Showing posts with label Office 365.

Office 365 Provides Email Protection Against Downgrade and MITM Attacks

Microsoft has added SMTP MTA Strict Transport Security (MTA-STS) support to Exchange Online to improve the email security of Office 365 customers. Redmond first announced the planned MTA-STS release in September 2020, when it also said it was adding inbound and outbound support for DNSSEC (Domain Name System Security Extensions) and DANE for SMTP (DNS-based Authentication of Named Entities). The Exchange Online Transport team has been validating and implementing the feature and is now ready to announce MTA-STS support for all outgoing messages sent via Exchange Online.

With MTA-STS in Office 365, emails sent by Exchange Online users travel over connections that are both authenticated and encrypted, which protects them from interception by threat actors. The new feature improves Exchange Online email security and addresses several long-standing SMTP security problems, including expired TLS certificates, poor support for secure protocols, and certificates that are not trusted by third parties or do not match the server's domain name. Before MTA-STS, email sent over insecure TLS connections was vulnerable to man-in-the-middle and downgrade attacks.

The Exchange Team says "downgrade attacks are possible where the STARTTLS response can be deleted, thus rendering the message in cleartext. Man-in-the-middle (MITM) attacks are also possible, whereby the message can be rerouted to an attacker's server. MTA-STS (RFC8461) helps thwart such attacks by providing a mechanism for setting domain policies." Microsoft provides guidance on adopting MTA-STS, including how to host the policy file on the domain's web infrastructure.

DANE for SMTP support 

Redmond is also working on DANE for SMTP with DNSSEC support, which provides stronger protection for SMTP connections than MTA-STS. As a domain owner, Microsoft has already secured several of its own email domains, including primary domains such as hotmail.com, outlook.com and live.com, which means that connections from senders that support MTA-STS are protected against man-in-the-middle attacks.

Microsoft says "you can use both standards on the same domain at the same time, so customers are free to use both when Exchange Online offers inbound protection using DANE for SMTP by the end of 2022. By supporting both standards, you can account for senders who may support only one method."
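As an added illustration of the "domain policies" the Exchange Team quote refers to, the following example (written for this page, not Microsoft's or Exchange Online's own code) parses the two artifacts an MTA-STS domain owner publishes under RFC 8461, the `_mta-sts` TXT record and the `/.well-known/mta-sts.txt` policy file, and shows how a sending MTA would evaluate a candidate MX host against them, including the one-label wildcard rule and the difference between `enforce` and `testing` modes. The TXT record, policy text and host names are constructed sample values.

```python
"""Parse and evaluate an MTA-STS policy (RFC 8461) the way a sending MTA would.

Added example for this page; sample record, policy and host names are constructed.
"""
from dataclasses import dataclass

# Constructed sample TXT record, as published at _mta-sts.<domain>
SAMPLE_TXT = "v=STSv1; id=20211001120000Z;"

# Constructed sample policy, as served at https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mail.example.net
max_age: 604800
"""


@dataclass
class Policy:
    version: str
    mode: str
    mx: list
    max_age: int


def parse_txt_record(txt):
    """Return the policy id from the _mta-sts TXT record, or None if it is not a valid STSv1 record.

    The id is what tells a sender that the cached policy changed and must be refetched.
    """
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy(text):
    """Parse the key: value policy file and validate the fields RFC 8461 requires."""
    version = mode = None
    mx, max_age = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
        # Unknown keys are ignored so that future extensions do not break senders.
    if version != "STSv1":
        raise ValueError("unsupported policy version")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if max_age is None:
        raise ValueError("max_age is required")
    if mode != "none" and not mx:
        raise ValueError("at least one mx entry is required unless mode is none")
    return Policy(version, mode, mx, max_age)


def mx_matches(pattern, hostname):
    """RFC 8461 section 4.1: a leading '*.' wildcard matches exactly one leftmost label."""
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return hostname == pattern


def evaluate_delivery(policy, mx_host, tls_ok):
    """Decide whether a sender may deliver to mx_host.

    tls_ok is the result of the sender's certificate validation for that host.
    Returns (deliver, reason). In enforce mode a mismatch or a TLS failure blocks
    delivery; in testing or none mode the problem is only reported (TLSRPT).
    """
    matched = any(mx_matches(p, mx_host) for p in policy.mx)
    if matched and tls_ok:
        return True, "ok"
    problem = "mx host not listed in policy" if not matched else "TLS validation failed"
    if policy.mode == "enforce":
        return False, problem
    return True, f"{problem} (reported only, mode={policy.mode})"
```

The wildcard check is the part most often got wrong in home-grown validators: `*.mail.example.net` covers `mx1.mail.example.net` but neither `mail.example.net` itself nor a host two labels deep, so a certificate or MX list that relies on a broader wildcard fails in enforce mode.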

Attackers use Azure AD to Enroll Outlook on BYOD and then Send Phishing Emails


Microsoft has issued a warning about a new multi-stage phishing campaign in which the attackers first register a device they control on a corporate network, as a BYOD device would be, and then use it to send thousands of convincing phishing emails to other targets. Bring your own device (BYOD) refers to the practice of employees connecting to their corporate networks with personal devices to access work-related systems and possibly sensitive or confidential data. Smartphones, personal computers, tablets, and USB drives are examples of personal devices.

According to Microsoft, the goal of enrolling or registering a device on a target company's network was to evade detection during the subsequent phishing attacks. Microsoft said that "most" firms that had enabled multi-factor authentication (MFA) for Office 365 were not affected by the phishing emails sent from attacker-controlled registered devices, but every organization that had not implemented MFA was affected.

The attack took advantage of situations in which MFA was not enforced when registering a new device with a company's instance of Microsoft's identity service, Azure Active Directory (Azure AD), or when enrolling a BYOD device in a mobile device management (MDM) platform such as Microsoft's Intune.

"While multiple users within various organizations were compromised in the first wave, the attack did not progress past this stage for the majority of targets as they had MFA enabled. The attack's propagation heavily relied on a lack of MFA protocols," Microsoft said. "Enabling MFA for Office 365 applications or while registering new devices could have disrupted the second stage of the attack chain," it added. 

According to Microsoft, the first wave of the attack targeted firms in Australia, Singapore, Indonesia, and Thailand. The first stage used a DocuSign-branded phishing email that asked the recipient to review and sign the document. It made use of phishing domains with the .xyz top-level domain (TLD). The phishing link in each email was also unique and included the target's name in the URL. Victims were routed to a bogus Office 365 login page by the phishing link. 

In the second phase, the attackers installed Microsoft's Outlook email client on their own Windows 10 PC and connected it to the victim's Azure AD tenant using the credentials obtained in phase one. All they had to do was accept Outlook's onboarding experience, which prompts the user to register the device.

According to Microsoft researchers, certain practices can limit an attacker's ability to move laterally and compromise assets after the initial intrusion; these should be supplemented with security solutions that provide visibility across domains and correlate threat data across protection components. Organizations can further reduce their attack surface by disabling basic authentication, requiring multi-factor authentication when devices are added to Azure AD, and enabling multi-factor authentication for all users.
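The two-stage chain above is detectable after the fact because the attacker's device registration follows a password-only sign-in. As an added example (not Microsoft's code and not a real log schema), the following correlates simplified, constructed sign-in and audit events: it flags "Register device" actions that were preceded within a short window only by single-factor sign-ins, or by no sign-in at all, and separately lists device names that several users registered, a weak signal worth a look on its own. The field names and timestamps are constructed for the example; a real tenant's sign-in and audit logs carry different names and far more fields.

```python
"""Flag device registrations that were not protected by MFA.

Added example for this page. The event dictionaries below are constructed and
simplified; they are not the real schema of any identity provider's logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: who authenticated, from where, and whether MFA was satisfied.
SIGNINS = [
    {"time": "2022-01-10T08:01:00", "user": "alice@contoso.example", "ip": "203.0.113.10", "mfa": False},
    {"time": "2022-01-10T08:05:00", "user": "bob@contoso.example", "ip": "198.51.100.7", "mfa": True},
    {"time": "2022-01-10T09:30:00", "user": "carol@contoso.example", "ip": "203.0.113.10", "mfa": False},
]

# Constructed sample audit events: device registrations attributed to a user.
AUDITS = [
    {"time": "2022-01-10T08:03:00", "activity": "Register device", "user": "alice@contoso.example", "device": "DESKTOP-X1"},
    {"time": "2022-01-10T08:06:00", "activity": "Register device", "user": "bob@contoso.example", "device": "LAPTOP-B"},
    {"time": "2022-01-10T11:00:00", "activity": "Register device", "user": "carol@contoso.example", "device": "DESKTOP-X1"},
]

WINDOW = timedelta(minutes=30)


def _t(stamp):
    return datetime.fromisoformat(stamp)


def find_unprotected_registrations(signins, audits, window=WINDOW):
    """Return registration events whose preceding sign-ins (within window) never satisfied MFA."""
    findings = []
    for ev in audits:
        if ev["activity"] != "Register device":
            continue
        reg_time = _t(ev["time"])
        # Sign-ins by the same user in the window leading up to the registration.
        recent = [
            s for s in signins
            if s["user"] == ev["user"]
            and 0 <= (reg_time - _t(s["time"])).total_seconds() <= window.total_seconds()
        ]
        if not recent:
            findings.append({**ev, "reason": "no sign-in found before registration"})
        elif not any(s["mfa"] for s in recent):
            findings.append({
                **ev,
                "reason": "registration preceded only by single-factor sign-ins",
                "ips": sorted({s["ip"] for s in recent}),
            })
    return findings


def shared_device_names(audits):
    """Map device names registered by more than one user to the sorted list of those users."""
    users_by_device = defaultdict(set)
    for ev in audits:
        if ev["activity"] == "Register device":
            users_by_device[ev["device"]].add(ev["user"])
    return {dev: sorted(users) for dev, users in users_by_device.items() if len(users) > 1}


if __name__ == "__main__":
    for f in find_unprotected_registrations(SIGNINS, AUDITS):
        print(f["time"], f["user"], f["device"], "->", f["reason"])
    print("device names shared across users:", shared_device_names(AUDITS))
```

The window is deliberately short: the registration the article describes happens as part of the Outlook onboarding flow, right after the stolen credentials are first used, so a wide window mainly adds noise. The detection is a complement to, not a substitute for, the Conditional Access requirement of MFA for device registration that the paragraph above recommends.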

Spoofed Zix Encrypted Email is Used in Credential Spear-Phishing


Hackers have used a credential phishing attack to steal data from Office 365, Google Workspace, and Microsoft Exchange users by spoofing an encrypted mail notification from Zix. According to Armorblox security researchers, the attack reached around 75,000 users, with small groups of cross-departmental staff targeted in each customer environment.

Social engineering, brand impersonation, replicating existing workflows, drive-by downloads, and abuse of legitimate domains were among the methods the hackers employed to obtain data. Victims were sent "Secure Zix message" emails. The body of the email carried a header that repeated the subject line and claimed the victim had received a secure communication from Zix, a security technology company that provides email encryption and data loss prevention services.

The victim is invited to view the secure message by clicking the "Message" button in the email. While the phony email is not an exact copy of a real Zix notification, it is similar enough on the surface to fool unwary victims. According to the researchers, clicking the "Message" link causes an HTML file named "securemessage" to be downloaded to the victim's PC. The file could not be examined in a virtual machine (VM) because the download redirect did not trigger inside the VM.

Using valid (albeit unrelated) domains to send emails, according to Armorblox researcher Abhishek Iyer, is “more about tricking security measures (i.e. evading authentication checks) than it is about tricking recipients, especially if the domains are not forged to appear like the real thing.”

For example, Armorblox discovered a Verizon credential phishing campaign hosted on the website of a Wiccan coven last year. Another example is an Amazon credential phishing email sent from the domain of Blomma Flicka Flowers, a small floral design firm based in Vermont. Under the pretext of Amazon delivery notices, that campaign aimed to steal passwords and other personal information.

“Whether these domains are used to send the email or host the phishing page, the attackers’ intent is to evade security controls based on URL/link protection and get past filters that block known bad domains,” Iyer said via email.

"To host phishing pages on legitimate domains, attackers usually exploit vulnerabilities in the web server or the Content Management Systems (CMS) to host the pages without the website admins knowing about it," he continued.

IRS Warned of an Ongoing IRS-Impersonation Scam


The Internal Revenue Service (IRS) has warned of ongoing phishing attacks that impersonate the IRS and target educational institutions. The attacks focus on college staff and students with .edu email addresses and use tax refund payments as bait to lure unsuspecting victims. The IRS said the phishing emails "appear to target university and college students from both public and private, profit and non-profit institutions."

It added that the suspect emails display the IRS logo and use various subject lines, for example "Tax Refund Payment" or "Recalculation of your tax refund payment." Clicking the link takes victims to a phony site that asks them to submit a form to claim their refund.

Abnormal Security researchers, who detected these attacks in the wild, recently said that the emails bypassed Office 365 security and landed in the mailboxes of between 5,000 and 50,000 targets. "This impersonation is especially convincing as the attacker's landing page is identical to the IRS website including the popup alert that states 'THIS US GOVERNMENT SYSTEM IS FOR AUTHORIZED USE ONLY', a statement that also appears on the legitimate IRS website," Abnormal Security revealed.

The phishing site asks taxpayers to provide their:

• Social Security number
• First Name 
• Last Name 
• Date of Birth 
• Prior Year Annual Gross Income (AGI)
• Driver's License Number
• Current Address 
• City
• State/U.S. Territory 
• ZIP Code/Postal Code
• Electronic Filing PIN

Hank Schless, Senior Manager, Security Solutions at Lookout, says, "At this time of year, attackers will pose as members of the IRS to socially engineer employees into sharing sensitive tax-related information such as social security numbers or bank account information." 

Schless adds, “Security teams should be protecting employees across all endpoints to ensure they don’t fall victim to a phishing attack or download a malicious attachment that compromises the organization’s entire security posture. These scams are most effective on mobile devices, and attackers know that and are creating phishing campaigns like this to take advantage of the mobile interface that makes it hard to spot a malicious message. People access their work email on a smartphone or tablet just as much as they do on a computer. Any text, email, WhatsApp message, or communication that creates a time-sensitive situation should be a red flag. Employees should approach these messages with extreme caution or go straight to their IT and security teams to validate it.”
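The Zix and IRS campaigns above share one shape: a trusted brand in the display name or subject, a sender or landing-page domain that does not belong to that brand, and a lure that creates urgency. As an added example (not code from Armorblox, Abnormal Security, Lookout or this page), the following scores a raw message on exactly those three signals. The sample message is constructed, the brand-to-domain table is an assumption for the example (irs.gov is the IRS's real domain; the Zix domains listed are assumed), and the registrable-domain helper is a deliberate simplification: production code would use a public suffix list.

```python
"""Score an inbound message for brand impersonation.

Added example for this page. The brand domain table is an assumption and the
sample message is constructed; the eTLD+1 helper is a simplification.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand keyword -> domains that brand legitimately sends from or links to (assumed for the example).
BRAND_DOMAINS = {
    "zix": {"zixcorp.com", "zixmail.net"},
    "irs": {"irs.gov"},
}

# Lure phrases seen in the two campaigns described above plus generic urgency wording.
URGENCY = re.compile(
    r"\b(recalculat\w*|tax refund|expires?|immediately|within 24 hours|secure message)\b", re.I
)

# Constructed sample message modelled on the spoofed Zix notification.
RAW_MESSAGE = """From: "Zix Secure Message Center" <notify@flowers-example.net>
To: victim@corp.example
Subject: Secure Zix message
Content-Type: text/html

<html><body><p>You have received a secure message.</p>
<a href="https://cdn.static-host.example/securemessage">Message</a></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect href targets of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.links.append(value)


def registrable(host):
    """Crude eTLD+1 (last two labels). Enough for the sample; real code needs a public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze(raw):
    """Return the brands claimed, the sender and link domains, and a list of findings."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.rpartition("@")[2]) if "@" in addr else ""
    subject = msg.get("Subject", "")
    claimed_text = f"{name} {subject}".lower()
    brands = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", claimed_text)]

    body = msg.get_payload(decode=True).decode(errors="replace")
    extractor = LinkExtractor()
    extractor.feed(body)
    link_domains = sorted({registrable(urlparse(u).hostname or "") for u in extractor.links})

    findings = []
    for brand in brands:
        if sender_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"display name/subject claims {brand} but sender domain is {sender_domain}")
        unrelated = [d for d in link_domains if d not in BRAND_DOMAINS[brand]]
        if unrelated:
            findings.append(f"links to domains unrelated to {brand}: {', '.join(unrelated)}")
    if URGENCY.search(subject + " " + body):
        findings.append("urgency/lure language present")
    return {
        "brands": brands,
        "sender_domain": sender_domain,
        "link_domains": link_domains,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in analyze(RAW_MESSAGE)["findings"]:
        print("-", line)
```

The domain mismatch is the signal Iyer's quote points at: the message authenticates cleanly for flowers-example.net, so SPF and DKIM pass, and only the gap between the claimed brand and the domains that actually sent and are linked gives the message away.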

SolarWinds CEO: “SolarWinds Orion Development Program was Exploited by the Hackers”


Sudhakar Ramakrishna, CEO of SolarWinds, confirmed that 'suspicious activity' was spotted in the company's Office 365 environment which allowed threat actors to gain access to and exploit the SolarWinds Orion development environment. The threat actors got into SolarWinds's environment through compromised credentials and a third-party application that had a zero-day vulnerability.

The threat actors gained access to a SolarWinds email account and used it to programmatically access the accounts of targeted SolarWinds employees in business and technical roles. They then used the compromised credentials of SolarWinds personnel as a doorway into the development environment for the SolarWinds Orion network monitoring platform. Microsoft first alerted SolarWinds to a breach of its Office 365 environment on December 13, the same day news of the data breach went public.

Ramakrishna wrote in a blog post that “we’ve confirmed that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles. By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment.”

“While it’s widely understood any one company could not protect itself against a sustained and unprecedented nation-state attack of this kind, we see an opportunity to lead an industry-wide effort that makes SolarWinds a model for secure software environments, development processes, and products”, he further added.

SolarWinds's investigators have not identified a specific vulnerability in Office 365 that would have allowed the threat actors to enter the firm's environment through Office 365. Ramakrishna believes that the Russian foreign intelligence service played a significant role in the SolarWinds hack. SolarWinds is analyzing data from various systems and logs, including its Office 365 and Azure tenants.

Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal that about 30 percent of the private-sector and government victims of the massive hacking campaign had no direct link to SolarWinds, but investigators have not identified another company whose products were widely compromised. SolarWinds's investigation will continue for at least another month because of the threat actors' thorough efforts to remove evidence of their actions.