Hackers and their target of choice – Microsoft 365 services

Author
Jolanda Muff
Published
17. May 2021

Indisputably, Microsoft 365 is Microsoft's fastest-growing product. Many companies are moving to cloud software, and Microsoft has emerged as the leader in the field with upwards of 250 million active users per month. So it comes as no surprise that cyberattacks targeting software-as-a-service (SaaS) user accounts are among the most common problems for businesses. Read in this blog article why cloud software is so appealing to cybercriminals and how your SOC team can rapidly detect and respond to potential attackers.


For many users, Microsoft 365 forms the basis of collaborative working and stores both company data and communications. The SaaS offering matters to private individuals and companies alike, and it dominates the productivity sector with over 258 million users and 75 million Microsoft Teams users. Despite the increasing deployment of measures such as multi-factor authentication (MFA) to protect user accounts, 40 per cent of organisations are still battling cyberattacks that abuse Microsoft 365, which can quickly lead to financial losses and reputational damage.

How cybercriminals use Microsoft 365 for their attacks

Our partner Vectra AI has published a study on the security of Microsoft 365 deployments. The e-book explains how cybercriminals abuse the platform's built-in services for their attacks and is based on a global survey of 1,112 security professionals working in medium to large enterprises.

Attackers can use Microsoft 365 as a way in and then obtain persistent access to the user's environment: a compromised account can serve as a persistent, remotely controlled foothold that behaves much like a reverse shell, with the difference that it rides on legitimate cloud services and needs no malware on the endpoint. The research found suspicious lateral movement behaviour in 96 per cent of the networks observed, and account hijacking was high on attackers' list of favourite methods for moving laterally between the cloud and the network. Two built-in tools seem to be particularly attractive to attackers: Power Automate, whose flows run actions such as forwarding mail or copying files under the account's own identity, and eDiscovery Compliance Search, which lets an account holding the eDiscovery role search mailboxes and files across the whole tenant. Vectra found suspicious behaviour associated with Power Automate in 71 per cent of the organisations it monitored, and 56 per cent encountered suspicious behaviour associated with eDiscovery.

E-mails and user accounts are frequently used by attackers to infiltrate a network. Social engineering is a common tactic to get users to grant consent to malicious Azure AD (OAuth) applications. As with mobile apps, users are far too quick to accept permission requests, and these give the app, and therefore the attacker, far-reaching access to the user's mail and files. The insidious part is that this access is token-based rather than password-based: the refresh token issued to the app can remain valid for 90 days without any further authentication, and changing the user's password does not revoke it. Only removing the app's consent (its permission grant or service principal in the tenant) and revoking the user's refresh tokens actually closes the door.
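The three behaviours described above (consent to a malicious app, eDiscovery searches from an account that should not be running them, and Power Automate flows created by a freshly compromised account) all leave records in the Microsoft 365 Unified Audit Log. The following triage script is an added example, not code from InfoGuard or Vectra: it runs over a constructed export of audit records and raises an alert for each pattern. The field names follow the Office 365 Management Activity API schema (CreationTime, Workload, Operation, UserId), and the operation names "Consent to application.", "New-ComplianceSearch" and "CreateFlow", the "Scope:" layout inside ConsentAction.Permissions and the FlowConnectorNames field are taken from audit exports I have worked with; treat them as assumptions to check against your own tenant's output (e.g. from Search-UnifiedAuditLog). The high-risk scope set, the authorised eDiscovery accounts and the 24-hour correlation window are illustrative choices.

```python
"""Triage Microsoft 365 Unified Audit Log records for illicit consent grants,
eDiscovery searches from unexpected accounts and Power Automate flows created
shortly after a consent. Sample records are constructed for this example."""
import json
import re
from datetime import datetime, timedelta

# Delegated permissions that hand a third-party app broad, token-based access
# to mail and files (assumption: tune this set to your own risk appetite).
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Directory.AccessAsUser.All", "offline_access",
}

# Accounts expected to create compliance searches (assumption).
AUTHORISED_EDISCOVERY = {"compliance.admin@contoso.example"}

# A flow created this soon after a high-risk consent by the same user is
# treated as related activity (assumption).
FLOW_CORRELATION_WINDOW = timedelta(hours=24)

# Constructed export: one JSON audit record per line, as Search-UnifiedAuditLog
# would return in its AuditData column.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2021-05-10T08:15:00", "Workload": "AzureActiveDirectory",
     "Operation": "Consent to application.", "UserId": "alice@contoso.example",
     "ResultStatus": "Success",
     "Target": [{"Type": 1, "ID": "Mail Archiver Pro"}],
     "ModifiedProperties": [{"Name": "ConsentAction.Permissions",
        "NewValue": "[[ConsentType: Principal, Scope: Mail.ReadWrite offline_access User.Read]]"}]},
    {"CreationTime": "2021-05-10T09:40:00", "Workload": "MicrosoftFlow",
     "Operation": "CreateFlow", "UserId": "alice@contoso.example",
     "FlowConnectorNames": "shared_office365;shared_sharepointonline"},
    {"CreationTime": "2021-05-10T10:05:00", "Workload": "SecurityComplianceCenter",
     "Operation": "New-ComplianceSearch", "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "ExchangeLocation", "Value": "All"},
                    {"Name": "ContentMatchQuery", "Value": "password OR VPN"}]},
    {"CreationTime": "2021-05-11T14:00:00", "Workload": "SecurityComplianceCenter",
     "Operation": "New-ComplianceSearch", "UserId": "compliance.admin@contoso.example",
     "Parameters": [{"Name": "ExchangeLocation", "Value": "bob@contoso.example"}]},
    {"CreationTime": "2021-05-11T15:30:00", "Workload": "AzureActiveDirectory",
     "Operation": "Consent to application.", "UserId": "bob@contoso.example",
     "ResultStatus": "Success",
     "Target": [{"Type": 1, "ID": "Team Lunch Poll"}],
     "ModifiedProperties": [{"Name": "ConsentAction.Permissions",
        "NewValue": "[[ConsentType: Principal, Scope: User.Read]]"}]},
])


def consented_scopes(record):
    """Extract the delegated scopes from a 'Consent to application.' record.
    Assumption: the scopes appear as 'Scope: a b c' inside NewValue."""
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "ConsentAction.Permissions":
            match = re.search(r"Scope:\s*([^,\]]+)", prop.get("NewValue", ""))
            if match:
                return set(match.group(1).split())
    return set()


def app_name(record):
    """Target entries of Type 1 carry the application's display name."""
    return next((t["ID"] for t in record.get("Target", []) if t.get("Type") == 1),
                "<unknown app>")


def triage(log_text):
    """Return alerts in chronological order for the three patterns."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    records.sort(key=lambda r: r["CreationTime"])  # ISO timestamps sort as text
    alerts = []
    recent_consents = {}  # user -> time of their last high-risk consent

    for r in records:
        when = datetime.fromisoformat(r["CreationTime"])
        user = r.get("UserId", "")
        op = r.get("Operation")

        if op == "Consent to application." and r.get("ResultStatus") == "Success":
            risky = consented_scopes(r) & HIGH_RISK_SCOPES
            if risky:  # a consent to User.Read alone is not worth an alert
                recent_consents[user] = when
                alerts.append({"type": "illicit_consent_candidate", "user": user,
                               "app": app_name(r), "scopes": sorted(risky)})

        elif op == "New-ComplianceSearch" and user not in AUTHORISED_EDISCOVERY:
            params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
            alerts.append({"type": "ediscovery_by_unexpected_account", "user": user,
                           "location": params.get("ExchangeLocation"),
                           "query": params.get("ContentMatchQuery")})

        elif op == "CreateFlow":
            consent_time = recent_consents.get(user)
            if consent_time and when - consent_time <= FLOW_CORRELATION_WINDOW:
                alerts.append({"type": "flow_created_after_consent", "user": user,
                               "connectors": r.get("FlowConnectorNames", "").split(";")})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the constructed data the script raises three alerts, all for alice: the consent to "Mail Archiver Pro" with Mail.ReadWrite and offline_access, the flow created 85 minutes later using the Office 365 and SharePoint connectors, and the tenant-wide compliance search for "password OR VPN". The compliance admin's search and bob's consent to a User.Read-only app stay silent. In a real tenant, the response to the first alert is to remove the app's permission grant and revoke the user's refresh tokens, not merely to reset the password.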

Further highlights from the e-book

  • The COVID-19 pandemic has accelerated cloud migration and digital transformation at 88 per cent of organisations
  • 71 per cent of organisations using Microsoft Office 365 suffered hijackings of legitimate user accounts, on average seven times in the last year
  • 79 per cent say they have good visibility into attacks that bypass perimeter defences and penetrate their network
  • 58 per cent of organisations plan to allocate more funding to skills and technology this year, and 52 per cent plan to invest in AI and automation

Unfortunately, attacks like these are expected to continue in the months to come, as attackers keep exploiting human behaviour and using the cloud's legitimate tools to gain a foothold in a targeted organisation and remain there undetected. AI-based analysis and increased automation are essential to sift large volumes of threat data and detect the subtle behavioural signals that indicate compromise. Take precautions now and be prepared.

How Vectra AI protects Microsoft 365

Our partner, Vectra AI, is a specialist in exactly these issues, specifically in the detection of compromised accounts in Microsoft 365 as well as in traditional networks. Learn in our video how your company can quickly detect suspicious behaviour and threatening activities in hybrid networks, and then react immediately.


Video Vectra Cognito Detect for Microsoft Office 365

InfoGuard, the Swiss experts in cyber defence and incident response

In our ISO 27001-certified Cyber Defence Center in Switzerland we marry the most cutting-edge technology with our cyber defence experts' and threat analysts' years of experience. If you would like to learn more about Vectra's solutions or our Cyber Defence Services, we look forward to hearing from you. Our experts will be happy to advise you!
Contact us!

We have also compiled a comprehensive document on how to use Microsoft 365's security functions in a targeted manner. Download our free security checklist now and optimise your Microsoft 365 cloud security!
