Video: 10 Minute IT Jams - Vectra AI exec discusses cybersecurity for Office 365
Security breaches are surging.
At the heart of this problem lies Microsoft Office 365, which has become an increasingly attractive target for cyber attackers over the past year. Chris Fisher, Head of Security Engineering at cybersecurity company Vectra AI, gave an in-depth account this week of why attacks targeting Office 365 are on the rise, and what organisations need to do to protect themselves.
Speaking on the 10 Minute IT Jam, Fisher explained that the rapid transition to remote work during the pandemic dramatically shifted the threat landscape. "Obviously as we're all aware of the pandemic and the fact that everyone has gone to work from home, a lot of organisations very quickly pivoted to cloud," he said. "I've said this before but I keep hearing this from customers... they've done things like digital transformation projects that should have taken 24 months have been compressed literally into six months to be able to deliver services and keep their businesses running."
This race to digitise, Fisher noted, meant that security considerations sometimes took a back seat. "With technology, it's all about keeping the business moving and sometimes security is a secondary thought," he said. In many cases, organisations were unable to prepare or adjust their security baselines to match the accelerated changes.
Attackers, in turn, saw an enormous opportunity. "From an attacker's perspective they've just seen this big attack surface appear in front of them. When you think of something like Office 365, the value of data that sits in there for the attackers is enormous. So just that alone is really what's driven the change that we've seen—and the change in behaviour from the attackers," Fisher said.
A recent report from Priority found that the cost of account takeovers—where an attacker gains access to a legitimate user's credentials—has ballooned to around $6.5 billion in annual losses. These attacks have become more sophisticated as the tools and workflows inside Office 365 itself are being weaponised.
Fisher described how attackers are repurposing the very same features that help legitimate users be more productive. "Things like email rules are incredibly helpful to sort out what you need to do with the mail to make our lives a little more productive," he noted. "But when an attacker does this… they've created things like Exchange rules that, when the client syncs after they've done that account takeover, they've been able to execute—take the user to a website using Explorer, get them to download a payload, shut down that Explorer session very, very quickly, and then use another rule to execute the payload."
Crucially, these attacks now require minimal to no user interaction. "The attack has now gone from that initial account takeover to creating a way to do user execution without the user having to interact in any way, shape or form—[the attacker] just simply sends an email," Fisher explained. "That's created a command and control channel so that attack is now being able to pivot from Office 365 to the user's machine, which now means they can get on that corporate VPN, start pivoting into different services in those environments."
This is made even more effective by the widespread use of Power Automate, a tool designed to enhance productivity by automating tasks across Office 365 and other cloud apps. Fisher described Power Automate as "the PowerShell for Office 365." He said, "It's designed to build rules across all the productivity tools, to make our lives simpler and easier... We've seen attackers leverage these tools to do the same thing, so every email attachment that comes in when they've done that account takeover, they're literally just piping it straight out to one of their own drop boxes."
The risk is amplified because, according to Fisher, most security tooling for Office 365 still focuses almost exclusively on the legitimate user, tracking document sharing or subtle changes in behaviour. "But we're not focusing on the attacker behaviour and it's those things like the Exchange rules, what they can do with Power Automate, and how they're able to deliver their attacks very successfully and do that in stealth—that I think is really where we need to pivot and start understanding what that looks like," he said.
Fisher was clear that the solution requires a fundamental change in mindset. "It's a mindset shift that we need to look at. We really need to focus in on the attacker behaviours—how are attackers using this surface that they have in front of them with Office 365, how are they leveraging that, and how can they use that for their advantage in a way that is very stealthy?" he asked.
He recommended looking beyond traditional user-centric security checks and instead monitoring Office 365 itself for behaviours characteristic of attackers, such as malicious inbox rule creation or abnormal Power Automate flows. "That effectively helps you identify things like account takeover. You can then start to see how they're doing the account takeover: is it coming in through malicious Azure applications, have they managed just to phish a user, have they managed to be able to bypass multi-factor authentication—which a lot of organisations have turned on—so it helps you identify where the gaps are."
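As an added example (not from the interview, and not Vectra AI's code), the following Python script applies the kind of attacker-behaviour check Fisher describes to a handful of constructed Microsoft 365 Unified Audit Log records: it flags inbox rules that forward or redirect mail to an external domain, delete or hide the matching messages, filter on sensitive subject words, or carry a near-empty name. The record layout (Operation, UserId, ClientIP and a Name/Value Parameters list) follows the shape of Exchange admin audit entries as returned by Search-UnifiedAuditLog, but those field names, the folder and keyword lists, and every sample record are assumptions made for this example rather than data from any real tenant. Power Automate flow abuse would need a separate check against the flow-creation audit records and is not covered here.

```python
"""Flag attacker-style Exchange inbox rules in a Unified Audit Log export."""
import json
from typing import Iterable

# Constructed sample records (assumed field names, made-up users, IPs and
# addresses). They mimic Exchange admin audit entries from the Unified Audit Log.
SAMPLE_AUDIT_JSON = """
[
 {"CreationTime": "2021-03-02T08:14:11", "Operation": "New-InboxRule",
  "Workload": "Exchange", "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
  "Parameters": [
    {"Name": "Name", "Value": "."},
    {"Name": "SubjectContainsWords", "Value": "invoice;payment;password"},
    {"Name": "ForwardAsAttachmentTo", "Value": "collector@attacker.example"},
    {"Name": "DeleteMessage", "Value": "True"}]},
 {"CreationTime": "2021-03-02T09:01:45", "Operation": "Set-InboxRule",
  "Workload": "Exchange", "UserId": "bob@example.com", "ClientIP": "198.51.100.9",
  "Parameters": [
    {"Name": "Identity", "Value": "Newsletters"},
    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
 {"CreationTime": "2021-03-02T09:30:00", "Operation": "New-InboxRule",
  "Workload": "Exchange", "UserId": "carol@example.com", "ClientIP": "203.0.113.7",
  "Parameters": [
    {"Name": "Name", "Value": "Security"},
    {"Name": "SubjectContainsWords", "Value": "hacked;suspicious sign-in;phishing"},
    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
    {"Name": "MarkAsRead", "Value": "True"}]},
 {"CreationTime": "2021-03-02T10:02:19", "Operation": "New-InboxRule",
  "Workload": "Exchange", "UserId": "dave@example.com", "ClientIP": "10.0.0.5",
  "Parameters": [
    {"Name": "Name", "Value": "Forward to manager"},
    {"Name": "ForwardTo", "Value": "manager@example.com"}]}
]
"""

INTERNAL_DOMAINS = {"example.com"}                      # assumed tenant domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders attackers use to park mail the victim is unlikely to open (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "conversation history", "deleted items"}
# Subject words that suggest the rule hunts for money or account-security mail.
SENSITIVE_KEYWORDS = {"password", "invoice", "payment", "hacked", "phishing",
                      "sign-in", "mfa", "wire"}


def load_sample() -> list:
    """Parse the constructed sample export into a list of record dicts."""
    return json.loads(SAMPLE_AUDIT_JSON)


def parameters(record: dict) -> dict:
    """Flatten the Name/Value parameter list of an audit record into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def rule_findings(record: dict, internal_domains=INTERNAL_DOMAINS) -> list:
    """Return the reasons one rule-creation/modification record looks attacker-driven."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = parameters(record)
    reasons = []
    # 1. Forwarding/redirecting to any address outside the tenant's own domains.
    for name in sorted(FORWARD_PARAMS.intersection(params)):
        for target in params[name].split(";"):
            domain = target.strip().rsplit("@", 1)[-1].lower()
            if domain and domain not in internal_domains:
                reasons.append(f"{name} to external address {target.strip()}")
    # 2. Destroying the evidence so the victim never sees the message.
    if any(params.get(k, "").lower() == "true" for k in ("DeleteMessage", "SoftDeleteMessage")):
        reasons.append("rule deletes matching mail")
    # 3. Hiding mail in a folder nobody reads.
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to a rarely viewed folder ({params['MoveToFolder']})")
    # 4. Filtering on subject words typical of BEC or security-alert suppression.
    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";") if w.strip()}
    hits = sorted(k for k in SENSITIVE_KEYWORDS if any(k in w for w in words))
    if hits:
        reasons.append("filters on sensitive subject words: " + ", ".join(hits))
    # 5. Blank or single-character rule names are a common attacker habit.
    name = params.get("Name", params.get("Identity", ""))
    if len(name.strip()) <= 1:
        reasons.append(f"near-empty rule name {name!r}")
    return reasons


def find_suspicious_rules(records: Iterable[dict], internal_domains=INTERNAL_DOMAINS) -> list:
    """Return one summary dict per record that produced at least one finding."""
    results = []
    for rec in records:
        reasons = rule_findings(rec, internal_domains)
        if reasons:
            p = parameters(rec)
            results.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                            "client_ip": rec.get("ClientIP"),
                            "rule": p.get("Name", p.get("Identity", "")), "reasons": reasons})
    return results


if __name__ == "__main__":
    for hit in find_suspicious_rules(load_sample()):
        print(f"{hit['time']} {hit['user']} rule {hit['rule']!r} from {hit['client_ip']}:")
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run against the sample, the script reports alice's rule (external forward-as-attachment, deletion, sensitive keywords, a "." name) and carol's rule (security alerts moved to RSS Feeds), while bob's newsletter filter and dave's internal forward pass untouched. Pivoting the hits on ClientIP is the next step a responder would take: the two flagged rules here share a source address, which is the sort of account-takeover pattern the interview is pointing at.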
By pivoting to focus on attacker tactics, Fisher argued that organisations can detect intrusions earlier and close the gaps more quickly. "We can start to really define what the attack surface is and then start closing those gaps incredibly quickly or we can monitor for what they are and really identify very early in the stage of an attack, before the attacker's had any chance to do any damage," he said.
Ultimately, Fisher stressed, "That mind shift change to move towards attacker behaviour is critically important in the thinking for organisations."