Phishing and credential harvesting make up a large proportion of the incidents that CERT NZ sees — it's one of the top three reported incident types. These incidents are common because the attacks take little effort and few resources to carry out.
These incidents can also lead to business email compromise, which can have large scale impacts on organisations.
We see a large number of Microsoft 365 branded phishing attacks in particular. This is due to it being such a commonly used cloud platform. A portion of phishing emails are successful and attackers can gain valid credentials. Organisations need to configure security controls to mitigate what attackers can do once they access M365.
Email forwarding rules
Once an attacker has access to an M365 account, they often set up ways to steal data over time. They also try to cover their tracks by hiding emails they send from the account and any replies they receive.
Email forwarding rules can be configured to automatically send an email to an email address outside of the organisation’s domain. Inbox rules are also used to auto-delete sent and received emails.
By default, Microsoft 365 data isn’t covered by a retention policy. By creating and implementing Microsoft 365 retention policies, you decrease the risk of data loss in the event of a security incident. Retention policies can also help you recover from accidental data deletion or modification.
You can apply a retention policy to the whole organisation or to specific locations and users.
Principle of least privilege
Microsoft 365 has several types of administrative roles which give the assigned user permission to do specific tasks in Microsoft 365. Ensure that your administrators have the lowest access needed to do their role. This decreases the risk of data leakage or malicious access to data when a security incident or account compromise occurs.
Once you’ve established the tasks each role needs to do, document it. Actively manage this list and do regular access reviews to make sure the right permissions are still applied.
The available administrative roles are frequently changing in the service, so it’s important to periodically review that the least privileged role is used to align with the changes in the platform.
Remediating compromised M365 accounts
Dealing with account compromises is more complicated than resetting a password. While investigating, you should consider what the attacker did while they had access to valid credentials. Attackers can use mechanisms built into Microsoft 365 to maintain their access once their password has been reset.
Incidents we’ve seen
An attacker will often try to maintain access to an account once it’s been identified as compromised. An example of persistent access after compromise is described below:
- Attacker sends a malicious email to User X at your organisation containing a phishing URL.
- User X clicks on phishing link and provides their corporate credentials.
- The attacker does reconnaissance on your organisation, and identifies you’re using Microsoft 365.
- The attacker ‘logs in’ to User X’s account and uses legacy protocols IMAP and SMTPAUTH to send spam emails and copy outgoing emails.
- The attacker creates an inbox forwarding rule to themselves so they can exfiltrate data.
- Your organisation resets the password for User X.
- Outbound SMTP will stop with the password reset, but all emails received by User X continue to be sent to the attacker by the inbox forwarding rule.
It’s a lot harder for attackers to phish staff and get valid credentials with multi-factor authentication (MFA) enabled. CERT NZ recommends enabling MFA on all accounts accessible from the internet. Our critical control has advice on implementing it at an organisational level.
What you can do
CERT NZ recommends you do the following when a Microsoft 365 account is compromised:
- Report the incident to CERT NZ.
- Reset the account password.
- Revoke Azure AD refresh tokens. This ensures all established sessions are required to re-authenticate with the new password.
- Use Microsoft 365 audit searches to determine what the attacker did with the access.
- Enable multi-factor authentication, if not already enabled.
- Remove any mailbox forward rules (SMTP forwards and inbox rules).
- Remove any mailbox permissions and delegations.
- Remove any ActiveSync/MDM-managed devices associated with the account.
- Revoke any OneDrive/SharePoint external shares created by the user. This is a great way for an attacker to exfiltrate data.
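As an added example (not a CERT NZ script), the following Exchange Online PowerShell enumerates the two persistence mechanisms described above, mailbox-level SMTP forwards and inbox rules that forward, redirect or delete mail, across every mailbox, and can remove them from one named mailbox during remediation. It assumes the ExchangeOnlineManagement module is installed, that Connect-ExchangeOnline has already been run with sufficient rights, and that example.org.nz is a placeholder for your own domain(s).

```powershell
# Added example, not CERT NZ's code. Assumes Connect-ExchangeOnline has been run.
# "example.org.nz" is a placeholder: replace it with your organisation's domain(s).
param(
    [string[]]$InternalDomains = @('example.org.nz'),
    [string]$Mailbox,   # scope to one (compromised) mailbox; default is every user mailbox
    [switch]$Remove     # only honoured together with -Mailbox, to avoid tenant-wide deletion
)

function Test-ExternalAddress {
    param([string]$Address)
    # Rule targets render as 'Display Name [SMTP:user@domain]' or plain 'user@domain';
    # pull out the SMTP part and compare its domain against the internal list.
    if ($Address -match '(?i)SMTP:([^\]\>]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1].Trim()
    return -not ($InternalDomains -contains $domain)
}

$doRemove = $Remove -and $Mailbox
$mailboxes = if ($Mailbox) { Get-Mailbox -Identity $Mailbox }
             else { Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox }
$findings = @()

foreach ($mbx in $mailboxes) {
    # 1. Mailbox-level SMTP forward to an address outside the organisation.
    #    (A ForwardingAddress pointing at a mail contact should be triaged too.)
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        $findings += [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Type = 'SmtpForward'; Detail = $mbx.ForwardingSmtpAddress }
        if ($doRemove) { Set-Mailbox -Identity $mbx.Identity -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false }
    }
    # 2. Inbox rules that forward/redirect externally or silently delete messages.
    #    Delete-only rules are often legitimate, so they are reported for triage, not assumed malicious.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        $external = @($targets | Where-Object { Test-ExternalAddress ([string]$_) })
        if ($external.Count -gt 0 -or $rule.DeleteMessage) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Type = 'InboxRule'
                Detail  = "$($rule.Name): external=$($external -join ',') delete=$($rule.DeleteMessage) enabled=$($rule.Enabled)"
            }
            if ($doRemove) { Remove-InboxRule -Mailbox $mbx.Identity -Identity $rule.Identity -Confirm:$false }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it without parameters for a tenant-wide report, and with `-Mailbox user@example.org.nz -Remove` once a specific account has been confirmed compromised.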