Bekker's Blog

Blog archive

Office 365-Focused Botnet Puts Spotlight on Security of System Accounts

The recent discovery of a botnet aimed at Office 365 customers puts a spotlight on a commonly overlooked category of system accounts.

Skyhigh Networks this month reported a botnet it dubbed "KnockKnock" that it discovered several weeks ago. Active since at least May, and especially active from June through August, the relatively small botnet seems to have been highly targeted in both the types of accounts it attacked and the types of organizations it went after.

"The reason this is interesting is not that a botnet is trying to get into accounts, but the fact that it is trying to get into system accounts," said Sekhar Sarukkai, chief scientist at Skyhigh Networks, in an interview.

What the attack does, according to Skyhigh's description, is go after the system accounts that are commonly used to connect the Exchange Online e-mail system with marketing and sales automation software. In cases where the system accounts were compromised, KnockKnock exported data from the inbox, created a new inbox rule and began a phishing attack from the account against the rest of the organization.

Skyhigh picked up evidence of the botnet through its Cloud Access Security Broker (CASB) Threat Protection engine when the company's customers were attacked. Skyhigh says the traffic came from 63 networks and 83 IP addresses, with 90 percent of traffic coming from IP addresses in China. In all, the attacks came from 16 countries.

The attacks averaged only five e-mail addresses per customer. Additionally, the organizational targeting was extremely specific -- aimed at infrastructure and Internet of Things (IoT) departments within the manufacturing, financial services, health care and consumer products industries, as well as U.S. public sector agencies.

"It just seems like it's orchestrated in a controlled manner, rather than a free-for-all, get-what-you-can kind of campaign," he said.

Sarukkai said that what is helping the effectiveness of the attack is that non-human system accounts are less likely to be protected by multi-factor authentication or security policies, such as recurring password reset requirements. "Once these accounts have been provisioned, they're really sort of forgotten," he said. "I think these actors have a pretty good understanding of the weakest link in Office 365 and in general the security infrastructure -- almost like the hidden weakness."

Posted by Scott Bekker on October 12, 2017 at 12:28 PM


Featured

  • The 2019 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generation of HoloLens, here's what's on tap from Microsoft this year.

  • Microsoft, Salesforce Ink Deal Around Azure Cloud and Teams

    As part of a new partnership, CRM service provider Salesforce will leverage certain Microsoft Azure services, as well as Microsoft Teams, for services to customers.

  • 2019 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss this year.

  • Version 1909 of Windows 10 and Windows Server Released

    Windows 10 version 1909, also known as the "Windows 10 November 2019 Update," was officially released by Microsoft on Tuesday.

RCP Update

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.