chat
expand_more

Attackers Compromise Office 365 Accounts without Stealing Credentials

January 21, 2020

Credential phishing attacks are not new, and impersonating Microsoft is well-known at this point. However, this attack is unique because the attacker was not simply asking for email credentials. Instead, the attack uses an app integration to gain full access to a Microsoft account, including email conversations, OneDrive files, and more.

Summary of Attack

  • Platform: Office 365
  • Email Security Bypassed: Office 365
  • Victims: Internal Employees
  • Payload: Office 365 App
  • Technique: Brand Impersonation

Overview of the Phishing Attack

In this attack, the attacker leveraged an Office 365 app which, according to PhishLabs, was created using information stolen from a legitimate organization. This app requests access to nearly everything in the victim's O365 account—email, OneDrive, contacts, and more.

The email itself purports to come from Microsoft, asking users to log in to enable additional anti-virus protection on their account. The email looked like a legitimate email from Microsoft and links directly to legitimate Microsoft pages, including a real Microsoft login page.

Although the login page the email linked to was a legitimate Microsoft login page, the URL also instructed Microsoft to forward the authorization token to another domain. After the user logged in, this forwarded token would trigger an app to request full access to the victim's Office 365 account. This portion of the URL would not have been easily visible in the browser's address bar.

If the user granted the app the access it requested, attackers would take full control of the victim's account. Because access is granted through the malicious app, a password reset would be ineffective—the only way to deny the attacker access to the account would be to delete the app.

Why the Attack Bypassed Existing Security

In this case, the email sent from the attacker looked like a real email from Microsoft and the display name itself said as much. In a unique twist, it offered greater protection for the user's Office 365 account. Nothing about the email, including URLs, looked amiss or illegitimate. Making it even more complicated, the attacker directed the victim to a real Microsoft login page because the point of the attack was not to steal credentials.

The email even said that users would be getting new security capabilities, so they might have even expected the app prompt a full access request to their account. This attack was sophisticated: there was no credential theft since the login page was real, and even if the user realized that this was an attack, changing their password would not block the attacker's access to their account.

Abnormal stopped this attack because of the unusual sender address, the unusual reply-to domain, and the urgent language present within the email itself. In an attack that is extremely difficult to stop, and where remediation is much harder than simply changing the password, increased security is vital to prevent compromise.

See how Abnormal can prevent these attacks for your organization by requesting a demo today.

Attackers Compromise Office 365 Accounts without Stealing Credentials

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Osterman Recap
Discover key insights from Osterman Research’s latest report on modernizing MFA to tackle rising identity threats.
Read More
B Transportation Industry Attack Trends Blog
Explore the latest attack trends in the transportation industry and learn how to defend against rising threats like phishing, BEC, and VEC.
Read More
B F1000 Manufacturer Replaces Proofpoint with Abnormal
A global industrial manufacturer enhanced its email security and operational efficiency by replacing its Proofpoint SEG with Abnormal.
Read More
B QR Code Phishing One Year Later Blog
Are QR code phishing attacks still a threat? Explore the latest trends in QR code phishing and how AI-powered solutions like Abnormal Security stop these sophisticated attacks.
Read More
B Customers AI
Learn from Abnormal customers about the challenges of AI-enhanced attacks and discover why they trust AI-driven security solutions to stay ahead of these evolving threats.
Read More
B AI Mbx Prompts
Discover how to unlock the full potential of the AI Security Mailbox with custom prompts designed to enhance your generative AI output.
Read More