A recent attack on Microsoft 365 organizations has highlighted the danger of ‘password spray’ attacks that try to get into your account and perhaps get a foothold into an organization.
There’s a simple fix that can protect you and your organization. Regular Office Watch readers will know what we’re going to say!
A Password Spray is repeated attempts to log in to an account using many password guesses. Getting someone’s login name isn’t hard (it’s usually their email address).
Too many people use simple or guessable passwords. A little research can identify other likely passwords based on location or personal details (family names, hobbies etc. gained from social media).
Hackers set up an automated system to try possible passwords until it guesses correctly and gets into the account. That’s a Password Spray.
The recent attack, as reported by Microsoft, targeted US and Israeli defense companies, Persian Gulf ports and related organizations. They tried to log in to mailboxes via AutoDiscover and ActiveSync, in other words in the ways Outlook uses to log in to the mail servers.
Around 250 organizations were targeted in the latest attack with “less than 20” being successfully hacked. That’s a worryingly high success rate.
A Password Spray usually targets specific companies or industries. Once the criminals gain access to an account, they might ‘lurk’, checking out the mailbox and available documents. They look for ways to get into other accounts of more senior people and, preferably, network administrators.
It’s not hard to set up a Microsoft 365 password spray attack; there’s a package on Github with all the tools needed. (We’re not giving away any secrets; Microsoft itself acknowledges and even links to ‘o365spray’.)
Two Factor Authentication
The best way to prevent a successful password spray getting into your account is Two Factor Authentication, otherwise known as ‘Multi Factor Authentication’.
Even if a password spray succeeds in guessing your password, the criminals won’t have the additional time-limited code that only your authentication app can provide.
We’ve banged on about ‘2Fac’ for years now yet not a week goes by without hearing from someone in panic because their crucial mailbox account has been taken over.
Microsoft is now pushing access to Microsoft accounts without a password at all. Instead, you rely on external authentication via a smartphone. It sounds great in theory but could be very troublesome in practice. We’re cautious about such a big step and inclined to stick with ‘password plus other authentication’ for the moment.