Author: Greg Timinski
Principal Architect, Digital Defense
Long View
This post provides an overview of a typical Microsoft 365 attack. The scenario matters because approximately 46% of companies use Microsoft 365, which makes it a substantial target for malicious actors seeking to exploit it for ransomware extortion against businesses.
For this particular scenario, we examine the attack across all security domains, including identity, endpoints, data, and applications. Research indicates that around 20% of data breaches originate from identity compromises resulting from social engineering attacks. In this instance, we delve into a spear-phishing attack orchestrated by malicious actors who conducted thorough research on an individual with potential high-level access to their corporate IT infrastructure.
The Initial Step
Malicious actors conduct LinkedIn research and carefully craft a specific email designed to mimic a Teams invitation to a new Teams project site. The goal is to entice the target into clicking the link, which redirects them to a fake site where they are prompted to enter their credentials. The individual is then redirected to an error page in the hope that the failed login won't raise suspicion.
With the successful compromise of the individual's identity and access gained to the M365 tenant, the attackers proceed to assess their level of access. They then devise a strategy to attempt privilege escalation and lateral movement through the identity domain, eventually reaching the application domain. Here, they aim to execute remote code on an accessible endpoint or server they've infiltrated.
Environment Breached
After the execution of ransomware code within the environment, the attackers transition to the data domain layer. Their objectives include data exfiltration and the establishment of persistence. Achieving persistence involves employing defense evasion tactics such as uninstalling or disabling security software to evade detection.
Following this stage, the attackers have several options. They can continue exfiltrating data or gain access to the backup application, making it impossible for the business to recover its data. This could involve encrypting data or altering data retention policies within the application to render backups unusable.
Ransomware Demand
The final step typically involves the attackers issuing a ransomware note or demands. They may place these directly within the target systems or send targeted internal emails to senior-level staff to initiate a reaction phase. During this breach detection phase, the organization must verify the breach's authenticity and determine its next course of action. This might involve invoking their cyber insurance policy to facilitate a ransom payment or engaging a forensics team to investigate the root of the attack in an attempt to recover data.
Of course, a data breach has external repercussions, starting with the expenses incurred for hiring a forensics team and facilitating the restoration and rebuilding process. Our research indicates that the global average cost of a data breach has risen to $4.24 million USD, reflecting a 10% increase from the previous year.
Furthermore, the organization is responsible for addressing the compromised client data, which may consist of personally identifiable information (PII), private intellectual property, or, in many cases, leaked financial data. In any event, reporting the breach to the Privacy Commissioner is mandatory, and dealing with media attention regarding the breach is a challenging aspect that no organization wishes to encounter.
Defense Strategy
Identity behavior monitoring is usually the first area to cover: implement user risk policies, monitor your identity domain for lateral movement of users, develop a strategy for understanding who your risky users are, and implement controls such as Conditional Access and the Zero Trust approach, where you always:
- Verify Explicitly
- Use least privileged access
- And always Assume Breach
The second domain to ensure you have direct visibility into is your endpoints and servers. Are they being actively monitored for detection and response against malware, viruses, and compliance exploits, or even USB attacks? Endpoints are a highly mobile and vulnerable area that needs strict policy control.
The third security domain is cloud and email behavioral file monitoring: are you actively scanning for and blocking phishing and spoofing, and using Safe Attachments, within SharePoint and Exchange Online? What about Teams links and file sharing? These are all potential threat areas that need to be monitored actively.
The last domain is cloud app (SaaS) monitoring, covering areas such as shadow IT (which cloud apps are in use within the organization), compliance around data exfiltration policies and data loss prevention by implementing information protection, and, in addition, looking for and acting on risky IP addresses, impossible travel, and other unauthorized admin activities.
The final stage in the defense journey involves the establishment of a unified "Single pane of glass" platform that seamlessly integrates telemetry data from all security domains. Leveraging signal intelligence through AI and machine learning, this platform collects signals from identity, email, endpoints, and cloud sources.
Adopting a SIEM (Security Information and Event Management) framework offers the most effective approach to expedite the processes of Collection, Detection, Investigation, and automated Response to potential threats.
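To make the "impossible travel" signal mentioned in the cloud app domain concrete, here is an added example (not code from the original post or from any Microsoft product) that runs the detection over constructed sign-in records shaped like the user, time, IP and geo fields a sign-in log exposes. The threshold, sample users and coordinates are all assumptions for illustration.

```python
"""Impossible-travel detection over constructed sign-in records (added example)."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample data: alice signs in twice from one location; bob's
# second sign-in comes from another continent 40 minutes after the first.
SIGN_INS = [
    {"user": "alice@example.com", "time": "2024-03-04T08:00:00Z", "ip": "203.0.113.10", "lat": 51.05, "lon": -114.07},
    {"user": "alice@example.com", "time": "2024-03-04T12:30:00Z", "ip": "203.0.113.10", "lat": 51.05, "lon": -114.07},
    {"user": "bob@example.com", "time": "2024-03-04T09:00:00Z", "ip": "198.51.100.7", "lat": 43.65, "lon": -79.38},
    {"user": "bob@example.com", "time": "2024-03-04T09:40:00Z", "ip": "192.0.2.55", "lat": 52.37, "lon": 4.90},
]

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold, roughly airliner speed; tune per environment


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per pair of consecutive sign-ins (per user) whose implied speed exceeds max_kmh."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])  # ISO-8601 UTC strings sort chronologically
        for prev, cur in zip(evs, evs[1:]):
            t0 = datetime.fromisoformat(prev["time"].replace("Z", "+00:00"))
            t1 = datetime.fromisoformat(cur["time"].replace("Z", "+00:00"))
            hours = (t1 - t0).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Same timestamp but different place is also impossible; treat speed as infinite.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(km), "minutes": round(hours * 60), "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGN_INS):
        print(alert)
```

The alert records carry both IPs so an analyst can pivot to the risky-IP and Conditional Access checks described above.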
In summary, the optimal strategy begins with the implementation of security toolsets at the domain level to enhance the protection of critical assets. Subsequently, the focus shifts to developing a comprehensive security operations strategy, ultimately reducing the time required to recover from a breach.
Troy Martin
I suspect this percentage to be much higher, "20% of data breaches originate from identity compromises...". I would expect it to be 60-70% as credential harvesting is the highest percentage of phish attempts.