Understanding the techniques and tools attackers use in targeted phishing attacks.

Attackers use a variety of techniques to infiltrate corporate networks, but one tried and true way is to find out who works for a company and then aim phishing attacks at those employees.

Famed hacker Kevin Mitnick reportedly used a paperback edition of the who's who of Washington business owners to gather information on local businesses, but these days we all have access to a much better database that exposes far more information: LinkedIn. The social network is often the starting place for determining who is a good target in an organization, as well as a source for usernames and email addresses.

From LinkedIn scraping to Office 365 attacks

As noted in the OSINT Framework, there are several tools attackers use to scrape information from LinkedIn. Scraping tools such as LinkedInt, ScrapeIn and InSpy let an attacker harvest employee names and enumerate likely email addresses for a domain. Once the attacker has the email addresses of targeted users, there are a number of techniques available to get into the network.

One tool that specifically targets Office 365, office365userenum, takes a list of candidate usernames, tries each one and observes the response. Because many organizations use the email address as the username, the would-be attacker can first collect email addresses from social sites and then test whether each one corresponds to a valid user account. The tool sends a request to the Exchange ActiveSync service, which answers with response codes that tell the attacker whether the username exists. The resulting list of confirmed users can then be attacked directly, by brute-forcing or guessing passwords, or used in phishing campaigns aimed at accounts known to be valid.
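The step from scraped names to a candidate username list, as an added example (not code from the article or from LinkedInt, ScrapeIn or InSpy): one known address is used to infer the organization's naming convention, which is then applied to the other harvested names. The names, the domain example.com and the known address are constructed for the example; the set of naming conventions is an assumption, not an exhaustive list.

```python
"""
Added example: infer an organization's email naming convention from one known
address and apply it to names harvested from LinkedIn, producing the candidate
username list that a tool such as office365userenum would then test.
Names, domain and the known address are constructed; PATTERNS is an assumption.
"""
import re
import unicodedata

# Common naming conventions (assumption). f/l stand for first/last initial.
PATTERNS = {
    "first.last": "{first}.{last}",
    "flast": "{f}{last}",
    "firstl": "{first}{l}",
    "first_last": "{first}_{last}",
    "first": "{first}",
    "lastf": "{last}{f}",
    "last.first": "{last}.{first}",
}


def normalize(part: str) -> str:
    """Lower-case, strip accents and drop anything that is not a letter or digit."""
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_part.lower())


def split_name(full_name: str):
    """Split 'First Middle Last, CISSP' into (first, last); None if no surname."""
    cleaned = full_name.split(",")[0]          # drop trailing credentials
    parts = [p for p in (normalize(x) for x in cleaned.split()) if p]
    if len(parts) < 2:
        return None
    return parts[0], parts[-1]


def render(pattern: str, first: str, last: str) -> str:
    """Fill one convention template; unused placeholders are ignored by format()."""
    return pattern.format(first=first, last=last, f=first[0], l=last[0])


def infer_pattern(full_name: str, known_email: str):
    """Return the convention label that reproduces known_email's local part, or None."""
    local = known_email.split("@")[0].lower()
    name = split_name(full_name)
    if not name:
        return None
    for label, pattern in PATTERNS.items():
        if render(pattern, *name) == local:
            return label
    return None


def candidates(names, domain, pattern_label=None):
    """Generate candidate addresses; with no inferred pattern, emit every convention."""
    labels = [pattern_label] if pattern_label else list(PATTERNS)
    out = []
    for full_name in names:
        name = split_name(full_name)
        if not name:
            continue                         # single-word profile names are skipped
        for label in labels:
            out.append(f"{render(PATTERNS[label], *name)}@{domain}")
    return list(dict.fromkeys(out))          # de-duplicate, keep order


# Constructed sample input: names as they might appear on LinkedIn profiles.
SCRAPED_NAMES = ["Jane Doe", "Ravi Kumar Patel", "Zoë Müller, CISSP", "Prince"]
DOMAIN = "example.com"

if __name__ == "__main__":
    label = infer_pattern("Jane Doe", "jdoe@example.com")   # one address found elsewhere
    print("inferred convention:", label)
    for addr in candidates(SCRAPED_NAMES, DOMAIN, label):
        print(addr)
```

Middle names, accents and credentials after a comma are the usual sources of wrong guesses, which is why the normalization does that cleanup before applying the convention; when no known address is available, the function falls back to emitting every convention, which is what the enumeration tool then sorts out.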
The office365userenum tool also reveals to the attacker which users have multifactor authentication enabled and which do not, making it easier to identify the weak links in the organization. Shared mailboxes that are used for business processes, and so are less likely to be watched by a person, often lack strong passwords and multifactor authentication; they are a frequent target of brute-force password guessing to gain a foothold in the network.

Preventing Office 365 attacks

Microsoft has deemed this user enumeration behavior not a vulnerability but a feature of the ActiveSync service, so there is no way to stop the service from responding. What you can do is set alerts so that you know when a user has several failed logins in a short timeframe, a sign that attackers are surveying your tenant. Keep in mind that a password spray produces only one or two failures per account across many accounts, so a per-user threshold alone will miss it; look at the number of distinct accounts failing from one source address as well.

Phishing is used so often to attack Office 365 accounts that consultants who manage other customers' tenants have become a key target. Starting August 1, Microsoft will mandate that partners and consultants who manage other customers' accounts have multifactor authentication enabled. If you work with a consultant who assists with your Office 365 implementation, make sure they are aware of these mandates and are doing all they can to avoid becoming the entry point into your network. Ensure that they have disabled basic authentication as well: legacy protocols that use basic authentication, ActiveSync included, cannot prompt for a second factor, so leaving them enabled gives enumeration and password-spraying tools a path around MFA.

If you happen to be attending the upcoming Black Hat security conference in Las Vegas, check out the talk by Mark Morowczynski, principal program manager at Microsoft, and Trimarc CTO Sean Metcalf titled "Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD)," which will explore some of the most common attacks against the Microsoft cloud, including password spraying attacks, which have become so prevalent that even US-CERT has flagged them as a problem.
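The two detections discussed above, the per-user failed-login alert and the password-spray pattern behind it, as an added example run over constructed sign-in records (this is not code from the article, from Microsoft or from office365userenum). The record format (timestamp, user principal name, source IP, error code) is a simplified stand-in for Azure AD sign-in log fields; the error codes used follow Microsoft's documented Azure AD sign-in codes (50126 bad password, 50034 user not found, 50053 account locked) but are treated here as an assumption.

```python
"""
Added example: two detections over simplified Azure AD-style sign-in records.
  detect_bruteforce - several failures against one account in a short window
  detect_spray      - one source address failing against many distinct accounts,
                      with a count of "user not found" errors, the fingerprint of
                      a scraped candidate list being tested.
Records are constructed; error-code meanings are an assumption.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_CODES = {50126, 50034, 50053}   # bad password, unknown user, locked (assumption)
UNKNOWN_USER = 50034


def parse(line):
    """Parse 'ISO-timestamp,upn,ip,errorCode' into a dict; code 0 means success."""
    ts, upn, ip, code = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "upn": upn.lower(), "ip": ip, "code": int(code)}


def detect_bruteforce(records, threshold=5, window=timedelta(minutes=10)):
    """UPNs with >= threshold failures inside any sliding window of `window` length."""
    alerts = set()
    recent = defaultdict(deque)                 # upn -> timestamps of recent failures
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["code"] not in FAILURE_CODES:
            continue
        q = recent[r["upn"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:    # evict failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.add(r["upn"])
    return sorted(alerts)


def detect_spray(records, min_accounts=10, window=timedelta(hours=1)):
    """Source IPs failing against >= min_accounts distinct UPNs inside the window."""
    alerts = {}
    recent = defaultdict(deque)                 # ip -> (ts, upn, code) of recent failures
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["code"] not in FAILURE_CODES:
            continue
        q = recent[r["ip"]]
        q.append((r["ts"], r["upn"], r["code"]))
        while q and r["ts"] - q[0][0] > window:
            q.popleft()
        accounts = {upn for _, upn, _ in q}
        if len(accounts) >= min_accounts:
            unknown = {upn for _, upn, code in q if code == UNKNOWN_USER}
            alerts[r["ip"]] = {"accounts": len(accounts), "unknown_users": len(unknown)}
    return alerts


def analyze(lines):
    """Run both detections over raw log lines."""
    records = [parse(line) for line in lines]
    return {"bruteforce": detect_bruteforce(records), "spray": detect_spray(records)}


# Constructed sample log: one normal user, one brute-forced shared mailbox,
# and one spray from a single address over twelve accounts, four of which do not exist.
BASE = datetime(2019, 7, 30, 9, 0, 0)


def _line(minutes, upn, ip, code):
    return f"{(BASE + timedelta(minutes=minutes)).isoformat()},{upn},{ip},{code}"


SAMPLE_LOG = [
    _line(0, "alice@example.com", "192.0.2.5", 0),
    _line(1, "alice@example.com", "192.0.2.5", 50126),     # a single typo, not an alert
]
SAMPLE_LOG += [_line(2 + i, "svc-shared@example.com", "203.0.113.10", 50126) for i in range(6)]
SPRAYED = [f"user{i}@example.com" for i in range(8)] + [f"ghost{i}@example.com" for i in range(4)]
SAMPLE_LOG += [_line(10 + i, upn, "198.51.100.7", UNKNOWN_USER if upn.startswith("ghost") else 50126)
               for i, upn in enumerate(SPRAYED)]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The brute-force alert fires only for the shared mailbox; the sprayed accounts each see one failure and never reach the per-user threshold, which is why the second detection keys on the source address instead. The unknown_users count is worth surfacing separately: a real user mistyping a password does not generate "user not found" errors, but a scraped LinkedIn list does.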
Microsoft has a detailed blog post on actions you can take to protect against password spraying, and there are other posts on the web with similar guidance, but it boils down to mandating multifactor authentication, changing your password policy and educating users so that weak, easily guessed passwords are not in use. Your users are indeed your weakest links. Take the time to review how your firm might be a juicy target for attack.

Don't forget to sign up for the IDG Tech Talk YouTube channel where you can see more videos of my Windows security tips. I'll be at The Experts Conference in Charleston, South Carolina, August 27 and 28 talking about Office 365 and the Windows update crisis. Hope to see you there!