Phishing and insider attacks are on the rise, but an even more ominous threat is gaining ground at the same time: the multi-phase attack, which chains phishing, spear phishing and insider-style techniques together. Multi-phase attacks are difficult to detect and challenging to prevent, especially in the widely used Microsoft Office 365 environment. The risk can be mitigated, however, and viable solutions are available.
What Is a Multi-Phase Attack?
Cyber-attacks have traditionally involved a single attack vector. Imagine the following: a hacker sends a PayPal phishing email to your inbox and you are tricked into divulging your account login credentials on a phishing page that looks exactly like PayPal’s website. After harvesting your credentials, the hacker empties the balance on your PayPal account and then moves onto their next target. In the case of the multi-phase attack, this initial act of deception is just the beginning.
A multi-phase attack uses your stolen credentials as a stepping stone to extract money or proprietary information from you or your business; it always involves at least two steps. For example, the hacker might first send an Office 365 phishing email to harvest your email credentials. Then, signed in to your Office 365 account, he or she sends an email to someone in your company who has the authority to execute wire transfers.
The recipient has no reason to suspect that the email requesting a wire transfer did not come from you. Indeed, “you” sent it. Conventional security filters are unlikely to catch it either: the message originates from a legitimate, authenticated mailbox in your own Office 365 tenant, so it passes the sender-authentication checks (SPF, DKIM and DMARC) that would expose a spoofed sender, and a wire-transfer request typically carries no malicious link or attachment for a content scanner to flag.
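Because the second-phase message is clean and authenticated, the useful signal is behavioral rather than content-based: an unfamiliar sign-in followed shortly by a mailbox-rule change or an outbound payment-themed message from the same account. The following is an added example (not code from the original article or from Microsoft) that correlates those events over a handful of constructed audit records. The record layout is a simplified assumption loosely modelled on Office 365 Unified Audit Log field names (CreationTime, UserId, Operation, ClientIP); the Subject and Parameters fields, the keyword list and the one-hour window are illustrative choices, not documented defaults.

```python
"""Correlate an unfamiliar sign-in with follow-on mailbox activity.

Pattern looked for: a UserLoggedIn event from an IP the user has never used
before, followed within a short window by either a New-InboxRule (attackers
often add rules to hide replies) or a Send whose subject uses payment /
wire-transfer language.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real audit data). Field names are a
# simplified imitation of Unified Audit Log records; Subject/Parameters are
# assumed for the example.
RECORDS = [
    {"CreationTime": "2019-03-04T08:02:11", "UserId": "cfo@example.com",
     "Operation": "UserLoggedIn", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2019-03-04T08:05:40", "UserId": "cfo@example.com",
     "Operation": "Send", "ClientIP": "203.0.113.10", "Subject": "Q1 board deck"},
    {"CreationTime": "2019-03-04T09:00:00", "UserId": "clerk@example.com",
     "Operation": "UserLoggedIn", "ClientIP": "203.0.113.10"},
    # Day two: the CFO's account is used from an IP never seen before.
    {"CreationTime": "2019-03-05T02:14:09", "UserId": "cfo@example.com",
     "Operation": "UserLoggedIn", "ClientIP": "198.51.100.77"},
    {"CreationTime": "2019-03-05T02:16:30", "UserId": "cfo@example.com",
     "Operation": "New-InboxRule", "ClientIP": "198.51.100.77",
     "Parameters": "DeleteMessage: True; SubjectContainsWords: wire"},
    {"CreationTime": "2019-03-05T02:21:02", "UserId": "cfo@example.com",
     "Operation": "Send", "ClientIP": "198.51.100.77",
     "Subject": "URGENT wire transfer needed today"},
    # A legitimate reply from a known IP: must not alert.
    {"CreationTime": "2019-03-05T09:00:00", "UserId": "clerk@example.com",
     "Operation": "UserLoggedIn", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2019-03-05T09:30:00", "UserId": "clerk@example.com",
     "Operation": "Send", "ClientIP": "203.0.113.10",
     "Subject": "Re: wire transfer confirmation"},
]

# Illustrative payment vocabulary; tune to the organization's own mail.
WIRE_RE = re.compile(r"\b(wire|transfer|payment|invoice|bank details|ACH)\b", re.I)


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def build_baseline(records, until):
    """Per-user set of sign-in IPs observed before `until` (the known-good baseline)."""
    cutoff = parse_time(until)
    known = defaultdict(set)
    for r in records:
        if r["Operation"] == "UserLoggedIn" and parse_time(r["CreationTime"]) < cutoff:
            known[r["UserId"]].add(r["ClientIP"])
    return known


def detect_multi_phase(records, known_ips, window_minutes=60):
    """Return one alert per inbox-rule change or payment-themed Send that occurs
    within `window_minutes` of a sign-in from an IP not in the user's baseline."""
    window = timedelta(minutes=window_minutes)
    open_sessions = {}  # user -> (login_time, login_ip) for unfamiliar sign-ins
    alerts = []
    for r in sorted(records, key=lambda rec: rec["CreationTime"]):
        user, op, t = r["UserId"], r["Operation"], parse_time(r["CreationTime"])
        if op == "UserLoggedIn":
            if r["ClientIP"] not in known_ips.get(user, set()):
                open_sessions[user] = (t, r["ClientIP"])
            continue
        session = open_sessions.get(user)
        if session is None or t - session[0] > window:
            continue  # no recent unfamiliar sign-in to tie this activity to
        login_time, login_ip = session
        if op == "New-InboxRule":
            alerts.append({"user": user, "login_ip": login_ip, "time": r["CreationTime"],
                           "phase": "inbox rule created", "detail": r.get("Parameters", "")})
        elif op == "Send" and WIRE_RE.search(r.get("Subject", "")):
            alerts.append({"user": user, "login_ip": login_ip, "time": r["CreationTime"],
                           "phase": "payment-themed message sent", "detail": r["Subject"]})
    return alerts


def run_demo():
    """Baseline on day one, then hunt over the whole set."""
    known = build_baseline(RECORDS, "2019-03-05T00:00:00")
    return detect_multi_phase(RECORDS, known)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run as-is it reports two alerts, both for cfo@example.com and both tied to the 198.51.100.77 sign-in, while the clerk's genuine "wire transfer confirmation" reply from a known IP stays silent. The baseline is the weak point of any such rule: a user with no sign-in history before the cutoff will look unfamiliar on every login, so in practice build it over weeks, not a day.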
There are many variants on the multi-phase attack. Armed with a legitimate account, the attacker can move laterally to compromise additional accounts within the organization, and can also spear phish external business partners and vendors from a trusted address. In one recent case, the SEC revealed that an unnamed American corporation had been fleeced to the tune of $45,000,000 in 14 separate events linked to one multi-phase attack.
The Main Driver of Multi-Phase Attacks
Above all, the rapid adoption of Office 365 is responsible for the rise of multi-phase attacks. With 155 million corporate users and a single sign-in that unlocks the entire Office 365 suite, it is a remarkably fertile environment for malicious behavior. Before the service was available, each organization ran its own email server with its own login page, so each had to be attacked individually. Now every tenant shares the same login flow, so a phishing page that imitates it, and the tooling that exploits a captured credential, work unchanged against any of those 155 million accounts.
The data and file storage functions of Office 365 further expand the attack surface. Office 365 is much more than an email service: it is a complete productivity suite, with SharePoint data repositories and OneDrive document repositories. Once inside the system, the attacker gains access to rich collections of data. It is no surprise that Microsoft has been the most impersonated brand on phishing sites for four quarters in a row.
Why is this important? Consider the kind of corporate information a hacker might see if he or she gets into OneDrive. There could be contracts with vendors, bank account information and so forth—all of which ma