Microsoft recently reported a rise in attacks targeting election-related organizations. An advanced persistent threat (APT) group (also referred to as Strontium, APT28 or Fancy Bear) has been observed launching campaigns to steal login credentials from these organizations or compromise their accounts.
The attacks against Microsoft Office 365 accounts have mainly been targeting U.S. and U.K. organizations involved in political elections, such as campaign groups, advocacy groups, parties and political consultants, although many other businesses affected fall outside of that description. Other businesses targeted by the APT group are in the entertainment, hospitality, manufacturing, financial services and physical security industries, as observed by Microsoft.
In more recent months, the attackers have scaled up their tactics to more efficiently harvest credentials, using brute-force attacks and password spraying instead of spear phishing, the method of choice in 2016. The Microsoft Threat Intelligence Center (MSTIC) released a more detailed account of their observations of the attackers’ tactics.
A brute-force attack is a trial-and-error method used to obtain information such as a user password. In a brute-force attack, automated software is used to generate a large number of consecutive password guesses.
In a password spraying attack, an attacker attempts to authenticate to your network or applications by trying multiple usernames paired with a single password, which helps them evade detection by avoiding password lockouts. Attackers can use password spraying to discover weak passwords that then let them move laterally throughout your environment. Learn more in How to Test Your SIEM Detections for Password Spraying.
Protect & Defend Against Office 365 Attacks
To help protect your Office 365 accounts, detecting credential theft attacks like brute-force and password spraying is key to identifying indicators early enough to respond quickly and contain any damage to your organization. Blumira easily integrates with Microsoft/Office 365 to stream events and logs to its service for analysis, detection, alerting and response.
One example Office 365 detection is anomalous access attempts via password spraying, which can indicate that an attacker is using more methodical techniques to access your environment. Without a strong password policy, password spraying is highly successful, according to Blumira’s security team.
In our platform, we provide incident response recommendations (known as workflows or playbooks) such as blocking the source IP and resetting passwords for targeted users, if the attacker was able to successfully authenticate and access the Office 365 account.
Microsoft also recommends actively monitoring failed logins to find discernible patterns and track them over time. With Blumira’s advanced search and reporting (seen below), you can quickly use pre-built queries to search your logs for failed user account logins, or account lockouts that could indicate attacker behavior.
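As an added example (not Blumira's or Microsoft's code), here is one way to search failed logins for the two patterns described above: many usernames tried a few times each from one source (password spraying) versus many guesses against one account (brute force). The event layout, thresholds and 30-minute window are assumptions to tune, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed sign-in events: (timestamp, source IP, username).
# This tuple layout is an assumption, not the Office 365 audit log schema.
BASE = datetime(2020, 9, 10, 8, 0, 0)
SAMPLE = (
    # One password tried against six accounts, two minutes apart.
    [(BASE + timedelta(minutes=2 * i), "203.0.113.7", f"user{i}") for i in range(6)]
    # Twelve rapid guesses against a single account.
    + [(BASE + timedelta(seconds=10 * i), "198.51.100.23", "admin") for i in range(12)]
    # A user mistyping their own password three times.
    + [(BASE + timedelta(minutes=i), "192.0.2.50", "carol") for i in range(3)]
)


def classify_sources(events, window=timedelta(minutes=30),
                     spray_users=5, max_per_user=2, brute_attempts=10):
    """Label each source IP by the shape of its failed logins in a sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most `window` of time.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in rows[start:end + 1])
            heaviest = max(per_user.values())
            # Spray: many distinct accounts, each hit only once or twice,
            # which keeps every account below its lockout threshold.
            if len(per_user) >= spray_users and heaviest <= max_per_user:
                findings[ip] = "password_spray"
                break
            # Brute force: one account hammered repeatedly.
            if heaviest >= brute_attempts:
                findings[ip] = "brute_force"
                break
    return findings


if __name__ == "__main__":
    for ip, label in classify_sources(SAMPLE).items():
        print(ip, label)
```

A spray paced slower than the window falls through this check, which is why tracking the same failed-login patterns over longer periods matters.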
When it comes to prevention, one recommended security best practice is enabling multi-factor authentication (MFA) on your Office 365 accounts to provide an additional layer of security at login, after primary authentication (typically a username and password). Without access to a physical device with an MFA/authenticator app, remote attackers cannot easily log in using brute-force or password spraying tactics.
Blumira also integrates with many different identity providers, like Duo Security, Okta and Microsoft Active Directory (AD) to give you immediate insight into fraudulent MFA access attempts and other authentication-related indicators of anomalous activity.