Microsoft Office 365 remains an attractive target for cybercriminals as it continues to be used by businesses worldwide. In a new report from Barracuda Networks, the company revealed that more than 1.5 million malicious and spam emails were sent from thousands of compromised Office 365 accounts belonging to its customers in March 2019 alone. An increase in the number of account takeover attacks was said to be the cause of this massive total.
The report details the various methods cybercriminals employ to take over Office 365 accounts. One of the most popular methods is the use of phishing emails that trick users into visiting impersonated Office 365 login forms. Once users log in, cybercriminals gain access to their email accounts. In 2018, the Trend Micro™ Cloud App Security™ solution detected 3.5 million attacks of this type.
Apart from using phishing emails, other methods used in compromising email accounts include using previously stolen passwords from the same user’s personal email account, brute-force attacks, and credential stuffing via previously breached credentials. Web and application channels were also used to compromise email accounts.
What happens after account takeover
Cybercriminals don’t immediately launch an attack after an account has been compromised. They will conduct reconnaissance first to maximize their chances of executing a successful attack. To do this, they set up mailbox rules to hide or delete emails they send using the compromised account. Cybercriminals were found doing this in 34% of the nearly 4,000 compromised accounts, based on the March 2019 analysis done by researchers from Barracuda Networks.
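As an added example (not code from the Barracuda report or from Trend Micro), the following defender-side audit flags inbox rules that delete messages or that move them out of the inbox and mark them read, which is the hiding behavior described above. The rule records are constructed, and their field names are an assumption loosely modeled on Microsoft Graph messageRule objects with folder names already resolved.

```python
import json

# Constructed sample data: one record per inbox rule. Field names are an
# assumption, loosely modeled on Microsoft Graph messageRule objects.
SAMPLE_RULES = json.loads("""
[
 {"mailbox": "ap.clerk@example.com", "displayName": "Newsletters",
  "isEnabled": true, "actions": {"moveToFolder": "Newsletters"}},
 {"mailbox": "ap.clerk@example.com", "displayName": ".",
  "isEnabled": true, "actions": {"delete": true, "stopProcessingRules": true}},
 {"mailbox": "cfo@example.com", "displayName": "sync",
  "isEnabled": true, "actions": {"moveToFolder": "RSS Feeds", "markAsRead": true}},
 {"mailbox": "cfo@example.com", "displayName": "Old cleanup",
  "isEnabled": false, "actions": {"permanentDelete": true}}
]
""")


def classify_rule(rule):
    """Return the reasons a rule hides or deletes mail (empty list if none)."""
    actions = rule.get("actions") or {}
    reasons = []
    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("deletes messages")
    # Moving mail away and marking it read keeps it out of the owner's view.
    if actions.get("moveToFolder") and actions.get("markAsRead"):
        reasons.append("moves messages out of the inbox and marks them read")
    return reasons


def audit_rules(rules, include_disabled=False):
    """List rules that hide or delete mail. Disabled rules are skipped by
    default; include them to find leftovers from an earlier compromise."""
    findings = []
    for rule in rules:
        if not include_disabled and not rule.get("isEnabled", True):
            continue
        reasons = classify_rule(rule)
        if reasons:
            findings.append((rule["mailbox"], rule["displayName"], reasons))
    return findings


if __name__ == "__main__":
    for mailbox, name, reasons in audit_rules(SAMPLE_RULES, include_disabled=True):
        print(f"{mailbox}: rule {name!r} {'; '.join(reasons)}")
```

Legitimate users also create rules that delete or file mail, so each finding is a lead to review with the mailbox owner rather than proof of compromise.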
Once cybercriminals have gained significant information about a company, for example, what email signatures it uses and how it handles financial transactions, they proceed to target other high-value accounts, with a focus on executives and employees in the finance department.
An account takeover attack is just one of the many contrivances of cybercriminals who continue to abuse email to gain a foothold in an enterprise’s IT system. The use of advanced tactics, for example, legitimate-looking but fake login forms, in email attacks should remind enterprises to set up an efficient multilayered defense strategy.
Cloud App Security, which can be integrated into an enterprise’s existing email gateway, combines artificial intelligence (AI) and computer vision technologies to help detect and block attempts at credential phishing that use fake login forms to deceive email users. After suspected phishing emails pass through sender, content, and URL reputation analyses, computer vision technology and AI will examine the remaining URLs to check if a legitimate login page’s branded elements, login form, and other website components are being spoofed.