Real-World Attacks on Microsoft 365 and How to Fight Back
Matthew Tinney
A Focused, Compassionate Visionary, Father of Twin Boys. We help Information Technology engineering teams solve problems they don't have the DNA to solve because they don't have the people, technology or process.
Migrating to Microsoft 365 offers undeniable benefits, but it also creates a new attack surface. The convenience of Microsoft 365 can be undermined if attackers exploit weaknesses that bridge the gap between your on-prem environment and the cloud. This blog post dives into the tactics real-world attackers use to infiltrate Microsoft 365 through on-prem vulnerabilities, and equips you with actionable strategies to bolster your defences and keep your cloud data safe.
Don’t Let Your Cloud Become Ground Zero.
Read On.
Top 10 Attacks Against Microsoft 365
1: Okta Data Breach: Attackers used stolen credentials to breach Okta's customer support system, exposing support case information.
2: Air Europa Data Breach (October 2023): Attackers accessed customers' financial information, and the airline recommended that affected customers cancel their credit cards.
3: 23andMe Data Breach (October 2023): Unauthorized access to customer accounts through a credential stuffing attack exposed genetic data.
4: SONY Data Breach (September 2023): The ransomware group Ransomware.vc allegedly exfiltrated over 6,000 files from SONY and threatened to sell the data.
5: Topgolf Callaway: Over one million customers were hit by a data breach that exposed personal information.
6: IBM MOVEit Data Breach: A vulnerability in the MOVEit file transfer software allowed criminals to steal sensitive healthcare data relating to 4.1 million patients.
7: Barracuda Email Security Gateway Attacks (May 2023): A critical vulnerability was exploited to compromise Barracuda's Email Security Gateway appliances, targeting government agencies.
8: Microsoft Cloud Email Breach (June 2023): Email accounts belonging to U.S. government agencies were compromised, including the mailboxes of high-profile officials.
9: Casino Operator Attacks: Casino operators MGM and Caesars Entertainment were reportedly compromised through social engineering tactics followed by ransomware deployment.
10: Cisco Attacks (October 2023): Attackers exploited a critical vulnerability in Cisco IOS XE, compromising nearly 42,000 Cisco devices.
Such incidents underscore a changing and persistent threat landscape across on-prem and cloud infrastructure, and highlight the need for resilient cybersecurity measures and awareness.
15 Ways Hackers Target Microsoft 365
The tactics used by the actor UNC2452 (AKA Nobelium, the SolarWinds hackers) were a complex blend of lateral-movement techniques into the Microsoft 365 cloud environment. They combined system vulnerabilities, protocol manipulation and stolen credentials, demonstrating the attacker's sophisticated knowledge of cloud infrastructure and its security features.
15 Most Common Techniques Used For Achieving Lateral Movement To The Microsoft 365 Cloud
1: API Abuse: Attackers targeting weak API endpoints can modify requests in a way that bypasses standard authentication or authorization checks. For example, by exploiting weak permissions in an API used for managing user data in M365, attackers could extract personal information or escalate privileges. They can also alter API calls to add users, delete users or change permission details, gaining access to data that matters to the company. A typical example is forceful browsing, in which the attacker incrementally changes URLs in an attempt to reach unauthorized API endpoints.
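To make the forceful-browsing pattern above detectable, here is an added example (not code from the original post) that scans constructed API access logs for one principal walking sequential object IDs and collecting denials; the log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample API access log (not from the original post); the format is an assumption.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z actor=alice ip=203.0.113.5 GET /api/v1/users/1001 403
2024-03-01T09:00:02Z actor=alice ip=203.0.113.5 GET /api/v1/users/1002 403
2024-03-01T09:00:03Z actor=alice ip=203.0.113.5 GET /api/v1/users/1003 200
2024-03-01T09:00:04Z actor=alice ip=203.0.113.5 GET /api/v1/users/1004 403
2024-03-01T09:00:05Z actor=alice ip=203.0.113.5 GET /api/v1/users/1005 403
2024-03-01T09:00:06Z actor=alice ip=203.0.113.5 GET /api/v1/users/1006 404
2024-03-01T09:01:00Z actor=bob ip=198.51.100.7 GET /api/v1/users/2042 200
2024-03-01T09:02:00Z actor=bob ip=198.51.100.7 GET /api/v1/users/2042/tasks 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) actor=(?P<actor>\S+) ip=(?P<ip>\S+) "
                     r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
# Resource type plus numeric object id, e.g. /api/v1/users/1001 or /api/v1/users/1001/tasks
ID_RE = re.compile(r"^/api/v1/(?P<resource>[a-z]+)/(?P<id>\d+)(?:/|$)")

def find_enumeration(log_text, min_ids=5, min_denied_ratio=0.5, min_seq_ratio=0.8):
    """Flag (actor, ip, resource) triples whose requests walk many distinct,
    mostly consecutive object ids and are mostly denied or not found."""
    hits = defaultdict(list)  # (actor, ip, resource) -> [(object_id, status)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        p = ID_RE.match(m["path"]) if m else None
        if not p:
            continue
        hits[(m["actor"], m["ip"], p["resource"])].append((int(p["id"]), int(m["status"])))
    findings = []
    for (actor, ip, resource), reqs in hits.items():
        ids = sorted({i for i, _ in reqs})
        if len(ids) < min_ids:
            continue
        denied = sum(1 for _, s in reqs if s in (401, 403, 404))
        # Fraction of id steps that are exactly +1: legitimate use rarely walks ids in order.
        seq_ratio = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1) / (len(ids) - 1)
        if denied / len(reqs) >= min_denied_ratio and seq_ratio >= min_seq_ratio:
            findings.append({"actor": actor, "ip": ip, "resource": resource,
                             "distinct_ids": len(ids), "denied": denied,
                             "seq_ratio": round(seq_ratio, 2)})
    return findings
```

Bob's two requests touch a single id and succeed, so only Alice's run is reported; in a real deployment the same logic would be fed from the API gateway or M365 audit log rather than an inline string.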
2: Side-channel Attacks: Side-channel attacks in a cloud environment can be incredibly sophisticated, such as monitoring cache usage patterns on shared hardware to recover encryption keys or other sensitive data. For example, by timing a given operation an attacker may be able to infer the size of the data involved and then use statistical analysis to identify encryption keys or hidden operations in the M365 environment. Performing this kind of attack requires deep knowledge of the hardware architecture and software implementation, which underlines the importance of strong isolation in multi-tenant architectures.
3: Token Theft & Forgery: Attackers can steal or forge authentication tokens to gain unauthorized access to cloud resources. In the case of M365, this can mean the theft of OAuth tokens from compromised applications, or the forgery of SAML tokens after compromising key components such as identity providers.
4: Exploitation of Configuration Flaws: Configuration errors are a common target in cloud environments. In M365, this could mean exploiting misconfigured Conditional Access policies or directory permissions, allowing lateral movement with higher privileges or without triggering alerts in sensitive areas.
5: Phishing and Credential Stuffing: Phishing makes up a significant share of the methods attackers use to harvest credentials, and often forms the basis of an attack on M365 environments. In credential stuffing, attackers use already-stolen credentials to log into users' accounts on other services, capitalizing on the prevalence of password reuse.
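As an added example rather than anything from the original post, the following scans constructed sign-in events for the credential-stuffing signature: one source IP trying many distinct accounts within a short window, with any success inside that burst pointing at an account to reset. The event shape and thresholds are assumptions, not Microsoft's sign-in log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (timestamp, user, source ip, result). Assumed shape.
EVENTS = [
    ("2024-03-01T10:00:00Z", "ann@example.com", "203.0.113.9", "fail"),
    ("2024-03-01T10:00:05Z", "ben@example.com", "203.0.113.9", "fail"),
    ("2024-03-01T10:00:11Z", "cy@example.com", "203.0.113.9", "fail"),
    ("2024-03-01T10:00:17Z", "dee@example.com", "203.0.113.9", "fail"),
    ("2024-03-01T10:00:23Z", "eli@example.com", "203.0.113.9", "success"),
    ("2024-03-01T10:00:29Z", "fay@example.com", "203.0.113.9", "fail"),
    # A single user mistyping a password and then succeeding is normal, not stuffing.
    ("2024-03-01T10:05:00Z", "ann@example.com", "198.51.100.4", "fail"),
    ("2024-03-01T10:05:30Z", "ann@example.com", "198.51.100.4", "success"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Per source IP, find the sliding window with the most distinct accounts attempted;
    report it when it reaches min_users, together with any accounts that succeeded."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((parse_ts(ts), user, result))
    findings = []
    for ip, evs in by_ip.items():
        evs.sort()
        best, start = None, 0
        for end in range(len(evs)):
            # Advance the window start until the burst fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            users = {u for _, u, _ in burst}
            if len(users) >= min_users and (best is None or len(users) > best[0]):
                best = (len(users), sorted({u for _, u, r in burst if r == "success"}))
        if best:
            findings.append({"ip": ip, "distinct_users": best[0], "successes": best[1]})
    return findings
```

Accounts listed under "successes" are the ones whose reused password worked and should be reset and reviewed first; the repeated failures from 198.51.100.4 involve one user and are ignored.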
6: Zero-day Exploits: Zero-day exploits take advantage of software vulnerabilities of which neither the software maker nor antivirus vendors are yet aware. In the context of M365, this could mean leveraging a loophole in the SharePoint Online security model to run arbitrary JavaScript in a user's session and gain unauthorized access to sensitive documents or data. Their extreme infiltration power comes from the fact that zero-day attacks can go undetected until they are unleashed, leaving attackers undisturbed while they infiltrate systems and steal data.
7: Cross-Tenant Data Leakage: Attacks in multi-tenant clouds can exploit weak isolation between tenants. For example, a misconfiguration of Azure Active Directory can allow an attacker to obtain sensitive information belonging to other tenants via tenant enumeration. Another form of cross-tenant leakage can arise from shared resources, such as a data cache that is not cleared before it is reused to store another tenant's private information.
8: Supply Chain Compromise: For a supply chain attack against Microsoft 365, the attacker would need to compromise a widely used third-party service or application that integrates with M365. Imagine a project management tool that most enterprises use, with an M365 plugin to synchronize tasks. If the tool's update mechanism were compromised, an attacker could distribute a malicious update that, once downloaded and applied, installs a backdoor. That backdoor might allow them to run remote commands, access sensitive data in M365, or propagate laterally into other parts of the organization's network.