November 15, 2018

Holiday Phishing: Office 365

Written by Scott Nusbaum
  It’s that time of year again, Merry Phishmas!! The holidays are prime time for attackers to send Phishing campaigns. Whether you are looking for the best deal on Black Friday, the best Christmas gift for that special family member, or a holiday greeting from employees, employers, or customers, there are plenty of ways to craft Phishing campaigns that entice even the wariest computer users. TrustedSec Incident Response has seen a rise in the number of fraud cases involving Office 365 (O365). The attackers Phish users whose roles deal with finances. Once the attackers gain access to an account, they commonly set up rules to forward email to an external address that they own. The attacker then reviews the existing email to learn who owes what, who is in charge, and who deals with customers. Next, the attacker Phishes coworkers, with the end goal of sending customers an email from a valid company address informing them that the bank routing information has changed and that payment is expected as soon as possible. The attacker then adds rules to delete incoming email from the customer to hide the activity. We are going to talk about some of the good and bad features of O365 and ways to help protect you and your company this holiday season. Let’s start with the good:
  1. O365 gives you access to not only your email, but to online versions of Word, Excel, and PowerPoint from anywhere. This is really great for those road warriors who might be traveling all the time, or for those who are sitting at their kids’ soccer practice and need to get a little more work done.
  2. There is no special software to download; all you need is a web browser. Really, who wants to spend the time downloading, installing, and maintaining the updates for that many different pieces of software, let alone give up the precious drive space they take up? This is made even more difficult since normal users shouldn’t have Administrator rights.
  3. It is highly available, since Microsoft has the resources to have multiple redundancies and failover procedures in place (like we all should have).
  4. Similar to the first point, all Office Documents are now available to you anywhere at any time. Documents are stored in the Cloud and collaboration is made easy with a simple click of a button.
  5. O365 can be configured for Multi-Factor Authentication (MFA). When someone attempts to log in to an account, a one-time code is sent to the registered user (or an approval prompt is shown on their device), and the login cannot complete without it. If you did not try to log in, do not blindly approve the prompt or give the code to anyone.
  6. This option is cheaper than hosting your own server for each Office product. Microsoft has priced its Cloud services in such a way that it is a no-brainer to shift from hosting the services yourself to the Cloud.
  Now, the bad:
  1. O365 gives you access to not only your email but to the online versions of Word, Excel, and PowerPoint from anywhere. It is harder to secure when it is outside of your network. You now have limited control, and all the money spent on hardening and monitoring your network does little for O365.
  2. No physical control of your data. Microsoft has it all unless you do your own backups.
  3. Reduced log retention. O365 keeps 90 days of log data. There are multiple ways to pull these logs from O365, which we will discuss later in this post. Oh, and did you know that Microsoft truncates the audit logs for you?
  4. Multi-Factor Authentication (MFA) is not required by default. We all have strong passwords and they are never compromised, right?
  5. Reduced visibility. Logs are stored in the Cloud, and extra sources such as network logging are not available.
  The Ugly:
  1. Access from anywhere! Not just you and your employees can access your O365 account, anyone from anywhere can try to access it too.
  2. Hackers - if you can access it from anywhere, so can they. If you are not monitoring and using MFA, they can keep attacking until they get in.
  3. Security is reduced to the strength of each individual user’s password, and passwords are the weakest point in most organizations' security:
    1. You need to be able to remember them, so complexity is reduced.
    2. You have to type them in every time you log in, so longer passwords are a pain for bad typers.
    3. You need a unique password for every site and computer. Password reuse is very common, so someone who obtains a user's O365 password may well have the password to that user's computer too.
    4. You are forced to change passwords frequently, so users tend to use incremental schemes to remember them or write them down.
  4. Misconfigured accounts. Normal users should not have administrative rights. If an account with administrative rights is compromised, the attacker now has access to everyone’s accounts: they can set forwarding rules to send all email to themselves and can send and receive email as anyone.
  5. All data is available to a compromised account.
So far, we have discussed the good, the bad, and the ugly of O365, and we touched on how attackers can gain unauthorized access to it. Now we will go into a few more common ways attackers gain access to O365 accounts.

The first is brute-forcing the password. Email addresses are regularly published, giving the attacker either the exact account name or the format the company uses when creating accounts. Attackers can then spend time guessing the password. Did you know that passwords are set by default to never expire? See this Microsoft article on how to set an expiration policy. In incidents I have worked, I have seen attackers trying to gain access for over three months. A good way to detect this is periodic analysis of the O365 Audit logs. Export the Audit logs to CSV and open them in Excel, which lets you filter and search for possible indicators of compromise (IOCs). Common IOCs include large numbers of failed login attempts, or successful logins from geographically distant locations within a short period of time. See this Microsoft article on the contents of the Audit log. You can also automate the detection and have it alert when a threshold is met.

The second method commonly used to gain access to O365 is Phishing, as mentioned above. Commonly, Phishing attacks try to trick the user into entering their credentials into a fake website owned by the attacker, set up as a mirror of the real login page. Phishing can also be used to install malware on the system. I have heard of penetration test situations where a Phish was sent to a company and the head IT administrator clicked the link. Not only was the link clicked, but the administrator typed a message to the attacker into the username and password fields, telling the attacker that they were not going to fall for this Phish. The problem was that it was a Phish to install malware, not to collect credentials. The moral is to never click the link, even if you think you know what it is. To combat credential theft, good Phishing awareness programs help, and MFA will reduce the number of unauthorized accesses.

The third method attackers use to break into O365 accounts is password reuse. Every site requires a password, and with so many passwords, how do you remember them all? Many people reuse the same password, or variations of it, which lets an attacker who already holds one of the user's passwords skip most of the brute-force attempts.

The last method is to man-in-the-middle the user's connection. This is more difficult, as the attacker needs to isolate the target, but it is far easier when the target is on public Wi-Fi at the local Starbucks down the street from the office. The attacker intercepts the connection and either strips the TLS (SSL) encryption or redirects the user’s requested traffic to a site operated by the attacker that asks the target to log in.

This is great, but how do you detect this activity? By monitoring the logs that are available to you. First you must enable Audit logging in the Security and Compliance Center. The O365 Audit logs roll over every 90 days, so any older data is lost; 90 days is the maximum that is retained. I suggest downloading the logs every 89 days and storing them locally. When performing an incident response for an O365 breach, I would like to see at least six months of data. That may be a lot of data, but it provides enough background on usage patterns to spot anomalous behavior. There are two ways to pull the Audit logs: the graphical way and the PowerShell way.

Next, enable mailbox auditing. The ability to search individual mailbox events is disabled by default, which is unfortunate, as mailbox auditing adds far more user activity to the Audit log search. It will drastically increase the size of the Audit log, but the result is more robust and contains valuable information.

A warning I have seen with the Audit Logs is that they can be truncated. I like to parse the CSV file and upload it to ElasticSearch. I have had issues with the embedded JSON being corrupted because the line was truncated. This results in lost data and manually editing the lines to salvage what is provided.

When analyzing the Audit logs, here are a few of the things I look for:
  1. Multiple failed attempts from varying IP addresses, either in a short span of time or consistently over a longer period. These are normally a sign of brute-force attempts.
  2. Multiple successful logins from different geographical locations. Unless the user has developed teleportation (or a TARDIS), this could be a sign of compromise. It is possible the user is on a VPN, which can make them appear to log in from different locations.
  3. Logins out of a user’s normal routine. I like to develop a timeline and identify the normal usage activity of the users. If the user always logs in at 7:30AM and logs out at 5:30PM for three months, then starting two weeks ago there are logins at 8:00PM, this is an indicator that should be reviewed.
  4. Creation of mailbox rules. A rule that forwards all incoming email to an external address is a key indicator of malicious activity. There might be a legitimate use for this, but in the vast majority of cases it is malicious.
  I am a strong advocate for automation; it can make life so much easier. For the cases above, a script could be created to:
  1. Pull the Audit logs and parse them
  2. Search for common attacks, such as unknown IP addresses attempting to access accounts
  3. Search for the creation or modification of mailbox rules
  4. Search for a large number of failed login attempts
  5. Send an alert or an email to notify a security analyst to perform a further analysis.
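As an added example for the indicators and the automation steps listed above (this is editor's code written for this page, not TrustedSec's tooling or part of the original post), the Python below parses a unified audit log CSV in the four-column layout the Security and Compliance Center exports (CreationDate, UserIds, Operations, AuditData) and runs the checks from both lists: a sliding-window count of failed logins, back-to-back successful logins from two countries, logins outside working hours, and inbox-rule or mailbox changes that forward or delete mail. Everything it consumes is constructed inline: the sample rows, the IP-to-country table that stands in for a GeoIP lookup, and the AuditData field and operation names, which are assumptions based on the 2018 export format and must be checked against your own tenant. The last sample row is deliberately cut off to exercise the salvage path for the truncated JSON described above.

```python
import csv, io, json, re
from collections import defaultdict
from datetime import datetime, timedelta

# Operation, parameter and field names below are assumed from the 2018 AuditData schema; verify against your export.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}
SUSPECT_PARAMS = {"ForwardTo", "ForwardingSmtpAddress", "ForwardingAddress", "RedirectTo", "DeleteMessage"}
GEO = {"203.0.113.7": "US", "198.51.100.23": "US", "192.0.2.44": "RO"}  # constructed stand-in for a GeoIP lookup
# Flat AuditData fields we salvage by regex when Microsoft's truncation has cut the JSON off mid-line.
_KV = re.compile(r'"(CreationTime|Operation|UserId|ClientIP|ResultStatus)"\s*:\s*"([^"]*)"')
BOB, ALICE = "bob@contoso.example", "alice@contoso.example"
_event = lambda t, user, op, ip, status="Succeeded", **extra: {  # one constructed AuditData record
    "CreationTime": t, "Operation": op, "UserId": user, "ClientIP": ip, "ResultStatus": status, **extra}


def build_sample_csv():
    """Constructed export in the Security and Compliance Center CSV layout; the last AuditData cell is cut short."""
    evs = [_event(f"2018-11-12T02:0{i}:15", BOB, "UserLoginFailed", f"198.51.100.{i}", "Failed")
           for i in range(1, 9)]  # eight failures in seven minutes from eight addresses
    evs += [_event("2018-11-12T13:00:02", BOB, "UserLoggedIn", "203.0.113.7"),
            _event("2018-11-12T13:40:51", BOB, "UserLoggedIn", "192.0.2.44"),  # US -> RO in 40 minutes
            _event("2018-11-12T20:15:09", BOB, "UserLoggedIn", "203.0.113.7"),  # after hours
            _event("2018-11-12T20:21:30", BOB, "New-InboxRule", "192.0.2.44", Parameters=[
                {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@attacker.example"},
                {"Name": "DeleteMessage", "Value": "True"}]),
            _event("2018-11-12T09:05:00", ALICE, "UserLoggedIn", "198.51.100.23")]  # benign
    cut = _event("2018-11-12T20:25:00", BOB, "Set-InboxRule", "192.0.2.44",
                 Parameters=[{"Name": "ForwardTo", "Value": "drop@attacker.example"}])
    rows = [[e["CreationTime"], e["UserId"], e["Operation"], json.dumps(e)[:200 if e is cut else None]]
            for e in evs + [cut]]  # the final record is truncated at 200 characters, as on real exports
    buf = io.StringIO()
    csv.writer(buf).writerows([["CreationDate", "UserIds", "Operations", "AuditData"], *rows])
    return buf.getvalue()


def parse_export(csv_text):
    """Normalise each row; when AuditData is truncated, salvage its flat fields by regex and flag the record."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            data, truncated = json.loads(row["AuditData"]), False
        except json.JSONDecodeError:
            data, truncated = dict(_KV.findall(row["AuditData"])), True
        events.append({"time": datetime.strptime(data.get("CreationTime", row["CreationDate"]), "%Y-%m-%dT%H:%M:%S"),
                       "user": data.get("UserId", row["UserIds"]), "op": data.get("Operation", row["Operations"]),
                       "ip": data.get("ClientIP", ""), "status": data.get("ResultStatus", ""), "truncated": truncated,
                       "params": {p["Name"]: p["Value"] for p in data.get("Parameters", [])}})
    return events


# Key failures on the operation name as well as ResultStatus; the two are not always consistent in the log.
is_success = lambda e: e["op"] == "UserLoggedIn" and e["status"] == "Succeeded"
is_failure = lambda e: e["op"] == "UserLoginFailed" or e["status"] == "Failed"


def _by_user(events, pred):
    groups = defaultdict(list)
    for e in filter(pred, events):
        groups[e["user"]].append(e)
    return {u: sorted(v, key=lambda e: e["time"]) for u, v in groups.items()}


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=15)):
    """At least `threshold` failed logons for one user inside a sliding `window`."""
    findings = []
    for user, fails in _by_user(events, is_failure).items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"user": user, "count": end - start + 1, "ips": sorted({e["ip"] for e in fails[start:end + 1]})})
                break  # one alert per user is enough; the analyst pulls the rest
    return findings


def detect_impossible_travel(events, geo=GEO, window=timedelta(hours=2)):
    """Consecutive successful logons for one user from two different countries inside `window`."""
    findings = []
    for user, logons in _by_user(events, is_success).items():
        for a, b in zip(logons, logons[1:]):
            ga, gb = geo.get(a["ip"]), geo.get(b["ip"])
            if ga and gb and ga != gb and b["time"] - a["time"] <= window:
                findings.append({"user": user, "from": (a["ip"], ga), "to": (b["ip"], gb),
                                 "minutes": (b["time"] - a["time"]) // timedelta(minutes=1)})
    return findings


def detect_off_hours(events, start_hour=7, end_hour=18):
    """Successful logons outside an assumed 07:00-18:00 (UTC) day; a real baseline comes from the user's own history."""
    return [{"user": e["user"], "ip": e["ip"], "time": e["time"]}
            for e in filter(is_success, events) if not start_hour <= e["time"].hour < end_hour]


def detect_rule_changes(events):
    """Rule or mailbox changes that forward or delete mail; a truncated record with lost parameters is reported too."""
    findings = []
    for e in (e for e in events if e["op"] in RULE_OPS):
        hits = {k: v for k, v in e["params"].items() if k in SUSPECT_PARAMS}
        if hits or e["truncated"]:
            findings.append({"user": e["user"], "op": e["op"], "ip": e["ip"], "params": hits, "truncated": e["truncated"]})
    return findings


def scan(csv_text, geo=GEO):
    events = parse_export(csv_text)  # steps 1-4 of the list above; hand the result to your alerting for step 5
    return {"bruteforce": detect_bruteforce(events), "impossible_travel": detect_impossible_travel(events, geo),
            "off_hours": detect_off_hours(events), "rule_changes": detect_rule_changes(events)}
```

On the constructed data, scan(build_sample_csv()) returns one brute-force finding (five failures inside the window from five addresses), one impossible-travel finding (US to RO in 40 minutes), one after-hours login, and two rule changes, one of which is flagged as truncated with its parameters lost so an analyst knows to pull the record another way. Swap build_sample_csv() for the contents of a real export, feed the 89-day downloads described above into the same scan so the sliding windows span them, and wire the returned dict into email or a ticket queue for step 5.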
To go a step further, when the email logs are enabled, the automated script could look at the number of emails sent from one account to identify Phishing attempts. Metadata could be scraped for keywords such as bank account or routing information.

To review some of the recommendations:
  • Automate Detections of common attack methods
    • Rules that forward, delete, etc.
    • Large number of failed attempts
    • Generate warning messages to security team or IT staff
  • Periodic Manual review of logs
  • Employ a third-party security SOC to monitor systems and O365
  • Implement MFA
  • Never have password reuse
  • Mandatory password change every 30 days (frowned on by Microsoft, but I still think it's applicable, since Microsoft assumes that all of its suggestions will be implemented. If MFA is not implemented, then leaving passwords unrotated is dangerous)
  • Least privilege policy - only have the permissions you need to complete your job
  • Enable Audit logging on each user's account
  • Six-month retention of Audit Logs. Microsoft charges for more than 90 days, so download the Audit Logs and store them locally
  • Enable Email Audit logs
  • Alert Policies
  • VPN (with MFA). This allows the company to lock O365 down to a single IP address
    • Allows users to work from open Wi-Fi with reduced risk.
    • Client and server authentication