Attackers Compromise Office 365 Accounts without Stealing Credentials

January 21, 2020

Credential phishing attacks are not new, and impersonating Microsoft is well-known at this point. However, this attack is unique because the attacker was not simply asking for email credentials. Instead, the attack uses an app integration to gain full access to a Microsoft account, including email conversations, OneDrive files, and more.

Summary of Attack

  • Platform: Office 365
  • Email Security Bypassed: Office 365
  • Victims: Internal Employees
  • Payload: Office 365 App
  • Technique: Brand Impersonation

Overview of the Phishing Attack

In this attack, the attacker leveraged an Office 365 app which, according to PhishLabs, was created using information stolen from a legitimate organization. This app requests access to nearly everything in the victim's O365 account—email, OneDrive, contacts, and more.

The email itself purports to come from Microsoft, asking users to log in to enable additional anti-virus protection on their account. The email looked like a legitimate email from Microsoft and links directly to legitimate Microsoft pages, including a real Microsoft login page.

Although the login page the email linked to was a legitimate Microsoft login page, the URL also instructed Microsoft to forward the authorization token to another domain. After the user logged in, this forwarded token would trigger an app to request full access to the victim's Office 365 account. This portion of the URL would not have been easily visible in the browser's address bar.

If the user granted the app the access it requested, attackers would take full control of the victim's account. Because access is granted through the malicious app, a password reset would be ineffective—the only way to deny the attacker access to the account would be to delete the app.

Why the Attack Bypassed Existing Security

In this case, the email sent from the attacker looked like a real email from Microsoft and the display name itself said as much. In a unique twist, it offered greater protection for the user's Office 365 account. Nothing about the email, including URLs, looked amiss or illegitimate. Making it even more complicated, the attacker directed the victim to a real Microsoft login page because the point of the attack was not to steal credentials.

The email even said that users would be getting new security capabilities, so they might have even expected the app prompt a full access request to their account. This attack was sophisticated: there was no credential theft since the login page was real, and even if the user realized that this was an attack, changing their password would not block the attacker's access to their account.

Abnormal stopped this attack because of the unusual sender address, the unusual reply-to domain, and the urgent language present within the email itself. In an attack that is extremely difficult to stop, and where remediation is much harder than simply changing the password, increased security is vital to prevent compromise.

See how Abnormal can prevent these attacks for your organization by requesting a demo today.

Related Posts

B 10 15 21
With Detection 360, submission to threat containment just got 94% faster, making it incredibly easy for customers to submit false positives or missed attacks, and get real-time updates from Abnormal on investigation, conclusion, and remediation.
Read More
Extortion blog cover
Unfortunately, physically threatening extortion attempts sent via email continue to impact companies and public institutions when received—disrupting business, intimidating employees, and occasioning costly responses from public safety.
Read More
Blog engineering cybersecurity careers
Cybersecurity Careers Awareness Week is a great opportunity to explore key careers in information security, particularly as there are an estimated 3.1 million unfilled cybersecurity jobs. This disparity means that cybercriminals are taking advantage of the situation, sending more targeted attacks and seeing greater success each year.
Read More
Blog hiring cybersecurity leaders
As with every equation, there are always two sides and while it can be easy to blame users when they fall victim to scams and attacks, we also need to examine how we build and staff security teams.
Read More
Cover automated ato
With an increase in threat actor attention toward compromising accounts, Abnormal is focused on protecting our customers from this potentially high-profile threat. We are pleased to announce that our new Automated Account Takeover (ATO) Remediation functionality is available.
Read More
Email spoofing cover
Email spoofing is a common form of phishing attack designed to make the recipient believe that the message originates from a trusted source. A spoofed email is more than just a nuisance—it’s a malicious communication that poses a significant security threat.
Read More
Cover cybersecurity month kickoff
It’s time to turn the page on the calendar, and we are finally in October—the one month of the year when the spooky becomes reality. October is a unique juncture in the year as most companies are making the mad dash to year-end...
Read More
Ices announcement cover
Abnormal ICES offers all-in-one email security, delivering a precise approach to combat the full spectrum of email-borne threats. Powered by behavioral AI technology and deeply integrated with Microsoft 365...
Read More
Account takeover cover
Account takeovers are one of the biggest threats facing organizations of all sizes. They happen when cybercriminals gain legitimate login credentials and then use those credentials to send more attacks, acting like the person...
Read More
Blog podcast green cover
Many companies aspire to be customer-centric, but few find a way to operationalize customer-centricity into their team’s culture. As a 3x SaaS startup founder, most recently at Orum, and a veteran of Facebook and Palantir, Ayush Sood...
Read More
Blog attack atlassian cover
Credential phishing links are most commonly sent by email, and they typically lead to a website that is designed to look like common applications—most notably Microsoft Office 365, Google, Amazon, or other well-known...
Read More
Blog podcast purple cover
Working at hyper-growth startups usually means that unreasonable expectations will be thrust on individuals and teams. Demanding timelines, goals, and expectations can lead to high pressure, stress, accountability, and ultimately, extraordinary growth and achievements.
Read More