Industry executives and experts share their predictions for 2021. Read them in this 13th annual VMblog.com series exclusive.
Office 365 Threats and Inversion of the Corporate Network
By Oliver Tavakoli, Chief Technology Officer at Vectra AI
2020 presented a tidal wave of challenges to businesses in every
sector - from healthcare to hospitality to aviation. Every organization was
forced to adapt some aspect of its strategy, whether by reducing spending,
cutting staff, hiring at speed or changing operating models.
While the impact of the 2020 COVID-19 pandemic on the
technology industry was smaller than on other sectors, there was still a
significant amount of change. Many organizations were forced to implement and
accelerate digital transformation initiatives to support a rapidly deployed remote
workforce.
Organizations that had invested heavily in developing and
building robust on-premises security architectures had to significantly transform
and update their security strategy to protect against threats to assets used outside
of office walls. In fact, one of the biggest security realizations and lessons
learned in 2020 is that the protection of an employee's device, of their
interaction with the internet, and of their access to corporate applications must be
able to travel with them, independent of where they happen to be at a given
point in time.
As a direct result of accelerated work-from-home
initiatives, the adoption and daily use of cloud and SaaS (software-as-a-service)
applications surged in 2020, presenting many new threats. Attacks that target
SaaS and cloud user accounts were among the fastest-growing and most prevalent
problems for organizations, even before COVID-19 forced the vast and rapid
shift to remote work.
With organizations having increased their cloud software
usage, applications such as Office 365 dominated the productivity space. The Office
365 platform experienced more than 250 million active users each month and became the
foundation of enterprise data sharing, storage, and communication - also making
it an incredibly rich treasure trove for attackers.
It was no surprise then that Office 365 became the focus of attackers
in 2020, leading to some massive financial and reputational losses, despite the
increased adoption of multifactor authentication and other security controls
intended to serve as roadblocks to attackers. Among the breaches involving
Office 365, account takeovers were the fastest growing and most prevalent
attacker technique.
Attackers now focus on account takeovers rather than email
compromise to gain initial access in an environment. According to a recent study,
lateral movement is the most common category of suspicious behavior inside
Office 365 environments, closely followed by attempts to establish command-and-control
communication. Two Office 365 tools that have emerged as valuable to attackers
are Power Automate and eDiscovery Compliance Search.
Microsoft Power Automate, formerly Microsoft Flow, automates
day-to-day user tasks in both Office 365 and Azure and is enabled by default in
all Office 365 tenants. It can reduce time and effort to accomplish certain
tasks for users - but similar to PowerShell, attackers tend to want to automate
tasks as well. With over 350 application connectors available, the options for
cyberattackers who use Power Automate are vast. Office 365 eDiscovery
Compliance Search enables the search for information across all Office 365 content
using one simple command. All these techniques are actively used now, and they
are frequently used together across the attack lifecycle.
The number of threats targeted towards Office 365 users and other
similar platforms will undoubtedly continue to grow in 2021. Identifying user
access misuse has traditionally been tackled using prevention-based,
policy-centric approaches, or has relied on alerts that identified potential threats
as they occurred, leaving little time to respond appropriately. These legacy
approaches will continue to fail because they only show that an approved account is
being used to access resources; they do not provide any deeper insight into how
or why resources are being utilized and whether the observed behavior might be
useful to an attacker.
In 2021, security teams must focus on implementing measures that
provide a more detailed overview of how their users utilize privileged actions
- known as an observed privilege - within SaaS applications like Office 365.
This translates into understanding how users access Office 365 resources and
from where. It is about understanding the usage patterns and behaviors, not defining
static access policies.
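As an added example (not code from the article or from Vectra), the following script applies this "observed privilege" idea to the two Office 365 tools discussed above: it builds each account's baseline of (Workload, Operation) pairs from audit records before a cutoff date, then flags any later first-time use of Power Automate or eDiscovery search, and any account that suddenly spreads across several new workloads. The records are constructed; the field names follow the unified audit log schema, but the Operation values and accounts are assumptions.

```python
# Added example, not from the article: an "observed privilege" check over constructed
# Office 365 unified audit log records. Operation values and accounts are assumptions.
from collections import defaultdict
from datetime import datetime

# Workloads whose first use by an account deserves a closer look.
SENSITIVE = {"MicrosoftFlow", "SecurityComplianceCenter"}

def ts(rec):
    return datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S")

def observed_privilege(records, cutoff):
    """Map each account to the (Workload, Operation) pairs it used before cutoff."""
    baseline = defaultdict(set)
    for r in records:
        if ts(r) < cutoff:
            baseline[r["UserId"]].add((r["Workload"], r["Operation"]))
    return baseline

def find_deviations(records, cutoff):
    """Flag post-cutoff actions an account never performed before. Sensitive
    workloads are flagged on first use; other new workloads only count when an
    account touches three or more of them (a lateral-movement signal)."""
    baseline = observed_privilege(records, cutoff)
    new = defaultdict(set)
    for r in records:
        key = (r["Workload"], r["Operation"])
        if ts(r) >= cutoff and key not in baseline[r["UserId"]]:
            new[r["UserId"]].add(key)
    findings = []
    for user, keys in new.items():
        for wl, op in sorted(keys):
            if wl in SENSITIVE:
                findings.append((user, wl, op, "first use of sensitive workload"))
        workloads = {wl for wl, _ in keys}
        if len(workloads) >= 3:
            findings.append((user, "*", "*", f"{len(workloads)} new workloads"))
    return findings

# Constructed sample records, one per line (not real tenant data).
SAMPLE_LOG = [
    {"CreationTime": "2020-11-02T09:00:00", "UserId": "alice@example.com", "Workload": "Exchange", "Operation": "MailItemsAccessed"},
    {"CreationTime": "2020-11-03T10:00:00", "UserId": "alice@example.com", "Workload": "SharePoint", "Operation": "FileAccessed"},
    {"CreationTime": "2020-11-04T11:00:00", "UserId": "bob@example.com", "Workload": "MicrosoftFlow", "Operation": "CreateFlow"},
    {"CreationTime": "2020-12-01T02:10:00", "UserId": "alice@example.com", "Workload": "MicrosoftFlow", "Operation": "CreateFlow"},
    {"CreationTime": "2020-12-01T02:15:00", "UserId": "alice@example.com", "Workload": "SecurityComplianceCenter", "Operation": "SearchCreated"},
    {"CreationTime": "2020-12-01T02:20:00", "UserId": "alice@example.com", "Workload": "OneDrive", "Operation": "FileDownloaded"},
    {"CreationTime": "2020-12-01T09:00:00", "UserId": "bob@example.com", "Workload": "MicrosoftFlow", "Operation": "CreateFlow"},
]
CUTOFF = datetime(2020, 12, 1)
```

Bob's flow creation is not flagged because it is part of his baseline; Alice's is, because she had never touched Power Automate or eDiscovery before and then fans out across three new workloads in ten minutes.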
The importance of keeping a watchful eye on the misuse of user
access to SaaS data cannot be overstated, given its prevalence in real-world
attacks. SaaS platforms are a haven for attacker lateral movement, making it
paramount to monitor users' access to accounts and services.
As we look ahead to 2021, what are some of the other security
considerations organizations should prepare for? The inversion of the corporate
network will remain predominant as many enterprises around the world focus on
adopting a more permanent hybrid or completely remote work structure to
increase productivity, reduce overhead, and provide employees with better
flexibility. It is no longer the case that highly sensitive and
confidential data is only kept on-premises, where a small number of exceptions
are made in the protective firewall policies to allow for outbound
communication.
In 2021, de-perimeterization of the organization's
networks will finally be accepted as the norm, something which has been
anticipated for years and which the pandemic has accelerated. One of the leading
indicators of this is companies that are ditching Active Directory (on-premises
legacy architecture) and moving all their identities to Azure AD (a modern
cloud-enabled technology).
One of the best things an organization can do to prepare for security challenges in 2021
is invest in network detection and response (NDR) and deliver user access
via a Zero Trust architecture. Enterprises should think about where their most
important data is located (most likely in the cloud and SaaS applications) and determine
how efficient their security team is at ferreting out attackers from all these
places before they do any substantial harm. Both NDR and Zero Trust will help
organizations achieve these goals.
About the Author
Oliver Tavakoli is chief technology officer at Vectra AI.
Oliver is a technologist who has alternated between working for large and small
companies throughout his 25-year career - he is clearly doing the latter right
now. Prior to joining Vectra, Oliver spent more than seven years at Juniper as
chief technical officer for the security business. Oliver joined Juniper as a
result of its acquisition of Funk Software, where he was CTO and better known
as developer #1 for Steel-Belted Radius. Prior to joining Funk Software, Oliver
co-founded Trilogy Inc. and prior to that, he did stints at Novell, Fluent
Machines and IBM. Oliver received an MS in mathematics and a BA in mathematics
and computer science from the University of Tennessee.