The Cloudlock CyberLab, our security intelligence arm, unearthed an Office 365 login attack where hackers were leveraging username enumeration specifically targeting the users in the IT department.
Back in February 2017, we published this cloud security infographic where we discussed how hackers have moved onto the cloud, specifically going after the users who hold the keys to the kingdom (e.g., CISOs and Security Managers). The Office 365 attack is another data point proving this hypothesis: Hackers understand that cloud systems have become mission critical, and privileged users with their complete and unrestricted access to cloud services create an incredibly attractive attack surface.
Leveraging machine-learning-based sensors across 10 million users and 16 billion events, we surfaced brute-force login attempts from 32 IP addresses across several domains within our customer base. Attackers were trying various combinations of first and last names for users, in an effort to verify these users' email aliases. The targeted users are mostly part of the IT departments within their respective organizations: They are employees with system authority, such as IT directors, system architects, and database administrators.
The logs indicate that attackers try up to 40 different combinations per user, immediately stopping after they get the correct email address to move on to the next user. This email harvesting effort is probably part of a larger and coordinated spear phishing attempt, where the attackers sift through professional databases or online networks, such as LinkedIn, zeroing in on specific users with privileged access rights to cloud systems.
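The enumeration pattern described above can be picked out of sign-in logs by profiling each source IP: an enumerator produces many distinct usernames, most of which do not exist, and the few that do exist are the harvested aliases worth warning the customer about. The following is an added illustration, not Cloudlock's detection code; the log format, event values and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample Office 365 sign-in events (not real customer data):
# (source_ip, attempted_username, result). "UserNotFound" means the alias
# does not exist in the tenant; "InvalidPassword" means it does exist, so
# the enumerator stops probing that person and moves on to the next one.
EVENTS = [
    ("203.0.113.7", "john.smith@example.com", "UserNotFound"),
    ("203.0.113.7", "jsmith@example.com", "UserNotFound"),
    ("203.0.113.7", "smithj@example.com", "UserNotFound"),
    ("203.0.113.7", "john_smith@example.com", "UserNotFound"),
    ("203.0.113.7", "johns@example.com", "InvalidPassword"),
    ("203.0.113.7", "mary.jones@example.com", "UserNotFound"),
    ("203.0.113.7", "mjones@example.com", "UserNotFound"),
    ("203.0.113.7", "jonesm@example.com", "InvalidPassword"),
    ("198.51.100.4", "alice@example.com", "InvalidPassword"),  # typo, then
    ("198.51.100.4", "alice@example.com", "Success"),          # real login
]


def profile_ips(events, min_distinct=5, min_unknown_ratio=0.6):
    """Return, per suspicious source IP, how many distinct aliases it probed,
    the share of attempts that hit non-existent aliases, and the aliases it
    confirmed (any result other than UserNotFound proves the alias exists).
    A legitimate user mistyping a password yields few distinct names and a
    low unknown ratio, so such IPs are left out. Thresholds are assumptions."""
    per_ip = defaultdict(lambda: {"names": set(), "attempts": 0,
                                  "unknown": 0, "confirmed": []})
    for ip, user, result in events:
        rec = per_ip[ip]
        rec["names"].add(user)
        rec["attempts"] += 1
        if result == "UserNotFound":
            rec["unknown"] += 1
        elif user not in rec["confirmed"]:
            rec["confirmed"].append(user)
    flagged = {}
    for ip, rec in per_ip.items():
        ratio = rec["unknown"] / rec["attempts"]
        if len(rec["names"]) >= min_distinct and ratio >= min_unknown_ratio:
            flagged[ip] = {"probed": len(rec["names"]),
                           "unknown_ratio": round(ratio, 3),
                           "confirmed": rec["confirmed"]}
    return flagged


if __name__ == "__main__":
    for ip, info in profile_ips(EVENTS).items():
        print(ip, info)
```

The `confirmed` list for a flagged IP is exactly the set of users to notify: their aliases are known to the attacker even though, as the logs here show, no password was found.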
What did CyberLab do?
As soon as we surfaced this pattern, we extended our research to look into a wider net of IP addresses and customers within the last week. So far we have seen hundreds of attempts with an approximately 2% success rate (meaning that the attackers actually found the right email alias for the user). There is no indication that the attackers have the passwords for these users as of now, which increases the likelihood of a very targeted phishing attempt.
We have reached out to the relevant customers, with the list of users and IP addresses involved, raising awareness for a larger targeted attack against their privileged users.
The majority of the largest breaches of all time started with the compromise and misuse of a single privileged user account (Sony, Anthem, Target, OPM, etc.). Given the colossal damage inflicted by the compromise of a single privileged user, it is of paramount importance to make the security of privileged accounts a priority in the cloud.