“One question was what exactly were the hackers after? They had compromised at least one account, yet they still weren’t done. What was next? But the big question was - how to get rid of them?”
Last week, we got a call from a potential customer that sounded like 911-urgent: “They’re in our account. Now. We need your help to stop a live attack.”
The call and the subsequent investigation describe an incident of hacking and impersonation that I believe will interest every corporate Office 365 and G Suite user: it demonstrates the pervasiveness and sophistication of attackers and highlights some of the problems unique to SaaS security.
This organization was not an Avanan customer, but it had been using Office 365 for a while and was generally happy with Microsoft’s default security. They had seen phishing and malware coming through but didn’t consider it a priority. That changed when they learned that hackers were sitting dormant in their accounts and sending very targeted emails.
Here’s what they noticed: during a large endpoint upgrade project, the IT manager most involved in it got an email from an account that appeared to belong to the project lead. The email stated that the upgrade process was stuck and asked the manager to log in to Office 365 with his admin credentials to release the lock. As you might have guessed, the email was a forgery: the sender was not actually the project lead, and the link in the email led to a fake Office 365 login screen.
Over the next few hours we learned more about the attack:
The hackers already compromised at least one account. What was next?
Apparently, the hackers were trying to expand from a single compromised user account to admin credentials: the phishing email went to someone who very likely has that admin-level access. Based on the phishing email and what we’ve seen in similar attacks, the next step after compromising the admin account would have been not to log in with the stolen password, but to approve a malicious app (usually with a very benign name) across the entire organization. This would have given the hackers full access to everyone’s inbox and every other Office 365 application—OneDrive, ShareFile, etc. Such access would be indefinite, because even after the admin password is changed, the app remains connected through its OAuth token. There are no login alerts or user activity logs for this kind of access, making these API events practically invisible. Once the entire organization is open to the hackers, the stolen credentials are no longer needed. In many cases, the company believes the crisis to be over and goes back to business as usual.
[See: The New Attack Vector: API-based Attacks on Your SaaS]
Phishing and malware propagation via email have been with us for decades, but several aspects of this attack demonstrate difficulties of securing SaaS email that are simply not a factor in securing on-premises email.
When email lived in the data center, the threat was assumed to be incoming SMTP. No email security system bothered to monitor the IMAP or POP connections between the server and the user, because those were assumed to be safe inside the perimeter.
Those legacy email security solutions, like Proofpoint or Mimecast, did move to the cloud, but they did not change their original assumptions. In a typical mail-proxy (MTA) deployment, only inbound Office 365 email is monitored. Monitoring of internal messages is not implemented, and monitoring for compromised accounts or malicious apps is completely off their radar. In cloud email, these attack vectors must be secured.
Here’s more on why an MTA is not the right approach for SaaS-based email security: 7 reasons not to use an MTA gateway
Since anyone can log in from anywhere in a SaaS environment, multiple or failed login attempts can go unmonitored. Currently, an administrator must manually sift through Office 365 logs or rely on Microsoft to flag them.
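To make the “sift through the logs” step concrete, here is an added example (not code from the original post or from Avanan’s product) that triages sign-in records for two of the patterns this scenario produces: a burst of failed logins followed by a success, and successful sign-ins from two countries within a short interval. The records are constructed for the example and only loosely follow the Azure AD sign-in log fields (userPrincipalName, createdDateTime, ipAddress, location.countryOrRegion, status.errorCode); the user names, addresses and thresholds are assumptions.

```python
"""Triage Office 365 / Azure AD sign-in records for two suspicious patterns:
a burst of failed logins followed by a success, and successful sign-ins from
two countries within a short interval."""
from collections import defaultdict
from datetime import datetime, timedelta

# AADSTS50126 is Azure AD's "invalid username or password" result; 0 is success.
FAILED_PASSWORD = 50126
SUCCESS = 0

# Constructed sample records (not real log data). IPs are documentation ranges.
SIGNINS = [
    {"user": "alice@example.com", "time": "2018-03-05T07:55:00Z", "ip": "203.0.113.20", "country": "US", "error": 0},
    {"user": "it.manager@example.com", "time": "2018-03-05T08:00:00Z", "ip": "203.0.113.7", "country": "US", "error": 0},
    # five wrong-password attempts in five minutes from an unfamiliar address...
    {"user": "it.manager@example.com", "time": "2018-03-05T08:10:00Z", "ip": "198.51.100.4", "country": "NL", "error": 50126},
    {"user": "it.manager@example.com", "time": "2018-03-05T08:11:00Z", "ip": "198.51.100.4", "country": "NL", "error": 50126},
    {"user": "it.manager@example.com", "time": "2018-03-05T08:12:00Z", "ip": "198.51.100.4", "country": "NL", "error": 50126},
    {"user": "it.manager@example.com", "time": "2018-03-05T08:13:00Z", "ip": "198.51.100.4", "country": "NL", "error": 50126},
    {"user": "it.manager@example.com", "time": "2018-03-05T08:14:00Z", "ip": "198.51.100.4", "country": "NL", "error": 50126},
    # ...then a success from the same address
    {"user": "it.manager@example.com", "time": "2018-03-05T08:15:00Z", "ip": "198.51.100.4", "country": "NL", "error": 0},
    {"user": "project.lead@example.com", "time": "2018-03-05T09:00:00Z", "ip": "203.0.113.9", "country": "US", "error": 0},
    {"user": "project.lead@example.com", "time": "2018-03-05T09:30:00Z", "ip": "198.51.100.4", "country": "NL", "error": 0},
    # a single typo followed by a success is normal and must not alert
    {"user": "alice@example.com", "time": "2018-03-05T12:00:00Z", "ip": "203.0.113.20", "country": "US", "error": 50126},
    {"user": "alice@example.com", "time": "2018-03-05T12:01:00Z", "ip": "203.0.113.20", "country": "US", "error": 0},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def by_user(records):
    """Group records per user, each group in chronological order."""
    groups = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        groups[rec["user"]].append(rec)
    return groups


def failure_bursts(records, threshold=5, window=timedelta(minutes=15)):
    """Flag a success that follows >= threshold failed logins within the window."""
    alerts = []
    for user, recs in by_user(records).items():
        recent_failures = []
        for rec in recs:
            now = parse_time(rec["time"])
            # forget failures that fell out of the sliding window
            recent_failures = [f for f in recent_failures
                               if now - parse_time(f["time"]) <= window]
            if rec["error"] == FAILED_PASSWORD:
                recent_failures.append(rec)
            elif rec["error"] == SUCCESS and len(recent_failures) >= threshold:
                alerts.append({"rule": "failures-then-success", "user": user,
                               "failures": len(recent_failures),
                               "ip": rec["ip"], "time": rec["time"]})
                recent_failures = []
    return alerts


def country_changes(records, window=timedelta(hours=1)):
    """Flag consecutive successful sign-ins from different countries within the window."""
    alerts = []
    for user, recs in by_user(records).items():
        previous = None
        for rec in (r for r in recs if r["error"] == SUCCESS):
            if previous and rec["country"] != previous["country"]:
                gap = parse_time(rec["time"]) - parse_time(previous["time"])
                if gap <= window:
                    alerts.append({"rule": "country-change", "user": user,
                                   "from": previous["country"], "to": rec["country"],
                                   "minutes": int(gap.total_seconds() // 60)})
            previous = rec
    return alerts


def triage(records):
    return failure_bursts(records) + country_changes(records)


if __name__ == "__main__":
    for alert in triage(SIGNINS):
        print(alert)
```

On the sample data the IT manager trips both rules (five failures then a success from a new country fifteen minutes after a domestic login) and the project lead trips the country-change rule, while Alice’s single typo stays quiet. The thresholds are deliberately simple; in a real tenant you would tune the window and failure count and feed the same rules from an export of the sign-in log rather than an inline list.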
Another problem is the end users. They have been empowered to add new functionality through third-party applications and have grown accustomed to authenticating and re-authenticating services several times a day, so a prompt to log in here and there doesn’t raise any suspicion. Administrators do not have the tools to find the one malicious app authentication among the thousands that happen every day.
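Both the attack walkthrough earlier on this page (an admin approving a benign-looking app for the whole organization, with access that outlives a password reset) and the point just made about finding one malicious app authentication among thousands reduce to the same audit question: which consent grants are org-wide, touch mail or files, and persist. The example below is added here and is not code from the original post or from Avanan’s product. It assumes a simplified, constructed flattening of Office 365 unified audit log “Consent to application.” records (the real records nest these details inside ModifiedProperties), uses the Microsoft Graph consentType values AllPrincipals (admin consent for all users) and Principal (one user), and treats the app names, scopes and allow list as hypothetical.

```python
"""Rank OAuth consent grants from an Office 365 audit export by risk, so the one
org-wide grant of mailbox access stands out among routine per-user consents."""

# Microsoft Graph delegated scopes that expose mail, files or the directory.
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                    "Files.Read.All", "Files.ReadWrite.All",
                    "Directory.Read.All", "Directory.ReadWrite.All"}
# offline_access yields a refresh token, so the grant keeps working after a password reset.
PERSISTENCE_SCOPES = {"offline_access"}
# Hypothetical tenant allow list of vetted applications.
ALLOW_LIST = {"Expense Tracker"}

# Constructed sample events (not real audit data); a simplified flattening of
# unified-audit-log consent records, assumed for this example.
EVENTS = [
    {"Operation": "UserLoggedIn", "UserId": "bob@example.com", "CreationTime": "2018-03-05T07:58:00Z"},
    {"Operation": "Consent to application.", "UserId": "bob@example.com", "CreationTime": "2018-03-05T08:02:00Z",
     "AppDisplayName": "Calendar Sync", "ConsentType": "Principal", "Scope": "Calendars.Read offline_access"},
    {"Operation": "Consent to application.", "UserId": "carol@example.com", "CreationTime": "2018-03-05T08:40:00Z",
     "AppDisplayName": "Note Taker", "ConsentType": "Principal", "Scope": "Files.Read User.Read"},
    {"Operation": "Consent to application.", "UserId": "admin@example.com", "CreationTime": "2018-03-05T09:05:00Z",
     "AppDisplayName": "Expense Tracker", "ConsentType": "AllPrincipals", "Scope": "User.Read"},
    {"Operation": "Consent to application.", "UserId": "dave@example.com", "CreationTime": "2018-03-05T10:12:00Z",
     "AppDisplayName": "Mail Helper", "ConsentType": "Principal", "Scope": "Mail.Read offline_access"},
    {"Operation": "Consent to application.", "UserId": "admin@example.com", "CreationTime": "2018-03-05T11:47:00Z",
     "AppDisplayName": "Mail Helper", "ConsentType": "AllPrincipals",
     "Scope": "Mail.ReadWrite Files.ReadWrite.All offline_access User.Read"},
]


def risk_score(event):
    """Return (score, reasons) for one consent event."""
    scopes = set(event["Scope"].split())
    score, reasons = 0, []
    if event["ConsentType"] == "AllPrincipals":
        score += 3
        reasons.append("org-wide consent: applies to every user's data")
    sensitive = sorted(scopes & SENSITIVE_SCOPES)
    if sensitive:
        score += 2
        reasons.append("sensitive scopes: " + ", ".join(sensitive))
    if scopes & PERSISTENCE_SCOPES:
        score += 1
        reasons.append("offline_access: refresh token outlives a password reset")
    if event["AppDisplayName"] not in ALLOW_LIST:
        score += 1
        reasons.append("app not on the tenant allow list")
    return score, reasons


def rank_consents(events, threshold=4):
    """Score every consent event; return those at or above threshold, highest first."""
    findings = []
    for e in events:
        if e["Operation"] != "Consent to application.":
            continue  # ignore logins and other operations in the same export
        score, reasons = risk_score(e)
        if score >= threshold:
            findings.append({"app": e["AppDisplayName"], "user": e["UserId"],
                             "consent": e["ConsentType"], "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in rank_consents(EVENTS):
        print(f"{f['score']:>2}  {f['app']:<16} {f['consent']:<14} {f['user']}")
        for r in f["reasons"]:
            print("      -", r)
```

Run against the sample, the org-wide “Mail Helper” grant by the admin scores highest (org-wide, mailbox and file scopes, offline_access, not on the allow list), and Dave’s earlier per-user consent to the same app also clears the threshold, which is the kind of precursor worth noticing. The weights are illustrative; the point is that once consent events are pulled out of the audit log and scored, the rare dangerous grant is a sort away rather than a needle in thousands of routine re-authentications.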
While both Microsoft's Office 365 and Google's G Suite include some default security in their services, talking to any enterprise customer of these services makes it evident that they have failed to protect their SaaS email from phishing and malware. We have summarized some reasons for this failure in the link below, but the key reason is that, as with any default security, the hackers have all the time in the world to find a way around it. With hundreds of millions of accounts using the same security, hackers are very motivated to do so.
[See our post: 5 Reasons Why Microsoft Can't Secure Office 365]
No security administrator would disagree that basic email security should include, at a minimum, anti-phishing, anti-malware, and malicious-link protection. This typically means signature-based scanning, malware sandboxing, active-content detection, URL-reputation filtering and URL form emulation. Ideally you would want a solution that scans all traffic: inbound, outbound and internal.
In addition, for SaaS email you also need to monitor logins to the service, detect the suspicious activity that indicates compromised accounts, and allow-list/block-list the applications your end users can install so they don't open access to a malicious app.
Finally, you would want to expand protection beyond email: to file sharing via OneDrive, Google Drive or Box; to the collaboration tools that have replaced email, like Slack or Skype; and to other business apps that have become targets for sophisticated attacks, like Salesforce or ServiceNow.
We were not the customer’s first phone call, but we were the only one with a solution that could provide the answers. Unlike most security tools, which can only start their investigation from current and future information, Avanan can go back in time to every event, every email (received or sent, even on deleted accounts), every file and every API authentication, and run multiple, parallel security scans in retrospect.
It turns out that what they needed was what we offer to every potential customer, free of charge, with no obligation.
If you are worried about this scenario in your organization, Avanan offers historical email scans to flag suspicious activity and phishing attacks on your domain. We will help you find out whether and how they got in, at no charge.