Thought two-factor auth completely locks down Office 365? Not quite

Hackers can potentially obtain access to Microsoft Office 365-hosted emails and calendars even if multi-factor authentication is thought to be in place, we were warned this week.

Cybercrooks are able to force their way into corporate Office 365 accounts, bypassing single sign-on or multi-factor authentication, by targeting older systems, according to email security biz Proofpoint.

The trick is to target legacy services that use weak or known passwords, are not secured behind multi-factor authentication, and, once commandeered, can be used to poke around inside the corporate structure. If you don’t know the password, it could be phished via email or instant message.

This all may seem obvious, but apparently people are being stung by it.

“The current wave of attacks mostly goes after Exchange Web Services and ActiveSync,” said Ryan Kalember, Proofpoint’s senior vice president of cybersecurity strategy, earlier this week. “A little real-time phishing gets mixed in, but is usually not necessary.”

Real-world examples

For example, Proofpoint recently saw an attacker access the Office 365 account of the chief exec of a 15,000-user financial services and insurance firm. The hacker viewed the CEO’s emails and calendar in order to sniff out an opportunity to run a sneaky scam.

At the same time the chief exec was in scheduled meetings with suppliers, the intruder used the compromised account to send an email to the chief financial officer asking for funds to be shifted. The unnamed financial services firm lost $1m over the course of several transfers, it is claimed.

Compromised Office 365 accounts in a 75,000-user real-estate investment firm were used to run another scam. Five executives, including some regional general managers, had their accounts compromised. With access to their Office 365 email, attackers managed to change the ABA routing numbers for corporate funds. The company lost over $500,000 as a result, according to Proofpoint.

By the most remarkable of coincidences, the security shop has released something called Proofpoint Cloud Account Defense (CAD) to detect and proactively protect against compromised Microsoft Office 365 accounts. Kalember explained the need for additional layers of defenses.

“It’s really hard for most orgs to cover all the interfaces to Exchange with MFA [multi-factor authentication],” Kalember told El Reg.

“Particularly with EWS [Exchange Web Services], you need to be 1) fully migrated to O365, 2) use Microsoft’s own MFA, and 3) in Modern Authentication mode. The tech can’t support native iOS/Android mail clients, etc.”

In other words, you may think you’re fully protected – but maybe you should check again. Save yourself some pain in the future. ®
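One way to "check again", as an added example that is not from Proofpoint or the original article: the Python below scans sign-in records for successful logins over the two interfaces named above (Exchange Web Services and ActiveSync) that were satisfied without MFA, and singles out users who do pass MFA elsewhere. The record field names are an assumption modelled on the Azure AD sign-in log export, and the sample records are constructed.

```python
from collections import defaultdict

# Interfaces the article names as current targets; extend for your tenant.
LEGACY_CLIENTS = {"Exchange Web Services", "Exchange ActiveSync"}
MFA = "multiFactorAuthentication"
SFA = "singleFactorAuthentication"


def _rec(when, user, app, requirement, error_code, ip):
    """Build one record in the assumed sign-in log shape."""
    return {"createdDateTime": when, "userPrincipalName": user,
            "clientAppUsed": app, "authenticationRequirement": requirement,
            "status": {"errorCode": error_code}, "ipAddress": ip}


# Constructed sample data (documentation IP ranges, example.com users).
SAMPLE = [
    _rec("2024-01-15T09:00:00Z", "ceo@example.com", "Browser", MFA, 0, "198.51.100.10"),
    _rec("2024-01-15T09:05:00Z", "ceo@example.com", "Exchange Web Services", SFA, 0, "203.0.113.7"),
    _rec("2024-01-15T09:06:00Z", "cfo@example.com", "Exchange ActiveSync", SFA, 50126, "203.0.113.7"),
    _rec("2024-01-15T09:07:00Z", "cfo@example.com", "Browser", MFA, 0, "198.51.100.11"),
    _rec("2024-01-15T09:09:00Z", "gm@example.com", "Exchange ActiveSync", SFA, 0, "192.0.2.44"),
]


def legacy_single_factor_signins(records):
    """Successful legacy-interface sign-ins that did not require MFA, per user."""
    hits = defaultdict(list)
    for r in records:
        if r.get("clientAppUsed") not in LEGACY_CLIENTS:
            continue
        if r.get("status", {}).get("errorCode") != 0:
            continue  # failed attempt: alert on it separately, it is not a bypass
        if r.get("authenticationRequirement") == MFA:
            continue
        hits[r["userPrincipalName"]].append(
            (r["createdDateTime"], r["clientAppUsed"], r["ipAddress"]))
    return dict(hits)


def mfa_gap_users(records):
    """Users who pass MFA somewhere yet also sign in single-factor via legacy."""
    mfa_users = {r["userPrincipalName"] for r in records
                 if r.get("authenticationRequirement") == MFA
                 and r.get("status", {}).get("errorCode") == 0}
    return sorted(mfa_users & set(legacy_single_factor_signins(records)))


if __name__ == "__main__":
    print(legacy_single_factor_signins(SAMPLE))
    print("MFA in use but legacy still single-factor:", mfa_gap_users(SAMPLE))
```

Users returned by `mfa_gap_users` are the ones who look covered by MFA in the browser while a legacy interface still accepts a password alone.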
