Bekker's Blog

Office 365-Focused Botnet Puts Spotlight on Security of System Accounts

The recent discovery of a botnet aimed at Office 365 customers puts a spotlight on a commonly overlooked category of system accounts.

Skyhigh Networks this month reported a botnet it dubbed "KnockKnock" that it discovered several weeks ago. Active since at least May, and especially active from June through August, the relatively small botnet seems to have been highly targeted in both the types of accounts it attacked and the types of organizations it went after.

"The reason this is interesting is not that a botnet is trying to get into accounts, but the fact that it is trying to get into system accounts," said Sekhar Sarukkai, chief scientist at Skyhigh Networks, in an interview.

What the attack does, according to Skyhigh's description, is go after the system accounts that are commonly used to connect the Exchange Online e-mail system with marketing and sales automation software. In cases where the system accounts were compromised, KnockKnock exported data from the inbox, created a new inbox rule and began a phishing attack from the account against the rest of the organization.

Skyhigh picked up evidence of the botnet through its Cloud Access Security Broker (CASB) Threat Protection engine when the company's customers were attacked. Skyhigh says the traffic came from 63 networks and 83 IP addresses, with 90 percent of traffic coming from IP addresses in China. In all, the attacks came from 16 countries.

The attacks averaged only five e-mail addresses per customer. Additionally, the organizational targeting was extremely specific -- aimed at infrastructure and Internet of Things (IoT) departments within the manufacturing, financial services, health care and consumer products industries, as well as U.S. public sector agencies.

"It just seems like it's orchestrated in a controlled manner, rather than a free-for-all, get-what-you-can kind of campaign," he said.

Sarukkai said that what is helping the effectiveness of the attack is that non-human system accounts are less likely to be protected by multi-factor authentication or security policies, such as recurring password reset requirements. "Once these accounts have been provisioned, they're really sort of forgotten," he said. "I think these actors have a pretty good understanding of the weakest link in Office 365 and in general the security infrastructure -- almost like the hidden weakness."
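Two of the signals the article describes are detectable in tenant audit data: sign-in attempts against one account spread across many source networks, and inbox-rule creation by a non-human account that has no multi-factor authentication. The following is an added example, not code from the article or from Skyhigh, showing how a defender might scan for both. The field names, the system-account inventory and the audit records are constructed for illustration and assumed to be what a real pipeline would supply.

```python
"""
Added example (not from the blog post): detection logic for two patterns the
article describes, run over a small set of constructed Office 365-style audit
records:
  1. sign-in attempts against a single account from many distinct source IPs
     (a botnet spreading its guesses across many networks), and
  2. inbox-rule creation by a non-human system account, with the account's
     MFA status and whether the rule hides mail.
The field names and sample records are constructed and do not reproduce any
real tenant's logs.
"""
from collections import defaultdict

# Constructed inventory of non-human accounts (assumption: the organization
# keeps such a list, e.g. exported from its provisioning system).
SYSTEM_ACCOUNTS = {
    "crm-sync@example.com": {"mfa": False},
    "marketing-connector@example.com": {"mfa": False},
}

# Constructed audit events, loosely modelled on unified-audit-log fields.
EVENTS = [
    {"op": "UserLoginFailed", "user": "crm-sync@example.com", "ip": "203.0.113.5"},
    {"op": "UserLoginFailed", "user": "crm-sync@example.com", "ip": "203.0.113.77"},
    {"op": "UserLoginFailed", "user": "crm-sync@example.com", "ip": "198.51.100.9"},
    {"op": "UserLoginFailed", "user": "crm-sync@example.com", "ip": "198.51.100.23"},
    {"op": "UserLoggedIn", "user": "crm-sync@example.com", "ip": "192.0.2.40"},
    {"op": "New-InboxRule", "user": "crm-sync@example.com", "ip": "192.0.2.40",
     "params": {"Name": "x", "DeleteMessage": True}},
    {"op": "UserLoggedIn", "user": "alice@example.com", "ip": "198.51.100.200"},
    {"op": "New-InboxRule", "user": "alice@example.com", "ip": "198.51.100.200",
     "params": {"Name": "newsletters", "MoveToFolder": "Reading"}},
]


def distinct_source_ips(events):
    """Map each account to the set of source IPs that attempted to sign in."""
    ips = defaultdict(set)
    for e in events:
        if e["op"] in ("UserLoginFailed", "UserLoggedIn"):
            ips[e["user"]].add(e["ip"])
    return ips


def spray_suspects(events, threshold=3):
    """Accounts whose sign-in attempts came from at least `threshold` distinct IPs.

    A human user rarely signs in from many networks in a short window; a
    system account normally signs in from one or two fixed integration hosts.
    """
    return sorted(u for u, s in distinct_source_ips(events).items()
                  if len(s) >= threshold)


def risky_inbox_rules(events, system_accounts=SYSTEM_ACCOUNTS):
    """Inbox rules created by system accounts.

    Each finding records whether the account has MFA and whether the rule
    hides mail (deletes or moves it), the post-compromise pattern the article
    describes. Rules created by ordinary users are ignored here.
    """
    findings = []
    for e in events:
        if e["op"] != "New-InboxRule":
            continue
        acct = system_accounts.get(e["user"])
        if acct is None:
            continue
        params = e.get("params", {})
        hides_mail = bool(params.get("DeleteMessage")) or "MoveToFolder" in params
        findings.append({
            "user": e["user"],
            "ip": e["ip"],
            "mfa_enabled": acct["mfa"],
            "hides_mail": hides_mail,
        })
    return findings


if __name__ == "__main__":
    print("accounts attacked from many networks:", spray_suspects(EVENTS))
    for f in risky_inbox_rules(EVENTS):
        print("inbox rule by system account:", f)
```

The thresholds and the system-account list are the tunable parts: the account inventory is what makes the second check possible at all, which is the practical counterpart to Sarukkai's point that provisioned system accounts are "forgotten". In a real deployment the records would come from the tenant's audit log export rather than the inline list.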

Posted by Scott Bekker on October 12, 2017
