Malicious actors have a history of trying to compromise users’ Office 365 accounts. By doing so, they can tunnel into a network and use their access to steal sensitive information. But they need not stop there. They can also single out other entities with which the target does business for supply chain cyberattacks.

Office-Related Cyberattacks

In the summer of 2019, phishers used fake alerts to trick admins into thinking that their Office 365 licenses had expired. Those messages instructed the admins to click on a link so that they could sign into the Office 365 Admin Center and review the payment details. Instead, that sign-in page stole their account credentials.

Other cyberattacks in 2019 used spoofing techniques to make the sender appear as if they were a fellow employee. Threat actors tricked people into allowing a fake Microsoft Office 365 app to access their inbox, contacts and other account data.

Near the end of February 2020, other cyberattacks warned users to update their Office 365 apps or risk having their accounts deleted. The phony messages instructed victims to enter their information on a login page and click an ‘update now’ button. In truth, that page was a crafted Google Form that exfiltrated a victim’s data to the attackers.

In May 2020, a phishing campaign used emails from what appeared to be the U.S. Supreme Court. The cyberattacks used threatening language to trick users into clicking a ‘view subpoena’ button. From there, it sent them to a domain designed to steal Office 365 credentials.

Where Supply Chain Cyberattacks Come In

Supply chain attacks starting in Office 365 can take on many different forms. For instance, spear phishers can use a compromised Office 365 account to scout out a targeted employee’s ongoing emails. They can then use what they learn to go after vendors and suppliers with business email compromise fraud attacks.

Other types can be even more far-reaching. At the end of 2020, for instance, threat actors compromised an IT network management provider’s product update methods and misused their access to infect customers with malware. The attacker compromised the victim’s Office 365 emails, which “may have provided access to other data contained in the company’s office productivity tools”.

Several months later, the company’s new CEO revealed that the attackers had compromised one of its Office 365 accounts in December 2019. “That led them to compromise other email accounts and as a result, our broader [Office] 365 environment was compromised,” they told The Wall Street Journal.

In January 2021, the Cybersecurity & Infrastructure Security Agency warned that the same attackers were abusing compromised applications in victims’ Office 365 environments. That risk existed regardless of which vector the attackers had used to gain initial access.

Going Beyond Native Controls

Supply chain cyberattacks involving Office 365 are effective in that they enable threat actors to bypass some authentication controls. They can avoid triggering an alarm if the right tools or solutions aren’t in place. Therefore, organizations need to focus on putting defense best practices in place. Those measures include enabling multifactor authentication on users’ email accounts and monitoring for suspicious behavior using extended detection and response.

It’s not always easy to manage these efforts at the same time, and it becomes harder as the number of accounts involved grows. That’s why organizations should consider a single-pane-of-glass approach that brings intelligent security analytics to bear on their most critical assets. This gives them comprehensive visibility over their networks, from which they can spot and shut down potential supply chain cyberattacks and other digital threats.
