Cybercrooks are able to force their way into corporate Office 365 accounts, bypassing single sign-on or multi-factor authentication, by targeting older systems, according to email security biz Proofpoint.
The trick is to target legacy services that use weak or known passwords, are not secured behind multi-factor-authentication, and, once commandeered, can be used to poke around inside the corporate structure. If you don't know the password, it could be phished via email or instant message.
This all may seem obvious, but apparently people are being stung by it.
"The current wave of attacks mostly goes after Exchange Web Services and ActiveSync," said Ryan Kalember, Proofpoint's senior vice president of cybersecurity strategy, earlier this week. "A little real-time phishing gets mixed in, but is usually not necessary."
For example, Proofpoint recently saw an attacker access the Office 365 account of the chief exec of a 15,000-user financial services and insurance firm. The hacker viewed the CEO's emails and calendar in order to sniff out an opportunity to run a sneaky scam.
At the same time the chief exec was in scheduled meetings with suppliers, the intruder used the compromised account to send an email to the chief financial officer asking for funds to be shifted. The unnamed financial services firm lost $1m over the course of several transfers, it is claimed.
Compromised Office 365 accounts in a 75,000 user real-estate investment firm were used to run another scam. Five executives, including some regional general managers, had their accounts compromised. With access to their Office 365 email, attackers managed to change the ABA routing numbers for corporate funds. The company lost over $500,000 as a result, according to Proofpoint.
By the most remarkable of coincidences, the security shop has released something called Proofpoint Cloud Account Defense (CAD) to detect and proactively protect against compromised Microsoft Office 365 accounts. Kalember explained the need for additional layers of defenses.
"It's really hard for most orgs to cover all the interfaces to Exchange with MFA [multi-factor authentication]," Kalember toldEl Reg.
"Particularly with EWS [Exchange Web Services], you need to be 1) fully migrated to O365, 2) use Microsoft's own MFA, and 3) in Modern Authentication mode. The tech can't support native iOS/Android mail clients, etc."
In other words, you may think you're fully protected – but maybe you should check again. Save yourself some pain in the future. ®