Attackers use Office 365 tools to steal data
Targeting of SaaS user accounts was one of the fastest-growing problems for organizations, even before COVID-19 forced a rapid shift to remote work, but a new report shows cybercriminals are using built-in Office 365 services in their attacks.
The study from network detection and response company Vectra, based on four million monitored Office 365 accounts, shows that 71 percent of those surveyed had seen suspicious Office 365 Power Automate behaviors.
In addition, 56 percent of customers saw suspicious Office 365 eDiscovery behaviors and 96 percent had seen attempts at lateral movement.
"Within the new work-from-home paradigm, user account takeover in Office 365 is the most effective way for an attacker to move laterally inside an organization's network," says Chris Morales, head of security analytics at Vectra. "We expect this trend to magnify in the months ahead. Attackers will continue to exploit human behaviors, social engineering, and identity theft to establish a foothold and to steal data in every type of organization."
Even with the increasing adoption of security postures to protect user accounts, such as multi-factor authentication, 40 percent of organizations still suffer from Office 365 breaches.
Tactics used by attackers targeting Office 365 include searching through emails, chat histories, and files for passwords or other interesting data; setting up forwarding rules to receive a steady stream of email without needing to sign in again; and using the trusted communication channel to socially engineer employees, customers or partners.
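One way a defender can hunt for the forwarding-rule tactic described above, as an added example that is not taken from the Vectra report: it scans Exchange Online audit records, assumed to be already exported as a list of dictionaries, for inbox rules or mailbox settings that forward mail outside the tenant. The `INTERNAL_DOMAINS` value and the sample records are constructed for illustration.

```python
# Exchange Online audit operations that can create or change mail forwarding.
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Cmdlet parameters that send a copy of incoming mail to another address.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress"}
# Assumption: the tenant's own mail domains; any other domain counts as external.
INTERNAL_DOMAINS = {"example.com"}


def external_targets(value):
    """Return the addresses in a parameter value that are outside the tenant."""
    targets = []
    for part in value.replace(",", ";").split(";"):
        addr = part.strip().lower()
        if addr.startswith("smtp:"):  # ForwardingSmtpAddress is often prefixed
            addr = addr[len("smtp:"):]
        if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
            targets.append(addr)
    return targets


def find_external_forwarding(records):
    """Return one finding per forwarding parameter that points outside the tenant."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in FORWARDING_OPS:
            continue
        for param in rec.get("Parameters", []):
            if param.get("Name") in FORWARDING_PARAMS:
                hits = external_targets(str(param.get("Value", "")))
                if hits:
                    findings.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                                     "operation": rec["Operation"], "targets": hits})
    return findings


# Constructed sample records (not real audit data).
SAMPLE = [
    {"CreationTime": "2020-10-13T08:02:11", "Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "collector@mail.example.net"}]},
    {"CreationTime": "2020-10-13T09:15:40", "Operation": "Set-Mailbox", "UserId": "bob@example.com", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.backup@example.org"}]},
    {"CreationTime": "2020-10-13T10:30:05", "Operation": "New-InboxRule", "UserId": "carol@example.com", "Parameters": [{"Name": "ForwardTo", "Value": "team-archive@example.com"}]},
    {"CreationTime": "2020-10-13T11:00:00", "Operation": "MailItemsAccessed", "UserId": "dave@example.com"},
]

if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE):
        print(finding)
```

Findings are leads for review rather than verdicts, since some external forwarding is legitimate; comparing the rule's creation time with the account's recent sign-in activity helps separate the two.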
The Power Automate feature -- formerly Microsoft Flow -- can be exploited to connect via HTTP to a command-and-control server to send data, or automatically sync OneDrive files to an attacker-owned Google Drive on every modification update.
The full report is available on the Vectra blog.