18 March 2020

The world is currently gripped by the spread of Covid-19, more commonly referred to as coronavirus, and unsurprisingly, cybercriminals are making the most of the situation and public uncertainty through phishing scams.

 

There are many different examples of Covid-19 phishing scams in active circulation. Some purport to share the latest guidance, others encourage people to apply for a tax rebate, and yet more ask for donations towards medical efforts. Some even claim to provide a magical cure.

It has been reported that in Italy, the European epicentre of the virus, a single malware campaign has reached over 10% of businesses across the country.

Due to the virus and the need to restrict its spread, more and more people are working from home. But working from home can influence user behaviour. It’s only human nature that people do things whilst working at home that they wouldn’t do in the office. While this may be as innocuous as putting a load of washing on or feeding the cat, other non-office type activities may involve taking greater risks while using their computer.

As one of the most widely used software-as-a-service (SaaS) platforms, Office 365 is routinely targeted by cybercriminals. So, it shouldn’t come as a surprise that Office 365 users are being besieged by coronavirus-related scams. It is just the latest tactic in a long line of attacks by scammers and cybercriminals.

 

Ongoing security concerns with using Microsoft Office 365

 

Just last month, the FBI Internet Crime Complaint Center (IC3) alerted US businesses to ongoing attacks targeting organisations using Microsoft Office 365 in business email compromise (BEC).

Again, warnings about BEC are nothing new, but between January 2014 and October 2019, the centre reported that it received complaints totalling over $2.1 billion in actual losses from BEC scams targeting users of Microsoft Office 365 and other hosted email services.

Meanwhile in the UK, despite the fact that the National Cyber Security Centre (NCSC) has made a concerted effort to encourage system administrators to implement stronger cybersecurity practices, Office 365 is still exceptionally vulnerable. In fact, there is damning evidence from Microsoft itself about the security practices of its users.

 

Poor Office 365 security practice by organisations

 

Microsoft estimates that some 1.2 million Azure Active Directory accounts used by Office 365 are compromised every month. Microsoft revealed these startling figures at the RSA conference last month in San Francisco.

“About a half of a per cent of the enterprise accounts on our system will be compromised every month, which is a really high number. If you have an organisation of 10,000 users, 50 will be compromised each month,” said Microsoft’s Director of Identity Security, Alex Weinert.

This is a truly worrying revelation. Any account compromise means that a malicious actor or script has some access to internal resources, even though the degree of compromise is unspecified. The goal could be low level, such as sending out spam, or it could be much more serious, with hackers stealing secrets and trying to escalate privileges.

These types of issues with security levels are highlighted for Office 365 administrators through a security dashboard available on the platform. They are given a ‘security score’ to indicate the strength of their defences and security processes. The maximum score is 707, and yet last year the average Office 365 security score came out at just 37!

 

Current Office 365 scams to look out for

 

Whilst there is an almost unlimited variation in the types of BEC attacks, some of the most widely seen Office 365 scams are:

  • Updating Office 365 accounts – ironically, one of the main security scams asks users to update their own account details, for example by urgently re-registering an account that has supposedly expired.
  • Fake meeting requests – this type of phishing scam sends messages that spoof the name and email address of a senior manager and asks users to reschedule a meeting by taking part in a poll to choose the new date and time. When users click on the link, they are presented with what appears to be an Office 365 login page which is in fact a phishing site.
  • Employee pay rises – this scam uses the lure of a pay rise to convince employees to hand over their Office 365 login credentials. The email contains a link to what is purported to be a spreadsheet containing details of an employee salary increase – but which instead takes the user to a phishing site that looks like the Office 365 login page. This scam is thought to be particularly effective as the login page displays the user’s email address prominently.
  • Voicemail scams – this attack makes use of a genuine audio recording which requests that employees allow Microsoft access to their Office 365 account, along with an almost identical login page that actually harvests the victim’s details.
  • Content scams – criminals can also use Microsoft Sway, a bona fide presentation software tool, to create a spoofed site into which even experienced and knowledgeable users have been fooled into entering their details. The fact that the phishing email contains a link to a genuine Microsoft product makes it very difficult for users to spot this form of cybercrime.
  • Conversation hijacking – this scam sees phishers infiltrate a genuine email account using previously compromised credentials and then insert themselves into a conversation by taking on the persona of the account they have gained access to. When another employee gets an email from this ‘trusted’ colleague, they happily click on the links it contains, which take them through to a spoofed site.
  • Video conference scams – with the rise in working from home due to coronavirus, many more people are using video conferencing tools to communicate with both colleagues and customers. Cybercriminals are sending false communications that insert bogus links, through which users then inadvertently download malware rather than the correct conferencing software.

The many scams employed by cybercriminals mean that it is important to take a multi-layered approach to Office 365 security by putting additional defences in place to mitigate the potential damage of an attack.

 

1. Implement multi-factor authentication

 

The first step to improving Office 365 security for all organisations should be to enforce multi-factor authentication (MFA) across all user accounts. MFA requires users to provide an additional layer of authentication, such as entering a unique code sent to a mobile phone application, so that in the event of a password being compromised, an attacker is prevented from gaining access to the associated account.

Enforcing MFA is straightforward and can be implemented via the Office 365 admin centre. At the RSA conference, Microsoft reported that the global adoption rate of MFA for the platform is currently around 11%. They believe this low take-up is a major factor in the high rate of account compromise.

 

2. Use dedicated admin accounts

 

It is not just general employees who are targeted with phishing scams. IT administrators are singled out by cybercriminals, as their accounts typically have greater privileges and access to more company data. With access to an admin account, criminals can carry out extremely effective attacks against other members of the organisation by creating new accounts.

System admins should therefore have separate personal accounts that only include privileges needed for day-to-day operations. Before using high-privilege accounts, admins should also close any unnecessary browser sessions and applications.

 

3. Provide regular security awareness training

 

Naturally, improving employee knowledge is a vital way to reduce the effectiveness of phishing attacks. Regardless of the security defences an organisation has in place, human error is one of the most common causes of breaches.

It is therefore essential that all employees understand their part in maintaining Office 365 security by undertaking regular security awareness training provided by their employer. The training should cover areas such as password management, device management, social engineering and the latest cyber threats.

 

4. Stop email auto-forwarding

 

As was the case in a sophisticated BEC attack investigated by Redscan, cybercriminals that successfully compromise Office 365 user accounts often exfiltrate data by setting up Outlook mail rules to automatically forward incoming and outgoing emails to other addresses.

To prevent this, system administrators should enforce a mail transport rule that blocks users from creating forwarding rules to domains outside of their organisation.

 

5. Proactively monitor your environment

 

With so many threats capable of breaching the network perimeter, having full visibility of Office 365 account activity is essential. Investing in the proactive monitoring of networks allows organisations to detect any malware or unusual activity. The earlier that any suspicious activity is detected, the sooner it can be acted upon. This reduces the window of opportunity for a cybercriminal to achieve their intended goal.

Activating full audit logging within Office 365 can help to detect unusual employee activity, such as which users have logged in and from where, as well as who is accessing and making changes to documents. Before organisations can even think about leveraging audits, IT and security teams need to implement a process to save log data for longer than Microsoft’s standard 30 days. It’s also important to know that even when logging is set up, event tracking is not a default Office 365 setting, so businesses must activate that too.
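The forwarding rules described in step 4 are one thing that audit log data can surface. The sketch below is an added example, not Redscan's or Microsoft's code: it scans exported audit records for inbox rules or mailbox settings that send mail to addresses outside the organisation. It assumes each record carries `Operation`, `UserId`, `ClientIP`, `CreationTime` and a `Parameters` list of name/value pairs, as in Exchange admin audit events; the sample records, addresses and domains are constructed.

```python
# Cmdlets and parameters that can route a mailbox's mail to another address.
FORWARDING_PARAMS = {
    "New-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-Mailbox": {"ForwardingSmtpAddress"},
}

def external_targets(value, internal_domains):
    """Return the addresses in a parameter value whose domain is not internal."""
    found = []
    for item in value.split(";"):  # assumed: several recipients are ';'-separated
        addr = item.strip().strip('"').lower()
        addr = addr[5:] if addr.startswith("smtp:") else addr
        if "@" in addr and addr.rsplit("@", 1)[1] not in internal_domains:
            found.append(addr)
    return found

def find_external_forwarding(records, internal_domains):
    """Return one alert per audit record that forwards mail outside the org."""
    alerts = []
    for rec in records:
        wanted = FORWARDING_PARAMS.get(rec.get("Operation"), set())
        for param in rec.get("Parameters") or []:
            if param.get("Name") not in wanted:
                continue
            targets = external_targets(param.get("Value") or "", internal_domains)
            if targets:
                alerts.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                               "ip": rec.get("ClientIP"), "op": rec["Operation"], "targets": targets})
    return alerts

# Constructed sample records (assumed layout, not real log data).
SAMPLE = [
    {"CreationTime": "2020-03-16T09:12:44", "Operation": "New-InboxRule",
     "UserId": "j.smith@example.co.uk", "ClientIP": "203.0.113.50",
     "Parameters": [{"Name": "ForwardTo", "Value": "archive@example.net"}]},
    {"CreationTime": "2020-03-16T10:01:02", "Operation": "Set-InboxRule",
     "UserId": "a.jones@example.co.uk", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "ForwardTo", "Value": "pa@example.co.uk"}]},
    {"CreationTime": "2020-03-17T22:40:19", "Operation": "Set-Mailbox",
     "UserId": "finance@example.co.uk", "ClientIP": "203.0.113.50",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:Inbox@Example.org"}]},
    {"CreationTime": "2020-03-18T08:00:00", "Operation": "New-InboxRule",
     "UserId": "b.lee@example.co.uk", "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

if __name__ == "__main__":
    print(find_external_forwarding(SAMPLE, {"example.co.uk"}))
```

Domains in `internal_domains` must be lower case and are matched exactly, so every accepted domain and subdomain the organisation owns needs to be listed.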

Network and endpoint monitoring tools can also be used to facilitate threat detection and response by improving the identification of attacks targeting Office 365.

Without specialist cloud security skills, organisations using Office 365 monitoring tools may struggle to configure, manage and monitor them. For this reason, many organisations consider using a 24/7 cloud management and monitoring service to help bridge their skills and resources gap.

 

6. Undertake regular Office 365 security assessments

 

Penetration testing is another important layer of Office 365 protection as it helps to identify and remediate vulnerabilities in cloud environments before they can be exploited maliciously. Office 365 security assessments can help to detect exposures such as insecure configurations and weak web applications.

When commissioning an Office 365 security assessment, it is important to consider Microsoft’s Cloud Rules of Engagement, which place limits on the assets that can be tested and require organisations to report critical system security issues within 24 hours of discovering them.

 

Help prevent your employees from falling for a coronavirus scam

To help organisations tackle the latest coronavirus scams in Office 365 and the other issues identified in this blog article, we are running a webinar next week (Tuesday 24th March) on “Securing Microsoft Office 365 – how to detect and respond to the latest threats”.

The webinar will feature a hacking demonstration from Redscan’s security experts and cover:

  • Key security issues to consider when using Office 365
  • The attack vectors targeting your environment and users
  • Demonstrations of common email phishing attempts
  • How to prevent, detect and respond to cloud-based attacks
