Skip navigation

Evasive Brute-Force Attacks Target Office 365 Accounts

There’s a new sneaky brute-force attack targeting enterprise Office 365 customers, according to a new report from cloud access security broker, Skyhigh Networks.

Named KnockKnock, the attacks originated from 16 different countries, targeting the manufacturing, financial services, healthcare, consumer products industries and the U.S. public sector, according to Help Net Security. Attackers used 63 different networks and 83 IP addresses to conduct attacks.

To evade detection, attackers avoided casting a wide net, instead choosing to target a small set of companies and certain high-level employees using Office 365. They also only made 3-5 password-cracking attempts per account to avoid setting off any security alerts, according to SecurityWeek.

Attackers also leveraged the infrastructure of public hosting services to launch an attack against software as a service (SaaS) - Office 365.

They first acquired a set of corporate usernames and passwords that may have been tied to multiple cloud services, then used public cloud tenants to launch the brute-force attacks against Office 365 accounts.

Targeting Unprotected Accounts Without MFA or SSO

According to Skyhigh, “They hoped for companies not to have multi-factor authentication (MFA) and single sign-on (SSO) activated for apps that stored sensitive data.”

To increase their odds, the attackers targeted administrative/system accounts, not user accounts, which tend to have higher access privileges and weaker protection. Those included:

  • Service accounts used for user provisioning in larger enterprises
  • Automation accounts used for automating data and system backups
  • Machine accounts used for apps within data centers
  • Marketing automation accounts used for marketing and customer communication
  • Internal tools accounts used with JIRA, Jenkins, GitHub, etc.

Once compromised, attackers can exfiltrate data in the inbox, create a new inbox rule and launch internal phishing attacks against employees that are much harder to detect.

By enabling multi-factor authentication (MFA), the password guessing attack would be largely thwarted. Combining MFA with a single sign-on solution makes access more secure and easy for users, while allowing administrators to set up stronger access controls for cloud applications housing sensitive data.

Thu Pham

Information Security Journalist

@Thu_Duo

Thu Pham covers current events in the tech industry with a focus on information security. Prior to joining Duo, Thu covered security and compliance for the infrastructure as a service (IaaS) industry at Online Tech. Based in Ann Arbor, Michigan, she earned her BS in Journalism from Central Michigan University.