Phishing from the inside: Microsoft 365 account hijack

Max Heinemeyer, Director of Threat Hunting | Tuesday August 4, 2020

Cyber-criminals are increasingly impersonating trusted SaaS platforms and suppliers with their attacks. Recently, Darktrace has detected threats leveraging QuickBooks, WeTransfer and Microsoft Teams brand names. Many of these emails attempt to coax a recipient into clicking a malicious link that leads to a page containing credential-harvesting malware. This blog post demonstrates a possible next phase in an attack – what happens after an employee enters their details on this malicious webpage and has their account compromised.

Even just one compromised internal account can greatly increase the success rate of a phishing campaign. Attackers can use a compromised Microsoft 365 account to gain access to multiple other accounts within hours.

Darktrace’s AI was monitoring over 9,000 devices at a leading technology firm in the APAC region when one employee became victim to a Microsoft 365 account takeover over the weekend. This account was then used to send hundreds of phishing emails to both internal and external contacts. Darktrace detected the early signs of account compromise and raised a high-confidence alert to the security team well before these emails were sent. If the security team had acted quickly in response to the alert, the delivery of the phishing emails – and a second account compromise – could have been avoided.

Timeline of the attack

Figure 1: A timeline of the attack

We can see in the timeline that the attacker only spent three hours performing research before acting. This raises questions on the nature of this threat. Was the attack automated? Had the attacker done preliminary research? Did they know what they were after?

A bespoke and targeted attack

Darktrace first alerted to the security incident when the AI detected that someone was logging in from an unusual geographical location, promptly setting up new inbox rules, and viewing several shared files. The attacker then proceeded to send out over 200 phishing emails to internal and external recipients.

The emails contained a link to a Microsoft OneDrive landing page titled “Contract & Proposal – Customer,” indicating the page was specifically built for this attack. The page contained a phishing link hidden under the display text “Click to Review Fax Document.” Less than one hour after the phishing emails were sent, Darktrace’s AI detected an an unusual login from the same IP to a second account in the organization, indicating this account had likely also been compromised.

How did the attack bypass the rest of the security stack?

  • The attacker leveraged compromised M365 credentials, with the initial entry likely via compromised credentials from a previous phishing campaign before Darktrace’s AI was deployed;

  • Traditional email security software trusts internal emails;

  • Phishing emails contained a OneDrive link, a trusted SaaS platform, so other email security products would not have identified these links as suspicious.

AI Analyst investigates

The technology firm had deployed Darktrace’s Enterprise Immune System across their network and SaaS applications, and consequently had real-time visibility across every event in this attack as it unfolded. Additionally, when the unusual login location was detected, Darktrace’s Cyber AI Analyst immediately launched an automated investigation into the malicious activity, generating a natural language summary of the events and other crucial information to help with incident review.

Figure 2: An excerpt of Cyber AI Analyst’s report of the account hijack

Darktrace’s SaaS Console also reported on the event in the context of activity on that device over the previous week.

Figure 3: Darktrace’s SaaS dashboard displaying an overview of the incident

This attack is another example of the changing nature of cyber-threats in the context of digital transformation. It is not devices, but identities that are increasingly being targeted and attacked.

Darktrace’s real-time alerting on the evolving situation could have enabled the security team to isolate the initial compromised account and change the credentials before the attack escalated further. The initial rare login destination caused Darktrace’s Cyber AI Analyst to launch an ongoing investigation into the compromised account, such that an alert was raised just three minutes after new processing rules were set up by the attacker. With eyes on the technology, a more serious breach could have been avoided, and the breach remeditated in minutes.

Thanks to Darktrace analyst Stefan Rowe for his insights on the above threat find.

For eight more case studies of cyber-threats detected within SaaS environments, download the White Paper

IoCs:

IoCComment
covingtonok[.]buzzUsed to host fake login page

Darktrace model detections:

  • SaaS / Unusual External Source for SaaS Credential Use
  • SaaS / New Email
  • SaaS / Unusual Login and New Email Rule
  • SaaS / Anomalous Exchange Activity

Max Heinemeyer

Max is a cyber security expert with over nine years’ experience in the field, specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats, as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. In this role he worked as a white hat hacker, leading penetration tests and red team engagements. He was also part of the German Chaos Computer Club when he was still living in Germany. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.