Barracuda Networks conducted their own research and found hackers are targeting Microsoft 365 accounts with a worrying degree of success. The report identified a rise in the number of account takeover (ATO) attacks. 29% of organisations interviewed had seen their Microsoft 365 accounts compromised. Cyber criminals use Microsoft 365 account-takeover attacks to learn how a company operates, how it uses email signatures and how it handles financial transactions. Using compromised accounts, the hackers were able to send in excess of 1.5 million malicious and spam emails.  

Company activities & login credentials 

ATO attacks are executed using a number of methodologies. They generally begin with social-engineering tactics to lure email recipients to a phishing website. After a Microsoft 365 account is compromised, hackers can track company activities and use harvested credentials to target other high-value accounts.

Another option is to buy login credentials from data breach databases that are published across criminal forums. The Barracuda report points out how hackers often use stolen passwords from personal email accounts to gain access to business email. Criminals also use brute-force applications to crack simplistic passwords. Businesses that require users to change their passwords every month or two play into this scenario, as users will often end up with the same word, just numerically incremented, so they can remember it. Social engineering tactics such as brand impersonation and phishing campaigns are also being used to compromise Microsoft 365 accounts.

The researchers noted hackers don’t usually launch an immediate attack on compromised accounts. Instead, they monitor email and activity in the company to maximise the chances of executing a successful attack. Researchers noted that hackers set up malicious rules to hide their activity in 34% of the nearly 4,000 compromised accounts. The cyber criminals will usually target high-value accounts such as those belonging to executives and employees working within the finance department. Compromised accounts are also used to launch external attacks targeting partners and customers.

What are the signs of a compromised account? 

Users might notice and report unusual activity in their Microsoft 365 mailboxes. Here are some common symptoms according to Microsoft: 

  • Suspicious activity, such as missing or deleted emails. 
  • Other users might receive emails from the compromised account without the corresponding email existing in the Sent Items folder of the sender. 
  • The presence of inbox rules that weren’t created by the intended user or the administrator. These rules may automatically forward emails to unknown addresses or move them to the Notes, Junk Email, or RSS Subscriptions folders. 
  • The user’s display name might be changed in the Global Address List. 
  • The user’s mailbox is blocked from sending email. 
  • The Sent or Deleted Items folders in Microsoft Outlook or Outlook on the web (formerly known as Outlook Web App) contain common hacked-account messages, such as “I’m stuck in London, send money.” 
  • Unusual profile changes, such as updates to the name, the telephone number, or the postal code.
  • Unusual credential changes, such as multiple password changes being required.
  • Mail forwarding was recently added. 
  • An unusual signature was recently added, such as a fake banking signature or a prescription drug signature. 
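
One way an administrator could check exported inbox rules for the rule-based symptoms in the list above (forwarding to unknown addresses, or moving mail to the Notes, Junk Email or RSS Subscriptions folders). This is an added example, not part of the original article or of any Barracuda or Microsoft tooling; the record keys (`mailbox`, `name`, `forward_to`, `redirect_to`, `move_to_folder`), the domains and the sample rules are constructed assumptions.

```python
import re

# Folders the article names as places where malicious rules hide mail.
HIDING_FOLDERS = {"notes", "junk email", "rss subscriptions"}
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def external_targets(addresses, internal_domains):
    """Return the entries whose domain is not one of ours (or a subdomain of it)."""
    internal = {d.lower() for d in internal_domains}
    hits = []
    for entry in addresses:
        match = ADDR_RE.search(entry)  # copes with "Name <a@b>" and "smtp:a@b"
        domain = match.group(1).lower() if match else None
        # Unparseable targets are reported too, so a reviewer looks at them.
        if domain is None or not any(
            domain == d or domain.endswith("." + d) for d in internal
        ):
            hits.append(entry)
    return hits


def audit_rules(rules, internal_domains):
    """Return (mailbox, rule name, reasons) for every rule worth reviewing."""
    findings = []
    for rule in rules:
        reasons = []
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        for target in external_targets(targets, internal_domains):
            reasons.append(f"sends mail to external address: {target}")
        folder = (rule.get("move_to_folder") or "").strip()
        if folder.lower() in HIDING_FOLDERS:
            reasons.append(f"moves mail to rarely opened folder: {folder}")
        if reasons:
            findings.append((rule["mailbox"], rule["name"], reasons))
    return findings


# Constructed sample export (assumed layout, not a real tenant's data).
SAMPLE_RULES = [
    {"mailbox": "cfo@corp.example", "name": ".", "move_to_folder": "RSS Subscriptions",
     "forward_to": ["smtp:backup@mail-relay.example.net"]},
    {"mailbox": "cfo@corp.example", "name": "Team newsletter", "move_to_folder": "Newsletters"},
    {"mailbox": "ap@corp.example", "name": "Invoices to shared box",
     "forward_to": ["Accounts <accounts@eu.corp.example>"]},
    {"mailbox": "ap@corp.example", "name": "payment", "move_to_folder": "junk email "},
]

if __name__ == "__main__":
    for mailbox, name, reasons in audit_rules(SAMPLE_RULES, ["corp.example"]):
        print(mailbox, repr(name), "; ".join(reasons))
```

A flagged rule is a prompt for review with the mailbox owner, since the article's symptom is a rule that neither the user nor the administrator created.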