The Microsoft Exchange hack reported in March 2020 is just one of many recent assaults on Microsoft by cyber espionage groups. If the SolarWinds hack of December 2020 didn’t make it abundantly clear, this latest hack proves that Microsoft is one of the biggest and most lucrative hacking targets in the world.
The evolution of the Exchange hack
On March 2, 2021, Microsoft announced multiple vulnerabilities affecting its Exchange servers and released patches for all versions. As it turns out, attacks on Exchange servers began in January, leading to speculation that hackers had been tipped off about the vulnerabilities in advance, potentially with leaked proof-of-concept code shared with Microsoft’s cybersecurity vendors and partners.
Hackers who gained access to victims’ Exchange servers installed web shells that provided remote access to affected systems. With unlimited access and a back door to return at will, hackers had free rein to download email data and install ransomware on affected systems.
Patching, although recommended, does not reverse the damage. Microsoft has since released a one-click Exchange mitigation tool that helps admins quickly identify compromised systems, but for many businesses the help came too late.
While the original hack has been blamed on Hafnium, an advanced persistent threat (APT) group from China, other groups quickly lined up to take advantage of businesses that had not yet patched their systems. As of today, up to 30,000 US customers and 250,000 global customers have been affected.
What’s next?
In a marked shift from most large scale attacks, the Exchange hack primarily affected SMBs, which, unlike large enterprises that have moved to Microsoft 365, are behind in migrating to the cloud. It’s worth noting that “small” doesn’t mean insignificant: defense contractors are small businesses; city governments are small businesses. Their customers, contacts, and vendors are now equally exposed.
While the affected organizations have been hit with ransomware attacks in the immediate aftermath of the breaches, other attacks of the email variety are likely to ensue. With access to email addresses and contact lists, hackers can now launch phishing and spear phishing attacks, both inside the organization and out, against those individuals whose email addresses were exposed.
Combined with the Exchange hack, the expense and challenge of managing on-premise servers and disaster recovery plans could signal an impending migration of SMBs to Microsoft 365. It’s been moving in that direction for quite some time. With low upfront costs, limited IT resource requirements, and scalability, Microsoft 365 is an optimal solution for SMBs with little to no IT.
Many in the cybersecurity field, in fact, are recommending such a move in light of the recent attacks. However, while the Exchange hack might have hit only on-premise servers, that does not mean that cloud email is immune. Hackers aren’t interested in servers; they’re interested in Microsoft.
Microsoft’s lonely seat at the top
In 2018, Microsoft became the most impersonated brand in phishing attacks, a distinction that it has held for three straight years. Before Microsoft phishing took off, PayPal was most impersonated. The shift from PayPal to Microsoft marked a change in phishers’ tactics, the recognition of the long-term value of corporate data over the quick rewards associated with consumer phishing.
Today, Microsoft leads the email and office productivity suite market, with 258 million corporate Microsoft 365 users alone. As Microsoft 365 usage has grown, attacks against Microsoft have kept pace. With the treasure trove of data hosted in SharePoint and OneDrive, the possibilities for cybercriminals are endless, and they’re exploiting them.
By compromising a single Microsoft account with a phishing email, hackers have the opportunity to do untold amounts of damage before the compromise is detected. According to a recent report, 71 percent of Microsoft 365 users have experienced account takeover in the last year, and 96 percent of exploited accounts experienced lateral movement.
Lateral attacks inside Microsoft 365 can include phishing and spear phishing attacks using compromised Microsoft 365 credentials. While phishing is most commonly associated with credential theft, it’s also one of the primary delivery methods for ransomware, thanks to the relative ease and low cost of creating phishing campaigns compared to other distribution methods.
Microsoft’s dominance grew to new heights in 2020, thanks to COVID-19 and the global shift to remote work. But being #1 has its drawbacks. Popularity has made Microsoft a sizable target, and hitting a large target doesn’t require a high degree of skill. As many MSPs have found, Microsoft’s built-in security is not enough to defend against attacks. To fortify Microsoft 365, MSPs must pursue a layered, zero trust approach to cybersecurity.
