Account compromise, new inbox rules designed to hide malicious activity, and multifactor authentication bypass are the most popular hacking tactics being utilized by threat actors so far in 2023, according to a new report from cybersecurity firm Expel.
According to the managed detection and response provider, identity-based attacks such as account compromise, account takeover and access key theft accounted for 57% of all cybersecurity incidents identified by Expel’s security operations center (SOC).
When narrowed down to Microsoft 365 attacks, account compromise and takeover accounted for 50% of all incidents, according to Expel’s first quarter threat report.
New inbox rules
As detailed in the report, hackers that have successfully compromised email accounts are creating inbox rules to automatically delete or hide certain emails from the compromised account. In all Microsoft 365 account takeovers in the first quarter of 2023, this happened in 50% of cases, according to Expel.
Creating those inbox rules essentially reduces the chance of the victim or IT administrator spotting unusual activity.
Of those new inbox rules in M365 accounts, 54% were named “.”, 18% were named “..” and 16% were named with just a single letter. The most common inbox rules automatically delete specific emails, or mark certain emails as “Read” and then move them to the “Archive” and “RSS Subscription” folders.
To maintain persistence, attackers are registering new multifactor authentication (MFA) devices in Azure, which Expel detected in about 25% of account takeover cases.
Inbox rules designed to forward emails to an attacker-controlled account have been a common tactic, but Expel detected just 5% of such cases in M365 account takeovers.
Jonathan Hencinski, vice president of security operations at Expel, cautions organizations to implement alerts for new Outlook inbox rules created with suspicious names.
“We recommend security teams implement alerts for new Outlook inbox rules created with suspicious names—two to three characters in length, or repeating characters could be a clue. Employees should also be vigilant and check their Outlook inbox for any abnormal or suspicious rules they didn’t set up by clicking ‘File’ and then ‘Rules & Alerts’ to review the rules they’ve implemented.”
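One way to turn the naming and action patterns described in the report into a detection is to triage inbox-rule creation events from the Microsoft 365 audit log. The following is an added example, not code from Expel or the article; the sample records are constructed and only approximate the shape of Unified Audit Log entries for the New-InboxRule cmdlet (Operation, UserId, and a Parameters list of Name/Value pairs).

```python
# Heuristics from the report: rule names of two or three characters, repeated
# characters, and the literal names "." and ".." dominate attacker-created rules;
# rules that delete mail, or mark it read and move it to Archive/RSS, hide it.
HIDING_FOLDERS = {"archive", "rss subscriptions", "rss feeds", "deleted items"}

def suspicious_name(name: str) -> bool:
    """Flag rule names that are very short or made of a single repeated character."""
    n = name.strip()
    return len(n) <= 3 or len(set(n.lower())) == 1

def hiding_actions(params: dict) -> list:
    """Return the actions in a New-InboxRule event that hide mail from the mailbox owner."""
    hits = []
    if str(params.get("DeleteMessage", "")).lower() == "true":
        hits.append("delete")
    leaf = params.get("MoveToFolder", "").split("\\")[-1].lower()  # folder name only
    if str(params.get("MarkAsRead", "")).lower() == "true" and leaf in HIDING_FOLDERS:
        hits.append("mark-read+move:" + leaf)
    if params.get("ForwardTo") or params.get("RedirectTo"):
        hits.append("forward")
    return hits

def triage_events(events: list) -> list:
    """Return (user, rule name, reasons) for every New-InboxRule event worth an alert."""
    alerts = []
    for ev in events:
        if ev.get("Operation") != "New-InboxRule":
            continue
        params = {p["Name"]: p["Value"] for p in ev.get("Parameters", [])}
        reasons = ["suspicious-name"] if suspicious_name(params.get("Name", "")) else []
        reasons += hiding_actions(params)
        if reasons:
            alerts.append((ev["UserId"], params.get("Name", ""), reasons))
    return alerts

# Constructed sample records (not real tenant data) shaped like audit-log entries.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;password"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": ".."}, {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "MoveToFolder", "Value": "bob@example.com:\\RSS Subscriptions"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@example.com",
     "Parameters": [{"Name": "Name", "Value": "Vendor newsletters"},
                    {"Name": "MoveToFolder", "Value": "carol@example.com:\\Newsletters"}]},
]

if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print(alert)
```

Only the first two constructed records produce alerts; a descriptive rule name that files mail into an ordinary folder is left alone, which keeps the heuristic from paging on routine user rules.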
Expel’s threat report for the first quarter of 2023 also details what is becoming a common hacking tactic: MFA bypass.
The company says attackers are targeting SaaS applications like Okta and M365 by stealing session cookies, launching MFA fatigue attacks, registering malicious OAuth applications and authenticating using legacy protocols.
According to Expel’s report, 5% of all identity-related incidents in the quarter involved frameworks such as Evilginx2 to steal login credentials and session cookies for initial access and subsequent bypassing of MFA.
This represents an important shift in threat actor tactics, Hencinski says.
“This is an important shift: threat actors are moving away from authenticating using legacy protocols to bypass MFA in M365, and are instead adopting frameworks to launch Attacker-in-the-Middle (AiTM) phishing campaigns—a new tactic effective at end-running MFA defenses,” Hencinski says.
In most of these situations, once attackers access the email account, they typically query the email inbox for the phishing email that contains a link to their proxy site. Then they move the email to the deleted items folder to hide evidence of the attack.
Finally, they register a new MFA device to establish persistence before the session cookie expires, Hencinski adds.
Organizations should adopt FIDO2 and certificate-based authentication to protect against these attacks. However, most organizations don’t use FIDO Factors for MFA.
“In this case, deploy phish-resistant MFA,” Hencinski instructs. “If that’s unrealistic, disable email, SMS, voice, and TOTPs, and instead opt for push notifications.”
Expel also saw the exploitation of software vulnerabilities for initial access in a small percentage of first-quarter incidents, but the security bugs that threat actors leveraged tend to be at least a year old.
According to Expel, the most common vulnerabilities leveraged by hackers in the first quarter of 2023 were:
- CVE-2022-47966 – Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability
- CVE-2022-21587 – Oracle E-Business Suite Unspecified Vulnerability
- CVE-2021-4034 – Red Hat Polkit Out-of-Bounds Read and Write Vulnerability
- CVE-2020-14882 – Oracle WebLogic Server Remote Code Execution Vulnerability
This is a common theme in threat reports, as organizations are still struggling to prioritize and patch vulnerabilities.
“This indicates that organizations may not understand which vulnerabilities pose the biggest threats to their environment,” Hencinski says. “But by evaluating and understanding the vulnerabilities that could most impact their orgs, security teams can prioritize patching them and eliminate critical risks in the cybersecurity kill chain.”
Another hacking tactic briefly detailed in Expel’s report is the rise of insider threats so far in 2023. The company said it detected a bump in cases of misuse of cloud storage and file synchronization services like Google Drive, although these still only accounted for a small percentage of incidents.
In these cases, employees with legitimate access to Google Drive uploaded gigabytes of information, including sensitive intellectual property.
“While these officially qualify as insider threats, we can’t speculate on the motivations in these incidents,” Hencinski says. “Regardless, orgs should be aware of the potential risks associated with cloud storage and file synchronization services.”