Threat Actors Take Advantage of Exchange Online and Outlook on the Web with New Levels of Sophistication
New insight from Accenture Security highlights specific ways attackers are changing their tactics to make Microsoft’s email platform a tool rather than an obstacle for phishing attacks.
We all tend to think of our email platform as something that helps create a more secure environment for our networks. But disturbing new findings in Accenture’s 2020 Cyber Threatscape Report show that, in the wild, parts of Microsoft Exchange (and Exchange Online), as well as Outlook Web Access, are being used in sophisticated phishing campaigns:
- Threat groups like Belugasturgeon are hiding within Exchange traffic to obfuscate both command relays and data exfiltration
- Hackers are targeting Exchange servers that hold the Client Access Server role in order to deploy web shells that harvest credentials during Outlook on the Web sessions.
- Belugasturgeon even went so far as to register their own code as a Microsoft Exchange Transport Agent (legitimate transport agents include antivirus and mail-filtering agents), giving them access to email passing through Exchange and the ability to create, modify, or delete messages.
This level of sophistication makes it clear that the bad guys are willing to do whatever it takes to gain access to your credentials and email.
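One defender-side check that follows from the rogue transport-agent tactic described above, added here as an example and not taken from the Accenture report: in the Exchange Management Shell, record the registered transport agents once as a baseline, then re-run the script to flag agents that are new, changed, removed, or loading an assembly from outside the Exchange install directory. The baseline file path is an assumption; the cmdlet and property names (Get-TransportAgent, TransportAgentFactory, AssemblyPath) are the standard ones.

```powershell
# Example (not from the Accenture report): baseline-and-diff audit of Exchange transport agents.
# Run in the Exchange Management Shell on each Mailbox server. The first run writes the baseline;
# later runs compare against it and flag anything a rogue agent registration would change.
$BaselinePath = "C:\ExchangeAudit\transport-agents-baseline.json"   # assumed path, adjust as needed

# Exchange setup sets this environment variable on installed servers; an agent whose
# assembly lives outside that tree deserves a second look.
$installRoot = $env:ExchangeInstallPath

# Get-TransportAgent defaults to the Transport (Hub) service; add -TransportService FrontEnd
# in a second pass to cover the Front End Transport service as well.
$current = Get-TransportAgent | ForEach-Object {
    [pscustomobject]@{
        Identity = [string]$_.Identity
        Enabled  = $_.Enabled
        Priority = $_.Priority
        Factory  = $_.TransportAgentFactory
        Assembly = $_.AssemblyPath
    }
}

if (-not (Test-Path $BaselinePath)) {
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) agents). Review it by hand once."
    return
}

$baseline = Get-Content -Raw $BaselinePath | ConvertFrom-Json
$baselineByIdentity = @{}
foreach ($b in $baseline) { $baselineByIdentity[$b.Identity] = $b }

$findings = @()
foreach ($agent in $current) {
    $known = $baselineByIdentity[$agent.Identity]
    if ($null -eq $known) {
        $findings += "NEW agent '$($agent.Identity)' -> $($agent.Assembly)"
    } elseif ($known.Assembly -ne $agent.Assembly -or $known.Factory -ne $agent.Factory) {
        $findings += "CHANGED agent '$($agent.Identity)': assembly or factory differs from baseline"
    }
    if ($installRoot -and $agent.Assembly -and
        -not $agent.Assembly.StartsWith($installRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
        $findings += "OUT-OF-TREE assembly for '$($agent.Identity)': $($agent.Assembly)"
    }
}
foreach ($b in $baseline) {
    if (-not ($current.Identity -contains $b.Identity)) { $findings += "REMOVED agent '$($b.Identity)'" }
}

if ($findings.Count -eq 0) { Write-Output "No transport-agent changes since baseline." }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Any finding should be reconciled against change records before the baseline is updated, since a legitimate product upgrade can also add or move agents.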
While mitigating the issues above likely comes down to keeping any Exchange systems you still manage fully patched, users must also stay vigilant about abnormal communication problems. An email that never reaches its intended recipient, or an expected email from an external party that never arrives, can both be signs that a bad guy is tampering with your email conversations and inserting themselves into them in a case of business email compromise, particularly when the user in question handles a financial aspect of the organization, intellectual property, customer data, or employee information.