Identity-based cyberattacks (including credential theft, credential abuse and long-term access key theft) accounted for 56% of all incidents in Q2 of 2022, and Microsoft 365 remained the prime target for SaaS attacks, according to Expel's Quarterly Threat Report.
Expel is a Top 250 MSSP and a Top 40 managed detection and response (MDR) provider. The company's research findings are based on incidents collected through its security operations center (SOC) and on investigations into alerts, email submissions and hunting leads in Q2 of 2022.
Among the key findings:
- Business email compromise (BEC) and business application compromise (BAC), in which attackers gained access to application data, represented 51% of all incidents.
- Identity-based attacks in popular cloud environments like Amazon Web Services (AWS) accounted for 5%.
Amid that backdrop, Expel emphasized the importance of incorporating identity security into endpoint protection strategies.
Ransomware Groups Change Tactics
Also of note: Ransomware threat groups and their affiliates have all but abandoned the use of Visual Basic for Application (VBA) macros and Excel 4.0 macros to gain initial entry to Windows-based environments.
- In Q1, a macro-enabled Microsoft Word document (VBA macro) or Excel 4.0 macro was the initial attack vector in 55% of all pre-ransomware incidents. In Q2, that figure fell sharply to 9%.
- This change is likely in response to Microsoft’s announcement that it would block macros by default in Microsoft Office applications, Expel suggested.
- Instead, ransomware operators opted to use disk image (ISO), short-cut (LNK) and HTML application (HTA) files to gain initial entry.
Cloud Attacks Becoming More Sophisticated
Meanwhile, 14% of identity attacks against cloud identity providers attempted to get past the multi-factor authentication (MFA) requirement by repeatedly sending push notifications to the targeted user.
Fast ID Online (FIDO) authentication provides the best protection, Expel asserted. For MSSPs and customers that have not yet implemented FIDO, Expel recommends:
- Limit push notifications to one per minute to reduce the likelihood of brute-forcing.
- Then, configure MFA or identity provider policies to restrict access to managed devices only as an added layer of security.
Expel "strongly recommends" that security teams educate employees that repeated push notifications on MFA applications, like Okta, are not attempts by IT to perform maintenance or push updates. Rather, the push notifications are active attacks that attempt to gain application access. Employees should report this activity to their security teams immediately.
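The push-notification pattern described above is detectable from identity provider logs. The following is an added example (not Expel's code, and not based on any real IdP's log format): it reads constructed, simplified MFA event lines of the form "timestamp user event", applies the one-push-per-minute threshold the report recommends as a sliding window, and flags users who received more pushes than that, noting whether the burst ended in an approval.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real Okta or other IdP output). One line per
# push challenge or user response: "<ISO timestamp> <user> <event>".
SAMPLE_MFA_LOG = """\
2022-06-14T09:00:01Z alice push_sent
2022-06-14T09:00:05Z alice push_denied
2022-06-14T09:00:09Z alice push_sent
2022-06-14T09:00:14Z alice push_denied
2022-06-14T09:00:20Z alice push_sent
2022-06-14T09:00:31Z alice push_sent
2022-06-14T09:00:45Z alice push_approved
2022-06-14T09:02:00Z bob push_sent
2022-06-14T09:02:07Z bob push_approved
2022-06-14T09:30:00Z carol push_sent
2022-06-14T09:30:45Z carol push_sent
2022-06-14T09:31:20Z carol push_sent
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(push_sent|push_approved|push_denied)$")


def parse_log(text):
    """Parse the simplified log into (timestamp, user, event) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    events.sort(key=lambda e: e[0])
    return events


def detect_push_fatigue(events, window_seconds=60, max_pushes=1):
    """Flag users who received more than `max_pushes` push challenges inside
    any sliding window of `window_seconds` (default: more than one per minute,
    the report's recommended rate limit). Each alert records the peak number
    of pushes seen in a window and whether an approval followed the burst."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # user -> timestamps of pushes still inside the window
    flagged = {}                 # user -> alert dict
    for ts, user, event in events:
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # drop pushes that fell out of the window
            if len(q) > max_pushes:
                alert = flagged.setdefault(
                    user,
                    {"user": user, "pushes_in_window": 0, "first_push": q[0],
                     "approved_after_burst": False},
                )
                alert["pushes_in_window"] = max(alert["pushes_in_window"], len(q))
        elif event == "push_approved" and user in flagged:
            # An approval after a burst is the outcome a fatigue attack is after.
            flagged[user]["approved_after_burst"] = True
    return [flagged[u] for u in sorted(flagged)]


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_MFA_LOG)):
        print(alert)
```

On the sample data, alice is flagged with four pushes inside a minute followed by an approval (the case to escalate), carol is flagged for a lower-rate burst with no approval, and bob's single push-and-approve is normal. Raising `max_pushes` tunes the sensitivity for environments where users legitimately retry.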
Microsoft 365: A Common Threat Target
BEC in Microsoft Office 365 (O365) remained the top threat to organizations in Q2.
- 45% of all Q2 incidents were BEC attempts in O365. None of the BEC attempts Expel identified were in Google Workspace.
- 19% of BEC attempts bypassed MFA in O365 using legacy protocols, a 16% increase compared to Q1.
- Organizations should disable legacy protocols like IMAP and POP3. This step is critical, especially after going through the process to enable MFA. Once you turn those off, strongly consider disabling Basic Authentication to prevent any pre-auth headaches on O365 tenants.
For context, Expel monitors roughly twice the number of O365 tenants compared to Google Workspace. "But the fact that we didn't identify a single BEC attempt in Google Workspace is certainly interesting," Expel asserts.
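Before disabling legacy protocols, a defender wants to know which accounts still sign in over them, since those sign-ins are the ones that sidestep MFA. The following is an added example, not Expel's code or any vendor tooling: it audits constructed sign-in records whose field names are loosely modeled on the `clientAppUsed` attribute of Azure AD sign-in logs (the set of legacy client types is an assumption and should be adjusted to the tenant), reports which users succeeded or failed over legacy protocols, and flags source addresses that hit legacy protocols across several accounts.

```python
import json

# Client types that authenticate without modern auth, so MFA cannot be enforced
# on them. Assumed list modeled on the clientAppUsed values seen in Azure AD
# sign-in logs; extend it to match what the tenant actually reports.
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients",
}

# Constructed sample records (not real tenant data); IPs are documentation ranges.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "status": "success", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "IMAP4",
     "status": "success", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "POP3",
     "status": "failure", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Mobile Apps and Desktop clients",
     "status": "success", "ipAddress": "203.0.113.22"},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Authenticated SMTP",
     "status": "success", "ipAddress": "203.0.113.30"},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "IMAP4",
     "status": "success", "ipAddress": "198.51.100.7"},
])


def audit_legacy_auth(signins_json, legacy=LEGACY_CLIENT_APPS):
    """Return {user: {"succeeded": [protocols], "failed": [protocols]}} for every
    user with at least one sign-in attempt over a legacy client type."""
    report = {}
    for rec in json.loads(signins_json):
        app = rec.get("clientAppUsed", "")
        if app not in legacy:
            continue
        entry = report.setdefault(rec["userPrincipalName"],
                                  {"succeeded": set(), "failed": set()})
        bucket = "succeeded" if rec.get("status") == "success" else "failed"
        entry[bucket].add(app)
    return {u: {k: sorted(v) for k, v in e.items()} for u, e in sorted(report.items())}


def users_to_remediate(report):
    """Users with a successful legacy sign-in: that path never enforced MFA, so
    the account needs review and the protocol needs disabling."""
    return [u for u, e in report.items() if e["succeeded"]]


def shared_legacy_sources(signins_json, legacy=LEGACY_CLIENT_APPS, min_users=2):
    """Source IPs that attempted legacy-protocol sign-ins against several
    accounts; one address spraying many mailboxes is worth a closer look."""
    by_ip = {}
    for rec in json.loads(signins_json):
        if rec.get("clientAppUsed") in legacy:
            by_ip.setdefault(rec["ipAddress"], set()).add(rec["userPrincipalName"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) >= min_users}


if __name__ == "__main__":
    report = audit_legacy_auth(SAMPLE_SIGNINS)
    print(json.dumps(report, indent=2))
    print("remediate:", users_to_remediate(report))
    print("shared sources:", shared_legacy_sources(SAMPLE_SIGNINS))
```

Running this on the sample records lists alice and carol as accounts that authenticated over IMAP4 (and SMTP for carol) without modern auth, while bob only has a failed POP3 attempt; the same address appears against all three mailboxes, which is the kind of pattern to investigate before and after turning the protocols off.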
The Top Email Subject Lines Targeted
The top subject lines in malicious emails that resulted in an employee click or compromise were "Review document" and "Available?"
Expel’s data shows that social engineering themes that create urgency, a fear of missing out (FOMO), or potential financial loss are most likely to get a person’s attention and result in action (open, click, interact).
Of the top subject lines used in emails that Expel’s phishing team confirmed as malicious in Q2, the most common was no subject line. The attacker left it blank. This stayed consistent from Expel’s Q1 findings, suggesting this remains one of the more effective subject lines for phishing attempts.
Regarding Misconfigurations and Credentials
Common misconfigurations and exposed long-term credentials resulted in cloud security incidents.
- 5% of incidents were the result of misconfigurations and exposed long-term credentials in AWS.
- Expel recommends performing scans for exposed credentials using open-source tools like gitleaks.
- Remove unnecessary AWS identity and access management (IAM) access keys and rotate access keys often to ensure least privilege in AWS IAM security policies.
Although Expel saw fewer AWS cloud security incidents overall, it’s still important to practice good hygiene when it comes to configurations and credentials. Expel recommends regularly checking these settings and taking appropriate actions to fix lingering issues.
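The two recommendations above, scanning for exposed long-term credentials and removing or rotating IAM access keys, can be combined into one hygiene check. The following is an added example and not Expel's tooling or gitleaks itself: it applies a gitleaks-style pattern for AWS long-term access key IDs (the public `AKIA` prefix format) to a constructed config snippet, then evaluates constructed key metadata shaped like the output of `aws iam list-access-keys` joined with `aws iam get-access-key-last-used`. The age and idle thresholds and the `deploy-bot`/`alice`/`bob` users are assumptions; the `AKIAIOSFODNN7EXAMPLE` value is AWS's documented example key ID, and the other IDs are constructed.

```python
import re
from datetime import datetime, timezone

# Long-term AWS access key IDs start with AKIA; temporary (STS) keys start with
# ASIA and are deliberately not matched, since they expire on their own.
KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Constructed snippet standing in for a file found in a repository or image.
SAMPLE_REPO_TEXT = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = <secret-omitted-in-this-sample>
# temporary credentials use the ASIA prefix and are not flagged as long-term keys
session_key = ASIAEXAMPLE000000009
"""

# Constructed key metadata (not real account data), in the field names used by
# `aws iam list-access-keys` plus LastUsedDate from get-access-key-last-used.
SAMPLE_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active",
     "CreateDate": "2022-01-10T00:00:00Z", "LastUsedDate": "2022-06-29T12:00:00Z"},
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": "2022-05-01T00:00:00Z", "LastUsedDate": None},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": "2022-05-20T00:00:00Z", "LastUsedDate": "2022-06-28T08:00:00Z"},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Inactive",
     "CreateDate": "2021-03-01T00:00:00Z", "LastUsedDate": "2021-09-01T00:00:00Z"},
]
NOW = datetime(2022, 6, 30, tzinfo=timezone.utc)  # fixed "today" for the sample


def find_exposed_key_ids(text):
    """Return the distinct long-term access key IDs found in a blob of text."""
    return sorted(set(KEY_ID_RE.findall(text)))


def _parse(ts):
    if ts is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_keys(keys, now=NOW, max_age_days=90, max_idle_days=30, exposed=frozenset()):
    """Decide an action per key: revoke (found exposed), delete (inactive, never
    used, or idle too long), rotate (older than max_age_days) or ok.
    Thresholds are assumed policy values, not an AWS default."""
    findings = []
    for k in keys:
        age = (now - _parse(k["CreateDate"])).days
        last = _parse(k["LastUsedDate"])
        idle = (now - last).days if last else age
        if k["AccessKeyId"] in exposed:
            action, reason = "revoke", "key ID found in exposed-credential scan"
        elif k["Status"] != "Active":
            action, reason = "delete", "inactive key still present"
        elif last is None and age >= max_idle_days:
            action, reason = "delete", f"never used in {age} days"
        elif idle >= max_idle_days:
            action, reason = "delete", f"unused for {idle} days"
        elif age >= max_age_days:
            action, reason = "rotate", f"{age} days old (limit {max_age_days})"
        else:
            action, reason = "ok", ""
        findings.append({"user": k["UserName"], "key": k["AccessKeyId"],
                         "action": action, "reason": reason})
    return findings


if __name__ == "__main__":
    exposed = set(find_exposed_key_ids(SAMPLE_REPO_TEXT))
    for f in evaluate_keys(SAMPLE_KEYS, exposed=exposed):
        print(f)
```

The scan result feeds the key evaluation, so a key that is otherwise within its rotation window is still marked for immediate revocation when its ID shows up in source or configuration files; without that input the same key is merely due for rotation because of its age.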