KnockKnock. Who’s There? The latest attack on Office 365
The recently disclosed KnockKnock attack brings up a few key lessons on Office 365 security.
Broadly used platforms make easy targets for attackers
As a platform's popularity rises, attackers increasingly focus on it. In this case, the runaway success of Office 365 has drawn the attention of a botnet operator, and many other malicious actors are turning to it as well. Back in the day, of course, malware was written primarily for Windows, in large part because the odds of bumping into a vulnerable Windows system were high. Now, with the rapid movement of common business applications to the cloud, the odds of finding a weakly protected Office 365 tenant are just as high. Couple that with the minuscule cost for an attacker to stand up a test tenant of their own, and they have a perfect setup for launching an attack.
Admin or system accounts provide entry points into an organization.
Attackers often assume, correctly, that organizations "set it and forget it" with these system accounts. This age-old technique didn't go away with the move to the cloud; in fact, it got easier, because these admin accounts are by definition Internet accessible and therefore easy to reach and "knock on". And how many of you have these privileged accounts protected by a single authentication factor, a password, and nothing else?
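The check a practitioner wants here is whether anyone is knocking on those single-factor privileged accounts. The following is an added example, not code from the original post or from Office 365 itself: it runs a simple detection over a constructed sign-in log and flags privileged, single-factor accounts that receive repeated failed logins spread across days (the pattern a per-hour lockout counter never sees). The log format, the account-naming convention for privileged accounts, and the thresholds are all assumptions made for the example.

```python
"""Added example (not from the original post): spot "knocking" on
single-factor privileged accounts in constructed sign-in records.

Assumptions (hypothetical, not taken from the article or from any real
Office 365 log format): each record carries a timestamp, the account name,
a result ("success"/"failure"), the source IP, and whether a second factor
was enforced. The thresholds below are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records, spread over several days so that a
# per-day or per-hour lockout counter would never trip.
SAMPLE_LOG = """\
2017-10-01T02:14:03Z svc-backup failure 203.0.113.10 mfa=no
2017-10-01T09:41:55Z alice success 198.51.100.7 mfa=yes
2017-10-02T03:02:18Z svc-backup failure 203.0.113.44 mfa=no
2017-10-02T11:20:00Z alice success 198.51.100.7 mfa=yes
2017-10-03T01:58:31Z svc-backup failure 203.0.113.91 mfa=no
2017-10-03T04:10:07Z admin-sync failure 203.0.113.10 mfa=no
2017-10-04T02:45:12Z svc-backup failure 203.0.113.10 mfa=no
2017-10-05T03:33:49Z svc-backup success 203.0.113.10 mfa=no
2017-10-05T08:00:00Z bob failure 198.51.100.9 mfa=yes
2017-10-05T08:00:30Z bob success 198.51.100.9 mfa=yes
"""

# Hypothetical naming convention for privileged/system accounts. In practice
# this list would come from your directory's role assignments.
PRIVILEGED_PREFIXES = ("svc-", "admin-")


def parse_log(text):
    """Parse the constructed space-separated format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip, mfa = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "result": result,
            "ip": ip,
            "mfa": mfa == "mfa=yes",
        })
    return events


def find_knocking(events, min_failures=3, min_span=timedelta(days=1)):
    """Return {account: summary} for privileged accounts that receive at
    least `min_failures` failed logins spread over at least `min_span`.

    The time-span condition is what separates slow knocking from a burst
    that a simple lockout policy would already catch.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    flagged = {}
    for user, evs in by_user.items():
        if not user.startswith(PRIVILEGED_PREFIXES):
            continue
        failures = [e for e in evs if e["result"] == "failure"]
        if len(failures) < min_failures:
            continue
        first_fail = min(e["time"] for e in failures)
        last_fail = max(e["time"] for e in failures)
        span = last_fail - first_fail
        if span < min_span:
            continue
        # No second factor on any sign-in means a guessed password is enough.
        single_factor = not any(e["mfa"] for e in evs)
        # A success after the run of failures is the worst case: the knock
        # was answered.
        success_after = any(e["result"] == "success" and e["time"] > last_fail
                            for e in evs)
        flagged[user] = {
            "failures": len(failures),
            "distinct_ips": len({e["ip"] for e in failures}),
            "span_days": span.days,
            "single_factor": single_factor,
            "success_after_failures": success_after,
        }
    return flagged


if __name__ == "__main__":
    for user, summary in find_knocking(parse_log(SAMPLE_LOG)).items():
        print(user, summary)
```

On the sample data only `svc-backup` is flagged: four failures from three source addresses over three days, never with a second factor, followed by a success. `admin-sync` sees a single failure and stays under the threshold, and `bob`'s one failure is a normal mistyped password on an MFA-protected account.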
Lateral movement leverages internal-to-internal phishing emails.
This portion of the attack is notable and increasingly common. How many of your employees will be wary of clicking links or opening attachments in an email that literally comes from an internal sender? And how many organizations have their cloud-based email security systems inspecting internal-to-internal email at all? It is understandable that most organizations focus their email protections on inbound mail, but it is increasingly important to also protect against malicious internal mail, because internal phishing has become a standard way for a targeted email attack to spread once one mailbox is compromised.
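To make the gap concrete, here is an added example (not code from the original post or from any mail-security product) that runs the same link and attachment checks under two policies: the common inbound-only scope, and a scope that also covers internal-to-internal mail. The organisation domain, the messages, the trusted-link list and the heuristics are all constructed for the example; the point is that the internal phishing lure is missed by the first policy and caught by the second with no change to the detection itself.

```python
"""Added example (not from the original post): identical content checks
applied under an inbound-only policy and under one that also scans
internal-to-internal mail.

Everything here is constructed: the tenant domain, the message fields, and
the simple heuristics standing in for a real mail-security engine.
"""
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"          # hypothetical tenant domain
# Hypothetical list of domains the organisation trusts in links.
TRUSTED_LINK_DOMAINS = {"example.com", "sharepoint.com"}
RISKY_EXTENSIONS = (".exe", ".js", ".hta", ".docm")

# Constructed messages. Message 3 is the internal-phishing case: a
# compromised internal mailbox mailing a colleague the same lure link that
# message 1 carried in from outside.
MESSAGES = [
    {"id": 1, "from": "vendor@supplier.net", "to": "alice@example.com",
     "links": ["http://login-example.com.attacker.test/verify"], "attachments": []},
    {"id": 2, "from": "bob@example.com", "to": "alice@example.com",
     "links": ["https://example.com/wiki"], "attachments": ["notes.pdf"]},
    {"id": 3, "from": "bob@example.com", "to": "carol@example.com",
     "links": ["http://login-example.com.attacker.test/verify"], "attachments": []},
    {"id": 4, "from": "bob@example.com", "to": "dave@example.com",
     "links": [], "attachments": ["invoice.docm"]},
]


def direction(msg):
    """Classify a message as inbound, outbound or internal relative to the org."""
    sender_internal = msg["from"].split("@")[1] == ORG_DOMAIN
    recipient_internal = msg["to"].split("@")[1] == ORG_DOMAIN
    if sender_internal and recipient_internal:
        return "internal"
    if recipient_internal:
        return "inbound"
    return "outbound"


def suspicious(msg):
    """Toy content checks standing in for a real scanning engine."""
    reasons = []
    for url in msg["links"]:
        host = urlparse(url).hostname or ""
        trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)
        if not trusted:
            reasons.append("untrusted link host: " + host)
    for name in msg["attachments"]:
        if name.lower().endswith(RISKY_EXTENSIONS):
            reasons.append("risky attachment: " + name)
    return reasons


def filter_mail(messages, scan_internal):
    """Return {id: reasons} for the messages the policy would flag.

    scan_internal=False models the common inbound-only configuration;
    scan_internal=True applies the same checks to internal-to-internal mail.
    """
    flagged = {}
    for msg in messages:
        d = direction(msg)
        if d == "outbound":
            continue
        if d == "internal" and not scan_internal:
            continue  # the weak setting: internal mail is trusted unscanned
        reasons = suspicious(msg)
        if reasons:
            flagged[msg["id"]] = reasons
    return flagged


if __name__ == "__main__":
    print("inbound only:      ", filter_mail(MESSAGES, scan_internal=False))
    print("inbound + internal:", filter_mail(MESSAGES, scan_internal=True))
```

Under the inbound-only policy only message 1 is flagged; messages 3 and 4, the lure link and the macro-enabled attachment sent from an internal mailbox, pass untouched. Widening the scope to internal mail catches both without touching the detection logic, which is the configuration change the paragraph above argues for.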
The bottom line is that attackers are "knocking" all around your enterprise, including on your cloud-based services. Recognizing this lets you improve your defenses where they are needed most.