Organizations that are not using Microsoft’s multi-factor authentication are finding themselves victims of credential attacks that involve threat actors installing Outlook on a controlled device.
It’s pretty simple: if you don’t have MFA enabled (whether for Microsoft 365 or in general), threat actors only need a username/password combination to gain access to your environment and its resources. And this is the linchpin of a recent string of attacks described by Microsoft, in which the following transpires:
- A set of Microsoft 365 credentials is obtained via a phishing campaign in the first phase of the attack
- The credentials are used to associate an attacker-controlled endpoint with the victim’s Azure AD instance
- Outlook is installed and the credentials are used to allow it to access the victim’s mailbox
- Inbox rules are set up to delete any messages containing the keywords “junk;spam;phishing;hacked;password”, which could otherwise warn the compromised user that something is wrong
The controlled Outlook client is then used for a second attack phase where thousands of phishing emails are sent from the real mailbox, using a malicious document stored in the user’s SharePoint site as the dropper.
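The inbox-rule step above is the part of this chain a SOC can hunt for directly, because rule creation is recorded in the Microsoft 365 audit log. The following Python is an added example (not code from the original post or from Microsoft) that scans constructed log records for rules which match security-related keywords and then delete, mark as read, or move the message. The record shape (Operation, UserId, ClientIP, and a Parameters list of Name/Value pairs for New-InboxRule and Set-InboxRule) is an assumption about the exported audit-log format; adjust the field names to match your own export.

```python
"""Flag inbox rules that hide security warnings, as used in the attack chain above.

Added example, not the post's own code. SAMPLE_LOG is constructed data whose
shape approximates Microsoft 365 Unified Audit Log records for inbox-rule
operations; the field names are an assumption and may need adapting.
"""
import json
import re

# Keywords from the attack chain plus a few close variants a defender would watch.
SUSPICIOUS_WORDS = {"junk", "spam", "phishing", "phish", "hacked",
                    "password", "compromised", "security"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords")

# Constructed sample records (not real log data).
SAMPLE_LOG = [
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "ClientIP": "198.51.100.23",
     "Parameters": [
         {"Name": "Name", "Value": "Sync"},
         {"Name": "SubjectOrBodyContainsWords",
          "Value": "junk;spam;phishing;hacked;password"},
         {"Name": "DeleteMessage", "Value": "True"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@contoso.example",
     "ClientIP": "203.0.113.7",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "From", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@contoso.example",
     "ClientIP": "203.0.113.9", "Parameters": []},
    {"Operation": "Set-InboxRule", "UserId": "carol@contoso.example",
     "ClientIP": "198.51.100.23",
     "Parameters": [
         {"Name": "Name", "Value": "Cleanup"},
         {"Name": "SubjectContainsWords", "Value": "password reset"},
         {"Name": "MoveToFolder", "Value": "Archive"}]},
]


def _params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p.get("Value", "") for p in record.get("Parameters", [])}


def _keywords(value):
    """Split a multi-valued rule parameter ("junk;spam;phishing") into tokens."""
    return {t for t in re.split(r"[^a-z0-9]+", (value or "").lower()) if t}


def analyze_rule(record):
    """Return a finding dict for a rule that hides security-related mail, else None."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = _params(record)

    matched = set()
    for key in KEYWORD_PARAMS:
        matched |= _keywords(params.get(key)) & SUSPICIOUS_WORDS

    # Actions that keep the user from noticing a matching message.
    actions = set()
    for flag in ("DeleteMessage", "MarkAsRead"):
        if str(params.get(flag, "")).lower() in ("true", "$true"):
            actions.add(flag)
    if params.get("MoveToFolder"):
        actions.add("MoveToFolder")

    if matched and actions:
        return {"user": record.get("UserId"),
                "client_ip": record.get("ClientIP"),
                "rule": params.get("Name"),
                "keywords": sorted(matched),
                "actions": sorted(actions)}
    return None


def find_hiding_rules(records):
    """Run analyze_rule over every record and keep only the findings."""
    return [hit for hit in (analyze_rule(r) for r in records) if hit]


def main():
    for hit in find_hiding_rules(SAMPLE_LOG):
        print(json.dumps(hit))


if __name__ == "__main__":
    main()
```

Bob's newsletter rule is ignored because it filters on a sender rather than on warning keywords, while Carol's "password reset" rule is still reported: moving such messages to another folder hides them almost as effectively as deleting them, so the check treats MoveToFolder as a hiding action and leaves the triage to the analyst. Correlating the ClientIP of the rule creation with the device-registration event from the earlier step is the natural next pivot.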
In some ways this attack is a bit brazen, as we’re now seeing hackers engaging on a specific client (that can be tracked via IP and MAC address, although I’d suspect a virtual machine on compromised infrastructure is likely used).
There are two lessons to be learned from this. First, if you don’t want to be a victim of the first phase, enable MFA and have users enrolled in Security Awareness Training to keep from having credentials compromised. And second, if you don’t want to be a victim of the second phase, Security Awareness Training, again, is the answer.