Detecting Anomalous O365 Logins and Evasion Techniques

Summary

Businesses across multiple industries, regardless of size, are at risk of being targeted with Microsoft 365 phishing campaigns. These campaigns trick users into visiting fake Microsoft login page where threat actors capture the user’s credentials. Even accounts with MFA can be victim to these types of attacks. There are several ways in which MFA is being bypassed with these types of campaigns.

MFA Fatigue is one of the ways threat actors are bypassing MFA and this method attempts to exploit human error by repeatedly logging in with the stolen credentials causing an overwhelming number of MFA prompts in attempts to get the user to approve the login.

Another MFA bypass technique is SIM Swapping. A SIM card is a small chip that your mobile carrier uses to hold identification information to tie your phone to you and your mobile carrier. Threat actors have found a weakness in this because there are scenarios where a customer may need a new SIM card (for example, they lost their phone). Carriers can transfer your identification information from your old SIM card to new one. SIM Swapping is when a threat actor abuses this feature and impersonates you to convince your mobile carrier to switch your phone number to a SIM card that is in the threat actor’s possession. This then allows the threat actor to receive MFA codes sent to your number via phone call or SMS.

Man in the Middle Attacks are another notable MFA bypass technique. With this method, threat actors will wait for a user to enter credentials into a fake login page, then wait for you to allow the login with a push notification or steal the session or token after you enter in your code.

After gaining access to an O365 account, the threat actor typically does some reconnaissance on the user’s inbox and then will use the access to the user’s account to try to phish other users, typically with a financial motive. We commonly see inbox rules abused to try to hide the emails, so the user is unaware of the emails coming from their account.

Detection

24/7/365 Monitoring and Threat Detection such as Vertek’s Managed AlienVault Services

• AlienVault Unified Security Management uses a User Behavior Analytics platform to detect anomalous M365 logins by tracking user behaviors and login data.
• Enabling anomaly detection policies in Microsoft’s Defender for Cloud Apps. These alerts can be enabled in Defender, and then pulled into USM Anywhere where alerts can be investigated by Vertek’s SOC team when they occur.
• Custom alerts to alarm on suspicious logins and inbox rules.
• Monthly reporting to identify risky users and missing security controls.

Mitigation

• Implementing regular user training, so users can identify phishing attempts and understand the importance of good passwords and only approving logins if they know the sign-in is legit.
• Leveraging Microsoft tools to flag users that have been phished as risky users.
• Disabling legacy protocols as they are favored in credential attacks because they cannot enforce MFA.
• Utilize Microsoft Intune or other mobile device management (MDM) tools to block sign-ins from unregistered devices.
• Using a Managed Threat Intelligence service that helps your organization identify risky users by using Dark Web monitoring tools to identify leaked credentials.