How attackers identify your organization's weakest links

Understanding the techniques and tools attackers use in targeted phishing attacks.


Attackers use a variety of techniques to infiltrate corporate networks, but one tried and true way is to find out who works for a company and then target phishing attacks at those employees.

Famed hacker Kevin Mitnick reportedly used a paperback who's who of Washington business owners to gain more information on local businesses, but these days we all have access to a much better database that exposes far more information: LinkedIn. The social network is often the starting place for determining who is a good target in an organization, as well as a source of usernames and email addresses.

From LinkedIn scraping to Office 365 attacks

As noted in the OSINT Framework, attackers have several tools for scraping information from LinkedIn. Scraping tools such as LinkedInt, ScrapeIn, and InSpy let an attacker enumerate email addresses for a domain.

Once the attacker has the email addresses of targeted users, there are a number of techniques attackers can use to infiltrate a network. 

One tool that specifically targets Office 365, office365userenum, works through a list of candidate usernames and observes the service's response to each. Since usernames are frequently based on the email address, the would-be attacker can first harvest email addresses from social sites and then use them to test for valid user accounts. The tool sends requests to the ActiveSync service, which responds with codes that reveal whether or not a username exists, leaving the attacker with a list of valid users to target in further attacks.

The attacker can then try to compromise the account directly by brute-forcing the user's password, or use the email address/username pairs in phishing attacks against users known to be valid. office365userenum also reveals to the attacker which users have multifactor authentication enabled and which do not, helping to identify the weak links in the organization. Shared mailboxes used for business processes are less likely to be monitored by a person and often lack strong passwords or multifactor authentication, which makes them a frequent target of brute-force password guessing to gain access to the network.

Preventing Office 365 attacks

Microsoft has determined that this user enumeration sequence is not a vulnerability but a feature of the ActiveSync service, so there is no way to stop the service from responding. You can, however, set alerts so that you know when a user has several failed logins in a short timeframe, a sign that attackers are surveying your network.

Phishing attacks are so commonly used against Office 365 accounts that consultants who manage other customers' accounts have become a key target. Starting August 1st, Microsoft will mandate that partners and consultants who manage other customers' accounts have multifactor authentication enabled. If you work with a consultant who assists with your Office 365 implementation, make sure they are aware of these mandates and are doing all they can to avoid becoming the entry point into your network. Ensure that they have disabled basic authentication as well.

If you happen to be attending the upcoming Black Hat Security conference in Las Vegas, be sure to check out the talk by Mark Morowczynski, principal program manager at Microsoft, and Trimarc CTO Sean Metcalf titled "Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD)," which will explore some of the most common attacks against the Microsoft cloud, including password spraying attacks, which have become so prevalent that even US-CERT has identified them as a problem.

Microsoft has a detailed blog post on actions you can take to protect against password spraying, and there are other posts on the web with further steps, but it boils down to mandating multifactor authentication, changing your password policy, and educating users to avoid weak passwords that are easily guessed.
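The two alerts discussed above, a burst of failed logins against one account and a password spray that touches many accounts from one source, can be checked with simple windowed counting over sign-in records. The code below is an added example and not from the article or Microsoft; the sign-in records are constructed sample data and the field names are assumptions, not a vendor schema.

```python
"""Detection for the two sign-in patterns described above: a burst of failed logins
against one account, and password spraying (one source, a few guesses each against
many accounts). Records are constructed sample data with assumed field names."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, user, source_ip, status); "failure" stands for any
# failed sign-in, whatever error code the tenant's logs actually report.
SAMPLE_SIGNINS = [
    ("2019-07-22T09:00:01", "alice@example.com", "203.0.113.10", "failure"),
    ("2019-07-22T09:00:09", "alice@example.com", "203.0.113.10", "failure"),
    ("2019-07-22T09:00:17", "alice@example.com", "203.0.113.10", "failure"),
    ("2019-07-22T09:00:25", "alice@example.com", "203.0.113.10", "failure"),
    ("2019-07-22T09:05:00", "bob@example.com", "198.51.100.7", "failure"),
    ("2019-07-22T09:05:40", "carol@example.com", "198.51.100.7", "failure"),
    ("2019-07-22T09:06:20", "invoices@example.com", "198.51.100.7", "failure"),
    ("2019-07-22T09:07:00", "dave@example.com", "198.51.100.7", "success"),
    ("2019-07-22T10:30:00", "bob@example.com", "192.0.2.44", "failure"),
    ("2019-07-22T10:31:00", "bob@example.com", "192.0.2.44", "success"),
]

def _failures(records):
    """Time-sorted (timestamp, user, ip) tuples for failed sign-ins only."""
    return sorted((datetime.fromisoformat(ts), u, ip)
                  for ts, u, ip, status in records if status == "failure")

def failed_login_bursts(records, threshold=4, window=timedelta(minutes=10)):
    """Users with at least `threshold` failures inside any `window`: the per-account
    alert the article recommends for spotting surveying or brute forcing."""
    by_user = defaultdict(list)
    for ts, user, _ip in _failures(records):
        by_user[user].append(ts)
    return sorted(user for user, times in by_user.items()
                  if any(times[i + threshold - 1] - times[i] <= window
                         for i in range(len(times) - threshold + 1)))

def password_spray_sources(records, min_users=3, window=timedelta(minutes=30)):
    """Source IPs that fail against at least `min_users` distinct accounts inside
    `window`: the low-and-slow pattern a per-user threshold alone misses."""
    by_ip = defaultdict(list)
    for ts, user, ip in _failures(records):
        by_ip[ip].append((ts, user))
    hits = []
    for ip, events in by_ip.items():
        for i, (start, _user) in enumerate(events):
            users = {u for ts, u in events[i:] if ts - start <= window}
            if len(users) >= min_users:
                hits.append(ip)
                break
    return sorted(hits)
```

In the sample, the spraying source never trips the per-user threshold (one failure per account), which is why both checks are needed.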

Your users are indeed your weakest links. Take the time to review how your firm might be a juicy target for attack. 

Don't forget to sign up for the IDG Tech Talk YouTube channel, where you can see more videos of my Windows security tips. I'll be at The Experts Conference in Charleston, South Carolina, August 27th and 28th talking about Office 365 and the Windows update crisis. Hope to see you there!

Copyright © 2019 IDG Communications, Inc.
