Identity theft has always been a lucrative business for criminals. Today, this often takes the form of account takeover (ATO) attacks against organisations. In these attacks, criminals hijack an employee’s legitimate email account and use it for malicious means – for example, to steal sensitive data or even to conduct attacks against other victims by impersonating the employee.

Microsoft 365 (M365) is the most popular enterprise cloud service in the world – with more than 155 million monthly active business users – so it is, unfortunately, a target for criminals looking to conduct ATO attacks at scale. According to its own figures, Microsoft experiences more than 300 million fraudulent sign-in attempts to its cloud services every day. This means that businesses using M365 need to be especially vigilant against ATO.

How do ATO attacks work?

ATO attacks are often targeted at organisations and initially combined with social engineering or phishing to trick employees into sharing their M365 credentials. You can find more information on how to protect your organisation against phishing attacks in M365 here.

Cyber-criminal gangs are well funded, sophisticated and organised – which means that ATO attacks are usually highly targeted, secretive and sustained. Once the criminal has access to an employee’s account they watch in the background for months, siphoning off personal information and gathering intelligence. They use the intel they gather on the employee to convincingly impersonate their communication style, which means they can mislead their contacts.

At the same time, the criminals will use their access to gather information on the organisation itself, mapping the corporate structure, working out who interacts with whom, and learning vital details such as who in the organisation has budget approval and sign-off. Once they understand who’s who, they’ll configure mailbox rules to move messages from specific individuals into folders they create – and then monitor – taking over susceptible conversations to effect malicious outcomes.
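A defender's check for the mailbox-rule behaviour described above, as an added example that is not part of the original article: it reviews an export of inbox rules and flags rules that quietly divert mail from colleagues. The record layout and sample data are constructed; field names are modelled on properties returned by Exchange Online's `Get-InboxRule`, and `ORG_DOMAIN`, the folder list, the heuristics and the two-signal threshold are assumptions to tune per tenant.

```python
import json

ORG_DOMAIN = "example.com"  # assumption: the tenant's own mail domain
# Assumption: default folders users seldom open, so diverted mail goes unnoticed.
RARELY_READ = {"rss feeds", "rss subscriptions", "conversation history",
               "archive", "junk email", "deleted items"}

# Constructed sample export: one record per inbox rule.
SAMPLE_EXPORT = json.loads("""[
 {"Mailbox": "finance.lead@example.com", "Name": ".", "Enabled": true,
  "From": ["cfo@example.com"], "MoveToFolder": "RSS Feeds",
  "MarkAsRead": true, "DeleteMessage": false},
 {"Mailbox": "finance.lead@example.com", "Name": "Newsletters", "Enabled": true,
  "From": ["news@vendor.example"], "MoveToFolder": "Newsletters",
  "MarkAsRead": false, "DeleteMessage": false},
 {"Mailbox": "j.smith@example.com", "Name": "From my manager", "Enabled": true,
  "From": ["manager@example.com"], "MoveToFolder": "Manager",
  "MarkAsRead": false, "DeleteMessage": false}
]""")

def review_rule(rule):
    """Return the list of reasons a single rule looks like mail hiding."""
    reasons = []
    internal = [a for a in rule.get("From", [])
                if a.rsplit("@", 1)[-1].lower() == ORG_DOMAIN]
    folder = (rule.get("MoveToFolder") or "").strip()
    hides = bool(folder) or bool(rule.get("DeleteMessage"))
    if internal and hides:
        reasons.append("diverts mail from internal sender(s): " + ", ".join(internal))
    if folder.lower() in RARELY_READ:
        reasons.append(f"moves mail to rarely read folder '{folder}'")
    if hides and rule.get("MarkAsRead"):
        reasons.append("marks diverted mail as read")
    if len(rule.get("Name", "").strip()) <= 2:
        reasons.append("rule name is blank or near-blank")
    return reasons

def audit(rules, threshold=2):
    """Flag enabled rules with at least `threshold` independent signals."""
    findings = []
    for rule in rules:
        reasons = review_rule(rule) if rule.get("Enabled", True) else []
        if len(reasons) >= threshold:
            findings.append((rule["Mailbox"], rule["Name"], reasons))
    return findings

if __name__ == "__main__":
    for mailbox, name, reasons in audit(SAMPLE_EXPORT):
        print(f"{mailbox} rule {name!r}: " + "; ".join(reasons))
```

The third sample rule, a user filing their manager's mail into a named folder, raises only one signal and stays below the threshold, which is what keeps ordinary filing rules out of the findings.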

Administrator accounts are a particularly popular target for ATO hackers. This is because they can do more damage, typically with the ability to change or access other user accounts, which means that by compromising one admin account the criminals get a skeleton key to a company’s employees.

Admin accounts also usually have elevated privileges that attackers want to exploit, for example, the ability to create additional company accounts. This means that criminals can use a legitimate organisation’s domain as a launchpad for a new wave of attacks.

There have also been cases of attacks targeted at Microsoft directly to compromise accounts in bulk. Microsoft admitted in April 2019 that hackers had accessed some outlook.com accounts for months as a result of compromised administrator credentials.

The potential consequences of ATO are therefore wide-ranging and can be extremely costly for any organisation. ATO can result in large-scale data breaches, as credentials open up access to an organisation’s most sensitive data, and can escalate into attacks on other organisations.

An ATO attack seen in the wild

A criminal campaign targeting Microsoft 365 admin accounts was discovered late last year. This was an extensive campaign, with a wide variety of enterprises and industries targeted.

In this case, the group used an email phishing attack to target unsuspecting admins. The email impersonated Microsoft branding and even used validated domain names, encouraging the victims to click on a link to a spoofed login for M365. When the targeted employees entered their details onto the fake site, their credentials were harvested and made available for cyber criminals to carry out ATO attacks.

For organisations, there are some lessons to be learnt from this account takeover campaign. Firstly, M365 is an active target for criminals. Secondly, admin accounts are under threat and need to be afforded additional security. Thirdly, criminals are sophisticated – they use legitimate domains that could easily be mistaken for a genuine service, to trick both employees and traditional spam filters.

How to protect against ATO in Microsoft 365

While ATO attacks can have very serious effects, thankfully there is a straightforward way to protect against them. The most effective method is to use multi-factor authentication (MFA). MFA means that accounts are protected with more than just a password, providing an additional layer of security on top of what is already offered by M365. At the absolute minimum, MFA is a must-have for admin or privileged account holders.

MFA is especially important because users notoriously use and re-use passwords across personal and business applications. Requiring additional authentication stops a stolen password from being the key into an organisation’s data. Remember: more than 80 percent of breaches start with weak or stolen credentials.

Keeping in mind that credentials are often used for more than one application, this will inevitably mean you need to secure Microsoft and non-Microsoft products from account takeover. It’s therefore important to choose an MFA solution that supports all systems, services and applications that need to be protected.

Visit our Defence365 page to find out more about additional layers of security to protect your organisation, whether you are preparing for, migrating to, or strengthening the performance of your M365 environment.
