Frequently Asked Question

O365 Account Compromise
Last Updated 8 months ago

Microsoft O365 Account Compromise

Whilst many companies rely on O365 for their daily operations, the platform introduces inherent risks through the data it holds and the ease with which logon credentials can be extracted, stolen or bypassed. Wide adoption makes Microsoft a high-value target as a platform, and the pool of bad actors developing exploits and running phishing campaigns against it is extensive.

Compromise

80% of account compromises are due to human error, whether weak passwords, poorly implemented MFA, successful phishing, social engineering or poor endpoint security. Cybercriminals send billions of phishing emails daily, leveraging automation and AI to increase their success in bypassing security defences and tricking users.

Poorly managed O365 tenants suffer from privilege sprawl and misconfigured access policies, which combine to create exploitable gaps and loopholes. This is common and leads to tenant-wide risk.

Credential harvesting is a method involving man-in-the-middle (MitM) and adversary-in-the-middle (AiTM) campaigns, and fake OAuth apps, used to intercept and obtain MFA tokens.

Features like 'Direct Send' and 'Teams' are exploited to allow unauthenticated internal email sending or messaging, enabling spoofed phishing campaigns to bypass external filters. 

Complexity is a major factor: the O365 admin console is a convoluted experience, with information spread across numerous other consoles, which makes it increasingly hard for organisations to monitor and audit more complex environments.

Consequences

Once an account is compromised, the consequences are:

  • Data Theft: Attackers can access sensitive emails, files (OneDrive, SharePoint), personal information, and use it for identity theft, fraud, or further attacks.
  • Account Takeover: The attacker can change passwords, security settings, and recovery options to lock out the legitimate user.
  • Malware and Phishing: The compromised account can be used to spread malware or phishing emails to contacts, potentially compromising others and spreading malicious payloads.
  • Unauthorised Access to Other Services: If the account credentials are used across multiple services, attackers may gain access beyond Microsoft 365, including banking or social media accounts.
  • Disruption: Email forwarding or mailbox rules may be altered to intercept or delete emails, disrupting communications.
  • Wider Organisational Impact: If admin accounts are compromised, attackers can access the entire Microsoft 365 tenant, affecting all users, potentially capturing sensitive organisational data or encrypting files for ransom.
  • Reputational Damage and Legal Issues: There may be insurance claims, legal investigations, and a need for reputation rebuilding following a breach.
  • Deliverability Issues: If the accounts are used to send spam and phishing, the domain will likely be blocked wholesale by many providers, whilst others will rank it as suspect or a risk.

Recovery

Immediate steps after detection typically include resetting passwords, removing admin roles, signing out all sessions, disabling forwarding and mailbox rules, enabling MFA, and scanning user devices for malware. 

Organisations often use third-party audit logs and security tools to investigate and contain the damage.
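The immediate containment steps listed above can be carried out from PowerShell. The script below is an added example, not GEN's own tooling; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the operator holds the admin roles those cmdlets require, and `$Upn` is a placeholder for the compromised account's user principal name. The inbox rules are exported before they are disabled, because the rules themselves are evidence of what the attacker was doing.

```powershell
# Added example (not GEN's own tooling): first-hour containment of one compromised
# Microsoft 365 user. Assumes the ExchangeOnlineManagement and Microsoft.Graph modules
# are installed and the operator holds the admin roles those cmdlets need.
# $Upn is a placeholder for the compromised account's user principal name.
param(
    [Parameter(Mandatory)] [string] $Upn   # e.g. 'user@example.com' (placeholder)
)

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.Read.All', 'RoleManagement.ReadWrite.Directory'
$user = Get-MgUser -UserId $Upn

# 1. Reset the password to a random value and force a change at next sign-in.
$chars = [char[]]((48..57) + (65..90) + (97..122))
$newPassword = -join ($chars | Get-Random -Count 24)
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}

# 2. Invalidate refresh tokens so every existing session (web, mobile, Outlook) must re-authenticate.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Strip directory (admin) roles; the names are written out first so they can be
#    restored deliberately once the investigation is complete.
Get-MgUserMemberOf -UserId $user.Id |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object {
        Write-Host "Removing role: $($_.AdditionalProperties['displayName'])"
        Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $_.Id -DirectoryObjectId $user.Id
    }

# 4. Clear mailbox-level forwarding, which survives a password reset.
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# 5. Preserve and then disable every inbox rule; attacker rules typically forward, redirect
#    or delete mail so the victim never sees replies to the phishing sent in their name.
$rules = Get-InboxRule -Mailbox $Upn
$rules | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder |
    Export-Csv -Path ".\$($Upn)-inboxrules.csv" -NoTypeInformation
$rules | Where-Object Enabled | Disable-InboxRule -Confirm:$false

# 6. MFA is enforced through a Conditional Access policy or security defaults in Entra ID,
#    not per user here; require the user to re-register authentication methods at the same time.
```

Run it once per affected account; the sessions revoked in step 2 can take a few minutes to expire across every client, so the password reset in step 1 must come first.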

Notification

You should immediately mailshot all regular contacts and inform them of the breach, asking them to carry out their own risk assessments to ensure that successful phishing hasn't already taken place. For key accounts, call them.

In any subsequent legal action, a clear record of your actions, including swift notification, is a valuable mitigation.

Assessment

An O365 account compromise has major consequences, and a thorough, urgent response is essential to mitigate the damage and prevent the breach propagating further. Once the tenant has been secured, the focus needs to turn to the breach itself.

Every file stored in OneDrive or SharePoint has potentially been exposed and extracted. The content of every email, including attachments, has potentially been exposed and extracted. These two alone can be very high risk, because attackers can leverage this information to launch attacks on regular contacts with far more effect, given that the sender is known and trusted. This is called attack amplification and begins very soon after the initial compromise.
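To turn "potentially exposed" into a concrete list of files, mailbox access sessions and recipients, the unified audit log and message trace for the account can be queried. The script below is an added example, not GEN's own tooling; `$Upn` and the 30-day window are assumptions, auditing must already be enabled on the tenant for it to return anything, and the MailItemsAccessed operation is only recorded on some audit licence tiers. The outbound-mail list it produces is the starting point for the notification step above.

```powershell
# Added example (not GEN's own tooling): scope what a compromised account was used for,
# from the unified audit log and message trace. $Upn and $Days are assumptions.
param(
    [Parameter(Mandatory)] [string] $Upn,   # placeholder for the compromised account
    [int] $Days = 30
)

Connect-ExchangeOnline
$start = (Get-Date).AddDays(-$Days)
$end   = Get-Date

# File, mailbox and rule-change events attributed to the account. Each record carries a
# JSON AuditData payload; ObjectId is the OneDrive/SharePoint item or mailbox touched.
$ops = 'FileAccessed', 'FileDownloaded', 'FileSyncDownloadedFull', 'MailItemsAccessed',
       'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox'
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $Upn -Operations $ops -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json }

# Evidence first: keep the raw events before summarising them.
$events | ConvertTo-Json -Depth 10 | Set-Content -Path ".\$($Upn)-audit.json"

# Files the account touched, with the source IPs, so unfamiliar addresses stand out.
$events | Where-Object { $_.Operation -like 'File*' } |
    Group-Object ObjectId |
    Select-Object Count, Name, @{ n = 'ClientIPs'; e = { ($_.Group.ClientIP | Sort-Object -Unique) -join ', ' } } |
    Sort-Object Count -Descending | Format-Table -AutoSize

# Mailbox read-outs by source IP: a burst from one unfamiliar address is the typical
# sign of the mailbox being bulk-read or synced before the phishing starts.
$events | Where-Object Operation -eq 'MailItemsAccessed' |
    Group-Object ClientIP | Select-Object Count, Name |
    Sort-Object Count -Descending | Format-Table -AutoSize

# Outbound mail sent as the account: these recipients are the contacts to notify.
# Get-MessageTrace only reaches back 10 days; older traffic needs a historical search.
Get-MessageTrace -SenderAddress $Upn -StartDate $start -EndDate $end -PageSize 5000 |
    Select-Object Received, RecipientAddress, Subject, Status |
    Export-Csv -Path ".\$($Upn)-sent.csv" -NoTypeInformation
```

Compare the client IPs in the two summaries against the user's normal locations; everything the unfamiliar addresses touched should be treated as extracted when assessing what the attacker now holds.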

Espionage is commonplace where confidential information has been obtained, and it can take several forms:

  • Blackmail - demanding payment not to release the data
  • Sale - pitching and selling the data to competitors or news agencies
  • Publication - uploading to public forums for all to access

and, interestingly, these are usually attempted in this order, no matter what efforts are made to mitigate it.

Support

If you have experienced a breach and need assistance and advice on how to undertake any of these actions, GEN has been providing this support for over 30 years. Head over to

GEN Contact Us

and contact us by phone, chat, email or web-form and we will come right back to you. 
