This case study describes an engagement in which SECMON1 was asked to conduct a security review of an organisation’s Office 365 (O365) environment. The organisation had received information from its clients that led it to suspect it had been breached.
It was clear from the outset that a breach had occurred. A significant amount of sensitive information had been used to commit fraud by altering the banking details on invoices sent to the organisation’s clients. The fraud exceeded $400,000.
The O365 security review (the SECMON1 O365 Health Check) examines all aspects of O365, including Exchange Online, SharePoint and OneDrive. The review is conducted in three stages:
Stage 1 – Visibility
- Logging and the current alerting rulesets are examined to determine whether there is adequate visibility into activity in the tenant.
Stage 2 – Security configuration
- Out of the box, the security configuration of O365 is not optimal. In addition, as new options and features are introduced into O365 over time, a configuration that was adequate when it was set can become outdated and increase risk.
Stage 3 – Compromise assessment
- Historical activity within the O365 environment is examined to determine whether there has been any suspicious activity that may indicate compromise.
Key Security Configuration and Process Errors
In summary, the following key security configuration and process issues contributed to the compromise:
1. Activity monitoring – There was no monitoring of account or mailbox activity at all. In this attack, monitoring would have detected the intrusion within hours of it occurring.
2. Multi-Factor Authentication (MFA) – MFA was not enforced for all accounts; it was missing on some user accounts and on some accounts with global administrator privileges.
3. Passwords – A number of staff were given a common password when onboarded and were not required to change it at first login.
4. Inactive accounts – Many accounts for users who were no longer active had never been disabled.
The Anatomy of the Attack
The attack on the client followed a pattern we are, unfortunately, all too familiar with.
1. The attacker gained access to a user account. The attack was mounted from Nigeria.
2. From that account, the attacker identified further accounts on which MFA was not enabled, including some with global administrator privileges. These accounts were subsequently compromised as well.
3. The attacker created additional accounts, including some with administrator privileges.
4. The attacker gained access to key user mailboxes containing sensitive financial information in the form of invoices that had been sent to clients.
5. The attacker set up mail forwarding rules, giving them a copy of ongoing correspondence to use as intelligence for the fraud.
6. The attacker created further rules to redirect particular correspondence, so that the victim would not see any future replies that might expose the fraud.
7. The attacker sent fraudulent communications to the victim (or to a third-party payer) requesting payment, attaching the original invoices altered to show the attacker’s banking details.
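Every step of this chain except the final fraudulent email leaves a trace in the tenant’s own audit trail. The following is an added example, not SECMON1’s tooling and not taken from the engagement: Python that applies the checks a daily monitoring job would run over Unified Audit Log records (one AuditData JSON object per line, as exported by Search-UnifiedAuditLog). The records, the tenant domain, the office egress addresses and the keyword lists are constructed for the example; the field names (Operation, UserId, ClientIP, ObjectId, Parameters, ModifiedProperties) follow the AuditData schema, and the example assumes unified audit logging is enabled in the tenant.

```python
"""Detection logic for the O365 account-takeover and invoice-fraud chain.

Runs offline over constructed Unified Audit Log records: one AuditData JSON
object per line, the shape produced by
  Search-UnifiedAuditLog ... | Select-Object -ExpandProperty AuditData
Field names follow that schema; every value below is invented for the example.
"""
import json

# Assumptions for this example (not from the case study): the tenant's own
# domains and the office egress addresses legitimate sign-ins come from.
TENANT_DOMAINS = {"victim.example"}
KNOWN_EGRESS = {"203.0.113.10", "203.0.113.11"}      # TEST-NET-3 placeholders
FINANCE_WORDS = {"invoice", "payment", "remittance", "bank", "account"}
# Folders attackers use to park mail the victim must not notice.
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                "archive", "deleted items", "junk email"}

# Constructed sample records: a compromised user (j.smith) adds an admin and a
# new account, then a finance mailbox (a.jones) grows forwarding rules; b.lee is benign.
SAMPLE_AUDIT_DATA = r"""
{"CreationTime":"2019-03-04T06:12:41","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"j.smith@victim.example","ClientIP":"198.51.100.23","ResultStatus":"Success"}
{"CreationTime":"2019-03-04T06:40:02","Operation":"Add member to role.","Workload":"AzureActiveDirectory","UserId":"j.smith@victim.example","ObjectId":"svc-backup@victim.example","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Global Administrator"}]}
{"CreationTime":"2019-03-04T06:52:17","Operation":"Add user.","Workload":"AzureActiveDirectory","UserId":"j.smith@victim.example","ObjectId":"it.support2@victim.example"}
{"CreationTime":"2019-03-04T07:05:30","Operation":"New-InboxRule","Workload":"Exchange","UserId":"a.jones@victim.example","ClientIP":"198.51.100.23","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment;bank"},{"Name":"ForwardTo","Value":"acct.payable@mail-relay.example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2019-03-04T07:06:11","Operation":"Set-Mailbox","Workload":"Exchange","UserId":"a.jones@victim.example","ObjectId":"a.jones","Parameters":[{"Name":"Identity","Value":"a.jones"},{"Name":"ForwardingSmtpAddress","Value":"smtp:acct.payable@mail-relay.example.net"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2019-03-05T09:15:00","Operation":"New-InboxRule","Workload":"Exchange","UserId":"b.lee@victim.example","ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"Vendor newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2019-03-05T09:20:00","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"b.lee@victim.example","ClientIP":"203.0.113.10:51022","ResultStatus":"Success"}
"""


def parse_records(text):
    """One AuditData JSON object per non-empty line -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parameters(rec):
    """Flatten an Exchange cmdlet's Parameters [{Name, Value}, ...] into a dict."""
    return {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}


def is_external(address):
    """True when an address (optionally 'smtp:'-prefixed) is outside the tenant."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return "@" in addr and addr.rsplit("@", 1)[1] not in TENANT_DOMAINS


def client_ip(rec):
    """ClientIP with the ':port' suffix some records carry on IPv4 removed."""
    ip = rec.get("ClientIP", "")
    return ip.split(":")[0] if ip.count(":") == 1 else ip


def detect(records):
    """Return (rule_id, actor, detail) findings, one per matched step of the chain."""
    findings = []
    for r in records:
        op, actor, p = r.get("Operation", ""), r.get("UserId", ""), parameters(r)
        if op == "UserLoggedIn" and r.get("ResultStatus") == "Success":
            ip = client_ip(r)                                   # step 1: the foothold
            if ip and ip not in KNOWN_EGRESS:
                findings.append(("LOGIN_UNKNOWN_IP", actor, ip))
        elif op == "Add member to role.":                       # step 2: privilege gained
            roles = [m.get("NewValue", "") for m in r.get("ModifiedProperties", [])
                     if m.get("Name") == "Role.DisplayName"]
            if any("administrator" in role.lower() for role in roles):
                findings.append(("ADMIN_ROLE_ADDED", actor, f"{r.get('ObjectId')} -> {roles[0]}"))
        elif op == "Add user.":                                 # step 3: persistence account
            findings.append(("USER_CREATED", actor, r.get("ObjectId", "")))
        elif op in ("New-InboxRule", "Set-InboxRule"):          # steps 5 and 6: rules
            targets = [p[k] for k in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo") if k in p]
            if any(is_external(t) for t in targets):
                findings.append(("RULE_EXTERNAL_FORWARD", actor, ";".join(targets)))
            words = {w.strip().lower()
                     for k in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
                     for w in p.get(k, "").split(";") if w.strip()}
            folder = p.get("MoveToFolder", "").rsplit("\\", 1)[-1].lower()  # strip "mailbox:\" prefix
            hides = p.get("DeleteMessage", "").lower() == "true" or folder in HIDE_FOLDERS
            if hides and words & FINANCE_WORDS:
                findings.append(("RULE_HIDES_FINANCE_MAIL", actor,
                                 f"rule {p.get('Name', '?')!r} matches {sorted(words & FINANCE_WORDS)}"))
            name = p.get("Name")
            if name is not None and len(name) <= 2:             # attacker rules are often named "." or "a"
                findings.append(("RULE_SUSPICIOUS_NAME", actor, repr(name)))
        elif op == "Set-Mailbox":                               # step 5 via mailbox-level forwarding
            fwd = p.get("ForwardingSmtpAddress") or p.get("ForwardingAddress")
            if fwd and is_external(fwd):
                findings.append(("MAILBOX_EXTERNAL_FORWARD", actor, fwd))
    return findings


def compromised_actors(findings, minimum=2):
    """Actors with at least `minimum` distinct finding types, i.e. a multi-step chain."""
    by_actor = {}
    for rule_id, actor, _ in findings:
        by_actor.setdefault(actor, set()).add(rule_id)
    return sorted(a for a, ids in by_actor.items() if len(ids) >= minimum)


if __name__ == "__main__":
    found = detect(parse_records(SAMPLE_AUDIT_DATA))
    for rule_id, actor, detail in found:
        print(f"{rule_id:<24} {actor:<26} {detail}")
    print("actors with a multi-step chain:", compromised_actors(found))
```

Run against the sample, the benign user produces no findings while the two compromised accounts each accumulate several distinct finding types, which is what the per-actor grouping is for: one external forwarding rule is worth a look, but an unknown-IP sign-in followed by a role grant, a new account and finance-keyword rules that delete or forward mail is the whole chain described above and should be escalated the same day. Geolocation is deliberately left out so the example runs offline; the egress allow-list stands in for the source-country observation in step 1. Step 7, the fraudulent outbound invoice, is not visible here because sending ordinary mail is not an audited configuration change, which is why the monitoring has to catch the earlier steps.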
Lessons Learned and Actions Taken
Activity monitoring
• If activity monitoring had been in place, the attack would have been detected on the first day.
• Daily monitoring of activity was implemented. Notably, further attack attempts were observed during the first few weeks of monitoring; none were successful.
Multi-Factor Authentication (MFA)
• If MFA had been enforced on the compromised accounts, the attack would have been very difficult to carry out.
• MFA was implemented for all accounts, including those with administrator privileges.
Mail forwarding rules
• Blocking mail forwarding would have made it much harder for the attacker to obtain the information the fraud depended on.
• Mail forwarding rules were blocked for all accounts (in Exchange Online, automatic forwarding to external addresses is controlled by the outbound spam filter policy and the remote domain settings).
• A complete review of all mailbox rules was undertaken, and the many rules created by the attackers were deleted.
Onboarding and Offboarding
• The onboarding and offboarding processes were not documented or communicated adequately to the service desk team, resulting in constant variations and shortcuts, including:
o new accounts being provisioned with weak security settings
o unnecessary additional O365 licensing fees for the client.
• The onboarding and offboarding processes were rewritten and the service desk team retrained. Simple checklists were introduced to keep the processes consistent.
• In addition, an account clean-up was undertaken and many accounts that should have been inactive were decommissioned.
• The accounts created by the attackers were also decommissioned.
Contact the Author
Director | SECMON1
PH 0428 183 095
The Rialto, 525 Collins St. Melbourne