Articles & E-Books


How to prevent and detect Office 365 account takeovers

Nov 18, 2019

Organizations both large and small are targets of Office 365 account takeovers. 

In fact, 29% of organizations had their Office 365 accounts compromised by hackers in March 2019, according to a recent study by Barracuda Networks. This equates to one out of every three customers suffering an account takeover during a one-month period. 

Mass or targeted phishing campaigns, social engineering and brute-force attacks can all lead to unauthorized control of an account and organizational data.

Consider the impact of these two examples:

1. A phishing campaign led to the compromise of a business owner’s account. 

The attacker leveraged their access to identify the business owner’s cell phone provider, configure mailbox rules to send any communication from the cell phone provider domain name to the Deleted Items folder and immediately delete it.   

The purpose of the rule was to conceal communication from and between the business owner’s account and anyone from the cell phone provider. The attacker then placed an order for 10 iPhones. The unauthorized activity was only discovered when the cell phone provider called the business owner to validate the order. A review of the Office 365 account revealed one or more attackers had had access for more than three months.

2. A phishing campaign led to a compromise of an account that the organization did not know was granted global administrative privileges. 

The attacker leveraged this access to grant themselves further permissions to the CFO’s account, as well as an administrative assistant’s account that they identified as responsible for invoice creation and billing.  

The attacker then spent time identifying customer accounts and how invoices from the organization look. They then identified two client accounts to target with fake invoices.  

Similar to the first example, the attacker configured mailbox rules to send any communication from the client’s domain name to the Deleted Items folder, and immediately delete it. Neither the CFO or the administrative assistant saw any communication between the organization and their client.  

Finally, they leveraged the Send on Behalf permission, which they had granted themselves for the administrative assistant’s account, to send the fake invoices. The fraudulent billing and payment activity was only identified when one of the clients called the organization and one of the banks identified the suspicious activity in the receiving accounts that the attacker had setup.   

These are just two examples of the risks, both financial as well as reputational, that an organization faces from an Office 365 account take-over.

The challenges of securing Office 365

So how does account takeover happen? Office 365 presents quite a few new and unique challenges to organizations, including:

  • Email services are no longer on premises but rather hosted in a cloud environment the organization has very little control over.
  • Access to Office 365 accounts are available world-wide via the internet. Organizational logins are not protected behind a firewall or via a secure web portal.
  • There are multiple Office 365 plans available, each with varying products, security settings and data storage capability, which can lead to customer confusion.
  • Microsoft frequently changes the interface(s), making effective administration challenging.
  • Although not a new issue, end-users typically treat their mailboxes as filing cabinets, storing multiple years of information. All of this stored data is now at risk in a cloud-based mail environment.
  • Unless you are paying for higher levels of service, these are also challenges:
    1. Only basic authentication is supported.
    2. Auditing functionality is limited, and logging exists for shorter time frames.
    3. You will not have access to advanced eDiscovery and information governance.
    4. You will not have access to advanced threat protection.

Account takeover prevention

There are several ways you can prevent Office 365 email account takeovers. 

1. Enable multifactor authentication (MFA)

This is one of the best defenses against attacks aimed at Office 365.

It’s turned on by enabling Modern Authentication. There are a lot of configuration settings related to MFA, so be sure the read the documentation or get qualified help with its implementation. We have seen a lot of misconfiguration of MFA leading to end-user access issues, including a false sense of security that it is working.

Note that, unfortunately, MFA is not supported at the lower level of licensing.

2. Limit access to Office 365 by geographic regions 

This is another effective defense. It prevents the ability of an attacker to leverage hosts across the world in brute-force authentication attacks. 

It also prevents the ability of an attacker to log in from blocked geographic areas. Yes, they could still leverage proxy servers or other compromised hosts in allowed regions to launch attacks. However, you will still have limited the scope of potential hosts that could be used in an attack, as well as make it easier locate suspicious IPs within the logs.

Note that, like MFA, this is not supported at the lower level of licensing.

3. Train users

User training is still an effective method of defense. Train your users to pay attention before they click on links or open attachments, even from internal email addresses.

4. Purchase advanced threat protection

Purchasing a higher-level license that supports advanced threat protection limits the amount of potentially malicious emails reaching your end-users, decreasing the risk of account takeovers.   

5. Configure activity alerts to identify suspicious changes to the Office 365 environment

This is configured by first enabling audit logging for your organization and the recording of all user and administrative activity. Then you create individual alert rules for suspicious activity like the creation of forwarding rules, changes to mailbox permissions and sharing of external content.  

Note that this is not supported at the lower level of licensing.

6. Perform a regular review all existing Office 365 permissions 

This will help identify accounts that are active that should not be, as well as suspicious rules, Send on Behalf permissions, suspicious permissions to access other accounts, and accounts configured with administrative privileges.

Account takeover detection

One of the first places you might identify a potential account takeover is in the “Risky Users” or “Risky Sign-ins” area of the administrative interface. 

One interesting note: Several times we have noted that not every suspicious behavior is caught. For example, only one suspicious IP was identified in the interface, but a review of the logs showed five more suspicious IPs. 

From the Risky Sign-ins area, select a user and drill down into Sign-in events. Review the IPs associated with the suspicious events. Then search the rest of the logs for that suspicious IP address to identify any other impacted users.  

If you identify a compromised account, immediately export all logs. This will ensure that you have a copy of the logs from when you first identified the activity. Lower level licenses do not allow for more than a 30-day log retention period. After that, earlier events are overwritten. 

If you suspect something is amiss in your environment, export the Office 365 logs for the whole organization. Search them for “ForwardingSmtpAddress” and “DeliverToMailboxAndForward.” These two terms will identify if forwarding rules have been created. 

If you identify a compromised account, immediately lock the account and change the password. Export the entire contents of the account to a .PST file for further review. Log in to the account and review all existing mailbox rules. Force the restoration of items deleted from the Deleted Items folder. This will potentially reveal suspicious communication that had been hidden.

Audit the Active Directory (including Azure AD) to ensure that each account belongs to a known user. Look for the creation of new user accounts.

Consider completely disabling the ability to auto-forward email. There is a nice writeup about why and how to do so here.

Finally, when reviewing audit logs, look at the following areas for suspicious behavior:

  • UserLoginFailed
  • PermissionLeveAdded
  • AnonyousLinkCreated
  • SharingSet
  • GroupAdded
  • FileAccessed
  • Set-Mailbox
  • PageViewed

Prevent account takeover fraud

If you have any questions about account takeover fraud, how it happens and how to prevent it, contact Wipfli. Or keep reading on about Office 365 security:

Office 365 Security: The threats are evolving. Are you doing enough?

Secure your cloud — Five best practices


Lead Cybersecurity Consultant
View Profile