Cyber criminals are increasingly using phishing campaigns to attack cloud offerings such as Office 365. A compromised account belonging to an insider is worth its weight in gold for them, as it not only allows them to read emails, but also access connected services – and launch further attacks. NTT Ltd. explains how businesses should respond to the threat of phishing.
With several million active company users every day, cloud offerings such as Office 365 are becoming increasingly attractive for cybercriminals: attack techniques and tools, once developed, can be reused against many targets, i.e. companies. In addition, cloud accounts and the services associated with them are very worthwhile targets because of the wealth of data they hold.
Attack: analysis of contact relationships
Cyber criminals use compromised access credentials to analyze contact relationships, for example, in order to identify more worthwhile targets within the company. From the hijacked account, they then send phishing emails to employees who presumably have higher privileges. This makes them an insider threat with a particularly high chance of success - after all, an email from a colleague is more trustworthy than one from a stranger. If organizations do not recognize such attacks early, the potential for damage increases rapidly.
In the current GTIC Monthly Threat Report, NTT has summarized its experience from the analysis of phishing attacks and recommends that companies consider the following aspects:
- Train employees: Maintaining employee security awareness is a fundamental element in defending against phishing attacks. Organizations should therefore continuously train their workforce in recognizing social engineering tactics to better spot fraudulent emails.
- Monitor Mailboxes: Businesses should use analysis tools to continuously check mailbox log files to detect anomalies. This allows them to determine, for example, when a mailbox is being accessed from multiple IP addresses within a short period of time.
- Block IP addresses: As soon as the responsible staff have used security tools to identify an attacker's IP addresses or known malicious IP addresses, they should block them.
- Check forwarding rules: To disguise their activities and avoid detection, cyber criminals rarely access a hijacked mailbox directly. Instead, they often create rules that forward all emails sent, in order to gain access to internal company information. Organizations should therefore review all forwarding rules to detect threats and remediate tampering.
- Enable MailItemsAccessed verification: The MailItemsAccessed event is a mailbox auditing action that is triggered when mailbox data is accessed through email protocols and clients. Organizations typically search these records after a compromise to identify the messages and data an attacker accessed. The option, which is available for Office 365 E5, can also be used preventively to check sensitive accounts for unauthorized access.
- Implement multi-factor authentication: The silver bullet of all measures against phishing is the activation of multi-factor authentication (MFA): This requires users to provide additional proof of identity in addition to their username and password when accessing applications. Companies should use MFA especially for cloud accounts like Office 365, because with a hijacked account cybercriminals can access not only emails but also sensitive data from other services linked to the account. By expanding the use of MFA to other services like VPN, organizations can drastically strengthen security.
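The mailbox-monitoring check from the list above (one mailbox accessed from several IP addresses within a short period), shown as an added example that is not part of the NTT report. The record field names, the 30-minute window and the three-address threshold are assumptions; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names are an assumption modelled on an
# exported mailbox audit log; the addresses are documentation ranges.
def _ev(time, user, ip):
    return {"CreationTime": f"2024-05-06T{time}", "UserId": user,
            "Operation": "MailItemsAccessed", "ClientIPAddress": ip}

SAMPLE_EVENTS = [
    _ev("08:01:10", "alice@example.com", "192.0.2.10"),
    _ev("08:05:42", "alice@example.com", "192.0.2.10"),
    _ev("09:00:00", "bob@example.com", "198.51.100.7"),
    _ev("09:04:30", "bob@example.com", "203.0.113.50"),
    _ev("09:11:00", "Bob@example.com", "192.0.2.99"),
    _ev("15:00:00", "bob@example.com", "198.51.100.7"),
    _ev("10:00:00", "carol@example.com", "192.0.2.20"),
    _ev("10:10:00", "carol@example.com", "198.51.100.30"),
]

def multi_ip_mailboxes(events, window=timedelta(minutes=30), min_ips=3):
    """Return {mailbox: [(first_seen, last_seen, sorted_ips), ...]} for each
    moment a mailbox has >= min_ips distinct client IPs inside `window`."""
    per_user = defaultdict(list)
    for e in events:
        ts = datetime.fromisoformat(e["CreationTime"])
        per_user[e["UserId"].lower()].append((ts, e["ClientIPAddress"]))
    findings = {}
    for user, rows in per_user.items():
        rows.sort()                      # audit exports are not always ordered
        start, counts, hits = 0, defaultdict(int), []
        for ts, ip in rows:
            counts[ip] += 1
            # Drop events that have fallen out of the sliding window.
            while ts - rows[start][0] > window:
                old_ip = rows[start][1]
                counts[old_ip] -= 1
                if counts[old_ip] == 0:
                    del counts[old_ip]
                start += 1
            if len(counts) >= min_ips:
                hits.append((rows[start][0], ts, sorted(counts)))
        if hits:
            findings[user] = hits
    return findings

if __name__ == "__main__":
    for user, hits in multi_ip_mailboxes(SAMPLE_EVENTS).items():
        for first, last, ips in hits:
            print(f"{user}: {len(ips)} IPs between {first} and {last}: {ips}")
```

Tune the window and threshold to the organization's normal access pattern; a user on office network plus mobile data will routinely show two addresses.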
"Phishing still poses a threat to companies with enormous potential for damage," explains Sebastian Ganschow, Director Cybersecurity Solutions at NTT Ltd. "Companies have to counter this danger with all technical means. But that alone is not enough: You should train your employees so that they can reliably recognize fraudulent e-mails. A comprehensive security awareness of the workforce is an important factor in defending against phishing emails – especially when using cloud services such as Office 365, which can serve as a gateway for cybercriminals to enter the company."
BITKOM: 220 billion euros in damage per year
Investing in security technologies and applying proven security measures is more than necessary in view of the great potential for damage to companies. The industry association BITKOM puts the cost of cyber attacks on the German economy at more than 220 billion euros per year.
About Security Division and NTT Ltd.
Security is a division of NTT Ltd., a leading global technology services provider. The Security Division helps companies build a digital business that adheres to the security-by-design principle. Based on global threat intelligence, the Security Division provides prevention, detection and response to cyber threats while supporting business innovation and managing risk. The Security Division has a global network of SOCs, seven research and development centers, more than 2,000 security professionals, and handles hundreds of thousands of security incidents annually on six continents. The division also ensures efficient use of resources by providing the right mix of managed security services, security consulting services and security technology.