Stillwater Cyber Compliance

Office 365: How malicious actors are using your account to scam others

The problem is certainly getting worse and some security awareness training can help, but individuals feel safe within Office 365.

But Microsoft doesn’t protect everything. They operate under a model of “shared responsibility”: Microsoft is responsible for securing some things, and the customer is responsible for securing the rest.

Office 365 is a widely known name and the preferred email hosting platform for many companies. It is widely used by SMBs, who get a good-quality system at a very reasonable price, and it works with no real changes to how they used the old in-house servers that nearly all of them would have had before. It makes sense to them, which is great, but this isn’t a sales pitch for Office 365. This is to tell you how it really is and set some things straight, with no stupid jargon that is just used to confuse people.

So, let’s put together a scenario of an incident that I have seen on at least ten different occasions over the last six months. We get a call from a company that is hosted on Office 365. They have staff located across several locations, or a mobile workforce, and they all connect to Office 365 for email and possibly some sort of data sharing.

They have probably been on the platform for 12 months or more and it has been working well for them. Sounds like most companies on 365 or Google hosting, right? Yes, it does. Now we receive a call because one of the staff has been getting strange bounce-backs for emails that they never sent in the first place. Alarm bells start to ring: this sounds like an email account compromise.

First things first: reset the password immediately, just to be on the safe side. It doesn’t matter if something else turns out to be the cause; it is safer to reset it and cut off access to the account if it is, in fact, a breached account. Export all the logs for review at a later point, and then check the inbox rules in the Office 365 web portal for that user. I bet that in most cases you will find a rule redirecting emails with “invoice”, “payment” or “account” in the subject into Deleted Items, RSS Feeds, or a random folder hidden down under folders you already have configured.
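The rule check described above can be scripted once the mailbox rules have been exported. The following is an added example, not code from the original post: it takes inbox-rule records whose field names mirror the common Get-InboxRule properties (Name, Enabled, SubjectContainsWords, MoveToFolder, DeleteMessage, ForwardTo, RedirectTo, MarkAsRead; this shape and the `user:\Folder` form of MoveToFolder are assumptions), and flags finance-keyword rules that bury mail in Deleted Items or RSS Feeds, plus rules that forward or redirect mail outside the organisation. The sample export for `alice@example.com` and `bob@example.com` is constructed, and `example.com` stands in for the company’s own domain.

```python
"""Triage exported Office 365 inbox rules for account-compromise indicators.

Added example. Record shape mirrors Get-InboxRule property names as an
assumption; sample data below is constructed, not taken from a real tenant.
"""
from dataclasses import dataclass, field
from typing import Optional

# Subject words the post says attackers filter on, plus two related ones (assumption).
FINANCE_KEYWORDS = {"invoice", "payment", "account", "remittance", "bank"}
# Folders where a diverted message is unlikely to be noticed (extends the
# Deleted Items / RSS Feeds the post names; assumption).
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions",
                  "junk email", "archive", "conversation history"}


@dataclass
class InboxRule:
    name: str
    enabled: bool = True
    subject_contains: list[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None
    delete_message: bool = False
    forward_to: list[str] = field(default_factory=list)   # plain SMTP addresses assumed
    redirect_to: list[str] = field(default_factory=list)
    mark_as_read: bool = False


def rule_from_export(rec: dict) -> InboxRule:
    """Map one Get-InboxRule-style record (e.g. after ConvertTo-Json) to InboxRule.
    MoveToFolder is assumed to look like 'user@example.com:\\RSS Feeds'; keep the folder only."""
    folder = rec.get("MoveToFolder")
    if folder:
        folder = folder.split("\\")[-1]
    return InboxRule(
        name=rec.get("Name") or "",
        enabled=bool(rec.get("Enabled", True)),
        subject_contains=list(rec.get("SubjectContainsWords") or []),
        move_to_folder=folder,
        delete_message=bool(rec.get("DeleteMessage", False)),
        forward_to=list(rec.get("ForwardTo") or []),
        redirect_to=list(rec.get("RedirectTo") or []),
        mark_as_read=bool(rec.get("MarkAsRead", False)),
    )


def assess_rule(rule: InboxRule, internal_domain: str) -> list[str]:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings: list[str] = []
    if not rule.enabled:
        return findings  # a disabled rule does nothing; review it separately if wanted

    keyword_hits = {w.lower() for w in rule.subject_contains} & FINANCE_KEYWORDS
    hides_in = rule.move_to_folder.lower() if rule.move_to_folder else None
    hidden = rule.delete_message or hides_in in HIDING_FOLDERS

    if keyword_hits and hidden:
        where = "Deleted Items (delete)" if rule.delete_message else rule.move_to_folder
        findings.append(f"finance keywords {sorted(keyword_hits)} diverted to '{where}'")
    if keyword_hits and rule.mark_as_read:
        findings.append("finance-keyword mail marked as read (hides the unread count)")

    # Any forward/redirect to an address outside the company domain.
    external = [a for a in rule.forward_to + rule.redirect_to
                if not a.lower().endswith("@" + internal_domain.lower())]
    if external:
        findings.append(f"forwards/redirects outside the organisation to {external}")

    # Empty or punctuation-only rule names are a common attacker habit (heuristic, not from the post).
    if not rule.name.strip(" .,-_"):
        findings.append(f"suspicious rule name {rule.name!r}")
    return findings


def triage(rules: dict[str, list[InboxRule]], internal_domain: str) -> dict[str, list[tuple[str, list[str]]]]:
    """Mailbox -> list of (rule name, findings); mailboxes with no findings are omitted."""
    report: dict[str, list[tuple[str, list[str]]]] = {}
    for mailbox, mailbox_rules in rules.items():
        flagged = [(r.name, f) for r in mailbox_rules if (f := assess_rule(r, internal_domain))]
        if flagged:
            report[mailbox] = flagged
    return report


# Constructed sample export (not real data): one hiding rule, one benign rule,
# one disabled rule, one external redirect, one internal forward.
SAMPLE_EXPORT = {
    "alice@example.com": [
        {"Name": ".", "Enabled": True, "SubjectContainsWords": ["invoice", "payment", "account"],
         "MoveToFolder": "alice@example.com:\\RSS Feeds", "MarkAsRead": True},
        {"Name": "Newsletters", "Enabled": True, "SubjectContainsWords": ["newsletter"],
         "MoveToFolder": "alice@example.com:\\Newsletters"},
        {"Name": "Old invoice rule", "Enabled": False,
         "SubjectContainsWords": ["invoice"], "DeleteMessage": True},
    ],
    "bob@example.com": [
        {"Name": "fwd", "Enabled": True, "RedirectTo": ["b0b.backup@webmail-example.net"]},
        {"Name": "Team", "Enabled": True, "ForwardTo": ["carol@example.com"]},
    ],
}


def run_sample() -> dict[str, list[tuple[str, list[str]]]]:
    rules = {mb: [rule_from_export(r) for r in recs] for mb, recs in SAMPLE_EXPORT.items()}
    return triage(rules, "example.com")


if __name__ == "__main__":
    for mailbox, flagged in run_sample().items():
        for name, findings in flagged:
            print(f"{mailbox}  rule {name!r}:")
            for f in findings:
                print(f"    - {f}")
```

On the sample, Alice’s “.” rule is reported three times over (keywords hidden in RSS Feeds, marked as read, suspicious name) and Bob’s redirect to an outside address is reported once; the newsletter rule, the disabled rule and the internal forward produce nothing. The forward/redirect check only understands plain addresses, so if an export carries display names or `[SMTP:…]` wrappers, normalise them first.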

The malicious actor will look over all of these emails, change the details, and then put them back in your inbox as if nothing had happened. They will change account details and invoice amounts, just for starters. The malicious actors will then usually move on to sending sometimes crude and vulgar emails to all of your contacts, or some sort of scam to get you to open an infected document or change account details for payments.

These contacts know who you are and have dealt with you before. They are not suspicious of your email when it comes through, so they will most likely click on whatever is sent. It just takes that one click and the malicious actor has another victim. These emails are less likely to be picked up by email protections because they come from legitimate users who have no record or history of email abuse, which leaves this scenario free to move from victim to victim.

I have honestly seen this many times over this year. One simple change that is very easy to configure can make a large difference in keeping your Office 365 account secure, and in turn protects all of the unsuspecting victims down the line: TURN ON TWO-FACTOR AUTHENTICATION. It is pretty simple and is turned on in the admin portal for the company’s 365 account. It is just an option turned on with a tick box, nothing scary at all. Once that is done, each user just logs into their Office 365 account and will be prompted to set up two-factor authentication.

They will have some options: an authenticator app, or a text message to their mobile. I recommend the authenticator app over text, as this removes the number-porting method of bypassing two-factor authentication. With number porting, the malicious actor basically takes ownership of your phone number, so the text verification is sent to a number now under their control.

If the authenticator app is used, the malicious actor needs to have your device and be able to unlock it before authentication can occur. Yes, it is still possible to achieve this, but the risk to the account owner is greatly reduced in this scenario. The idea is to make it so hard to get access to your account that it irritates the malicious actor enough to decide it isn’t worth it and move on to the next target. It truly is that simple.