Hackers are targeting your Office 365 account - Here's how you can stop them

By now, you’re probably familiar with the concept of phishing attacks: cyber-attacks that are often email-borne and aim to steal login credentials or financial information, or to infect a user’s machine with malware like ransomware. If you’re not familiar with phishing attacks, you can read our blog on the most common threats.

What you might not be aware of is account takeover (ATO) attacks, which result in very calculated and convincing phishing attacks 78% of the time. Why are they so convincing? Because they come from the real-life email address of your colleague.

What is an ATO attack?

ATO attacks are on the rise according to Barracuda, with attackers using stolen login credentials to send phishing or malware attacks from a person’s legitimate business email address. Think about it: a lot of the advice around cybersecurity consists of checking that the sender of an email is legitimate and, for the cyber-savvy, the email address is the first place they’ll look. But if you see your colleague’s actual email address there, will you still be suspicious? Perhaps not, but you should be.

The research conducted looked at 50 random organisations, of which 19 had experienced an account takeover attack between April and June 2018. In total, 47 phishing attacks occurred; that’s more than 2 phishing attacks per ATO attack. Hackers also used the compromised accounts to launch spam attacks, utilising the high reputation attached to the email domains for maximum deliverability.

As you’d expect, these hackers need access to your email account. So how are they targeting victims to steal credentials in the first place? They’re posing as Microsoft with fake Office 365 notifications.

Stealing Office 365 credentials

Phishing emails posing as an Office 365 notification, in order to harvest your email credentials, are becoming more convincing and harder to spot than ever. Once your login has been stolen, hackers can pose as you to perform particularly convincing attacks on your co-workers. Often, these emails will claim your account has been suspended, or there’s an issue and you’re not receiving emails, prompting you to click on a link to ‘reset your password’ or ‘release your emails’.

The use of urgent messaging, like a suspended Office 365 account, is a long-time tactic of hackers, with the intention of tricking users into immediate action before they take the time to look out for suspicious elements in the email or webpage. However, 2018 has seen a huge upsurge in spoofed Office 365 emails as detailed in the original exposé.

How can I prevent an account takeover attack?

These attacks are harder to spot than traditional phishing emails, even though those are getting more sophisticated by the day, because the initial phishing email will appear to come from what is probably the most essential system in your business, Office 365. Then, once you or a colleague falls victim to the initial email, fraudulent emails will come from the actual email address of someone you and your colleagues trust.

Look for anything out of the ordinary in the email

Some of the initial phishing emails and fake landing pages don’t look like the real Office homepage or its email notifications, but chances are you don’t get a lot of emails regarding your Office 365 account, so you might not know exactly what to look out for.

If you’re familiar with the Office and Microsoft style, you might be able to spot out-of-place fonts or imagery, or even a completely different layout and off-brand colours. But fear not, this isn’t the only way to spot a phishing email.

Check email addresses and URLs

The initial phishing email purporting to be from Microsoft Office 365 is unlikely to come from an official Microsoft or Office email address, so always check the sender email address. It could be completely different to a Microsoft address – some of the summer attacks came from noreply@notifications.com – or they could use a common spoofing tactic of replacing similar letters, so the domain could be mlcrosoft.com or microscft.com – see what they did there?
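To show how the letter-swap check above can be automated on the mail gateway or in a mailbox rule, here is an added example (not code from TSG or the original post) that classifies the domain in a From: header as trusted, a lookalike of a trusted domain, or unrelated. The trusted-domain list and the sample headers are constructed; it folds commonly swapped characters before comparing and also catches the brand used as a sub-domain of an attacker’s domain, which goes slightly beyond the swaps the post lists.

```python
"""Classify the sender domain of a From: header as trusted, lookalike or
unrelated, catching letter-swap domains such as mlcrosoft.com and
microscft.com. Added example; trusted list and samples are constructed."""
from email.utils import parseaddr

# Hypothetical list of domains your organisation treats as genuine Microsoft senders.
TRUSTED_DOMAINS = ("microsoft.com", "office.com", "microsoftonline.com")

# Characters attackers substitute for one another; both sides are mapped
# before comparison so "mlcrosoft" and "microsoft" collapse to the same string.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character inserts, deletes or swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Lower-case and fold common look-alike characters and pairs."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a raw From: header."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "unrelated"          # no address at all: treat as untrusted
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"        # the real domain or a genuine sub-domain
    for trusted in TRUSTED_DOMAINS:
        # "microsoft.com.evil.net" puts the brand in front of a domain the
        # attacker controls; only the trailing part of a domain is authoritative.
        if domain.startswith(trusted + "."):
            return "lookalike"
        # At most one edit apart after folding homoglyphs: a letter-swap copy.
        if levenshtein(normalise(domain), normalise(trusted)) <= 1:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample headers, including the two swaps from the post.
    for hdr in ("Office 365 <alerts@mlcrosoft.com>", "noreply@microscft.com",
                "Microsoft <noreply@notifications.com>", "team@microsoft.com"):
        print(f"{hdr!r:45} -> {classify_sender(hdr)}")
```

The distance threshold of one edit is deliberately tight; widening it catches more swaps but will start flagging unrelated short domains, so tune it against your own mail flow.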

Check your account separately if you’re worried

If you get an email telling you that your Office 365 account has been suspended, don’t click the link in the email. You can either log in via the Office portal online or speak to your internal IT team or support provider like TSG to see if it’s a legitimate message.

This isn’t just good advice when it comes to avoiding account takeover attacks – if you receive an email that demands immediate action, don’t click on the link in the email. You could be prompted by LinkedIn to change your password for example, but by logging into your account directly from LinkedIn itself, you’ll find out whether it’s a legitimate request or not. And speaking of legitimate requests…

Don’t open or click on anything you didn’t expect

This is particularly pertinent for the second phase of the account takeover attack when the hacker, posing as your colleague, will send you an email with a malicious link or attachment. If you weren’t expecting that email, you should get in touch with that colleague immediately using a different method of communication – like speaking to them in person, calling or Skyping them – to ask if they sent the email.

A little while back, we came across an instance where a hacker had gained access to someone’s business email address and lay quietly for a while, specifically keeping tabs on an email conversation between that person and a customer of theirs. The hacker cleverly waited until the right time to strike, interjecting into the conversation with the supplier’s “new bank details”. In addition to taking over the account, the hacker was archiving the real emails from the customers so the person whose account they’d taken over wouldn’t see them. Thankfully, the customer was surprised enough by unexpectedly receiving these “new” details and called the supplier immediately to verify the email.

You can read more about what happened here and our advice on staying safe in our blog on email squatting.

Use 2-factor authentication and be vigilant

There are a number of other security measures you can put in place to keep hackers out of your inbox. Microsoft is dedicated to giving its customers robust security options, so if you don’t have 2-factor authentication set up on your account, talk to your IT team or external provider.

The most important thing is being cyber-savvy and aware of these threats. If you’re looking to find out how your employees fare in the face of phishing attacks, you can use a tool like Phish Threat to simulate realistic attacks – based on real, successful attacks – to gauge how many colleagues are likely to fall victim. Rather than chastising them, you’ll instead direct them to training if they click on a link in the simulated email.

Our blog is constantly updated with security tips to keep you and your business safe from hackers. Check out some of our top blogs below: