to expand...

mood · Oct 26, 2020

Attackers finding new ways to exploit and bypass Office 365 defenses
October 26, 2020
https://www.helpnetsecurity.com/2020/10/26/exploit-and-bypass-office-365-defenses/

Over the six-month period from March to August 2020, over 925,000 malicious emails managed to bypass Office 365 defenses and well-known secure email gateways (SEGs), an Area 1 Security study reveals.
How criminals bypass Office 365 defenses
Attackers increasingly use highly sophisticated, targeted campaigns like business email compromise to evade traditional email defenses, which are based on already-known threats.

Attackers also often use Microsoft’s own tools and branding to bypass legacy defenses and email authentication (DMARC, SPF, DKIM).
In one example where a customer layered Office 365 with an SEG, more than 300,000 malicious messages were still missed [...]
Click to expand...

While Microsoft continues to make Office 365 security improvements and can even exceed the best anti-spam and antivirus providers, cyber threat actors have evolved accordingly. For example, Area 1 has intercepted a number of credential harvesting phish exploiting cloud tools like Microsoft SharePoint and Microsoft Planner.
Attackers adopting cloud suites to launch phishing campaigns
As noted in the Gartner 2020 Market Guide for Email Security,

“As organizations move to cloud email, it’s easier for attackers to target users with phishing attacks posing as log-in screens in order to harvest credentials. They then use those credentials to launch further account-takeover-based attacks that can include other collaboration tools. Organizations need to ensure that both internal and external email is secured as well as collaboration tools that are being used.”
Click to expand...

mood · Nov 18, 2020

Office 365 phishing campaign detects sandboxes to evade detection
November 17, 2020
https://www.bleepingcomputer.com/ne...ampaign-detects-sandboxes-to-evade-detection/

Microsoft is tracking an ongoing Office 365 phishing campaign that makes use of several methods to evade automated analysis in attacks against enterprise targets.

"We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defense evasion and social engineering," Microsoft said.
Custom subdomains and automated redirection to legitimate domains
One of the evasion tactics utilized in this credential theft attack is the use of redirector URLs with the capability to detect incoming connections from sandbox environments commonly used by security researchers to gain more info about the attack.

This allows the phishers to make sure that their phishing pages will only be visited by real users, thus drastically lowering the chance of getting their attacks blocked and increasing the odds of real people being lured to their phishing sites.
Click to expand...

Innovative evasion tactics
Earlier this month another Office 365 phishing campaign was detected while inverting images used as backgrounds for landing pages to avoid getting flagged as malicious by web crawling engines used to spot phishing sites.
The phishing kit designed to use that novel tactic automatically reverts the backgrounds using Cascading Style Sheets (CSS) to revert to the original backgrounds of the Office 365 login pages they're trying to mimic.
Click to expand...

mood · Dec 8, 2020

Spearphishing Attack Spoofs Microsoft.com to Target 200M Office 365 Users
December 8, 2020
https://threatpost.com/spearphishing-attack-spoofs-microsoft-office-365/162001/

A spearphishing attack is spoofing Microsoft.com to target 200 million Microsoft Office 365 users in a number of key vertical markets, including financial services, healthcare, manufacturing and utility providers.

Researchers at Ironscales discovered the campaign targeting several thousand mailboxes at nearly 100 of the email security firm’s customers, Lomy Ovadia, Ironscales vice president of research and development, said in a report posted online Monday. Other industries being targeted including telecom and insurance companies, he said.
Click to expand...

The attack is comprised of a realistic-looking email that attempts to persuade users to take advantage of a relatively new Office 365 capability that allows for them to reclaim emails that have been accidentally marked as spam or phishing messages, according to the report. The messages come from sender “Microsoft Outlook.”
Click to expand...

Ironscales: Microsoft O365 Fails to Block Spoofed Emails Sent from Microsoft.com

The 200 million Microsoft Office 365 (O365) users worldwide are now being targeted by a new global spear-phishing attack spoofing Microsoft.com. Two weeks ago, IRONSCALES researchers first identified what we can now confirm to be a well-coordinated email spoofing campaign targeting O365 users particularly within the financial services, healthcare, insurance, manufacturing, utilities, and telecom industries, among others.

Specifically, the fraudulent message is composed of urgent and somewhat fear-inducing language intended to convince users to click on what is a malicious link without hesitation.
Click to expand...

mood · Dec 16, 2020

Microsoft Office 365 Credentials Under Attack By Fax ‘Alert’ Emails
December 14, 2020
https://threatpost.com/microsoft-office-365-credentials-attack-fax/162232/

Researchers are warning of a coordinated phishing attack that targeted “numerous” enterprise organizations last week.

The attackers behind the attack leveraged hundreds of compromised, legitimate email accounts in order to target organizations with emails, which pretended to be document delivery notifications. In reality, the phishing attack stole victims’ Office 365 credentials.

“The widespread use of hundreds of compromised accounts and never-seen-before URLs indicate the campaign is designed to bypass traditional threat intelligence solutions accustomed to permitting known but compromised accounts into the inbox,” said researchers with Abnormal Security, in a Monday analysis.
Click to expand...

Here, “the attacker attempts to legitimize the campaign with official-looking landing pages similar to those used by eFax,” said researchers.
Click to expand...

Abnormal Security: Widespread ‘Doc(s) Delivery’ Spear-Phishing Campaign Targets Enterprises with Hundreds of Compromised Accounts

If the employee clicks “View Documents” on the landing page, they are taken to a credential phishing page that attempts to steal their O365 credentials.
As noted above, the attackers are using more than one landing page template in an attempt to steal credentials.

The volume, recency and spread of phishing attempts across numerous employees and organizations indicates the attackers are determined in their efforts.
Click to expand...

Log in or Sign up

Microsoft Office 365 is becoming the core of many businesses. And hackers have noticed

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

Log in or Sign up

Microsoft Office 365 is becoming the core of many businesses. And hackers have noticed

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

Useful Searches