“One question was what exactly were the hackers after? They had compromised at least one account, yet they still weren’t done. What was next? But the big question was - how to get rid of them?”
Part 1: They are already in the account.
Last week, we got a call from a potential customer that sounded like 911-urgent: “They’re in our account. Now. We need your help to stop a live attack."
The call and the subsequent investigation described an incidence of hacking and impersonation that I believe would be interesting to all Office 365 and G Suite corporate users as it demonstrates the pervasiveness and sophistication of hackers, and emphasizes some of the unique problems of SaaS security.
This organization was not an Avanan customer, but had been using Office 365 for awhile, and were generally happy with Microsoft’s default security. They had seen phishing and malware coming through but didn’t consider it a priority. That changed when they learned that hackers were sitting dormant in their accounts and sending very targeted emails.
Here's what they noticed: During a large endpoint upgrade project, the most relevant IT manager got an email from an account that appeared to be the project lead. The email stated that the upgrade process was stuck, and requested the manager to log in to Office 365 with his admin credentials to release the lock. As you might have guessed, the email was a forgery, the sender was not actually the project lead, and the link within the email led to a fake Office 365 login screen.
Part 2: They are watching.
Over the next few hours we learned more about the attack:
- In the original breach, the hackers sent an email from an external email account, faking the name of the company and its employee. They registered a domain that looked like the company they were attacking and created an email account with the same name as the real user they were impersonating. Not expensive, but it demonstrates that this was, indeed, a targeted attack.
- The hackers patiently read emails and conducted due diligence as they awaited an opportunity to strike. They spent the time researching the internals of the organization, learning its projects, employee hierarchy and responsibilities, so they could craft and send a message in the perfect context. They made sure it was not only to the right people, with a very genuine body and correct signature, but also timed perfectly to a highly-relevant ask.
- Strangely, the hackers did not send an email from the account they had already compromised, most likely because they didn’t want to expose the account they beachhead. Therefore, even after the attack, the organization still didn’t know to determine which account had been compromised. Because the original announcement of the endpoint upgrade project went to everyone in the company, IT Security couldn’t even narrow it down their search of the breached account.
The hackers already compromised at least one account. What was next?
Part 3: They want full (undetectable) control.
Apparently, the hackers tried to expand from compromising a single-user account to gaining admin credentials. The phishing email went to someone that very likely has that admin-level access. Based upon the phishing email and what we’ve seen in similar attacks, the next step after compromising the admin account would have been not to login with the stolen password, but to approve a malicious app (usually with a very benign name) across the entire organization. This would have given the hackers full access to everyone’s inbox and every other Office 365 application—OneDrive, ShareFile, etc. Such access would be indefinite because even after the admin password is changed, the app is still connected with its OAuth token. There are no login alerts or user activity logs, making these API events practically invisible. Once the entire organization is open to the hackers, the stolen credentials are no longer needed. In many cases, the company believes the crisis to be over and goes back to business as usual.
[See The New Attack Vector: API-based Attacks on Your SaaS ]
How is this attack unique to SaaS email?
Phishing and malware propagation via email have been with us for decades, but there are several aspects of this attack that demonstrate the unique difficulties associated with securing SaaS email that are not a factor in securing on-premises email.
Legacy email security solutions no longer apply.
When email was in the data center, the threat was assumed to be incoming SMTP. No email security system would bother to monitor the IMAP or POP connections between the server and user because they were assumed to be safe inside the perimeter.
Those legacy email security solutions, like Proofpoint or Mimecast, did move to the cloud but they did not change their original assumptions. In a typical mail-proxy (MTA) deployment, only inbound Office 365 email is monitored. Monitoring internal messages is not implemented and monitoring for compromised accounts or malicious apps is completely off their radar. In the cloud email these attack vectors must be secured.
Here’s more info on why MTA is not the right approach for SaaS-based email security: 7 reasons not to use an MTA gateway
Since anyone can login from anywhere in a SaaS environment, multiple or failed login attempts can go unmonitored. Currently, an administrator must manually sift through Office 365 logs or rely on Microsoft to flag them.
Another problem is the end-users. They have become empowered to add new functionality through third party applications and have grown accustomed to authenticating and re-authenticating services several times a day. A prompt to login here and there doesn’t raise any suspicion. Administrators do not have the tools to find the one malicious app authentication among the thousands that happen every day.
Microsoft and Google can do their best, but can only promise ‘best-effort’.
While both Microsoft's Office 365 and Google's G-Suite, included some default security into their service, talking to any enterprise customer of this service, makes it evident that they have failed to protect their SaaS email service from phishing and malware. We have summarized some reasons for this failure in the link below, but the key reasons are that as any default security, the hackers have all the time in the world to find a way around it. With hundreds of Milions accounts using the same security, hackers are very motivated to do so.
[See our post: 5 Reasons Why Microsoft Can't Secure Office 365 ]
How Can You Solve It?
Full Stack Security for Email
No security administrator would disagree that basic email security should include anti-phishing, anti-malware, and malicious-link protection at a minimum. This typically includes signature-based scanning, malware sandboxing, active-content detection, URL-reputation filtering and URL form emulation. Ideally you would want a solution that scans all traffic--inbound, outbound and internal.
In addition, for SaaS email, you would also need to monitor logins to the service and detect suspicious activity for compromised accounts, and Allow List/ Block List the applications your end-users can install so they don't open access to a malicious app.
Finally, you would want to expand protection beyond just email. For example, filesharing via OneDrive, Google Drive or Box. And to protect other collaboration tools that have replaced email like Slack or Skype. And other business apps that have become the target for sophisticated attacks like Salesforce or ServiceNow.
The Ultimate Resolution
We were not the customer’s first phone call, but we were the only one to have a solution that could provide the answers. Unlike most security tools that can only start their investigation on current and future information, Avanan can go back in time to every event, every email (received or sent, even on deleted accounts), every file and API authentication to run multiple, parallel security scans in retrospect.
It turns out that what they needed was what we offer to every potential customer, free of charge, with no obligation.
If you are worried about this scenario in your organization, Avanan offers historical email scans to flag suspicious activity and phishing attacks on your domain. We will help you find if and how they got in, at no charge.