
Office 365 continues to be a hacker’s treasure chest

Office 365 hosting is still a big target for hackers and criminals to infiltrate organizations around the world.  There are two new terms to know: Lateral Movement and Breakout Time.

As Microsoft pushes its cloud services, they’ve become a bigger and more valuable target for anyone wanting private data to sell or use for blackmail.  Office 365 hosting offers a consistent base of apps and services, so hackers can use tricks learnt at one company to access others that also use Microsoft’s services.

Vast Attack Surface

In geek talk, Office 365/Microsoft 365 hosting offers a “Vast attack surface”.  That’s a term you won’t see in Microsoft’s relentless marketing push.

Hackers are becoming increasingly tricky and subtle.  The usual hack is getting into an account and grabbing whatever is available (emails, documents etc) then escaping before anyone notices.

Source: Vectra

Lateral Movement

Now they’ll use ‘Lateral Movement’, gradually moving through an organization’s systems.  Impersonating a hacked user, they’ll slowly move from app to app.  They’ll trick other staffers into accepting hacked documents, malicious web links and other nasties.  Who questions a document or link shared ‘in house’?

During this slow exploration they’ll grab more information and get into other accounts (preferably with higher access).

With many tools at their disposal (including Windows in-built features) it doesn’t take long for a hacker to go beyond the limited access of the original account they’re impersonating.

You have two hours

According to CrowdStrike, it takes less than two hours (average 1hr 58 min) for a hacked account to start infiltrating other parts of a network.

That’s the Breakout Time – the time between an account being compromised and when the organization might be leaking vital data.

Identifying hacked accounts is getting harder, in part because of Work from Home.  Now staff are accessing the company systems from much further afield.  No longer can admins assume that most computer access is from offices and local networks. 

According to a new Office 365 security report from Vectra:

  • 96% had signs of lateral movement behaviour
  • 73% showed evidence of data exfiltration
  • 71% exhibited suspicious Office 365 Power Automate behaviours
  • 69% had Office 365 redundant account creation
  • 58% showed signs of suspicious SharePoint operations
  • 56% of customers exhibited evidence of reconnaissance
  • 56% of customers exhibited evidence of eDiscovery

What can I do?

Listen to your IT department.  Their security advice might seem annoying, even petty, but they have good reason to be concerned.

Multi-factor authentication is important.  If you aren’t using ‘2Fac’ already, you should be for all important accounts – email (personal and work) and cloud services.

Keep an eye on any ‘Last login … ‘ notices. Check to make sure the last time the account was used was by you, not at some time you weren’t working.
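For administrators, the same ‘last login’ check can be run across sign-in records. The following is an added example, not from the original article: the record layout, user names, working hours and countries are constructed assumptions, and the 1 hr 58 min window is the breakout figure quoted above. It flags sign-ins outside a user's normal hours or countries and shows how much of the average breakout window is left.

```python
from datetime import datetime, time, timedelta

# Average breakout time quoted in the article: 1 hr 58 min.
BREAKOUT = timedelta(hours=1, minutes=58)

# Constructed sample records: (user, sign-in time in the user's local time, country).
SIGNINS = [
    ("alice", "2021-03-01 09:12", "AU"),
    ("alice", "2021-03-02 03:27", "RO"),
    ("bob", "2021-03-02 08:05", "AU"),
    ("bob", "2021-03-02 22:48", "AU"),
]

# Assumed baseline per user: normal working hours and usual sign-in countries.
BASELINE = {
    "alice": {"start": time(8, 0), "end": time(18, 0), "countries": {"AU"}},
    "bob": {"start": time(7, 0), "end": time(17, 0), "countries": {"AU"}},
}


def review_signins(signins, baseline, now):
    """Flag sign-ins outside a user's hours or countries, newest first."""
    findings = []
    for user, stamp, country in signins:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        profile = baseline.get(user)
        reasons = []
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if not profile["start"] <= when.time() <= profile["end"]:
                reasons.append("outside working hours")
            if country not in profile["countries"]:
                reasons.append("unfamiliar country")
        if reasons:
            deadline = when + BREAKOUT
            findings.append({
                "user": user,
                "when": when,
                "reasons": reasons,
                # Time left before the average breakout point; zero if passed.
                "window_left": max(deadline - now, timedelta(0)),
            })
    return sorted(findings, key=lambda f: f["when"], reverse=True)


if __name__ == "__main__":
    for f in review_signins(SIGNINS, BASELINE, datetime(2021, 3, 2, 23, 30)):
        print(f["user"], f["when"], ", ".join(f["reasons"]), f["window_left"])
```

Weekends and time zones are not modelled here; a real baseline would need both.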

Office 365 hosting (email, SharePoint, Teams etc) is a great range of services, many that were a pipe dream just a few years ago.  The danger is that Microsoft’s hype blinds their customers to the real risk and downsides involved.

About this author

Office Watch is the independent source of Microsoft Office news, tips and help since 1996.