Responding to Microsoft 365 Attacks
This post was last updated on March 17th, 2021 at 09:35 am
Responding to the December 2020 SolarWinds Supply Chain Attack (“Solarigate”) solidified one of the most pressing security gaps of this new decade: visibility and defense against cloud application attacks. In Solarigate, attackers used the tainted SolarWinds software as an entry vector into servers and pivoted into wider network take-over, but this network take-over was not the goal. The end goal was access to communications and the informational crown jewels of the target. For most organizations today, that isn’t on our on-prem networks anymore; it’s in third party cloud platforms.
When the SolarWinds attackers compromised a network, one of their main goals was to gain access to Microsoft / Office 365–by far the most popular cloud application. A recent report from the WSJ noted that the attackers had access to SolarWind’s Office 365 accounts as early as nine months prior to discovering the attack and other reports indicated this was a common tactic. With this access they were able to read emails, reset passwords to other services (email password recovery), and monitor whether they had been caught yet. It’s not just email either. A service like Microsoft 365 can now be the holder of all that an organization values (and once put in their on-prem networks): data (OneDrive), Servers (Azure), IT Management (AzureAD), Email (Exchange/Outlook 365) and endpoint management (Intune) can all live in Microsoft’s cloud platform.
How to Attack Microsoft / Office 365
Recent attacks against a cloud service like Microsoft /Office 365 have utilized a number of tactics, most relying on poor security configurations.
- Inadequate Security Configurations
- Inadequate security configurations make it much easier to attack the cloud app directly using leaked username/password combos.
- Examples of common misconfigurations:
- Not enforcing two-factor authentication
- Too many administrators
- Password sync (same passwords used on-prem as on the cloud side)
- No auditing enabled
- The Cybersecurity Infrastructure & Security Agency (CISA) reported on several of these here: https://us-cert.cisa.gov/ncas/analysis-reports/AR19-133A
- Active Directory Federation Services (ADFS)
- On-prem networks can authorize user’s access to cloud applications using their on-prem Active Directory service. It does this by issuing SAML tokens to grant single sign-on access.
- The method used during the Solarigate incident was to compromise the on-prem domain controller and steal the “Golden” SAML token used to grant users access to their cloud apps.
- Note: The use of this stolen SAML token would trip no alarms on your on-prem network
- The most important part of this vector is that it starts with an on-prem compromise of a workstation or datacenter server.
- User Device Compromise
- A tried and true vector for cloud compromise is to hijack a user device (like their laptop). With this access, they can then install keyloggers to steal username/password combinations or perform session hijacking attacks while they are logging into their cloud service.
- Attacks like keylogging can be mitigated with out-of-band two-factor authentication. Reporting these failures can queue defenders to such an attack on a user device.
Infocyte’s Approach to Securing Microsoft 365
Due to demand from our partners, incident responders and security managers, Infocyte recently launched phase 1 of our answer to these attacks. Our Microsoft 365 / Office 365 connector makes it extremely easy to assess, monitor, and mitigate the most pressing Microsoft 365 security misconfigurations.
With the vast number of new security features and APIs available in Microsoft cloud services, it’s become difficult for a typical administrator to handle or prioritize. Infocyte’s role is to leverage these new security APIs to simplify the experience and make complex Microsoft security capabilities accessible for a broader user base.
Also, remember that two of the vectors noted above result from endpoint compromise. Our platform has historically been endpoint focused, so we’re able to detect and respond to even the most advanced on-prem compromises whether it’s a server (e.g. a SolarWinds server) or a keyloggers on a user device.
If you’re interested in learning more about Infocyte’s approach to Microsoft 365 security or performing a threat assessment, contact us here.