Top attacks against M365
The three biggest cyber threats also create the greatest cyber-related risk for organisations. Cyber risk is defined as Likelihood x impact. The impact is often measured against the cost to repair or recover from the attack or by other business metrics such as reputational impact, financial impact, or business continuity capability.
Many sources quote phishing as the most common attack. Phishing is what’s known as an ‘Initial Access’ method that can then lead to a successful compromise. The attack could be targeting data (data theft), trying to steal a user’s account (identity theft), or focused on deploying ransomware (ransomware attack) – in some cases, it could involve all three. Note that other terms are also used for these outcomes, such as Business Email Compromise (BEC), Email Account Takeover and Cloud Data Theft.
The impact is typically the ‘outcome’ of the attack, including but not limited to financial loss, business disruption, reputational damage, or regulatory penalties. That’s why phishing is number one because it’s the most common and can lead to high impact attacks such as those described above – that’s a big impact!
When considering Microsoft 365, we are generally referring to the following core components:
Outlook, SharePoint Online, OneDrive, OneNote, Teams and Office apps such as Word and Excel.
Almost every M365 user has these. They may also have more M365 services depending on their licence model, which provides additional functionality and security; this article is written for all M365 users, as the most common attacks are the same regardless of licence. Please keep in mind that the better the M365 licence you have, the more security solutions and tools will be available to you. Even with the SMB licences such as Microsoft 365 Business, you can achieve great results by reducing your attack surface and greatly improving your security posture. Every licence can also be upgraded and customised using add-ons from Microsoft, giving organisations the flexibility to incorporate additional security features as and when they need them.
Your basic M365 user will use Azure Active Directory (AAD) to authenticate access to M365. If this user account is compromised, then the attacker has access to all the data and applications that are available to the user, across all the platforms. M365 users will typically store lots of sensitive information in their email (Outlook) as well as OneDrive/SharePoint and OneNote. If an attacker can log in as the compromised user, it’s very easy for them to steal data and start causing serious disruption, and typically the organisation will be completely unaware. The attacker may use this initial access to penetrate further into the organisation, as once in it’s easier to move laterally. Attackers may also decide to sell this access to other criminal cyber groups that may have other motives and deploy further attacks.
Let’s consider a few scenarios:
1. Phishing -> M365 account takeover -> fraudulent invoices sent from the stolen mailbox to deceive suppliers and customers -> financial loss, reputational damage.
Likelihood: HIGH. Impact: HIGH/MEDIUM.

2. Phishing -> M365 account takeover -> data theft -> ransom of that data -> fines, further financial loss and legal costs, reputational damage.
Likelihood: HIGH. Impact: HIGH.

3. Phishing -> M365 account takeover -> theft or destruction of IP or other critical data -> business failure, loss of competitive advantage, loss of investment.
Likelihood: HIGH. Impact: HIGH.

4. Phishing -> ransomware -> data theft -> ransom of that data -> destruction of that data -> fines, further financial loss and legal costs, reputational and infrastructure damage.
Likelihood: HIGH. Impact: HIGH.

5. Phishing -> malware deployed within the organisation -> malware passed on to the supply chain, making the business the source of a supply chain compromise of other organisations -> complex legal problems, business disruption, loss of customers, etc.
Likelihood: HIGH. Impact: HIGH.

6. Phishing -> M365 account takeover -> supply chain attack. Here the attacker uses the stolen accounts to access other companies. Businesses typically targeted in this way are MSPs or similar that use their Azure AD accounts to access other organisations to provide helpdesk and support services. The supply chain attack leads to complex legal problems, business disruption, customer loss, etc.
Likelihood: HIGH. Impact: HIGH.
As we’ve demonstrated, there are multiple ways phishing can lead to high impact attacks. M365 is a fantastic productivity and modern workplace tool but you need to ensure you have firstly, properly secured it and secondly, that you have the means to detect and respond to attacks quickly. Speed is vital here as catching those successful identity attacks before the attacks move on (before the actual data theft or before the ransomware is deployed) is essential. This is often referred to as ‘disrupting the attacker kill chain’ or ‘shifting left’ – this means stopping the attack early and is an essential element of cyber resilience.
The graphic below shows a typical timeline for a ransomware attack and illustrates the importance of detecting and responding to attacks as early as possible.
How do you achieve this?
The advice is this - secure M365 and monitor it. Be ready to detect and stop attacks before they can cause harm/impact. Be ready to disable user accounts quickly and take other similar actions such as quarantining files and disconnecting devices from the network. Assume you will suffer a successful attack (this is referred to as ‘Assume Breach’) and plan for it. Assume Breach generally refers to a cyber strategy where it assumes that the business is either already breached or could easily be. This is seen as an effective, modern strategy to identify and address potential gaps in detection, response and recovery and when implemented effectively gives organisations confidence that they are cyber resilient, which is the key goal of cyber security strategies.
Through effective security monitoring, attacks can be detected and responded to in the same way as other business issues – expect them to happen and put measures in place to address them quickly and effectively. Detections and responses to attacks need to be practised and rehearsed; this is why you see a lot of advice around ‘table-top exercises’ and so forth. The first place to start is by planning for the worst and using that exercise to get your organisation ready for that inevitable, successful attack. Your goal is to minimise impact by stopping the attack before it has a high impact (‘shifting left’). This is how you will achieve cyber resilience, which is essential for your business. Only then can you effectively manage your cyber risk.
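To make the ‘detect early, disable quickly’ advice concrete, here is an added example (not from the article, and not a Microsoft tool) that runs over constructed sign-in records shaped loosely like Azure AD sign-in logs. It flags the identity-attack pattern the article says must be caught before the attacker moves on: a burst of failed sign-ins followed by a success for the same account from a country that account has never used, and attaches the containment steps the article recommends. The field names and the sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (assumed field names, not the real schema).
# "ZZ" is a placeholder country code for an unfamiliar location.
EVENTS = [
    {"time": "2024-03-01T09:00:00", "user": "alice@example.com", "ip": "203.0.113.5", "country": "GB", "ok": True},
    {"time": "2024-03-01T09:30:00", "user": "bob@example.com", "ip": "203.0.113.9", "country": "GB", "ok": True},
    {"time": "2024-03-01T22:01:00", "user": "alice@example.com", "ip": "198.51.100.7", "country": "ZZ", "ok": False},
    {"time": "2024-03-01T22:01:30", "user": "alice@example.com", "ip": "198.51.100.7", "country": "ZZ", "ok": False},
    {"time": "2024-03-01T22:02:00", "user": "alice@example.com", "ip": "198.51.100.7", "country": "ZZ", "ok": False},
    {"time": "2024-03-01T22:02:40", "user": "alice@example.com", "ip": "198.51.100.7", "country": "ZZ", "ok": True},
    {"time": "2024-03-02T08:55:00", "user": "bob@example.com", "ip": "203.0.113.9", "country": "GB", "ok": True},
]

# Containment actions the article calls for, applied before any deeper investigation.
RESPONSE = ["disable account", "revoke sessions", "review mailbox and OneDrive activity"]


def find_suspicious_logins(events, min_failures=3, window=timedelta(minutes=10)):
    """Return one alert per success that follows >= min_failures failed sign-ins
    (within `window`) for an account signing in from a country it has never used."""
    known_countries = defaultdict(set)   # baseline built from earlier successful sign-ins
    recent_failures = defaultdict(list)  # per account: timestamps of failures still in window
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        user = e["user"]
        # drop failures that have aged out of the lookback window
        recent_failures[user] = [f for f in recent_failures[user] if t - f <= window]
        if not e["ok"]:
            recent_failures[user].append(t)
            continue
        new_location = e["country"] not in known_countries[user]
        if new_location and len(recent_failures[user]) >= min_failures:
            alerts.append({
                "user": user, "ip": e["ip"], "country": e["country"], "time": e["time"],
                "failures_before_success": len(recent_failures[user]),
                "recommended_response": RESPONSE,
            })
        # a success (flagged or not) updates the baseline and resets the failure count
        known_countries[user].add(e["country"])
        recent_failures[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(EVENTS):
        print(alert)
```

In a real deployment the baseline would be built from weeks of history rather than the first record seen, and the alert would feed the account-disable and session-revoke actions the article describes rather than just printing.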
Rob Demain, CEO