Posted on May 3, 2019 at 6:28 AM
Security researchers seem to have uncovered that over 1.5 million spam emails may have been sent out via 4,000 Office 365 accounts that were compromised earlier this year. Barracuda Networks, the firm behind the research, has released a blog post detailing its findings.
Previous breaches fully leveraged
The hackers appear to have executed the account takeovers in a variety of ways. The principal method, however, was data from previous breaches: usernames and passwords that were the same on the Office 365 accounts as on the other platforms the data was stolen from.
This is a common occurrence, since many people use the same username and password for multiple accounts. It is something that anyone who is worried about security would not do, but there is still a general lack of education on this particular topic. The hackers also used personal emails to get access to the business email accounts that were taken over. In addition, they used brute force attacks that managed to unlock the passwords of people who used very simple ones. Such passwords are easy to guess from social media, and people who rarely change their passwords are most at risk of a brute force attack. One brute force attempt might not work, but with more and more of them, a password that is simple enough will eventually be cracked.
The researchers also mentioned that attacks came from web applications, including business applications, and even SMS in some cases. They note that over half of all global businesses are already part of Office 365’s monthly program and that adoption is growing quickly. That makes Office 365 breaches a valuable target, as they are a gateway into a legitimate business’s data and its organizational structure. It allows breaches to become many times more lucrative than simple personal attacks.
Trust is earned by companies and abused by hackers
The compromised accounts were used in spear-phishing campaigns that targeted a wide array of people. These were not the precision strikes seen in other breaches in the last few months; the campaigns instead relied on the trust between a company and its clients.
While many spear-phishing attempts are stopped due to bad domains, since these emails came from the legitimate domains, they were more believable to people who read them. After all, if you receive emails from a business regularly, you will not think to check if anything is completely different simply because of a few spelling mistakes (the telltale sign of spam emails).
How did the companies not notice the breaches? Well, in 34% of the cases the mailbox rules were changed. This allowed the hackers to automatically hide and delete the emails that were sent out. They could simply set up a mass emailing campaign and leave the server to do its work. When someone logged in to check the sent emails, there would be no trace of the malicious messages.
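As an added, defender-side illustration of the mailbox-rule technique described above (example code written for this page, not from the article or from Barracuda's research): a scan over constructed audit-log lines that flags newly created or modified inbox rules which delete, hide or forward mail. The record field names and sample values are assumptions and should be checked against a real tenant export.

```python
import json

# Constructed sample lines shaped like mailbox-audit records for inbox-rule
# changes. Field names (UserId, Operation, Parameters) are an assumption for
# this example, not taken from the article.
SAMPLE_AUDIT_LOG = [
    '{"UserId":"alice@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Cleanup"},{"Name":"SubjectContainsWords","Value":"invoice;password"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"UserId":"bob@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"FromAddressContainsWords","Value":"news@"},{"Name":"MoveToFolder","Value":"Newsletters"}]}',
    '{"UserId":"carol@example.com","Operation":"Set-InboxRule","Parameters":[{"Name":"Name","Value":"."},{"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]}',
    '{"UserId":"dave@example.com","Operation":"MailItemsAccessed","Parameters":[]}',
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Folders a user rarely opens; a rule that dumps mail there hides it in practice.
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions",
                  "junk email", "conversation history", "archive"}


def rule_parameters(record):
    """Flatten the Parameters list into a dict keyed by lower-cased name."""
    return {p["Name"].lower(): str(p["Value"]) for p in record.get("Parameters", [])}


def hiding_reasons(record):
    """Return the reasons a rule-change record looks like mail hiding (empty if benign)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = rule_parameters(record)
    reasons = []
    if params.get("deletemessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if params.get("movetofolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to {params['movetofolder']}")
    if params.get("forwardto") or params.get("redirectto") or params.get("forwardasattachmentto"):
        reasons.append("forwards mail outside the mailbox")
    if reasons and params.get("markasread", "").lower() == "true":
        reasons.append("marks it read")
    return reasons


def find_hiding_rules(lines):
    """Scan JSON audit lines; return (user, rule name, reasons) for suspicious rules."""
    hits = []
    for line in lines:
        record = json.loads(line)
        reasons = hiding_reasons(record)
        if reasons:
            name = rule_parameters(record).get("name", "<unnamed>")
            hits.append((record["UserId"], name, reasons))
    return hits


if __name__ == "__main__":
    for user, name, reasons in find_hiding_rules(SAMPLE_AUDIT_LOG):
        print(f"{user}: rule '{name}' {', '.join(reasons)}")
```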
This is why many in the information security industry are now telling people not to trust any emails that come from “trusted” sources. You should always remain skeptical no matter who is sending you the email. Personal interaction has moved to Facebook, Viber, and WhatsApp, leaving email as mostly a professional tool. While you may trust certain sources, any time you are asked to download something or click on a link, you would be wise to check with the company first.
The techniques hackers use are being refined every day, and the only real way any organization can truly guard itself is to educate its workforce about phishing attacks. An oft-repeated infosec saying is that the biggest flaw in any security system is the human factor. Education is one way of patching this flaw, but even then constant vigilance is needed to keep everything as secure as possible.