It is becoming more commonplace to hear of cyber attacks that compromise large sets of user data. Attackers have many different vectors in their arsenal, ranging from complex attacks to simple phishing that yields the login credentials of a privileged user. Individuals in executive positions (CXO, VP, etc.) and in IT operational roles are likely to have privileged access to information systems.
Recently, a Bitglass customer identified a marked increase in authentication attempts from strange locations. Upon further investigation, it appeared the majority of these users were from the executive team. In short order, these users were locked out of Active Directory and Office 365 resources, first sporadically then frequently to the point where lockouts became untenable. The company’s domain security policy was set to lock users out after several unsuccessful logins in a short period of time.
A quick investigation via Bitglass’ access dashboards showed that one member of the executive team (chosen as a test case) had logged into Office 365 from home in the morning using Outlook and Word. Later in the day, this individual moved to the office and was suddenly locked out. As the user had logged in successfully at every access attempt throughout the day, the lockout appeared to have no cause.
Digging into the issue further, a number of failed login attempts were found, originating from several different IP addresses. Each of these login attempts came from an emulator attempting to masquerade as an actual Office application (Outlook, Word, etc.). After filtering unsuccessful login attempts against a list of these IP addresses, the attack vector was found. The attacker had a list of executive, management, and IT operations email addresses and had scripted logins that emulated real applications in an attempt to brute-force the accounts' credentials. The variety of IP addresses, emulated applications, and user accounts was an attempt to hide the attack from Office 365 in plain sight.
Through Bitglass security policies, access from the source IP addresses in the attacks was blocked. Users were no longer randomly locked out of their accounts and the organization was able to conclude their investigation of the issue. No data was leaked and a very intelligent attack was successfully thwarted.
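The pattern described above (failed sign-ins against a handful of privileged accounts, spread across many source IPs and several emulated client applications, while the real user succeeds from one IP) can be surfaced from sign-in records without any vendor dashboard. The following is an added example, not Bitglass code; the event tuples are constructed sample data and the thresholds (three IPs, two client apps, one-hour window) are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Office 365 sign-in records (not real log data):
# (timestamp, user, source_ip, client_app, result)
SAMPLE_EVENTS = [
    ("2018-03-01T08:02:00", "cfo@example.com", "198.51.100.7", "Outlook", "success"),
    ("2018-03-01T08:05:00", "cfo@example.com", "198.51.100.7", "Word", "success"),
    ("2018-03-01T09:10:00", "cfo@example.com", "203.0.113.10", "Outlook", "failure"),
    ("2018-03-01T09:11:00", "cfo@example.com", "203.0.113.22", "Word", "failure"),
    ("2018-03-01T09:12:00", "cfo@example.com", "203.0.113.35", "Excel", "failure"),
    ("2018-03-01T09:13:00", "cio@example.com", "203.0.113.10", "Outlook", "failure"),
    ("2018-03-01T09:14:00", "cio@example.com", "203.0.113.41", "Word", "failure"),
    ("2018-03-01T09:15:00", "cio@example.com", "203.0.113.22", "PowerPoint", "failure"),
    # A real user mistyping a password once from one IP should not trigger.
    ("2018-03-01T09:30:00", "analyst@example.com", "198.51.100.50", "Outlook", "failure"),
    ("2018-03-01T09:31:00", "analyst@example.com", "198.51.100.50", "Outlook", "success"),
]

def find_distributed_attacks(events, window=timedelta(hours=1), min_ips=3, min_apps=2):
    """Return {user: set(source_ips)} for accounts whose failed sign-ins inside any
    `window` come from at least `min_ips` distinct IPs and `min_apps` client apps.
    Thresholds are assumed defaults; tune them to the environment."""
    failures = defaultdict(list)
    for ts, user, ip, app, result in events:
        if result == "failure":
            failures[user].append((datetime.fromisoformat(ts), ip, app))
    flagged = {}
    for user, fails in failures.items():
        fails.sort()  # sliding window over time-ordered failures
        for i, (start, _, _) in enumerate(fails):
            in_window = [f for f in fails[i:] if f[0] - start <= window]
            ips = {f[1] for f in in_window}
            apps = {f[2] for f in in_window}
            if len(ips) >= min_ips and len(apps) >= min_apps:
                flagged[user] = flagged.get(user, set()) | ips
    return flagged

def ips_to_block(flagged, events):
    """Source IPs seen only in failures against flagged accounts. Any IP that also
    carried a successful sign-in is excluded so a real user is not blocked."""
    successful = {ip for _, _, ip, _, result in events if result == "success"}
    return set().union(*flagged.values()) - successful

if __name__ == "__main__":
    hits = find_distributed_attacks(SAMPLE_EVENTS)
    print("flagged accounts:", sorted(hits))
    print("IPs to block:", sorted(ips_to_block(hits, SAMPLE_EVENTS)))
```

Blocking only the failure-only IPs mirrors the outcome in the case above: the attack sources are cut off while the executives' own home and office addresses keep working.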
This is just one example of how attackers are beginning to leverage public cloud applications to get their hands on corporate data and user credentials. Given that only 24 percent of organizations routinely monitor SaaS and IaaS applications for security risk, most organizations are exposed to this type of attack. Fortunately, the organization in question had protected their Office 365 deployment with a cloud access security broker.