Malicious actors have a history of trying to compromise users’ Office 365 accounts. A compromised account gives them a foothold inside the organization’s environment from which to read mail, move to other accounts and steal sensitive information. But they need not stop there. They can also single out the vendors, customers and other entities with which the target does business, turning one compromised tenant into the starting point for supply chain cyberattacks.
In the summer of 2019, phishers used fake alerts to trick admins into thinking that their Office 365 licenses had expired. Those messages instructed the admins to click on a link so that they could sign into the Office 365 Admin Center and review the payment details. Instead, that sign-in page stole their account credentials.
Other cyberattacks in 2019 used spoofing techniques to make the sender appear to be a fellow employee. Rather than asking for a password, the threat actors tricked people into granting an attacker-controlled app, dressed up as a Microsoft Office 365 app, permission to access their inbox, contacts and other account data. Because the victim authorizes the app through Microsoft’s own consent prompt, no credentials change hands, and resetting the password alone does not revoke the app’s access.
Near the end of February 2020, other cyberattacks warned users to update their Office 365 apps or risk having their accounts deleted. The phony messages instructed victims to enter their information on a login page and click an ‘update now’ button. In truth, that page was a crafted Google Form that exfiltrated a victim’s data to the attackers.
In May 2020, a phishing campaign used emails from what appeared to be the U.S. Supreme Court. The cyberattacks used threatening language to trick users into clicking a ‘view subpoena’ button. From there, it sent them to a domain designed to steal Office 365 credentials.
Where Supply Chain Cyberattacks Come In
Supply chain attacks starting in Office 365 can take on many different forms. For instance, spear phishers can use a compromised Office 365 account to read a targeted employee’s ongoing email threads and learn who they deal with, what they are buying and how payments are arranged. They can then reply inside those threads as that employee and send vendors and suppliers fraudulent invoices or changed payment instructions, the classic business email compromise fraud attack.
Other types can be even more far-reaching. At the end of 2020, for instance, it came to light that threat actors had compromised an IT network management provider’s product update mechanism and misused that access to push malware to the provider’s customers. The same attackers had compromised the provider’s own Office 365 email accounts, which the company said “may have provided access to other data contained in the company’s office productivity tools”.
Several months later, the company’s new CEO revealed that the attackers had compromised one of its Office 365 accounts as early as December 2019. “That led them to compromise other email accounts and as a result, our broader [Office] 365 environment was compromised,” they told The Wall Street Journal.
In January 2021, the Cybersecurity & Infrastructure Security Agency (CISA) warned that the same attackers were abusing applications inside victims’ Office 365 environments: adding their own credentials to existing app registrations and service principals, then using those trusted app identities to call Microsoft Graph and read mail without ever signing in as a user. CISA noted that this post-compromise tradecraft works regardless of whatever vector the attackers used to gain access first, so it is not confined to victims of that one supply chain compromise.
Going Beyond Native Controls
Supply chain cyberattacks involving Office 365 are effective because a trusted app identity or a forged token lets threat actors sidestep the interactive authentication controls that protect an ordinary sign-in, and they can avoid triggering an alarm if the right tools or solutions aren’t in place. Organizations therefore need to focus on putting defense best practices in place. Those measures include enabling multifactor authentication on users’ email accounts, which blunts the credential phishing campaigns described above, and monitoring for suspicious behavior using extended detection and response. One caveat: multifactor authentication does nothing against consent phishing or against credentials added to an existing app, so the monitoring should cover app consent grants and changes to service principal credentials, not just user logins.
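The two app-abuse patterns described above (attackers adding credentials to existing service principals, and users consenting to a look-alike app with mailbox permissions) both leave traces in the Azure AD audit log. The following script is an added example, not code from the original article or from Microsoft or CISA: it triages a small, constructed newline-delimited JSON export for exactly those two events. The record shape and the operation names ("Add service principal credentials", "Consent to application", the "ConsentAction.Permissions" property) follow the Azure AD audit log as I know it and are an assumption to verify against a real export; the accounts, app names and the set of authorized administrators are invented for the sample.

```python
"""Triage Azure AD audit-log records for Office 365 app abuse.

Flags (1) credentials added to an app or service principal by anyone outside
the set of accounts that are supposed to manage app registrations, and
(2) consent grants that give an app permission to read or send mail.
Sample records below are constructed for this example, not real telemetry.
"""
import json
import re

# Operation names as I know them from the Azure AD audit log (assumption).
CREDENTIAL_OPS = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
CONSENT_OPS = {"Consent to application", "Add delegated permission grant"}
# Microsoft Graph permissions that let an app read or send someone's mail.
MAIL_SCOPES = {"Mail.Read", "Mail.ReadBasic", "Mail.ReadWrite", "Mail.Send",
               "MailboxSettings.ReadWrite"}

# Constructed sample export (one JSON record per line).
SAMPLE_LOG = r"""
{"activityDateTime": "2021-01-05T02:13:40Z", "activityDisplayName": "Add service principal credentials", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "svc-backup@example.com"}}, "targetResources": [{"displayName": "Mail Archiver", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "KeyDescription", "newValue": "[KeyType=Password,KeyUsage=Verify]"}]}]}
{"activityDateTime": "2021-01-05T02:15:02Z", "activityDisplayName": "Consent to application", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "jane.doe@example.com"}}, "targetResources": [{"displayName": "Office 365 Update Helper", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "ConsentAction.Permissions", "newValue": "[[Scope: Mail.Read Contacts.Read offline_access, ConsentType: Principal]]"}]}]}
{"activityDateTime": "2021-01-05T09:00:11Z", "activityDisplayName": "Consent to application", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "it.admin@example.com"}}, "targetResources": [{"displayName": "Expense Tracker", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "ConsentAction.Permissions", "newValue": "[[Scope: User.Read offline_access, ConsentType: Principal]]"}]}]}
{"activityDateTime": "2021-01-05T10:30:00Z", "activityDisplayName": "Update user", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "it.admin@example.com"}}, "targetResources": [{"displayName": "jane.doe@example.com", "type": "User", "modifiedProperties": []}]}
"""

# Pulls the space-separated scope list out of a ConsentAction.Permissions value.
SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")


def parse_audit_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def actor_of(event):
    """Who performed the operation: a user UPN, an app name, or 'unknown'."""
    who = event.get("initiatedBy", {})
    if who.get("user"):
        return who["user"].get("userPrincipalName", "unknown-user")
    if who.get("app"):
        return who["app"].get("displayName", "unknown-app")
    return "unknown"


def find_credential_additions(events, authorized_actors):
    """Successful credential additions to an app identity by an unexpected actor."""
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") not in CREDENTIAL_OPS or ev.get("result") != "success":
            continue
        actor = actor_of(ev)
        if actor in authorized_actors:
            continue
        for target in ev.get("targetResources", []):
            findings.append({"time": ev["activityDateTime"], "actor": actor,
                             "app": target.get("displayName"),
                             "op": ev["activityDisplayName"]})
    return findings


def granted_scopes(event):
    """Set of delegated scopes recorded in a consent event."""
    scopes = set()
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "ConsentAction.Permissions":
                for match in SCOPE_RE.finditer(prop.get("newValue", "")):
                    scopes.update(match.group(1).split())
    return scopes


def find_mail_consent_grants(events):
    """Successful consent grants that hand an app mailbox access."""
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") not in CONSENT_OPS or ev.get("result") != "success":
            continue
        risky = granted_scopes(ev) & MAIL_SCOPES
        if not risky:
            continue
        targets = ev.get("targetResources", [])
        findings.append({"time": ev["activityDateTime"], "actor": actor_of(ev),
                         "app": targets[0].get("displayName") if targets else None,
                         "scopes": sorted(risky)})
    return findings


def triage(text, authorized_actors=frozenset({"it.admin@example.com"})):
    """Run both detections over an export and return the findings by kind."""
    events = parse_audit_log(text)
    return {"credential_additions": find_credential_additions(events, authorized_actors),
            "mail_consent_grants": find_mail_consent_grants(events)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for finding in items:
            print("  ", finding)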
It’s not always easy to manage these efforts at the same time, more so when so many accounts, apps and mailboxes might be involved. That’s why organizations should consider consolidating identity, email and endpoint telemetry into a single view, with analytics focused on the most critical assets. This gives them comprehensive visibility over their environment and lets analysts correlate a suspicious consent grant or app credential change with the mailbox and endpoint activity that follows it. From there, they can spot and shut down potential supply chain cyberattacks and other digital threats.
David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...