Hackers used compromised Office 365 accounts to send millions of spam emails

News by Rene Millman

ATO attacks saw accounts used in spear-phishing and BEC campaigns

Security researchers have discovered that more than 1.5 million malicious and spam emails were delivered by hackers using roughly 4,000 accounts compromised via account takeover (ATO) in March this year.

In a blog post, researchers at Barracuda Networks found that hackers executed the account-takeover attacks using a variety of methods. In some cases, hackers leveraged usernames and passwords acquired in previous data breaches. Because people often reuse the same password across different accounts, hackers were able to successfully reuse the stolen credentials and gain access to additional accounts.

"Hackers also use stolen passwords for personal emails and use access to that account to try to get access to business email. Brute-force attacks are also used to successfully take over accounts because people use very simple passwords that are easy to guess and they don’t change them often enough. Attacks also come via web and business applications, including SMS," said researchers.

Researchers said that with more than half of all global businesses already using Office 365 and adoption continuing to grow quickly, "hackers have set their sights on taking over accounts because they serve as a gateway to an organization and its data — a lucrative payoff for the criminals".

Researchers said that hackers used mailbox rules to hide or delete any emails they send from the compromised account. The analysis found this happened "in 34 per cent of the nearly 4,000 compromised accounts".
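Because post-compromise mailbox rules are one of the few persistent artefacts an attacker leaves behind, auditing them is a practical detection step. The following is an added example (not code from the Barracuda report) that scans a list of inbox rules and flags those that delete mail, bury it in rarely-viewed folders, or forward it outside the organisation; the dictionary keys are assumed to mirror common Exchange Online inbox-rule properties, and all sample rules and addresses are constructed.

```python
"""Flag inbox rules of the kind added after an account takeover to hide or delete mail.

Added example. Input is a list of dicts whose keys are assumed to mirror Exchange Online
inbox-rule properties (Name, Enabled, DeleteMessage, MoveToFolder, ForwardTo, RedirectTo,
SubjectContainsWords). Sample rules below are constructed, not taken from any real tenant.
"""
from typing import Dict, List, Set

# Folders the mailbox owner rarely opens, so mail moved there is effectively hidden (assumption).
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "junk email", "archive"}
# Subject words that suggest the rule targets replies or bounces to mail the attacker sent (assumption).
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "wire", "undeliverable", "password", "re:", "fw:"}


def classify_rule(rule: Dict, internal_domains: Set[str]) -> List[str]:
    """Return the reasons a rule looks like ATO persistence; an empty list means nothing suspicious."""
    reasons: List[str] = []
    if not rule.get("Enabled", True):
        return reasons  # disabled rules do nothing, so they are not flagged
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to '{rule['MoveToFolder']}'")
    for key in ("ForwardTo", "RedirectTo"):
        for addr in rule.get(key) or []:
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                reasons.append(f"{key} external address {addr}")
    words = {w.lower() for w in rule.get("SubjectContainsWords") or []}
    # Keyword filtering alone is common in benign rules; only count it alongside a hiding action.
    if words & SUSPICIOUS_KEYWORDS and reasons:
        reasons.append("filters on keywords typical of BEC/phishing replies")
    return reasons


def audit_rules(rules: List[Dict], internal_domains: Set[str]) -> Dict[str, List[str]]:
    """Map each suspicious rule name to its reasons, skipping rules with none."""
    return {r["Name"]: reasons for r in rules if (reasons := classify_rule(r, internal_domains))}


# Constructed sample rules covering the hide, forward, benign and disabled cases.
SAMPLE_RULES = [
    {"Name": "Clean up", "Enabled": True, "DeleteMessage": True,
     "SubjectContainsWords": ["undeliverable", "invoice"]},
    {"Name": "Newsletter", "Enabled": True, "MoveToFolder": "Newsletters",
     "SubjectContainsWords": ["digest"]},
    {"Name": ".", "Enabled": True, "MoveToFolder": "RSS Feeds", "ForwardTo": ["mailbox@example.net"]},
    {"Name": "Old", "Enabled": False, "DeleteMessage": True},
]

if __name__ == "__main__":
    for name, why in audit_rules(SAMPLE_RULES, {"example.com"}).items():
        print(f"SUSPICIOUS rule {name!r}: " + "; ".join(why))
```

With real data, the same function can be run over the output of an Exchange Online inbox-rule export for every mailbox, and any hit should be reviewed together with the account's recent sign-in history.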

Hackers also tried to harvest users' credentials through spear phishing and brand impersonation.

"For example, scammers use email to impersonate a trusted entity, such as a well-known company or a commonly-used business application," researchers said.

They said that attackers try to get recipients to give up account credentials or click on malicious links. Attackers often use domain-spoofing techniques or lookalike domains to make their impersonation attempts convincing.

Corin Imai, senior security advisor at DomainTools, told SC Media UK that the most important thing to remember, in light of the percentage of Office 365 accounts compromised by ATO attacks, is that even known senders should not be trusted by default.

"Barracuda Networks’ findings should come as a reminder that we are all likely to receive at least some form of phishing email in our inbox, and that caution is a requirement when opening any email," she said.

"Most criminal groups running these campaigns are refining their techniques in an attempt to make their emails seem legit. However, there is usually at least one detail that gives away that the message might be a scam, be it an unusual phrasing or a link with a suspicious URL. Although it may sound trite to repeat this, phishing attacks are counting on an oversight from the human component of an organisation's security posture. This is a vulnerability we would love to patch, meaning we need to take education seriously and ensure that phishing prevention is part of each employee's training package."
