Finance teams targeted as ‘email hijack attacks’ rise by 22%

Two out of three UK companies (66%) suffered brute force attacks against Microsoft 365 accounts during the past three months – up from 48% in the first quarter, according to bluedog Security Monitoring.

It reports that around 8% of all companies suffered breaches in the second quarter as a result of the attacks. bluedog has also seen a 22% rise in phishing attacks targeting the creation of apps within Azure. It believes every company is now being targeted at least once a week by this type of attack and in some cases, five or six times a day.

Tim Thurlings, CTO of bluedog, says the fraudsters are in particular targeting accounts, finance departments and credit collections teams. “The phishing attacks trick users into going to the legitimate Microsoft login page and giving permission to create an app that allows access to files, emails and mailbox settings.

“They can then set up a ‘forward and delete’ rule. Any emails the employee sends out are automatically forwarded to the hacker who can then amend the bank account number or insert a request to change the payment details before sending on to the victim. The original email is then deleted from the sender’s mailbox.

“This attack pattern can be mitigated by regulating the access of third-party integrated apps. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. IT teams should only allow access to necessary apps that support robust security controls. [See below.]

“It is also vital to enable the use of multi-factor authentication on all M365 accounts as this will help stop brute force attacks.”

bluedog says the rise in attacks is linked to the lockdown. Tim Thurlings says: “As more companies switch their employees to the Microsoft 365 system, it is harder to safeguard against these risks and ultimately companies need to use monitoring to detect where a breach has occurred.

“A Microsoft 365 monitoring service is a simple, low-cost solution that can be activated remotely and will spot the warning signs, such as a change of settings or permissions, so companies can step in and block access before any real damage is done.”
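The two warning signs Thurlings describes, a user consenting to an app and a forward-and-delete inbox rule, both leave records in the Microsoft 365 Unified Audit Log. The PowerShell below is an added example, not bluedog's code or part of its service: it runs a small detector over constructed sample records shaped like the objects Search-UnifiedAuditLog returns (the addresses, IPs, app name and permission string are made-up placeholders) and shows, commented out, the Exchange Online query that would feed it live data.

```powershell
# Added example (not bluedog's code). Flags two warning signs in Unified Audit Log records:
# a user consenting to an application, and an inbox rule or mailbox setting that forwards
# mail (with or without deleting the original). The sample records below are constructed
# to mimic Search-UnifiedAuditLog output, where AuditData is a JSON string.
$SampleRecords = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2020-06-15T08:12:33","Operation":"Consent to application.","Workload":"AzureActiveDirectory","UserId":"alice@example.com","ObjectId":"Invoice Viewer","ResultStatus":"Success","ModifiedProperties":[{"Name":"ConsentContext.IsAdminConsent","NewValue":"False"},{"Name":"ConsentAction.Permissions","NewValue":"[] => [[Scope: Mail.ReadWrite MailboxSettings.ReadWrite Files.ReadWrite.All]]"}]}' },
    [pscustomobject]@{ AuditData = '{"CreationTime":"2020-06-15T08:14:02","Operation":"New-InboxRule","Workload":"Exchange","UserId":"alice@example.com","ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"collect@attacker.example"},{"Name":"DeleteMessage","Value":"True"}]}' },
    [pscustomobject]@{ AuditData = '{"CreationTime":"2020-06-15T09:30:11","Operation":"New-InboxRule","Workload":"Exchange","UserId":"bob@example.com","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Reading"},{"Name":"SubjectContainsWords","Value":"Digest"}]}' }
)

function Find-MailboxHijackIndicators {
    [CmdletBinding()]
    param([Parameter(Mandatory)][object[]]$Records)

    # Cmdlet parameters that send a copy of mail somewhere else (inbox rules and Set-Mailbox).
    $forwardingParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo',
                        'ForwardingSmtpAddress', 'ForwardingAddress'

    foreach ($record in $Records) {
        $d = $record.AuditData | ConvertFrom-Json

        # Name -> value map of the cmdlet parameters; empty for Azure AD records.
        $params = @{}
        foreach ($p in $d.Parameters) { $params[$p.Name] = $p.Value }

        switch ($d.Operation) {
            'Consent to application.' {
                $isAdmin = ($d.ModifiedProperties | Where-Object Name -eq 'ConsentContext.IsAdminConsent').NewValue
                $scopes  = ($d.ModifiedProperties | Where-Object Name -eq 'ConsentAction.Permissions').NewValue
                [pscustomobject]@{
                    Time      = $d.CreationTime
                    User      = $d.UserId
                    Indicator = 'User consent granted to app'
                    Detail    = "App=$($d.ObjectId); AdminConsent=$isAdmin; Permissions=$scopes"
                }
            }
            { $_ -in 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox' } {
                $targets = $forwardingParams | Where-Object { $params.ContainsKey($_) }
                # A rule that only files or tags mail is not an indicator for this pattern.
                if ($targets) {
                    $deletes   = $params['DeleteMessage'] -eq 'True'
                    $indicator = if ($deletes) { 'Forward-and-delete rule' } else { 'Forwarding rule or setting' }
                    $where     = ($targets | ForEach-Object { "$_=$($params[$_])" }) -join '; '
                    [pscustomobject]@{
                        Time      = $d.CreationTime
                        User      = $d.UserId
                        Indicator = $indicator
                        Detail    = "Op=$($d.Operation); RuleName=$($params['Name']); $where; ClientIP=$($d.ClientIP)"
                    }
                }
            }
        }
    }
}

# Run over the constructed sample: expect two hits (alice's consent and her "." rule), none for bob.
Find-MailboxHijackIndicators -Records $SampleRecords | Format-Table -AutoSize

# Against a live tenant (ExchangeOnlineManagement module), feed the same function real records:
# Connect-ExchangeOnline
# $live = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#             -Operations 'New-InboxRule','Set-InboxRule','Set-Mailbox','Consent to application.' -ResultSize 5000
# Find-MailboxHijackIndicators -Records $live | Format-Table -AutoSize
```

Two points worth keeping in mind when tuning this: rules created by attackers are often given a throwaway name such as "." or a single letter, so the rule name is reported alongside the forwarding target, and a forwarding rule without DeleteMessage is still reported because the victim may simply not notice the copies going out.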

……………………………………………………………………….

TIP: How to prevent third-party apps from accessing Office 365

To prevent users in your organization from allowing third-party apps to access their Office 365 information, and to require future consent operations to be performed by an administrator, go to the Azure Active Directory admin center > Enterprise applications > User settings (https://go.microsoft.com/fwlink/?linkid=2119526).

Under the “Enterprise applications” heading, set the toggle “Users can consent to apps accessing company data on their behalf” to No. This governs future consents only: permissions that users have already granted to apps remain in place until an administrator reviews and revokes them.

Optionally, you can set up a process for your users to request access to third-party applications. In the Azure portal, configure an admin consent workflow by going to Enterprise applications > User settings (https://go.microsoft.com/fwlink/?linkid=2119526)

Under “Admin consent requests”, set “Users can request admin consent to apps they are unable to consent to” to Yes, choose at least one reviewer who will receive the requests, set your preferences for the remaining Admin consent requests options, and select Save. It can take up to an hour for the feature to become enabled.
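The same two settings can be applied and checked through Microsoft Graph from PowerShell, which is useful when you want to verify the state across tenants or re-apply it from a script. The block below is an added example and not from the original page or bluedog: it assumes the Microsoft.Graph.Authentication module, an administrator sign-in with the Global Administrator or Privileged Role Administrator role, and a placeholder reviewer account $ReviewerUpn; it also adds a fourth step the portal procedure does not cover, listing the delegated grants users have already made so that an app an attacker persuaded someone to consent to earlier can be found and removed.

```powershell
# Added example, not code from the original page or from bluedog. Applies the settings
# described in the steps above through Microsoft Graph. Requires the
# Microsoft.Graph.Authentication module and an administrator with the Global Administrator
# or Privileged Role Administrator role. $ReviewerUpn is an assumed placeholder.
$ReviewerUpn = 'secops-admin@example.com'
$Graph = 'https://graph.microsoft.com/v1.0'

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'Policy.ReadWrite.ConsentRequest',
                        'User.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'

# 1. Read the current user-consent setting. The portal toggle "Users can consent to apps
#    accessing company data on their behalf" maps to the permission-grant policies assigned
#    to the default user role:
#      Yes -> ManagePermissionGrantsForSelf.microsoft-user-default-legacy (any app, any permission)
#      No  -> an empty list (the setting recommended above)
$policy = Invoke-MgGraphRequest -Method GET -Uri "$Graph/policies/authorizationPolicy"
'Current user-consent policies: ' + (@($policy.defaultUserRolePermissions.permissionGrantPoliciesAssigned) -join ', ')

# 2. Turn user consent off for all apps.
Invoke-MgGraphRequest -Method PATCH -Uri "$Graph/policies/authorizationPolicy" -Body @{
    defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = @() }
}

# 3. Enable the admin consent request workflow with a named reviewer, so users who are
#    now blocked get a "request approval" path instead of a dead end.
$reviewer = Invoke-MgGraphRequest -Method GET -Uri "$Graph/users/$ReviewerUpn"
Invoke-MgGraphRequest -Method PUT -Uri "$Graph/policies/adminConsentRequestPolicy" -Body @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30
    reviewers             = @(@{ query = "/users/$($reviewer.id)"; queryType = 'MicrosoftGraph' })
}

# 4. The toggle only governs future consents. Grants users have already made stay in place,
#    so list user-consented (consentType = Principal) delegated grants that touch mail,
#    mailbox settings or files and review them. A malicious grant is removed with
#    DELETE $Graph/oauth2PermissionGrants/<GrantId>. Only the first page of results is
#    read here; follow @odata.nextLink in a large tenant.
$grants = (Invoke-MgGraphRequest -Method GET -Uri "$Graph/oauth2PermissionGrants").value
foreach ($g in $grants) {
    if ($g.consentType -ne 'Principal') { continue }
    if ($g.scope -notmatch 'Mail|MailboxSettings|Files') { continue }
    $app = Invoke-MgGraphRequest -Method GET -Uri "$Graph/servicePrincipals/$($g.clientId)"
    [pscustomobject]@{
        GrantId   = $g.id
        App       = $app.displayName
        Principal = $g.principalId
        Scope     = $g.scope
    }
}
```

If turning user consent off entirely generates too many requests, the middle option in the portal (“Allow user consent for apps from verified publishers, for selected permissions”) corresponds to assigning the policy ManagePermissionGrantsForSelf.microsoft-user-default-low instead of an empty list; mail and mailbox-settings write permissions are not classified as low-risk by default, so the attack described in this article still lands with an administrator.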

This recommendation is just one of many which bluedog gives on a daily basis to users of its Microsoft 365 Monitoring Service.