
Office 365 Account Takeovers Surge, Research Finds


Fully 71 percent of Microsoft Office 365 deployments have suffered a takeover of a legitimate user’s account, not once but, on average, seven times in the last year, according to Vectra research results.

In Vectra AI’s survey of 1,112 security professionals working in mid- to large-sized organizations using Microsoft Office 365, the network detection and response (NDR) provider discovered that only one-third of the respondents believe they could identify and stop an account takeover attack immediately. The majority expect to take days or even weeks to subdue a breach.

While roughly 80 percent of security teams believe their companies have good or very good visibility into cyber attacks that skirt perimeter defenses, the confidence levels between management and security operations center (SOC) analysts contrast markedly, the data showed. While managers appear to have stronger conviction in their defensive abilities, they may not be seeing the complete picture, said Tim Wade, Vectra’s CTO team technical director.

“The tendency for managers to be significantly more confident than those working at the coalface suggests that there is a level of self-delusion going on here,” he said. “Perhaps it’s because the metrics that are being shared with senior management often focus more on the volume of attacks stopped rather than the severity of the attack or the number of investigations that reach a firm conclusion.”

Overall, 58 percent of the security pros in the study said that the gap between attackers and defenders is widening, sparked by a shift to the cloud and the COVID-19-fueled turn to remote working. Some 80 percent said that cyber security risks have increased in the last twelve months. Accordingly, 58 percent of businesses plan to invest more money in people and technology and 52 percent will invest in AI and automation in 2021.

With some 260 million Office 365 active monthly users worldwide, the platform is a treasure trove of critical business data and an enticing target for cyber thieves. “We’re regularly seeing identity-based attacks being used to circumnavigate traditional perimeter defenses like multi-factor authentication (MFA),” said Wade. “Account takeovers are replacing phishing as the most common attack vector and MFA defenses are speed bumps not force fields.”

This study’s results closely mirror findings in Vectra’s earlier Office 365 Spotlight Report, in which the company monitored some four million Office 365 customers over a three-month period. The data showed that 96 percent of networks exhibited suspicious lateral movement behavior and that attackers favored account takeovers to move laterally between the cloud and the network.

“Organizations need to take this seriously and plan to detect and contain account compromise before a material disruption of their business occurs,” Wade said. “Malicious access, even for a short period of time, can do a tremendous amount of damage.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.