View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
August 25, 2022updated 26 Aug 2022 4:25am

CEOs beware: senior executives targeted in complex Office 365 attack

Researchers discovered the complicated attack that involved phishing, a flaw in Office 365 and adversary-in-the-middle exploits.

By Ryan Morrison

CEOs and CFOs are being targeted by a phishing campaign that uses a flaw in Microsoft’s Office 365 productivity suite, lets a hacker pose as the executive and send out fraudulent invoices and financial requests. This works regardless of whether multi-factor authentication (MFA) is enabled, businesses are warned.

The attack involved the hacker inserting themselves in a real email thread using a fake domain. (Photo courtesy of Mitiga)

This type of attack, known as a business email compromise (BEC) campaign is “widespread on the internet now and targeting large transactions of up to several million dollars each,” according to cybersecurity vendor Mitiga, which discovered the breach after being called in to investigate an incident at an unnamed company following reports of unusual email activity.

One real world example of this type of attack was detailed by Mitiga in a new report. The incident combined high-end spear-phishing with an adversary-in-the-middle (AiTM) attack and an exploit in Office 365 that allowed the hacker to bypass MFA.

The hackers start by sending a phishing email targeted to a senior executive that looks like a legitimate document from DocuSign. it contains a malicious link which redirects to a fake Microsoft Office 365 login page. Entering details sends the attacker the target’s username and password.

The attack also implements a proxy server between the client and the real Microsoft server that allows the hacker to bypass MFA, meaning they can intercept a valid session cookie and obtain persistent access to monitor the account and emails.

How to combat the Office 365 phishing scam

Once into the system and able to monitor email threads, the hacker can set up a fake domain very similar to that of the company and insert themselves into an existing email thread, usually one involving a financial transaction.

The hacker would find a message in the thread about payment details and reply, suggesting there is an issue with the payment system due to an ongoing audit that has led to the target bank account being frozen. The hacker then offers up alternative payment information in an attachment.

The case that sparked the investigation didn’t result in fraud due to the “quick action of the company involved”, Mitiga says, but the attacker was able to access sensitive information that could only be obtained by compromising a user in the organisation.

Content from our partners
The growing cybersecurity threats facing retailers
How to integrate security into IT operations
How Kodak evolved to tackle seismic changes in the print industry and embrace digital revolution

“The email that the attacker sent included all the recipients of the original thread,” explained Mitiga in a review of the incident. “However, the attacker created forged domains using similar domain names, such as using capital i to replace an l, and so on.” This was put in the ‘bcc’ email field so other recipients couldn’t see the domain.

After containing the threat, Mitiga found that the hacker spent time roaming around the Office 365 environment, including accessing emails through outlook and files through Sharepoint to identify the best target email thread.

Mitiga says account security should be tied to specific authorised computers and phones to prevent criminals compromising cloud application accounts from a different location. They also recommend still using multi-factor authentication as it is a vital tool for protecting users from cyber attacks but to take additional steps to check the authenticity of domains.

Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.

Read more: Vulnerability leaves Office 365 cloud data open to attack

Homepage image of Office 365 courtesy of abalcazar/iStock

Topics in this article: ,
Websites in our network
NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy
SUBSCRIBED
THANK YOU