Authors: Will Udovich and Geoffrey Kneale
We’ve been talking a lot about security, and specifically identity security, lately (see: Long Live Identity Security and Identity Security Checklist). But what does a security breach actually look like? Unfortunately, one of our customers recently fell victim to a phishing scam, illustrating how easily any organization can be compromised. By reviewing the events that occurred, we can share which Microsoft tools may have prevented such an attack.
Did we really say that Microsoft Identity and Security tools could have prevented this? Yes, but before we explain how, here is an overview of how the breach occurred.
Security breach overview:
Our client discovered that a high-level executive was sending suspicious emails to other employees from their Office 365 account. These suspicious messages were invitations to sign a DocuSign document, and when clicked, presented the employees with a fake login page. They suspected that the executive’s computer was compromised, and immediately took the following actions:
- Disabled the executive’s Office 365 logon
- Disconnected the executive’s computer from the network
Upon further investigation, they found that the phisher had not only sent suspicious emails but had actually interacted back and forth with other internal recipients! Many recipients would ask the sender if the message was real, to which the attacker would respond, ‘Yes, sign the document.’ The attacker would then delete all of the related messages from the compromised employee’s mailbox to attempt to cover their tracks.
How did ‘patient zero’ get breached in the first place?
‘Patient zero’ was originally a term used when talking about medical emergencies; it is now common to hear it in a security context, where it refers to the first victim in a phishing campaign and the starting point for tracing how an attack spread.
While tracking down the path of the attack, we thought the security breach may have occurred via a keylogger or something more malicious. As it turns out, the executive received an email from a colleague’s compromised mailbox and clicked on the fake DocuSign link where they entered their company credentials. With one person’s credentials, the attacker was able to access that employee’s email and contact other company directors to increase the scope of the attack. It was determined that the attacker had mailbox access for approximately two weeks before being discovered.
How can Microsoft technologies help with these kinds of attacks?
- Ensure Litigation Hold is enabled for all accounts
  - The customer had this implemented, which allowed us to perform eDiscovery searches to find messages the attacker had deleted
- Deploy custom branding on the Office 365 sign-in page
  - Custom branding can help employees distinguish between your real login page and fake login pages
- Invest in Azure AD Premium
  - Enabling Multi-Factor Authentication (MFA) helps thwart attackers even if they have an individual’s username and password
  - Azure Active Directory Identity Protection could have alerted the account owner and the client’s IT team to suspicious logon activity and allowed them to shut down access immediately
  - Azure AD Premium also provides detailed logon reporting that can help identify suspicious logon behavior and provide information on where attacks originate
- Educate users on phishing attacks
- Other solutions like Office 365 Advanced Threat Protection (ATP) or Data Loss Prevention (DLP) can help protect sensitive information
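As an added example that is not part of the original post or of Prosum’s tooling, the PowerShell below turns two of the recommendations above into checks an Office 365 admin can run: it lists user mailboxes that are not on Litigation Hold (the control that made the attacker’s deleted messages recoverable in this incident), and it scans a sign-in export for accounts that authenticated successfully from two different countries inside one window, the kind of anomaly the logon reporting in the Azure AD Premium bullet is meant to surface. The function names, the example.com accounts, the sample records and the four-column mapping of the sign-in export are assumptions made for this example; the Exchange Online cmdlets in the commented live section are the real ones from the ExchangeOnlineManagement module.

```powershell
# Added example, not code from the original post or from Prosum.
# Two checks that follow from the recommendation list:
#   1. Are all user mailboxes on Litigation Hold (so an attacker's deletions stay recoverable)?
#   2. Which accounts signed in successfully from two countries within a short window?
# Assumptions: the live path needs the ExchangeOnlineManagement module; the sample data below
# is constructed for an offline run; a sign-in export is assumed to be mapped to the four
# properties UserPrincipalName, CreatedDateTime, Country and Succeeded.

function Get-MailboxWithoutLitigationHold {
    param(
        # Objects exposing UserPrincipalName and LitigationHoldEnabled (Get-Mailbox output or a sample)
        [Parameter(Mandatory)] [object[]] $Mailboxes
    )
    $Mailboxes | Where-Object { -not $_.LitigationHoldEnabled }
}

function Find-MultiCountrySignIn {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $WindowHours = 24
    )
    $alerts = @()
    # Failed attempts are noise here; a compromised password produces successful sign-ins.
    $successful = $SignIns | Where-Object { $_.Succeeded }
    foreach ($group in ($successful | Group-Object -Property UserPrincipalName)) {
        # Oldest to newest so the inner loop can stop once the window is exceeded
        $events = @($group.Group | Sort-Object -Property { [datetime]$_.CreatedDateTime })
        for ($i = 0; $i -lt $events.Count; $i++) {
            for ($j = $i + 1; $j -lt $events.Count; $j++) {
                $span = ([datetime]$events[$j].CreatedDateTime) - ([datetime]$events[$i].CreatedDateTime)
                if ($span.TotalHours -gt $WindowHours) { break }
                if ($events[$i].Country -ne $events[$j].Country) {
                    $alerts += [pscustomobject]@{
                        UserPrincipalName = $group.Name
                        FirstCountry      = $events[$i].Country
                        FirstSeen         = $events[$i].CreatedDateTime
                        SecondCountry     = $events[$j].Country
                        SecondSeen        = $events[$j].CreatedDateTime
                        HoursApart        = [math]::Round($span.TotalHours, 1)
                    }
                }
            }
        }
    }
    $alerts
}

# Constructed sample data (not from the incident), mirroring the shape of the real exports.
$sampleMailboxes = @(
    [pscustomobject]@{ UserPrincipalName = 'exec@example.com';    LitigationHoldEnabled = $false }
    [pscustomobject]@{ UserPrincipalName = 'finance@example.com'; LitigationHoldEnabled = $true }
)
$sampleSignIns = @(
    [pscustomobject]@{ UserPrincipalName = 'exec@example.com';    CreatedDateTime = '2019-03-04T08:05:00Z'; Country = 'US'; Succeeded = $true }
    [pscustomobject]@{ UserPrincipalName = 'exec@example.com';    CreatedDateTime = '2019-03-04T11:30:00Z'; Country = 'DE'; Succeeded = $false }
    [pscustomobject]@{ UserPrincipalName = 'exec@example.com';    CreatedDateTime = '2019-03-04T11:40:00Z'; Country = 'DE'; Succeeded = $true }
    [pscustomobject]@{ UserPrincipalName = 'finance@example.com'; CreatedDateTime = '2019-03-04T09:00:00Z'; Country = 'US'; Succeeded = $true }
    [pscustomobject]@{ UserPrincipalName = 'finance@example.com'; CreatedDateTime = '2019-03-06T09:00:00Z'; Country = 'US'; Succeeded = $true }
)

Write-Host "Mailboxes without Litigation Hold:"
Get-MailboxWithoutLitigationHold -Mailboxes $sampleMailboxes | Format-Table UserPrincipalName

Write-Host "Accounts seen in two countries within 24 hours:"
Find-MultiCountrySignIn -SignIns $sampleSignIns | Format-Table

# Live run against the tenant (uncomment; -WhatIf shows the change without applying it):
# Connect-ExchangeOnline -UserPrincipalName admin@example.com
# $live = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
# Get-MailboxWithoutLitigationHold -Mailboxes $live |
#     ForEach-Object { Set-Mailbox -Identity $_.UserPrincipalName -LitigationHoldEnabled $true -WhatIf }
```

On the sample data the first check reports exec@example.com, and the second flags the same account for a US sign-in followed by a DE sign-in about 3.6 hours later, while the finance account’s two US sign-ins two days apart produce nothing. The country window is a deliberately simple stand-in for the risk detections Identity Protection performs automatically; its value is that it can be run against an exported sign-in log today, before any licensing change, to find the account whose mailbox an attacker has been reading for two weeks.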
While our customer is still investigating the security breach, they’re taking a second look at what Microsoft security offerings are available, and how Prosum can help them implement solutions to protect their organization in the future. A little bit of identity security goes a long way these days, so why not make sure you’re protected? Reach out and schedule some time to talk to one of our experts if you want to dive deeper into your own security posture and how you can take steps to secure yourself against a similar security breach at your company.