Author Topic: Office 365 Accounts Compromised via ATO Attacks Used in BEC Scams  (Read 700 times)

Offline javajolt

  • Administrator
  • Hero Member
  • *****
  • Posts: 35122
  • Gender: Male
  • I Do Windows
    • windows10newsinfo.com
Office 365 accounts are targeted and compromised in takeover attacks (ATO), accounts which cybercriminals later use for a variety of nefarious purposes ranging from spear-phishing and BEC attacks to malvertising campaigns.

As explained by Barracuda Networks' researchers in a report published today, more than 1.5 million malicious and spam emails were delivered by threat actors using roughly 4,000 accounts compromised via ATO during March 2019 within a single month.

Also, while analyzing ATO attacks targeting Barracuda customers, the researchers discovered that 29 percent of the monitored organizations had their Office 365 accounts infiltrated.

Once the Office 365 accounts were successfully hacked into, the scammers added malicious mailbox rules to hide their activity and deleted the malvertising, phishing, and spam emails sent from the account in "34 percent of the nearly 4,000 compromised accounts."

Barracuda's research team found that suspicious logins originating from Chinese IP addresses were the most encountered while investigating the Office 365 ATO attacks with almost a quarter of the total number of attempts, with attackers also using servers located in Brazil (9%), Russia (7%), Netherlands (5%),  and Vietnam (5%).

Office 365 attack methods

To infiltrate their targets' accounts via ATO attacks, cybercriminals use a combination of "brand impersonation, social engineering, and phishing," impersonating high-profile companies such as Microsoft to convince potential victims to visit previously set up phishing landing pages and send over their accounts credentials.

The bad actors also "leveraged usernames and passwords acquired in previous data breaches. Due to the fact that people often use the same password for their different accounts, hackers were able to successfully reuse the stolen credentials and gain access to additional accounts," says Barracuda.

The stolen credentials for personal emails we later used to gain access to the compromised Office 365 accounts" to try to get access to business email," as part of BEC (Business Email Compromise) — also known as EAC (Email Account Compromise) — campaigns.

Brute-force attacks were also observed by the researchers, an attack method which takes advantage of the fact that users set up very easy to guess passwords. "Attacks also come via web and business applications, including SMS," also states the report.

Compromised Office 365 accounts abused by crims

The cybercriminals "monitor and track activity to learn how the company does business, the email signatures they use, and the way financial transactions are handled, so they can launch successful attacks, including harvesting additional login credentials for other accounts."

During the next stages of the attacks, the crooks will use the compromised Office 365 accounts to target company executives and employees part of the financial department using both social engineering and spear-phishing attacks as part of BEC scams.

As detailed in the 2018 Internet Crime Report published by FBI's Internet Crime Complaint Center (IC3) during April, this type of scams was behind financial losses of roughly $1,2 billion, with the scammers successfully targeting wire transfer payments and redirecting them to bank accounts under their control.

BEC/EAC attacks against both individuals and companies were by far the most profitable for cybercriminals according to the IC3, with confidence/romance, real estate, and investment frauds, which take the next few spots in the 2018 crime types tanking by victim loss totaling $763 million.

IC3's findings were also confirmed by Rob Holmes VP of email security at Proofpoint who said that "the frequency with which companies were targeted with email impersonation attacks tripled in 2018 relative to 2017 and increased greatly in sophistication.

Adding to this global financial impact, it is worth noting that each year many incidents of this nature typically go underreported or unreported for various reasons."

The hackers also "use compromised accounts to monetize attacks by stealing personal, financial, and confidential data and using it to commit identity theft, fraud, and other crimes. Compromised accounts are also used to launch external attacks targeting partners and customers," according to Barracuda's report.


Mitigation measures

Barracuda advises organizations to use machine learning-based defense solutions capable of detecting and blocking attacks designed to bypass email gateways and spam filters, to protect their users against "against spear-phishing attacks, including business email compromise and brand impersonation."

The use of multi-factor authentication, two-factor authentication, and two-step verification can also make the difference, with attackers not being able to leverage the account credentials they stole because of this extra layer of protection.

Barracuda also suggests deploying ATO detection and protection solutions designed to monitor and alert when accounts have been compromised and used for nefarious purposes, monitoring mailboxes for malicious rules, and training employees to recognize spear-phishing attacks are also viable solutions against hacking attempts.

source