Written By: Brien Posey | Published: 2/24/2020

Defending Against Office 365 Account-Takeover Attacks

As a freelance tech journalist, I get bombarded each day by reports and press releases. Most of the time, the information contained in those documents is about as exciting as watching paint dry.

Every once in a while, though, I receive a report that is impossible to ignore -- such as this recent report by Barracuda Networks. The report, titled "Threat Spotlight: Account Takeover," predictably claims that there has been a recent increase in account-takeover attacks directed at Office 365.

The thing that really grabbed my attention was this statement: "29 percent of organizations had their Office 365 accounts compromised by hackers in March 2019." Let that one sink in for a second. Barracuda is claiming that nearly one out of every three Office 365 customers suffered from an account-takeover attack within the span of one month. That's huge!

While such an audacious claim certainly deserves a degree of skepticism, I am inclined to believe that Barracuda's claim is true. Barracuda has a decent track record, and the subject of Office 365 security has been in the news a lot lately, so I don't really have a reason to doubt the validity of Barracuda's claim.

Given that Office 365 account-takeover attacks have become so pervasive (and so successful), it is worth talking about how these attacks happen and what you can do to prevent them.

Unfortunately, there is no single answer to the question of how the hackers are getting in; they use a variety of methods. Even so, phishing seems to be among the most common. In many cases, these phishing messages impersonate Microsoft and steer the victim to a fake Office 365 sign-in page that captures whatever password is typed into it.

For an IT pro, many of these phishing attacks are laughable. We've all probably seen phishing e-mails, written in broken English, in which an alleged Microsoft support technician threatens to cancel your account unless you "click here" to take some sort of action. While most of us probably aren't inclined to fall for such an obvious fraud, we still have to take these sorts of messages seriously. If such a message makes it into our inbox, then there is little doubt that the message will also make it into users' inboxes. Some users are less computer-savvy than others and may end up taking the bait.

Countless blog posts have been written outlining things that you can do to stop phishing attacks from succeeding. Techniques range from using filtering software to flag, quarantine or delete suspected phishing messages, to educating users on what to look for. Reminding users that Microsoft will never e-mail them asking them to change their password is a good first step.

As important as it may be to take steps to thwart phishing attacks, there is a much bigger issue to consider. If Barracuda is correct and a huge percentage of companies have suffered account-takeover attacks, then you must assume that your organization has already been infiltrated. That changes the game considerably.

First and foremost, you will need to explain to users that a message from a co-worker cannot be assumed to be legitimate just because it comes from the co-worker's address. If a co-worker asks for something unusual (an urgent payment, a password, a document they have no reason to need), or suddenly starts writing differently (using abbreviations, or misspelling words that they normally spell correctly), it could be a sign that the co-worker's account has been compromised. It's better to call the co-worker on a number you already know, not one supplied in the message, and verify that they really did send the request than to simply assume that the request is legitimate.

It's also important to secure your environment immediately. Audit Active Directory (and Azure AD, if you use it) to ensure that every account belongs to a known user. Compare the directory against an HR roster rather than relying on whether names look familiar, and pay special attention to accounts created recently and to recent additions to administrative roles. A hacker who has taken over an account with sufficient privileges may create additional accounts, or grant extra privileges to existing ones, in order to keep access after the original account is cleaned up.

While you are at it, force a companywide password change and require multifactor authentication if you haven't already. Keep in mind that a password reset by itself does not end sessions the attacker already holds, so revoke existing sign-in sessions and refresh tokens at the same time. Multifactor authentication won't guarantee that a hacker cannot log in, but it defeats the most common case, an attacker who holds a stolen password and nothing else, and it makes the hacker's life harder in every other case.

Finally, monitor your network for suspicious activity. Pay particular attention to administrative actions and unusual log-ins. If, for example, one of your users is logging in at 3:00 a.m. from North Korea, then you most likely have a problem. You should also be on the lookout for what I like to call "impossible travel." If a user logs in from a PC in Florida and then logs in again 20 minutes later from a location in New York, then the user is either using a VPN service or their account has been compromised.
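The account audit and the "impossible travel" check described above, combined into one script as an added example (this is not code from the original article, and it is not a Microsoft tool). It works over exported data rather than live APIs so that it runs offline: the directory export, the HR roster and the sign-in log are all constructed for the example, the field names only resemble those in Azure AD user and sign-in exports, and the 900 km/h threshold (roughly airliner cruising speed) is an assumption you should tune for your own users.

```python
"""Added example, not code from the original article: two checks that a team
might run over exported Office 365 / Azure AD data once it assumes an
account-takeover attack has already happened.

  audit_accounts()         reconciles a user export against a roster of known
                           users and reports unknown and recently created accounts
  find_impossible_travel() walks a sign-in log per user and flags consecutive
                           sign-ins whose implied travel speed is not plausible

All records below are constructed for the example.  The field names resemble
those in Azure AD user and sign-in exports but are assumptions, not an API.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed directory export: one row per account.
DIRECTORY_EXPORT = [
    {"upn": "alice@example.com",      "created": "2018-03-01T09:00:00Z"},
    {"upn": "bob@example.com",        "created": "2019-11-12T14:30:00Z"},
    {"upn": "svc-backup@example.com", "created": "2017-06-15T11:00:00Z"},
    {"upn": "carol@example.com",      "created": "2020-02-10T08:00:00Z"},  # new hire
    {"upn": "jdoe.admin@example.com", "created": "2020-02-20T02:15:00Z"},  # nobody requested this
]

# Constructed roster of accounts that are supposed to exist (HR list plus the
# service-account register); compared case-insensitively below.
KNOWN_USERS = {"alice@example.com", "bob@example.com",
               "svc-backup@example.com", "carol@example.com"}

# Constructed sign-in log: (upn, UTC timestamp, latitude, longitude, location label).
SIGNIN_LOG = [
    ("alice@example.com", "2020-02-21T08:00:00Z", 28.54,  -81.38, "Orlando, FL"),
    ("alice@example.com", "2020-02-21T08:20:00Z", 40.71,  -74.01, "New York, NY"),
    ("bob@example.com",   "2020-02-21T09:00:00Z", 47.61, -122.33, "Seattle, WA"),
    ("bob@example.com",   "2020-02-21T15:00:00Z", 34.05, -118.24, "Los Angeles, CA"),
    ("bob@example.com",   "2020-02-21T22:00:00Z", 39.03,  125.75, "Pyongyang, KP"),
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def audit_accounts(export, known, now, recent_days=30):
    """Return (unknown, recent): accounts missing from the roster, and accounts
    created within recent_days of `now`.  Both lists deserve a look: a recent
    account that is on the roster is probably a new hire; one that is not is
    exactly what an intruder holding admin rights would add."""
    known_lc = {u.lower() for u in known}
    cutoff = now - timedelta(days=recent_days)
    unknown = sorted(a["upn"] for a in export if a["upn"].lower() not in known_lc)
    recent = sorted(a["upn"] for a in export if parse_ts(a["created"]) >= cutoff)
    return unknown, recent


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(min(1.0, sqrt(a)))


def find_impossible_travel(log, max_kmh=900.0):
    """Group sign-ins by user, order them by time and flag each consecutive pair
    whose implied speed exceeds max_kmh (assumed: about airliner cruising speed).
    Returns a list of (upn, from_label, to_label, speed_kmh) findings."""
    by_user = {}
    for upn, ts, lat, lon, label in log:
        by_user.setdefault(upn, []).append((parse_ts(ts), lat, lon, label))

    findings = []
    for upn, events in by_user.items():
        events.sort(key=lambda e: e[0])
        for prev, cur in zip(events, events[1:]):
            hours = (cur[0] - prev[0]).total_seconds() / 3600.0
            km = haversine_km(prev[1], prev[2], cur[1], cur[2])
            if hours == 0:
                # Two sign-ins in the same second from different places cannot
                # both be the user; treat the implied speed as infinite.
                speed = float("inf") if km > 0 else 0.0
            else:
                speed = km / hours
            if speed > max_kmh:
                findings.append((upn, prev[3], cur[3], speed))
    return findings


if __name__ == "__main__":
    unknown, recent = audit_accounts(DIRECTORY_EXPORT, KNOWN_USERS,
                                     now=parse_ts("2020-02-24T00:00:00Z"))
    print("not on roster:", unknown)
    print("created in last 30 days:", recent)
    for upn, src, dst, speed in find_impossible_travel(SIGNIN_LOG):
        print(f"impossible travel: {upn} {src} -> {dst} at ~{speed:.0f} km/h")
```

In the constructed data, Alice's Florida-to-New-York pair 20 minutes apart is flagged at well over 4,000 km/h, Bob's Seattle-to-Los-Angeles hop over six hours is not, and his Los-Angeles-to-Pyongyang pair seven hours later is. The speed threshold is the knob that decides how many VPN and cloud-proxy users you will have to clear by hand; a lower threshold catches more, at the cost of more false positives.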

Ultimately, there is no surefire defense against account-takeover attacks. My advice is to assume that your network has already been compromised and be suspicious of almost everything.