Stopping Office 365 Account Takeover Attacks in Their Tracks

Enterprises are heading to the cloud in record numbers, drawn in by the accessibility and flexibility of platforms like Microsoft Office 365. However, without significant changes to the traditional on-premise security paradigm, the transition increases exposure to account takeover and other serious risks. 

The increasing usage of cloud apps and services, such as Office 365, and most notably email, raises new challenges related to securing data and ensuring regulatory compliance. Symantec’s 2018 Shadow Data Report found that 32% of cloud-based emails and attachments are broadly shared. Moreover, 68% of companies have employees that engage in high-risk behavior with their cloud accounts, increasing susceptibility to data exfiltration, data destruction, and account takeover.

In the cloud, credentials are the keys to the kingdom, making them a target for bad actors in search of a way in. Cyber criminals, and even amateurs looking to make a quick buck, have escalated account takeover attacks to gain access to an insider’s credentials to compromise other accounts and systems using social engineering techniques and phishing campaigns.

A more sophisticated variation of account takeover is the Business Email Compromise (BEC) scheme, in which criminals target high-ranking executives’ credentials, using their identity to spoof company employees and partners into paying fraudulent invoices. An FBI report estimated BEC attacks between October 2013 and May 2018 have resulted in $12.5 billion in global losses, with $2.9 billion stolen from U.S. victims.

Cloud Security Gaps

Once a bad actor has swiped a user’s credentials, they can log in as that individual across all other Office 365 functions. Account takeovers are often initiated through phishing attacks, which mimic legitimate requests for resetting a username or changing a password to gain entrée into the system. Brute force attacks, where bad actors repeatedly try to grab credentials, and malware, which is introduced by compromised end points or through shared content, are other popular vectors for account takeover attacks.

Cloud platforms like Office 365 have some built-in security, but they have no way to determine whether a cloud-based account is being used by an authorized user or being exploited by cyber criminals. “Office 365 has limited abilities for administrators to track what was sent where, to do e-discovery of problems, or to look at what documents were sent across the way,” explains Jeannie Warner, senior product manager at Symantec. “There is no way to characterize documents as personal, there is no identifiable information, and there are limited controls.”

For a proper defense against account takeovers and other risks, enterprises need to augment cloud platforms like Office 365 with with a complete security solution that can block sophisticated email threats using a multilayered defense and is part of a broader security solution. For example, Symantec Email Security.cloud bolsters the security of cloud and on-premise email systems with advanced detection technologies and telemetry from the Symantec Global Intelligence Network. The platform scans external email, including attachments and links, at the cloud perimeter, enabling it to identify attempts to impersonate legitimate users.

Symantec’s email security solution also features Threat Isolation, proprietary technology that opens risky or unknown website links in read-only mode, preventing the spread of infection and stopping users from entering their credentials. At the same time, a sophisticated impersonation engine blocks threats that masquerade as specific users or legitimate email domains, providing additional protections.

Another important piece of the security foundation for Office 365 is a Cloud Access Security Broker (CASB) like Symantec’s CloudSOC. CloudSOC covers the entire suite of Office 365 apps, including OneDrive, SharePoint, and Yammer, in addition to email and other applications, blocking threats and sensitive data exposures for both internal and external-bound user transactions. Using data science-driven user behavior analytics, CloudSOC identifies malicious behavior even when users are remote or using personal, unmanaged endpoints. A CASB can also detect the use of unsanctioned cloud apps and email while applying the appropriate protections. Administrators can assign users ThreatScores to flag more or less levels of risk as well as enforce policies via alerts and by quarantining or blocking users.

Machine learning and pattern matching are essential capabilities for a CASB, Warner says. “They help decipher thousands of small micro clues that determine whether something is good or bad traffic or whether a piece of content is proprietary to your system,” she explains. “The CASB can extrapolate that learning out to future emails to prevent attacks.”

Cloud applications like Office 365 raise the bar on productivity, but they also open the door to greater security risks. By taking a layered approach to security, organizations can ensure their cloud journey is both safe and a success.