Executives Being Targeted for Spear-Phishing
We have seen an increased number of calls into our cyber response team lately regarding executives whose email was hacked through their instance of Microsoft’s Office 365 (O365). The issue is not a bug in O365; rather, it is insecure configuration of the user accounts by the administrator.
The primary attack vector is pretty basic. Through reconnaissance, a user is targeted based on their role in the company; the focus is on executives and accounting personnel. The chosen user is then sent an email designed to get them to click a link or open an attachment, either of which is intended to capture their credentials. If the email is unsuccessful, the attacker tries to break the user's password through brute force and password cracking.
Once access to Office 365 is gained, the attacker sends emails on behalf of that user and attempts to extract money from either the organization or an outside party it conducts business with. The success rate is fairly high.
What You Can Do About This
It is not uncommon for executive passwords to be weak. IT is often reluctant to enforce standards on these users, and multi-factor authentication is not widely deployed; for obvious reasons, they do not want the executives to be frustrated or have issues. That weakness in security is what is being exploited.
This is the opposite of what should be taking place. If anything, stricter security standards need to be applied to high-profile users.
Follow these five steps to add security for your high-profile users (it really should be all users, but start here!):
Enforce a Strong Password Requirement
Add in Multi-Factor Authentication
Enforce Logging of Login Attempts on the Users
Review The Logs Regularly
Set Geographical Restriction on the Logins Where Possible
Do two or more of these steps and you will go a long way toward protecting the executives of the company.
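Steps three through five only pay off if someone actually looks at the sign-in records with the attack pattern above in mind: a burst of failed logins against one executive account, followed by a success from the same source, possibly from a country the company never does business with. The script below is an added example, not code from the original post or from Microsoft; it reviews a constructed JSON-lines sign-in export (the field names `ts`, `user`, `result`, `ip`, `country` and `mfa`, the sample addresses, the allowed-country set and the failure threshold are all assumptions) and reports the three things a reviewer of these logs most wants to see: brute-force bursts per user and source IP, successful sign-ins from outside the allowed countries, and successes that follow a brute-force burst from the same source.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real Office 365 data): one JSON object per line,
# with the kind of fields a cloud sign-in log carries. Field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2024-03-04T08:01:00", "user": "cfo@example.com", "result": "success", "ip": "203.0.113.10", "country": "US", "mfa": true}
{"ts": "2024-03-04T09:00:00", "user": "ceo@example.com", "result": "failure", "ip": "198.51.100.7", "country": "NL", "mfa": false}
{"ts": "2024-03-04T09:00:20", "user": "ceo@example.com", "result": "failure", "ip": "198.51.100.7", "country": "NL", "mfa": false}
{"ts": "2024-03-04T09:00:40", "user": "ceo@example.com", "result": "failure", "ip": "198.51.100.7", "country": "NL", "mfa": false}
{"ts": "2024-03-04T09:01:00", "user": "ceo@example.com", "result": "failure", "ip": "198.51.100.7", "country": "NL", "mfa": false}
{"ts": "2024-03-04T09:01:20", "user": "ceo@example.com", "result": "failure", "ip": "198.51.100.7", "country": "NL", "mfa": false}
{"ts": "2024-03-04T09:01:40", "user": "ceo@example.com", "result": "failure", "ip": "198.51.100.7", "country": "NL", "mfa": false}
{"ts": "2024-03-04T09:02:00", "user": "ceo@example.com", "result": "success", "ip": "198.51.100.7", "country": "NL", "mfa": false}
{"ts": "2024-03-04T10:15:00", "user": "controller@example.com", "result": "failure", "ip": "192.0.2.44", "country": "US", "mfa": false}
{"ts": "2024-03-04T10:15:30", "user": "controller@example.com", "result": "success", "ip": "192.0.2.44", "country": "US", "mfa": true}
"""

# Assumed policy values: tune to where the company actually operates.
ALLOWED_COUNTRIES = {"US"}
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def load_events(text):
    """Parse a JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_brute_force(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Flag (user, ip) pairs with at least `threshold` failed sign-ins inside any `window`.

    Returns (user, ip, peak_failures_in_window) for each flagged pair.
    """
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[(e["user"], e["ip"])].append(datetime.fromisoformat(e["ts"]))
    findings = []
    for (user, ip), times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # slide the window start forward until it is within `window` of t
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append((user, ip, peak))
    return findings


def find_geo_anomalies(events, allowed=ALLOWED_COUNTRIES):
    """Successful sign-ins from a country outside the allowed set (step five, applied after the fact)."""
    return [(e["user"], e["ip"], e["country"])
            for e in events if e["result"] == "success" and e["country"] not in allowed]


def find_post_bruteforce_success(events, brute_findings):
    """Successes from a user/IP pair that was already brute-forcing: the clearest sign in this
    data that the password fell. The mfa flag shows whether a second factor stood in the way."""
    suspect = {(user, ip) for user, ip, _ in brute_findings}
    return [(e["user"], e["ip"], e["ts"], e["mfa"])
            for e in events if e["result"] == "success" and (e["user"], e["ip"]) in suspect]


def review(events, allowed=ALLOWED_COUNTRIES):
    """Run all three checks and return the findings grouped by category."""
    brute = find_brute_force(events)
    return {
        "brute_force": brute,
        "geo_anomalies": find_geo_anomalies(events, allowed),
        "post_bruteforce_success": find_post_bruteforce_success(events, brute),
    }


if __name__ == "__main__":
    for category, items in review(load_events(SAMPLE_LOG)).items():
        print(category)
        for item in items:
            print("   ", item)
```

On the constructed data the review flags the CEO account: six failures from one address inside two minutes, then a success from the same address without MFA, from a country not on the allowed list. The controller's single typo followed by an MFA-backed success from an allowed country raises nothing, which is the point of keying the brute-force check on a threshold within a window rather than on any failure at all. Against a real export, replace `SAMPLE_LOG` with the contents of the tenant's sign-in log and adjust the allowed-country set and threshold to the company's own pattern of travel and activity.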