Skyhigh Networks reveals sophisticated cyber attack campaign on enterprise Office 365 users

Skyhigh Networks, the provider of Cloud Access Security Broker (CASB) platform, announced it has detected and remediated one of the first examples of an operationalised cloud-to-cloud threat in the enterprise. Attackers used popular cloud service platforms to conduct a persistent attack to log into corporate Office 365 accounts.

Known as a ‘brute force’ attack, Skyhigh has been tracking the campaign since early 2017, with targets including high-level employees at multiple Fortune 2000 organisations.

Cloud services are on path to become the standard for enterprise IT solutions. Office 365 has taken a dominant role as the productivity solution of choice for enterprise data; 58.4% of all sensitive corporate data in the cloud is stored in Office 365. This new cloud-to-cloud attack points to an IT security blind spot and anticipates the ‘new normal’ of cloud-based attacks.

“Sensitive data has already moved to cloud applications, so it is only natural sophisticated attacks are following,” said Slawomir Ligier, SVP of Engineering, Skyhigh. “While companies traditionally have invested extensively in perimeter security, those without a dedicated cloud security solution will lack visibility and control for a growing category of attacks. Enterprise cloud providers secure their infrastructure, but the ultimate responsibility to control access to sensitive data lies with the customer.”

Anatomy of the attack

Earlier this year, Skyhigh’s CASB platform detected and defended against a ‘slow-and-low’ pattern of coordinated attacks on high-value targets, including more than 100,000 failed Office 365 logins from 67 IP addresses and 12 networks. The attempts all came from instances hosted on cloud service platforms and targeted 48 different organisations. The duration and measured pace of the attacks suggest a determined effort and the desire to avoid detection. Within each organisation, the attackers targeted a small number of senior employees across multiple departments.

A brute force attack typically refers to repeated guesses at an account password. In this case, the attackers tried logging in with different versions of employees’ Office 365 usernames, suggesting they may already possess some combination of employee names and passwords and were seeking valid Office 365 usernames for data access or spear phishing campaigns.

Password data could have been obtained in a database breach of a service like Yahoo or a phishing attack; studies have shown nearly half of online users reuse passwords across accounts. If the attackers confirmed an accurate Office 365 username with a correct reused password, they could successfully log into corporate Office 365 applications and potentially additional cloud service accounts.

Detection and impact

Skyhigh’s CASB detected and defended against the attack by correlating Office 365 API login data across employees and customers. The platform’s Threat Protection feature analyses cloud-user activity with cross-tenant machine learning algorithms to identify correlated anomalous behaviour indicative of persistent threats that would have otherwise flown under the radar.

Skyhigh brought the attacks to the attention of targeted customers and have been working to help clients audit all cloud services in use, enforce secure login policies and provide a comprehensive picture of threat intelligence across cloud environments.

Comment on this article below or via Twitter: @IoTNow OR @jcIoTnow

FEATURED IoT STORIES

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more
RECENT ARTICLES

Transsion and HERE partner to enhance location accuracy experience for smartphone users

Posted on: January 25, 2022

HERE Technologies, the location data and technology platform, announced that Transsion, the provider of smart devices and mobile services in global emerging markets, has selected HERE Network Positioning to improve its location accuracy capabilities in emerging markets such as Kenya, Nigeria, Ghana, Bangladesh, India, Pakistan, Indonesia and Thailand.

Read more

Francisco Partners to acquire IBM’s healthcare data and analytics assets

Posted on: January 25, 2022

Armonk, NY and San Francisco, CA, USA. 21 January 2022 – IBM and Francisco Partners, a global investment firm that specialises in partnering with technology businesses, announced that the companies have signed a definitive agreement under which Francisco Partners will acquire healthcare data and analytics assets from IBM that are currently part of the Watson

Read more