Hackers using brute-force attacks to infiltrate e-mail systems protected by MFA

News by Jay Jay

Brute-force attacks launched by cyber-criminals can allow them to compromise corporate e-mail systems such as Office 365, steal login credentials, and then use those credentials to read sensitive e-mails and to send malicious ones to unsuspecting employees, new research has revealed.
Research carried out by security firm Proofpoint shows how cyber-criminals can infiltrate enterprise e-mail systems and access sensitive corporate e-mails by carrying out brute-force attacks, even if such e-mail systems have single sign-on or multi-factor authentication in place.
"It only takes one compromised Microsoft Office 365 account to unlock access to a virtual goldmine of confidential data and access—and we have seen a major increase in organisations losing both money and data to these attacks," said Ryan Kalember, senior vice president of Cybersecurity Strategy for Proofpoint.
"Once an attacker compromises a trusted account, they can read a user's email, look at their calendar, and launch internal phishing email attempts from a trusted account."
According to Kalember, e-mail systems that support multi-factor authentication are also being targeted: the attackers go through legacy interfaces such as Exchange Web Services and ActiveSync, which in most deployments still accept a username and password alone and therefore never trigger the MFA challenge.
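That is the detail a defender can act on: a password spray against a legacy protocol shows up in the sign-in log as one source IP failing password authentication for many distinct accounts over an MFA-less client app, and a compromise shows up as a success over that same client app. The following detector is an added example, not Proofpoint's or Microsoft's code. It assumes Azure AD sign-in events exported as JSON lines with the usual field names (createdDateTime, userPrincipalName, ipAddress, clientAppUsed, status.errorCode) and uses the Azure AD error code 50126 for a wrong password; the events themselves are constructed, and the thresholds are illustrative.

```python
"""Spot password spraying over legacy (MFA-less) Office 365 interfaces.

Added example. Field names follow the Azure AD sign-in log schema, but the
sample events are constructed and the thresholds below are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Client apps that authenticate with username and password only, so a
# correct password is enough and no MFA challenge is ever issued.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Exchange Web Services", "IMAP4", "POP3",
    "Authenticated SMTP", "Other clients",
}
ERR_INVALID_PASSWORD = 50126   # AADSTS50126: invalid username or password
ERR_SUCCESS = 0


def _ev(ts, user, ip, app, code):
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "clientAppUsed": app, "status": {"errorCode": code}}


# Constructed sample: one IP sprays six accounts over ActiveSync inside five
# minutes, then logs in as the one account whose password it guessed; a
# browser login with MFA and one user's stale phone password are noise.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _ev("2019-03-05T09:00:10Z", "alice@example.com", "203.0.113.5", "Exchange ActiveSync", 50126),
    _ev("2019-03-05T09:01:02Z", "bob@example.com",   "203.0.113.5", "Exchange ActiveSync", 50126),
    _ev("2019-03-05T09:01:55Z", "carol@example.com", "203.0.113.5", "Exchange ActiveSync", 50126),
    _ev("2019-03-05T09:02:40Z", "dave@example.com",  "203.0.113.5", "Exchange ActiveSync", 50126),
    _ev("2019-03-05T09:03:30Z", "erin@example.com",  "203.0.113.5", "Exchange ActiveSync", 50126),
    _ev("2019-03-05T09:04:20Z", "frank@example.com", "203.0.113.5", "Exchange ActiveSync", 50126),
    _ev("2019-03-05T09:06:05Z", "frank@example.com", "203.0.113.5", "Exchange ActiveSync", 0),
    _ev("2019-03-05T09:10:00Z", "grace@example.com", "198.51.100.7", "Browser", 0),
    _ev("2019-03-05T09:11:00Z", "henry@example.com", "198.51.100.22", "Exchange ActiveSync", 50126),
    _ev("2019-03-05T09:12:00Z", "henry@example.com", "198.51.100.22", "Exchange ActiveSync", 50126),
    _ev("2019-03-05T09:13:00Z", "henry@example.com", "198.51.100.22", "Exchange ActiveSync", 50126),
])


def parse_signin_log(text):
    """Turn JSON-lines sign-in events into flat records with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "time": datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": rec["userPrincipalName"].lower(),
            "ip": rec["ipAddress"],
            "app": rec["clientAppUsed"],
            "code": rec["status"]["errorCode"],
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5):
    """Map source IP -> accounts it failed password auth for via legacy apps.

    A spray tries one or two passwords against many accounts, so per-account
    lockout never trips; the signal is the number of distinct users one IP
    fails for inside a sliding time window.
    """
    failures = defaultdict(list)
    for e in events:
        if e["app"] in LEGACY_CLIENT_APPS and e["code"] == ERR_INVALID_PASSWORD:
            failures[e["ip"]].append((e["time"], e["user"]))
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end, (t, _) in enumerate(attempts):
            while attempts[start][0] < t - window:   # slide window forward
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                alerts[ip] = alerts.get(ip, set()) | users
    return alerts


def detect_legacy_auth_success(events):
    """Successful sign-ins through legacy apps: the password alone sufficed."""
    return [(e["user"], e["ip"], e["app"]) for e in events
            if e["app"] in LEGACY_CLIENT_APPS and e["code"] == ERR_SUCCESS]


def analyse(text):
    """Run both rules and join them: a legacy-auth success from an IP that was
    spraying, for an account that IP targeted, is a probable compromise."""
    events = parse_signin_log(text)
    spray = detect_password_spray(events)
    legacy_ok = detect_legacy_auth_success(events)
    compromised = [h for h in legacy_ok if h[0] in spray.get(h[1], set())]
    return {"spray": spray, "legacy_success": legacy_ok,
            "likely_compromised": compromised}


if __name__ == "__main__":
    for name, hits in analyse(SAMPLE_LOG).items():
        print(name, hits)
```

Run against the sample, the spray rule names 203.0.113.5 and the six accounts it tried, the legacy-success rule names frank@example.com's ActiveSync login, and the join flags that login as the likely compromise; henry's three failures are one user and never reach the threshold. The durable fix is to block these client apps (legacy authentication) for every user, after which the second rule should fire on nothing and any hit is worth an incident ticket.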
The revelation by Proofpoint didn't surprise Andy Norton, director of threat intelligence for Lastline, who told SC Magazine UK that the Office 365 environment is becoming a huge target for cyber-criminals as the number of corporate users and the incidence of cyber-attacks are only increasing. He added that using third-party tools to dynamically analyse every URL and attachment to augment Microsoft security controls is the only way to detect sophisticated threat actors.
Commenting on the vulnerability of e-mail systems that have multi-factor authentication in place, Richard Archdeacon, advisory CISO at Duo Security, told SC Magazine UK that enterprises should implement multi-factor authentication solutions that apply zero-trust security principles through a reverse proxy. Such solutions combine MFA with device information and a risk-based approach to the use of applications, thereby mitigating brute-force attacks.
"The hacker will not only have to have the user login details, i.e. compromise the credentials, but will have to intercept the authentication; mimic the device - location/security status - and be given permission to access the application.
"In addition, the solution must be easy to implement in a hybrid environment which will protect not only cloud solutions but legacy in-house applications. As a general rule, complexity and tying together different components often provides gaps in the control mechanisms which can be exploited," he added.
Matt Walmsley, EMEA director at Vectra, said that considering a major rise in criminals' pursuit of privileged access in today’s hybrid world of cloud services and local infrastructure, it has become very difficult for enterprises to constantly identify reconnaissance and brute-force attacks that gain access into their networks.
The same applies to cloud infrastructure, where hackers launch attacks on cloud PaaS using stolen credentials, and such attacks remain invisible to workload- and cloud-instance-centric security controls. Hence it is imperative for enterprises to maintain full visibility over network and cloud assets if they intend to succeed in the long term, and artificial intelligence could be the solution.
"The task of quickly spotting the attacker behaviour, particularly when they are using legitimate tools and services for nefarious means, is beyond the speed and scale of humans alone. AI is now being used to combat cybersecurity adversaries by analysing digital communications in real time and spotting the hidden signals to identify nefarious behaviour whether they're in the cloud or operating in your local infrastructure," he said.
"AI can also 'tie together' the weak signals from the cloud and local infrastructure to identify the developing attack. The removal of security blind spots therefore dramatically improves your security posture. And when you are able to quickly identify and stop cyber-attacks before they're able to wreak havoc, you dramatically reduce business risk," he added.
