A New Strategy to Avoid Detection

The first step of the hackers’ plan involved acquiring corporate usernames and passwords from multiple companies, credentials that may be tied to multiple cloud services (not necessarily Office 365). The attackers tried different email variations derived from an employee’s name in an attempt to gain access to potentially sensitive information. For example, someone named Elizabeth Miller (name changed) at Company X faced a number of login attempts against her account that used addresses such as [email protected], [email protected], or [email protected]. In fact, one account was hit with as many as 17 username variations from 14 IPs in just 4 seconds. Although the passwords the attackers used could not be viewed in clear text, it can be inferred that they used the same password for every username variation of a given user, because each email address was only used once to attempt the unauthorized login. The attackers assumed that users reuse the same password across multiple accounts, which would allow them to vary the username while keeping the password fixed. Another assumption was that the accounts lacked basic security provisions, such as multi-factor authentication (MFA).
Detecting the Undetectable

The attackers staggered their login attempts over the course of several months. They focused on one username at a time, and even then it was only targeted for a few seconds. This, along with the use of more than one IP, was intended to avoid triggering any alerts or account lockouts. Attacking several different customers was yet another tactic to avoid generating a pattern of behavior indicative of a threat. Lastly, the attackers only targeted a handful of high-value Office 365 accounts at each organization, knowing full well that a broader attack would be detected by either the cloud service provider or the organization under attack. The “slow and low” strategy was carefully crafted and executed, so how was the brute force attack detected? The first signs of the attack came about when the Cloud Access Security Broker (CASB) detected multiple failed-login anomalies of the kind that may be associated with a compromised account. By itself, this didn’t trigger an alert warranting further investigation. Over time, with additional failed login attempts originating from the same set of IP addresses and all targeting a handful of Office 365 accounts across multiple organizations, a pattern emerged and elevated the anomalies to actual threats. After further investigation and cross-customer analysis, over 100,000 failed logins across a multi-month period were discovered, upgrading the various threats to a full-blown brute force login attack.
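The two detection stages described above, a per-tenant burst of distinct usernames from several IPs followed by cross-tenant correlation of the source IPs, can be reproduced over ordinary sign-in logs. The following is an added example written for this article, not the CASB vendor’s code: the log format, the tenant names, the RFC 5737 documentation IP addresses and the sample records are all constructed, and the thresholds (a 10-second window, at least five distinct usernames and two IPs) are assumptions chosen to illustrate the point rather than values from the source.

```python
"""Detect a low-and-slow, multi-tenant username-variation brute force in sign-in logs.

Added example for the article above; the log format and all records are constructed.
"""
import itertools
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export (hypothetical CASB/IdP format). Tenant companyx sees six
# username variants for one person from three IPs in three seconds, then a benign user
# mistyping a password; two weeks later companyy sees the same pattern from two of the
# same IPs. IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2019-03-04T10:15:21Z tenant=companyx user=elizabeth.miller@companyx.example ip=203.0.113.5 result=FAIL
2019-03-04T10:15:21Z tenant=companyx user=emiller@companyx.example ip=203.0.113.9 result=FAIL
2019-03-04T10:15:22Z tenant=companyx user=miller.elizabeth@companyx.example ip=198.51.100.17 result=FAIL
2019-03-04T10:15:23Z tenant=companyx user=elizabethm@companyx.example ip=203.0.113.5 result=FAIL
2019-03-04T10:15:24Z tenant=companyx user=elizabeth_miller@companyx.example ip=198.51.100.17 result=FAIL
2019-03-04T10:15:24Z tenant=companyx user=lizmiller@companyx.example ip=203.0.113.9 result=FAIL
2019-03-04T11:02:10Z tenant=companyx user=john.doe@companyx.example ip=192.0.2.44 result=FAIL
2019-03-04T11:02:40Z tenant=companyx user=john.doe@companyx.example ip=192.0.2.44 result=FAIL
2019-03-04T11:03:15Z tenant=companyx user=john.doe@companyx.example ip=192.0.2.44 result=SUCCESS
2019-03-19T02:41:05Z tenant=companyy user=robert.chen@companyy.example ip=203.0.113.5 result=FAIL
2019-03-19T02:41:05Z tenant=companyy user=rchen@companyy.example ip=198.51.100.17 result=FAIL
2019-03-19T02:41:06Z tenant=companyy user=chen.robert@companyy.example ip=203.0.113.5 result=FAIL
2019-03-19T02:41:07Z tenant=companyy user=robertc@companyy.example ip=198.51.100.17 result=FAIL
2019-03-19T02:41:08Z tenant=companyy user=bob.chen@companyy.example ip=203.0.113.5 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) tenant=(?P<tenant>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    tenant: str
    username: str
    src_ip: str
    success: bool


@dataclass(frozen=True)
class Burst:
    tenant: str
    start: datetime
    end: datetime
    usernames: frozenset
    src_ips: frozenset
    single_use_ratio: float  # share of usernames tried exactly once (1.0 = one guess each)


def parse_log(text):
    """Parse the constructed export format into LoginEvent records, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(LoginEvent(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            tenant=m["tenant"],
            username=m["user"].lower(),
            src_ip=m["ip"],
            success=m["result"] == "SUCCESS",
        ))
    return events


def find_bursts(events, window=timedelta(seconds=10), min_usernames=5, min_ips=2):
    """Stage 1: per tenant, flag short windows where many distinct usernames fail from several IPs.

    A single user mistyping a password repeats one username from one IP and is not flagged.
    """
    fails_by_tenant = defaultdict(list)
    for e in events:
        if not e.success:
            fails_by_tenant[e.tenant].append(e)
    bursts = []
    for tenant, fails in fails_by_tenant.items():
        fails.sort(key=lambda e: e.ts)
        i = 0
        while i < len(fails):
            start = fails[i].ts
            chunk = list(itertools.takewhile(lambda e: e.ts - start <= window, fails[i:]))
            counts = defaultdict(int)
            for e in chunk:
                counts[e.username] += 1
            ips = frozenset(e.src_ip for e in chunk)
            if len(counts) >= min_usernames and len(ips) >= min_ips:
                ratio = sum(1 for c in counts.values() if c == 1) / len(counts)
                bursts.append(Burst(tenant, start, chunk[-1].ts, frozenset(counts), ips, ratio))
                i += len(chunk)  # consume the window so it is reported once
            else:
                i += 1
    return bursts


def correlate_campaign(bursts, min_tenants=2):
    """Stage 2: source IPs that appear in bursts against several tenants mark one campaign."""
    tenants_by_ip = defaultdict(set)
    for b in bursts:
        for ip in b.src_ips:
            tenants_by_ip[ip].add(b.tenant)
    return {ip: sorted(t) for ip, t in tenants_by_ip.items() if len(t) >= min_tenants}


if __name__ == "__main__":
    found = find_bursts(parse_log(SAMPLE_LOG))
    for b in found:
        print(f"{b.tenant}: {len(b.usernames)} usernames from {len(b.src_ips)} IPs "
              f"in {(b.end - b.start).total_seconds():.0f}s, single-use ratio {b.single_use_ratio:.2f}")
    print("cross-tenant IPs:", correlate_campaign(found))
```

The per-tenant stage deliberately ignores the lockout counter (every username is tried once, so no per-account threshold fires) and keys on what the attacker cannot hide: several never-before-seen usernames failing from several IPs within seconds. The single-use ratio captures the article’s inference that one password was tried per variation. The second stage only becomes meaningful when bursts from different tenants are visible in one place, which is why the cross-customer view of a CASB, rather than any one organization’s logs, surfaced this campaign.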
What can we learn from this attack?

This attack could have been prevented for the most part had the organizations under attack enabled SSO with MFA. The takeaway here is that it can be very difficult for organizations to fully protect themselves from sophisticated attacks targeting the cloud without a robust cloud security infrastructure. Organizations need visibility into their cloud usage in order to mitigate the risk of a security incident in a meaningful way.