Credential harvesting has become a business in and of itself within the cybercrime economy. New insight from Microsoft details the types of attacks your organization should watch out for.
I’ve attempted to cover every Microsoft 365 credential harvesting attack since the platform is so popular and is an easy target for cybercriminals. But the news coming from their newly-released Microsoft Digital Defense Report 2023 puts this type of attack into perspective.
Not only should the 10,000 credentials per month data point make you realize that these types of attacks are prevalent, but there is a black market buying at an equally-blistering pace.
In the report, Microsoft points out five specific examples of credential-harvesting attacks:
- Emails sent from a trusted third party – compromise one account and then send a malicious email to everyone in their contact list intent on stealing each recipient’s credentials.
- Using legitimate URLs – I’ve covered plenty of stories where threat actors used legitimate web platforms to host landing pages (that usually redirect to malicious sites) in order to bypass security scanners.
- Using OneNote attachments – The use of this file type in attacks is in response to Microsoft disabling macros and attackers needing a relatively commodity filetype supported by the largest number of potential victims possible.
- OAuth – the attacker exploits the device authorization grant process within M365 to trick a user into granting them access to their account using a phishing link.
- Targeted Attacks – attackers do their diligence on a potential victim and create tailored attacks with appropriate look-alike domains.
In all of these cases, the onus may end up solely on the recipient user, with security solutions potentially none-the-wiser. So your users need to be as up-to-date as possible on the latest attack methods through continual security awareness training.
KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!
