Office 365 IAM Attack

Posted on Posted in Uncategorized

Fortune Ranked Companies Targeted by Cloud-to-Cloud Brute Force Attacks

July 27th, 2017

Consistent low-profile attacks desired deep penetration and lack of detection


A report from Skyhigh Networks detailed a sophisticated assault upon senior level Office 365 accounts in likely hopes of obtaining access of additional cloud service accounts for further penetration. The coordinated drive resembled a “slow and low” attack pattern, using techniques such as varying IP address attacks, utilizing different access points, and only targeting high value users, unlike typical brute force attacks. The hackers attempted over 100,000 Office 365 logins through at least 67 IP addresses and 12 networks. These attempts have currently been detected at 48 different organizations.

Through detailed forensic analysis, it has been revealed the attempted hackers cycled through variations of users’ Office 365 usernames, lending strong evidence that the hackers already possessed information regarding usernames and passwords and may have been expanding their database for a next level attack, perhaps phishing or data access. These agents were reliant on the lack of multi-factor authentication (MFA) and Single Sign-On (SSO) capabilities active for the applications and the potential reused or default passwords. If they utilized these identity and access management (IAM) capabilities, they would have made a definitive stop to the attacker’s campaign. The attackers would have needed additional information or access to even begin a feasible attempt.

Currently, sensitive data does not seem to have been compromised. However, there are potential disastrous implications if they did. Office 365 claims the lion’s share of sensitive corporate cloud information, an estimated 58%. With over 85 million users across computer, mobile, and web applications, penetration would have had significant consequences, as Yahoo, the DNC, and these companies have discovered.

Bala Ramaiah, CEO of ISSQUARED, warned that enterprises should take this as a cautionary tale. “The prevalent trend in the contemporary corporate environment has and is continuing toward expansive connectivity and accessibility, notably in the cloud. As information critical to enterprises continues to proliferate in these spaces, hackers will be investing more and more into sophisticated attacks for these high value targets. As a duty to our clients, we must invest in security to guard their information. As this news has shown, even simple IAM tools such as SSO and MFA can stop a sophisticated attack. It is necessary, now more than ever, to evaluate your existing protocols and understand what more you can do as these attacks will not stop”.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.