Published on in Cyber Security

A range of services are available within Microsoft’s Office 365 platform, including Skype, Office, OneDrive and SharePoint.  All of these allow users to access these and other productivity services referred to as SaaS (Software As A service).

These services offer a significant benefit to most organisations in that access to them is available wherever their users require it. However, along with the benefits comes risk, and a number of threats.

Fujitsu Cyber Threat Intelligence (CTI) research has identified a new threat emanating from West African actors who are successfully compromising legitimate credentials via Microsoft Office 365 (O365) chain phishing.

This article highlights the serious risks which can be associated with Office 365 cloud services if not appropriately managed, monitored and secured, and the potential to further compromise an organisation through chain phishing.

Fujitsu CTI has previously highlighted research into cloud security and the risk of unsecured data to both the company and their supply chains as a result of preventable risks. 

Chain 365

This Office 365 specific chain phishing attack has compromised other organisations since at least June 2017. It starts when an organisation receives a phishing email from an organisation in their supply chain with a landing page requesting the input of Office 365 credentials.

The second phase of the attack then uses the compromised credentials to force phish further internal and external contacts via a different landing page. The attacks have a higher chance of success as they are from what appears to be a legitimate user.

The following high-level diagram highlights the attack chain:

High level diagram of attack chain

Potential impact

Whilst phishing is not a new concept, and is frequently used as an attack vector to compromise web based services, the risk is amplified to Office 365 customers as compromising and using legitimate credentials can allow access to other Microsoft services within an O365 environment such as Skype, SharePoint and One Drive.

Overview diagram of potential services at risk

The following table highlights a number of the high level findings from this assessment:

Table showing potential areas of exposure & associated risk

Modus Operandi

Following the analysis of a series of phishing emails and lures, using both DocuSign and spoofed O365 login pages, it has become evident that significant, and far reaching, attacks are most likely impacting other organisations.

The threat impacts not only the organisation but its supply chain and also, potentially, its client base.

A successful phishing lure, targeting an O365 user, will start a series of events via a chain methodology.

1. Users are sent an email containing a link, disguised in a number of ways

Screenshot of disguised phishing email

 

2. Users visit the links which commonly reside on, or redirect through, compromised legitimate websites.

Screenshot of user view when being redirected to malicious websites

 

3. Users enter their credentials and are then redirected to the original Microsoft login page

Screenshot of log screen showing user redirection

 

4. The threat actor uses the credentials to then either login to the companies O365 environment, or to configure an external client if Outlook Anywhere is enabled.

5. Threat actor now appears as the compromised user using their legitimate credentials and mass mails a new phishing campaign to known internal and external contacts.

6. If a recipient queries the email by using Skype, or other communication methods, the attacker can respond, posing as the original sender, to further add legitimacy and confirm the mail is genuine.

7. Recipients, either internal to the organisation or external 3rd parties, then fall victim to the phish as the mail is from a trusted source and also proceed to enter their credentials into new, spoofed websites.

8. The steps are repeated both in the same organisation and any external organisation, which provides another continuing link in the chain.

The threat actor can choose who to target and how to target them. This can extend to Business Email Compromise and pose a risk of financial loss to an organisation. Evidence supports this due to the nature of the mails with subjects typically received by financial teams.

Summary

Given the potential for access to key data stored in O365 this attack represents elements of Corporate Identity Theft, creating the ability to interact with both internal and external users posing as a trusted individual and the onward chain of infection. It highlights the serious potential for damage this attack can cause.

This attack is often successful due to the mail being sent by what appears to be a legitimate individual. If someone has had contact with an individual they are far more likely to trust and interact with content they provide. Given the ability in this attack scenario to further communicate via Skype this could easily sway even tech savvy users to let their guard down.

The configuration options Microsoft allows offer numerous remediation steps and more complex configurations which guard against potential compromise. These options include, but are not limited to, Data Loss Prevention, Multi-Factor Authentication and Advanced Threat Solutions.

Fujitsu CTI offer a compromise assessment service in which an initial technical assessment can help determine whether your organisation’s O365 environment has been compromised through misconfiguration issues, by analysing logs to search for Indicators of Compromise.

Alternatively, Fujitsu can assist with an evaluation of the specific O365 environment and provide advice and guidance on optimal configuration settings as a mitigation against this threat.

Please contact our team to learn more.

Bryan Campbell

Senior Security Researcher & Fujitsu Distinguished Engineer at Fujitsu
Bryan is an experienced security analyst with a proven record of delivering technology services across industry sectors.

He has developed his design, technical, project and security skills within some of the UK’s top employers and institutions.

Leave a Reply

Your email address will not be published. Required fields are marked *