Vectra, a provider of network threat detection and response (NDR), released its 2020 Spotlight Report on Microsoft Office 365, which highlights the use of Office 365 in enterprise cyberattacks. The report explains how cybercriminals use built-in Office 365 services in their attacks.

Attacks that target software-as-a-service (SaaS) user accounts are one of the fastest-growing and most prevalent problems for organizations, even before COVID-19 forced the vast and rapid shift to remote work. With many organizations increasing their cloud software usage, Microsoft  has dominated the productivity space, with more than 250 million active users each month. Office 365 is the foundation of enterprise data sharing, storage, and communication for many of those users, making it an incredibly rich treasure trove for attackers, says the report. 

“Within the new work-from-home paradigm, user account takeover in Office 365 is the most effective way for an attacker to move laterally inside an organization’s network.” said Chris Morales, head of security analytics at Vectra. “We expect this trend to magnify in the months ahead. Attackers will continue to exploit human behaviors, social engineering, and identity theft to establish a foothold and to steal data in every type of organization.”

Even with the increasing adoption of security postures to protect user accounts such as multifactor authentication (MFA), 40% of organizations still suffer from Office 365 breaches, leading to massive financial and reputational losses. In a recent study, analyst firm Forrester Research put the cost of account takeovers at $6.5 billion to $7 billion in annual losses across multiple industries.

Highlights from the Vectra 2020 Spotlight Report on Office 365 include:

• 96% of customers sampled exhibited lateral movement behaviors
• 71% of customers sampled exhibited suspicious Office 365 Power Automate behaviors
• 56% of customers sampled exhibited suspicious Office 365 eDiscovery behaviors

Morales adds, "Within the new work-from-home paradigm, user account takeover in Office 365 is the most effective way for an attacker to move laterally inside an organization’s network. And when there, attackers use the existing tools present to live off the land and avoid detection. We expect this trend to magnify in the months ahead. Attackers will continue to exploit human behaviors, social engineering, and identity theft to establish a foothold and to steal data in every type of organization."

"In terms of recommendations, identifying user access misuse has been treated as a static problem using approaches that are prevention-based, policy control-centric or rely on manual entitlements that surface threats as they occur, leaving little time to properly respond. These approaches continue to fail. Security teams must have detailed context that explains how entities utilize their privileges – known as observed privilege – within SaaS applications like Office 365. Just as attackers observe or infer interactions between entities, defenders should think similarly about their adversaries. This translates into understanding how users access Office 365 resources and from where, but without looking at the full data payload to protect privacy. It is about the usage patterns and behaviors, not the static access. Ideally, when security teams have solid information and expectations about SaaS platforms, malicious behaviors and privilege abuse will be much easier to quickly identify and mitigate," Morales says. 

The report is based on the participation of 4 million Microsoft Office 365 accounts monitored by Vectra from June-August 2020. Click here to download the Vectra 2020 Spotlight Report on Office 365. Read the companion blog here.