Fingerprints of the Invisible Man

Over the past several months, we have seen a significant uptick in cyber incidents involving Microsoft Office 365 (O365), specifically hackers gaining access to corporate email accounts through spear phishing attacks. In most of these cases, an email is received by the unsuspecting company. This email looks remarkably like an O365 “Expiring Password” notification asking the person to click on a link to log into their account and change their password. Unfortunately, when the user follows the instructions, the hacker obtains the user’s current username and password, as well as the new password selected. Before the user knows what had happened, the hacker has already changed the password in the “real” version of O365 to their new password.

That’s where the problems begin! With access to O365, the hacker can now have access to all the same functions of O365 as the user. They can log in and read emails without restrictions, including confidential emails from within the organization, customers, attorneys, or other private contacts. They can learn the processes of the finance department, like how to request payments to be made, what the documentation looks like, and who needs to approve such payment. They can download any information from within O365 to their device, including protected data like personally identifiable information, protected health information, or financial account information. They can also send emails from the user account, even setting up filters to hide their activities and communications from the user. Basically, if the user can do it or see it in O365, so can the hacker.

What makes this situation even more terrifying is that the person identifying the hack isn’t the hacked organization; it’s someone outside the company, like a bank, vendor, or customer. At that point, it can often be too late. Data may have already been exfiltrated, cash transferred, and the company reputation impacted. So how can a company watch for this activity? Isn’t it like looking for the fingerprints of an invisible man? The fact is, an incident like this can be easily detected and monitored if organizations were following a basic proactive strategy to protect their network – a strategy called log monitoring.

While the hacker may have access to the user’s O365 account, they are limited to the same access and abilities as the user. In a typically well-controlled environment this does not include administrator access. This means if O365 logging is turned on, the hacker cannot turn it off. Logging allows O365 to track information about the user activity within the application, including log-in date and time, log-in location, data size transferred in and out, and other workplace analytics. Monitoring these logs can indicate the first signs of a compromise and allow IT to proactively protect the user account. For example, if a controller working in Boston suddenly logs into O365 from Taiwan, IT would be able to flag the account to either a) verify the controller isn’t in Taiwan to manually shut down the account or b) automatically disable the account until the location can be verified.

Monitoring can be a daunting task though, especially if done manually in a larger organization. Luckily there are tools to assist IT in monitoring and responding to suspicious activity. A Security Information and Event Manager (SIEM), whether monitored by IT or actively monitored by a vendor, can be a viable solution, accumulating logs from across the organization and between applications looking for trends or unusual activity. These tools can be the difference between proactively identifying a breach or losing significant data or cash to an unauthorized user. The most important aspects to this strategy are:

1. Ensure O365 logging is turned on.
2. Ensure the O365 logs are being maintained for an appropriate period of time – typically to 12 months (standard logging retains the log records for seven days which does not provide sufficient time to investigate a potential incident).
3. Establish a method for someone (internal or external) to review the logs on a regular basis.

For more information on how you can proactively protect your organization’s data and significantly reduce the chance of your business becoming the next victim of a cyber-criminal, contact Michael Camacho at mcamacho@citrincooperman.com or Kevin Ricci at kricci@citrincooperman.com.