Cybercriminals are using a sophisticated cyberattack to target Microsoft Office 365 Exchange Online email accounts, according to cloud access security broker (CASB) Skyhigh Networks.
The cyberattack, dubbed "KnockKnock," began in May and remains ongoing, Skyhigh said in a prepared statement. KnockKnock attacks emphasize precision targeting instead of high volume targeting, Skyhigh stated, and average five email addresses for each Office 365 customer.
KnockKnock targets administrative accounts that are commonly used to integrate corporate email systems with marketing and sales automation software, Skyhigh stated. These accounts are not linked to a human identity and require automated use, Skyhigh noted, and are less likely to have multi-factor authentication (MFA), recurring password reset or advanced security measures in place.
KnockKnock Office 365 CyberAttacks: The Risks
After cybercriminals gain access to an Office 365 account, KnockKnock enables them to exfiltrate any data in an Office 365 inbox, create a new inbox rule and initiate a phishing attack from this controlled inbox, Skyhigh indicated. Then, cybercriminals can attempt to spread the infection across an organization.
A Skyhigh analysis of KnockKnock attacks provided the following insights:
- Hackers used 63 networks and 83 IP addresses to launch their attacks.
- Roughly 90 percent of the login attempts came from China, with additional attempts originating from Russia, Brazil, the United States, Argentina and 11 other countries.
- KnockKnock targets included infrastructure and Internet of Things (IoT) vendors, along with departments related to infrastructure and IoT in large enterprises. These targets came from multiple industries, including manufacturing, financial services, healthcare, consumer products and the U.S. public sector.
- Most of the affected Office 365 email accounts were "non-human" system accounts.
A cloud-native security approach to KnockKnock and similar cyberattacks may prove to be ideal, Skyhigh Chief Scientist Sekhar Sarukkai said in a prepared statement. With this approach, an organization can gain complete visibility into Office 365 threats, Sarukkai said, and address these dangers before they escalate.
Office 365 Cyberattacks on the Rise
KnockKnock represents one of several cyberattacks to affect Office 365 customers over the past few months.
Cybercriminals recently have used hexadecimal escape characters, a sophisticated type of character encoding, to bypass Office 365 security protocols. That way, cybercriminals can encode malicious content in hexadecimal escape characters as part of phishing attacks against Office 365 customers, cloud security platform provider Avanan said in a prepared statement.
Also, hackers have launched brute force attacks against at least 50 Office 365 customers this year, according to Skyhigh. These attacks involved automated systems that repeatedly guessed the usernames and passwords for specific Office 365 applications or services.
Office 365 boasts more than 100 million monthly active users, Microsoft CEO Satya Nadella said in a prepared statement. Meanwhile, as more organizations deploy Office 365, sophisticated cyberattacks likely will follow.
To combat Office 365 cyberattacks, organizations require a dedicated cloud security solution that provides visibility and control over cyberattacks, Skyhigh Senior Vice President of Engineering Slawomir Ligier said in a prepared statement. Furthermore, this cloud security solution must enable organizations to secure their infrastructure, Ligier stated, and limit access to sensitive data.
