The Enabling Technologies Blog


Chris Stegh / / Categories: Cloud Security, Executive View, Technical View

Son of a Beach, an Office 365 Account Breach!

Microsoft Skype For Business | Microsoft Skype For Business Installation | Download Microsoft Skype For Business | Microsoft Sky

An unguarded account, a weak password, and elevated access lead to $250,000 loss

 

A real-world financial hack came across our desk @EnablingTechCo recently, where some old tricks were applied in a new environment to wreak financial and reputational havoc. 

The scenario was a hijacking of an Office 365 Exchange Online email account.  The first evidence of an intrusion came when the accounting group became aware of a fraudulent $250,000 transaction.  No automated or manual InfoSec systems nor financial checks/balances caught the activity. 

Let’s call the two organizations involved organization A and organization B.  Organization B (the financial victim) is a customer of the hacked organization (A).  The accounts receivable department of B received an email from a legitimate alias of an employee in A’s billing department.  The email contained a typical financial invoice, requesting payment of $250,000 for goods/services.  B wired the money to A.  At least they assumed they wired A, since they followed the bank routing instructions in A’s invoice.  However, the money never arrived at A.  It was only realized after B contacted A when they hadn’t received confirmation. 

The payment was actually wired to the attacker’s account, who were at large at the time of this learning.

Here are some of the behind the scenes findings, along with some recommended instructions for Office 365 administrators and CSOs.

The email had come from a legitimate employee’s address at organization A.  The attacker hijacked A’s employee’s account and used the account to send the fictitious email and invoice to B.  The attacker had elevated A’s accounts receivable employee’s account privileges to Global Administrator of the Office 365 tenant.  The attacker of course would’ve needed Global Admin account access to be able to promote the employee’s account.  They likely used a weak password on the directory synchronization account that had been created upon installation of the tenant.  A Global Administrator account is needed for the initial configuration an ongoing operation of Azure AD Connect.

Some advice from the security team at Enabling:

  1. Check your directory synchronization configuration and ensure you are using the automatically created user account.That account should not be modified. If in doubt, re-run the configuration wizard.

  2. Upgrade older versions of Dirsync, Azure AD Sync, and Azure AD Connect to the latest version.

  3. Limit the number of accounts that need Global Administrator rights to a (super) small set of super user(s).  The global admin account should be a separate account from the admin’s everyday access.

  4. Use Role Based Access Control, Service Administrators Roles, and other Office 365 roles

  5. As necessary, use Azure AD Privileged Identity Management to enable temporary access to elevated rights to configure the tenant. 

  6. Enforce strong passwords and activate Multifactor Authentication on the admin accounts.(Note: on admin accounts with MFA specifically activated, PowerShell commands aren’t supported (due to the MFA). In that case, create more than one admin account, and separate the one used with PowerShell).

  7. Activate Office 365 monitoring systems to log / alert on oddities like accounts being elevated.Advanced Security Management has a default policy to send an alert or suspend a user when an admin user performs an administrative activity from an IP address that is not included in a specific IP range category.  Azure AD ID Protection automatically scans for suspicious sign-in attempts, leaked credentials, and alerts admins when accounts appear compromised.

 

This hack is so common, even Jeremy Piven knows about it! 

 

 

Subscribe to Email Updates

Refine by

To expand the list, please click on the double arrows.

 

Filter: