Over 1.5 million malicious and spam emails were sent from thousands of compromised Office 365 accounts in just one month thanks to a surge in account takeovers (ATOs), according to Barracuda Networks.
The security vendor yesterday revealed new findings from an analysis of cloud-based email accounts under fire from ATO attempts in March.
It claimed over a quarter (29%) of organizations it monitored had Office 365 accounts compromised by attackers, often via credential stuffing using previously breached credentials, stolen passwords from the same user’s personal email account, brute force attacks, and other web and application channels.
One of the most popular tactics is phishing emails that impersonate Microsoft and request Office 365 log-ins from the unwitting recipient.
“With more than half of all global businesses already using Office 365 and adoption continuing to grow quickly, hackers have set their sights on taking over accounts because they serve as a gateway to an organization and its data — a lucrative payoff for the criminals,” warned Barracuda Networks VP of content security services, Asaf Cidon.
Once an account has been taken over, hackers don’t usually launch an attack from it immediately.
“Instead, they monitor email and track activity in the company, to maximize the chances of executing a successful attack,” Cidon explained.
“As part of their reconnaissance, scammers often set up mailbox rules to hide or delete any emails they send from the compromised account. In the March 2019 analysis performed by Barracuda researchers, hackers set up malicious rules to hide their activity in 34% of the nearly 4000 compromised accounts.”
The attackers then use their reconnaissance to target high-value accounts in the organization, such as those of executives and finance bosses, which could be used to facilitate BEC scams.
“Hackers also use compromised accounts to monetize attacks by stealing personal, financial, and confidential data and using it to commit identity theft, fraud, and other crimes,” Cidon claimed.
“Compromised accounts are also used to launch external attacks targeting partners and customers. With conversation hijacking, hackers insert themselves into important conversations or threads, such as during a wire transfer or other financial transaction.”
He urged the use of MFA to protect accounts, alongside tools to monitor inbox rules and suspicious activity, staff training, ATO protection and AI tools to better spot BEC and spear-phishing.
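As an illustration of the inbox-rule monitoring recommended above, the following added example (not code from Barracuda or from the original article) audits a list of mailbox rules for the hide-or-delete behaviour the researchers describe. The `InboxRule` record layout, its field names and the severity labels are assumptions made for this sketch, and the sample rules are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class InboxRule:
    # Field names are assumptions for this example, not a Microsoft export schema.
    mailbox: str
    name: str
    enabled: bool = True
    delete: bool = False
    move_to_folder: Optional[str] = None
    mark_as_read: bool = False
    conditions: dict = field(default_factory=dict)  # empty = applies to all mail

def assess(rule):
    """Return (severity, reasons) if the rule deletes or hides mail, else None."""
    reasons = []
    if rule.delete:
        reasons.append("deletes matching mail")
    moved = rule.move_to_folder and rule.move_to_folder.lower() != "inbox"
    if moved and rule.mark_as_read:  # a plain move is a common, benign filing rule
        reasons.append(f"moves mail to '{rule.move_to_folder}' and marks it read")
    if not reasons:
        return None
    if not rule.enabled:
        return "info", reasons  # dormant, but worth asking who created it
    if not rule.conditions:
        reasons.append("no conditions: applies to every message")
        return "high", reasons
    return "medium", reasons

ORDER = {"high": 0, "medium": 1, "info": 2}

def audit(rules):
    """Return findings as (severity, mailbox, rule name, reasons), worst first."""
    findings = []
    for rule in rules:
        result = assess(rule)
        if result:
            findings.append((result[0], rule.mailbox, rule.name, result[1]))
    return sorted(findings, key=lambda f: (ORDER[f[0]], f[1]))

# Constructed sample rules, not taken from the Barracuda analysis.
SAMPLE = [
    InboxRule("alice@example.com", "Newsletters", move_to_folder="News",
              conditions={"from": ["news@example.org"]}),
    InboxRule("bob@example.com", ".", delete=True),
    InboxRule("carol@example.com", "sync", move_to_folder="RSS Feeds",
              mark_as_read=True, conditions={"subject_contains": ["invoice"]}),
    InboxRule("dave@example.com", "old", enabled=False, delete=True),
]

if __name__ == "__main__":
    for sev, mailbox, name, reasons in audit(SAMPLE):
        print(f"[{sev}] {mailbox} rule {name!r}: {'; '.join(reasons)}")
```

A finding is a prompt to ask the mailbox owner whether they created the rule, not proof of compromise, since users also write delete and auto-file rules for themselves.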