Anatomy of an Office 365 Phishing Attack

We recently had to assist a customer in dealing with a phishing attack against an Office 365 user’s account.

What is Phishing?

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website, the look and feel of which are identical to the legitimate site.

Phishing is an example of social engineering techniques being used to deceive users. Users are often lured by communications purporting to be from trusted parties such as social web sites, auction sites, banks, online payment processors or IT administrators.

Excerpt from Wikipedia (https://en.wikipedia.org/wiki/Phishing)

What Happened?

The user received an email requesting feedback on an email sent earlier. The user was distressed enough by the email to respond and apologize, whereupon the attackers sent a follow up email directing the user to a file to be downloaded.

Clicking the link loads a login page, requesting the user’s Office 365 credentials, whereupon the user is directed to some documents. At this stage the documents don’t really matter, and if the user does not realise that they’ve entered their credentials into a bogus site, their account is wide open.

The attackers then take their time reviewing the user’s email inbox, to identify a plausible method of extracting a fraudulent invoice for payment.

When they are ready to act, they enable a forwarding rule on the user’s Inbox, directing all emails to an external email address, in order to respond to any queries and send the invoice for processing. It seems they target approximately $5k – $10k, probably to remain under the compliance and authorization radar. They then trigger a mass email from the user’s inbox, to spread their attack to as many contacts in the user’s mail account as possible prior to the Office 365 SPAM rules shutting the mailbox down. Finally, the attackers tend to delete as many emails as is easy to get to, in order to wipe out the traces of their intent. They do a hard delete, which means the email goes straight to jail, and does not first stop in the Deleted Items folder.

How do you know you’ve been caught? The first real indication is the forwarding rule which triggers a “Low-Severity Alert” on Office 365 to Administrators. Other indicators are if the user’s Inbox starts behaving strangely, or access to the Inbox becomes erratic. Also watch out for new rules being created.

What should you do when your email account has been compromised? There are some excellent articles posted by Microsoft, which can be found here (https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-account), on how to respond and what to do next.

How did we respond?

  1. Reset the User’s Password
  2. Block the User’s Account
  3. Remove any Administrative Roles the User may have on Office 365
  4. Disable the mail forwarding rule via Outlook Web Access (the forwarder does not seem to come up in either the Exchange Management Console or the local Outlook client)
  5. Disable any suspicious rules in the Outlook Client (We disabled them to allow us to interrogate them in more detail as part of the post mortem)
  6. Run PowerShell script to check the audit logs, and attempt to create a timeline of events
    1. See here for the PowerShell syntax – https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance-audit/search-mailboxauditlog?view=exchange-ps
    2. And here for an excellent implementation (Although it’s a bit outdated – based on Exchange 2010/2013) – https://gallery.technet.microsoft.com/scriptcenter/Generate-a-Report-of-a33cde56
  7. If email entries were deleted, restore any recoverable items using the Restore-RecoverableItems PowerShell cmdlet
    1. See here: https://www.undocumented-features.com/2018/04/23/using-restore-recoverableitems-or-how-i-saved-my-own-bacon/
  8. Once the emails have been restored and operational control of the mailbox returned to the correct user, you can reset the password and enable the account
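The indicators in the "How do you know" paragraph and steps 4 to 7 above can be scripted against Exchange Online. The following is an added triage script, not the post's own, and assumes the ExchangeOnlineManagement module, an Exchange admin role, and a placeholder mailbox address:

```powershell
# Added example (not from the original post): triage a suspected-compromised
# Exchange Online mailbox. Assumes the ExchangeOnlineManagement module is installed
# and the caller holds an Exchange admin role. $Mailbox is a placeholder value.
param(
    [Parameter(Mandatory)] [string] $Mailbox,   # e.g. user@example.com (placeholder)
    [int] $LookbackDays = 30
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Mailbox-level forwarding: set on the mailbox object, so it never shows up
#    as an inbox rule in the Outlook client (the gap noted in step 4).
$mbx = Get-Mailbox -Identity $Mailbox
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Warning "Mailbox-level forwarding set: $($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)"
    # To clear it: Set-Mailbox -Identity $Mailbox -ForwardingSmtpAddress $null -ForwardingAddress $null
}

# 2. Inbox rules that forward, redirect or delete mail: the pattern used in this attack.
$suspicious = Get-InboxRule -Mailbox $Mailbox | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
}
foreach ($r in $suspicious) {
    Write-Warning ("Suspicious rule '{0}' Enabled={1} ForwardTo={2} RedirectTo={3} DeleteMessage={4}" -f
        $r.Name, $r.Enabled, ($r.ForwardTo -join ';'), ($r.RedirectTo -join ';'), $r.DeleteMessage)
    # Disable rather than remove, so the rule can be examined in the post mortem (step 5).
    Disable-InboxRule -Mailbox $Mailbox -Identity $r.Identity -Confirm:$false
}

# 3. Timeline from the mailbox audit log (step 6): rule changes, hard deletes, logons, SendAs.
$start = (Get-Date).AddDays(-$LookbackDays)
Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Owner,Delegate,Admin -ShowDetails `
        -StartDate $start -EndDate (Get-Date) |
    Where-Object { $_.Operation -in 'UpdateInboxRules','HardDelete','SoftDelete','MailboxLogin','SendAs','SendOnBehalf' } |
    Sort-Object LastAccessed |
    Select-Object LastAccessed, Operation, LogonType, ClientIPAddress, ClientInfoString |
    Export-Csv -Path ".\$Mailbox-timeline.csv" -NoTypeInformation

# 4. Hard-deleted mail (step 7) can be recovered once control of the mailbox is regained, e.g.:
#    Restore-RecoverableItems -Identity $Mailbox -FilterStartTime $start -FilterEndTime (Get-Date)
```

Mailbox auditing must already be enabled for step 3 to return anything (see the "Manage mailbox Auditing" link below).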

What can be done?

To avoid phishing attacks in the future, it is highly recommended to enable Multi-Factor Authentication for all users. Additionally, it would also be useful to customize the Office 365 login page, so that users will more easily identify phony login pages.

In addition to these technical measures, it is important that users are made aware of the dangers of phishing and trained on how to spot phony or suspicious links and pages. Phishing is a social engineering attack and it relies on the resemblance to a credible source to solicit the user’s details.

The instances and successes of phishing have certainly increased over the last period, with numerous reports received by Azuro, and even reported on in the news. Be alert.

Other helpful links:

  1. Connecting to Exchange Online via PowerShell – https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps
  2. Office 365 Security Incident Response – https://docs.microsoft.com/en-us/office365/securitycompliance/office365-security-incident-response-overview
  3. Security best practices for Office 365 – https://docs.microsoft.com/en-us/office365/securitycompliance/security-best-practices?redirectSourcePath=%252farticle%252fSecurity-best-practices-for-Office-365-9295e396-e53d-49b9-ae9b-0b5828cdedc3
  4. Manage mailbox Auditing – https://docs.microsoft.com/en-us/office365/securitycompliance/enable-mailbox-auditing?redirectSourcePath=%252fen-us%252farticle%252fEnable-mailbox-auditing-in-Office-365-aaca8987-5b62-458b-9882-c28476a66918

What is Docker and why should I care?

I have been thinking about use cases for Docker for quite some time. In my opinion, it's an over-hyped technology (like so many new and shiny technologies at the moment). I do however believe that it becomes relevant when you want to run very specific workloads at irregular intervals and need these workloads to be able to scale quickly and cheaply. So, I now have three very interesting use cases, as well as an implementation strategy that leverages Azure.

Scenario 1:
VSTS Build Agents - Being a Dynamics Partner, we still build many plugins and integrations, and these rely heavily on the CRM Context and Generated Entities. As we move towards greater DevOps capability, it seems reasonable to want to ensure that the entities used in an application or plugin are the latest entities, and therefore part of the build pipeline should refresh the generated entities. Enter Docker Containers. By using a Docker VSTS Agent Image (https://www.jamessturtevant.com/posts/Using-the-VSTS-Docker-Agent/) the image is quickly invoked, and can execute your funky custom build activities. There will be some additional work involved, deploy CRM SDK, Entity Build configuration, etc., but in principle, this will work.

Scenario 2:
Custom Excel Services Host - One of our (potential) customers sends out monthly reports in Excel format. To generate a report in Excel is generally a mess, as you need the Excel App installed and all kinds of funny things. This will obviously not fly on an Azure App service. But, enter Docker! (Whooshing Superman sounds) So, build your very special custom docker image (probably on a Windows Nano Server) with all your Excel and other Apps and voila, problem solved!

Scenario 3:
SQL Server Reporting Services - Azure SQL does not offer a deployment of SSRS, but thanks to Docker, one could spin up an instance of SSRS, produce any needed reports, and then let it all go again. https://hub.docker.com/r/microsoft/mssql-server-windows-express/ SQL Express with Advanced Services supports SSRS which should be sufficient for most scenarios, and SQL Express is also free, so no licensing risk.

Finally, how to make magic in Azure. One of the things I love most about Azure is the serverless components. Ideally, everything in an Azure deployment should be serverless, and there should simply not be any VMs. This isn't often the case, but if that is the stated goal, then how does one deploy Docker images in Azure, in a serverless manner? The first option for deploying Docker is Azure Container Services (AKS - https://azure.microsoft.com/en-us/services/container-service/ - No idea why the "K", if I remember I'll ask someone – edit – K = Kubernetes). This however deploys a Linux VM to host the Kubernetes infrastructure, so what's the point? I may as well deploy a VM directly. The next option, and by far the sexiest I've found to date, is Azure Container Instances (https://azure.microsoft.com/en-us/services/container-instances/). Enter serverless Docker deployments. Point it at your Docker Image Repository (look at Azure Container Registry - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro) and voila. Suddenly it costs you cents to run a docker image. This is what serverless compute is all about!

So, how, why and when to use Docker. I think that about covers it. Mind = Blown!

Inspiration and Aspiration

I’m sitting on the long flight home from Atlanta to Johannesburg, reflecting on the past 3 weeks I spent in the USA, what I got up to, and what I hope to achieve with these visits. I’m visiting the US quite often now, at least 3 times per year, with the intent of creating additional business opportunities for Azuro there. I generally plan the trips to coincide with a Microsoft conference, and this time it was Microsoft Inspire, previously known as Microsoft Worldwide Partner Conference.
This year it was held in Washington DC and I was quite excited to see DC, the capital of the free world. This was my third time attending Inspire/WPC, but it was the first time Waldick attended one. I’ve found them to be a great networking opportunity, and there are always too many sessions, filled with great content on all the latest products, features and trends coming out of Microsoft.

Having previously found myself quite rushed when arriving on the Sunday, I arranged our travel such that we arrived on the Saturday (8 July) instead. We arrived at our Airbnb around midday, and after a quick shower, took a walk down to the convention centre to get a feel for the distances and the city. We had been invited to an Office 365 pre-conference day on the Sunday and a sightseeing excursion with some of the other South Africans. Whilst we were looking forward to seeing the sites of DC, we opted to attend the Office 365 day, which turned out to be an informative and engaging day focused largely on marketing strategy and the future of Office 365 and the CSP (Cloud Solution Provider) program. There were great talks during the day, especially the ones by Sharka Chobot and Mark Stuyt of Neural Impact. We had a choice of parties to attend the Sunday evening, so after a brief walk around the commons area, we set off for some of the nightlife. We again opted for an early night, to make sure we would be fresh for the keynotes.

Monday had finally arrived and it was time for the opening Keynote. The SA Partner team have really made an effort over the last year to improve the cohesion of the South African contingent, and arranged that we all grab a block of seats together. As luck would have it, the block of seats turned out to be suites, but after a few roundabouts we eventually settled in and found each other. This bit of organisational mayhem earned Danie Gordon from MS the first ever Hulk Award received outside of South Africa.

Satya’s keynote was inspiring as always, and set the tone for a week of interactions and learning. My key takeaway from Satya’s keynote, and the subsequent sessions, keynotes and other talks we attended or had with various Microsoft personnel, is that Microsoft is focused on their partner-channel more than ever. The massive shake-up announced to the Partner Program probably gives smaller and niche partners their best chance of breaking into the Microsoft partner ecosystem with more impact. At Azuro we’re certainly taking this opportunity to refocus our efforts, and ensure that Microsoft is aware of our offering and how we go about our business.

The other major focus was on AI, Cognitive Services and the Fourth Industrial Revolution. There’s a lot of talk of Digital Transformation, and I believe the real killer Apps of the next wave will be Intelligent Systems. We will see more and more decision-making capabilities built into applications, enabling workers to spend more time interacting and engaging with customers, while systems power the businesses. Of course, there will also be massive disruptions to many traditional jobs, and I’m certain we don’t yet know the extent to which today’s work-landscaping will be reshaped by these new and emerging technologies.

Sadly, the week ended way too quickly, but we managed to forge some new relationships, strengthen existing ones, and get great insight into the next 12 months with Microsoft.
Following on from Inspire we headed first to Denver, where we spent a quick stint doing some much-needed strategic planning after all the events of Inspire, and then we headed to New York City to meet with a client there. Here Waldick and I parted ways, as he returned home to South Africa, while I returned to Denver to work on some US opportunities.
Having spent quite some time in the US, and attended several of the Microsoft conferences, as well as reading many articles and other sources, I am again inspired by the opportunities to transform businesses, people, and the world, through the application of innovative technologies. More and more, the role of technology is to facilitate better interactions between people, systems and businesses. It’s about telling a human story, by using great technology. That’s what I see us at Azuro striving for every day, and what I hope that my team and I can offer our customers and their customers.

The aspiration then is to take our specialised team and services, and make it available to the world. Through that we will continue to inspire, and be inspired, by our great customers and partners, and their stories.
