The 4 Most Common Ways Hackers Target Microsoft 365

As we all know, Office 365, or M365 as it’s now called, is probably the leading productivity suite used by organisations of all shapes and sizes. Because of its popularity, it is a frequent target for cyberattacks and, although thankfully rare, the subject of operational incidents.

From our research into recent high-profile breaches and incidents, we’ve identified the following themes that you need to be aware of:

Phishing and Business Email Compromise (BEC)

Phishing remains the most common attack vector against M365. Criminals continue to improve the quality of their malicious campaigns, creating convincing emails designed to trick users into revealing credentials, approving fraudulent actions or visiting compromised or malicious websites. Business Email Compromise is considered a subset of phishing: attackers try to gain access to business email accounts in order to intercept communications, redirect payments or exfiltrate sensitive data. Whilst Microsoft doesn’t publish these statistics, industry experts have reported that it detects over 150,000 BEC attempts every day, and phishing is regularly cited as the initial access method in many breaches.

Credential Theft and Account Takeover

M365 accounts are under constant attack through credential stuffing (where an attacker reuses email addresses and passwords leaked in other breaches), brute force, or exploitation of weak authentication. Once attackers have successfully logged in, they can access emails, files and sensitive business information. Where multi-factor authentication (MFA) is not enforced, a stolen password alone is enough to get in. Microsoft observes thousands of password-based attacks per second on cloud identities.

Exploitation of Misconfigurations and Legacy Authentication

Misconfigured M365 environments, including things as simple as excessive admin privileges, unintended or unauthorised external sharing, and enabled legacy authentication, are the primary cause of breaches. Legacy authentication, which does not support MFA, is too often exploited because it allows attackers to bypass security controls. Misconfigurations can also lead to data leaks, as they facilitate unauthorised access to sensitive information and resources.
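As an added example (not from the original article), the following Python script runs two defender-side checks over a handful of constructed sign-in events shaped like a Microsoft Entra ID sign-in log export: it lists successful sign-ins over legacy protocols (which cannot enforce MFA) and flags source IPs whose bad-password failures span several accounts, the credential-stuffing pattern described in the previous section. The field names and the sample events are assumptions for illustration; the same logic applies to a real export.

```python
# Added example, not the article's own code: two checks over Entra ID sign-in
# log entries. Field names mirror the sign-in log export; events are constructed.
from collections import defaultdict

# Client types that use modern authentication and can therefore be subject to MFA.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}
# AADSTS50126: invalid username or password.
BAD_PASSWORD = 50126

# Constructed sample events (not real tenant data).
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.7",
     "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "ipAddress": "192.0.2.55",
     "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": BAD_PASSWORD}},
    {"userPrincipalName": "erin@example.com", "ipAddress": "192.0.2.55",
     "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": BAD_PASSWORD}},
    {"userPrincipalName": "frank@example.com", "ipAddress": "192.0.2.55",
     "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": BAD_PASSWORD}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "clientAppUsed": "Browser", "status": {"errorCode": BAD_PASSWORD}},
]

def legacy_auth_successes(events):
    """Return (user, client, ip) for every successful sign-in over a legacy protocol."""
    return sorted(
        (e["userPrincipalName"], e["clientAppUsed"], e["ipAddress"])
        for e in events
        if e["clientAppUsed"] not in MODERN_CLIENTS and e["status"]["errorCode"] == 0
    )

def credential_stuffing_sources(events, min_distinct_users=3):
    """Return {ip: distinct accounts} for IPs whose bad-password failures hit many users."""
    failed_users = defaultdict(set)
    for e in events:
        if e["status"]["errorCode"] == BAD_PASSWORD:
            failed_users[e["ipAddress"]].add(e["userPrincipalName"])
    return {ip: len(users) for ip, users in failed_users.items()
            if len(users) >= min_distinct_users}

if __name__ == "__main__":
    print("legacy auth successes:", legacy_auth_successes(SIGNINS))
    print("possible credential stuffing:", credential_stuffing_sources(SIGNINS))
```

A single user failing repeatedly from one address (alice above) is not reported, because the credential-stuffing check keys on the number of distinct accounts per source, not the raw failure count.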

Abuse of Third-Party Integrations

Many third-party applications require a privileged user to consent before the application can interact with your M365 service. Without appropriate due diligence and approvals, an attacker could trick that user into authorising a malicious application. These apps can then access mailboxes, files and other resources, often without triggering traditional security alerts. Unrestricted or over-privileged third-party app access is a significant risk, as it can lead to large-scale account compromise or data exfiltration.

What Next?

These themes all highlight the importance of robust security practices, including enforcing MFA wherever possible, minimising elevated or admin privileges, disabling legacy authentication where it isn’t required (and, where it is, managing and reviewing who has access on a frequent basis), and monitoring third-party app access.

By taking some basic steps, you can make it a lot harder for a simple attack to be successful and still have time to focus on your primary job of supporting your customers and growing your business.

Engaging with Somniac Security can help secure your services, leaving you safe in the knowledge that you won’t suffer from these common attacks. Contact us at info@somniacsecurity.com today to help safeguard your business against tomorrow’s challenges!