Credential harvesting is not the hacker’s end goal. It’s just a step in a much grander scheme.
Using these compromised credentials, hackers take over Office 365 accounts belonging to corporate users. This is called Business Email Compromise (BEC), a specific kind of email-based account compromise designed to spread phishing across the organization. The hacker’s goals are to cause financial loss, exfiltrate data, and damage the organization’s reputation.
The issue of account compromise is especially critical because Microsoft Office 365 offers many integrations with third-party applications. Once the hacker has gained control over a trusted account, they typically sift through the mailbox to learn more about the victim’s role in the company and their relationships with other employees and partners. They’ll investigate the victim’s calendar, SharePoint folders, and OneDrive files.
With this knowledge, hackers will launch a phishing campaign targeting other employees at the organization and its partners. To avoid this, activate MFA, perform semi-frequent password resets, and configure conditional access.
Signs of a Compromised Account
- Mailbox rule that deletes all your emails
- An internal user sending phishing emails
- Missing or deleted emails, and other suspicious configuration changes
- New inbox rules, such as automatically forwarding emails to unknown addresses or moving them to other folders
- Changes to the user’s display name
- Unusual credential changes, such as multiple password changes
- Mail forwarding rules that aren’t part of company best practices
- Suspicious login events
“Avanan also has a cool report that notes any suspicious login attempts and has allowed me to quickly reset any user account passwords that get hit too many times from Hacker nations.”
CTO, Retail Industry
How Avanan Detects Compromised Accounts
Avanan has developed an algorithm to detect compromised accounts using a number of threat signals from the Office 365 instance. The adaptive technology looks at email activity and correlates it with account activity and user behavior.
Because Avanan is so tightly integrated with the full Office 365 suite, it can correlate login information, policy edits, file activity, data shares, and other anomalous behavior across the entire suite. This identifies the insider threat and blocks malicious behavior before it happens.
“Superman” Login Alerts
Flags logins that would be impossible for a human, such as logging in from two different continents within a short period of time.
Identifies insecure behaviors, such as users mass-downloading files or CCing hundreds of recipients on a single email.
Continuous analysis introduces the concept of time into the security paradigm: it shortens adversary dwell time by using historical context and knowledge of what was discovered in the past to inform predictive discovery of new security threats.
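As an added illustration of the impossible-travel (“Superman” login) check described above, written for this page and not taken from Avanan’s product or algorithm, the following assumes sign-in events already carry a geolocated latitude/longitude (typically derived from the source IP) and flags consecutive sign-ins by the same user that would require travelling faster than an airliner:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner cruising speed; tune per environment
GEO_NOISE_KM = 100.0       # IP geolocation is city-level; ignore moves shorter than this

@dataclass(frozen=True)
class Login:
    user: str
    time: datetime  # UTC timestamp of a successful sign-in
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, earlier, later, required_kmh) for consecutive same-user sign-ins faster than max_kmh."""
    by_user = {}
    for login in sorted(logins, key=lambda l: (l.user, l.time)):
        by_user.setdefault(login.user, []).append(login)
    alerts = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < GEO_NOISE_KM:
                continue  # same metro area: geolocation jitter, not travel
            hours = (cur.time - prev.time).total_seconds() / 3600
            # Identical timestamps from places far apart cannot be explained by travel.
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((user, prev, cur, speed))
    return alerts

# Constructed sample sign-ins (not real data): alice appears in New York and then in
# Moscow 90 minutes later; bob moves London -> Paris over two hours, which is plausible.
UTC = timezone.utc
SAMPLE_LOGINS = [
    Login("alice", datetime(2024, 3, 1, 9, 0, tzinfo=UTC), 40.7128, -74.0060),
    Login("alice", datetime(2024, 3, 1, 10, 30, tzinfo=UTC), 55.7558, 37.6173),
    Login("bob", datetime(2024, 3, 1, 8, 0, tzinfo=UTC), 51.5074, -0.1278),
    Login("bob", datetime(2024, 3, 1, 10, 0, tzinfo=UTC), 48.8566, 2.3522),
]
```

Running `impossible_travel(SAMPLE_LOGINS)` yields one alert for alice (roughly 7,500 km in 1.5 hours, about 5,000 km/h); in production, VPN egress points and mobile carrier geolocation are the usual sources of false positives, which is why the speed threshold and noise radius are kept configurable.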
How Avanan Remediates Compromised Accounts
| Signal | What is detected |
|---|---|
| Compromised/lost devices | Detecting cases of authenticated devices (phones?) that are lost or taken over |
| Brute-force attack | Identifying brute-force attacks (trying multiple passwords, multiple users) associated with a single campaign (IP? device, network, VPN provider) |
| Logins behind VPN | Successful logins behind VPNs/proxies |
| Unsecured successful authentications | Logins from old browsers or internet kiosks, which are subject to password grabbers and vulnerabilities |
| Unusual authentication protocols | Logins/emails using ‘old’ authentication protocols such as IMAP, POP3, etc. |
| Too many devices | Identifying logins (success/fail) with different device fingerprints |
| GEO-wall | Extending our GEO capabilities to allow GEO-walling: detecting and preventing logins from hostile locations |
| Outbound phishing campaign | Detecting outbound phishing emails, indicating an account takeover |
| Too many ‘bounced’ emails | A high volume of ‘bounced’ emails, indicating a massive outbound email campaign |
| Unlikely device (down version) | Connection from unlikely devices |
Ready to see the threats hiding in your inbox?
Approve the Avanan app in one click. From within your email environment, the patented AI builds a social graph connecting users across your organization and immediately identifies phishing, malware, and other advanced threats that have been hiding in your collaboration suite.