News of the attack came as part of a Proofpoint press release addressing a new product the company announced in early July. According to the release, attackers use brute force methods to steal corporate Microsoft Office 365 login credentials and log into enterprise systems. Even worse, the attacks can be successful, “even if the company has deployed single sign on or multi-factor authentication (MFA) as part of their security system,” the release said.
In the system, the hacker operates as a real user within the corporate email, the release said. This opens up multiple opportunities for malicious behavior.
SEE: Information security policy (Tech Pro Research)
According to a tweet from Proofpoint senior vice president Ryan Kalember, most of these attacks are targeting Exchange Web Services and ActiveSync. Sometimes phishing is also involved, Kalember wrote, but it’s not necessary.
Kalember went on to note that it’s very difficult for most organizations to be able to cover all of their interfaces with MFA. To protect Exchange Web Services from this vulnerability, admins must adhere to these three practices:
- Be fully migrated to O365
- Make sure to use Microsoft’s own MFA
- Be in Modern Authentication mode
“It only takes one compromised Microsoft Office 365 account to unlock access to a virtual goldmine of confidential data and access—and we have seen a major increase in organizations losing both money and data to these attacks,” Kalember said in the release.
In order to properly enable or disable modern authentication in Exchange Online, follow the steps on this Microsoft help article.
The big takeaways for tech leaders:
- A new security attack vector for Office 365 can bypass multi-factor authentication in Exchange Web Services and ActiveSync.
- To protect an organization, admins should be fully migrated to O365, use Microsoft’s own MFA, and be in Modern Authentication mode.