Privileged accounts in Azure and Microsoft 365 are facing a serious threat. A cybersecurity firm has identified a new phishing campaign aimed at privileged users such as sales directors, account managers, finance managers, vice presidents, presidents, chief financial officers, and CEOs. The campaign’s first wave of attacks started around November 2023, and it remains an active threat. The good news is that you can safeguard against and mitigate this attack.
The attack plan explained
The attack begins with phishing emails designed to harvest the Microsoft 365 account credentials of an organization’s privileged users. When a victim clicks the link in the phishing email and lands on the attackers’ website, a payload file is downloaded to their machine that targets their Microsoft 365 apps.
Once a Microsoft 365 account is breached, the attackers gain access to all of the user’s data and settings. To entrench the access they have gained, the attackers take the following steps:
- MFA: The attackers replace the affected user’s single-factor authentication with MFA methods they control, such as an alternate email address, a phone number, or Microsoft Authenticator. Because the legitimate user no longer holds the registered authentication factors, the attackers have ample time to wreak havoc until the user’s MFA is reset.
- Alternating proxies: The attackers route their sign-ins through proxies to conceal their locations and IP addresses, disguising their true whereabouts and mimicking the sign-in behavior of the original user.
- Internal phishing: The attackers broaden their access by sending customized phishing emails from the compromised internal account and by leveraging other accounts to move laterally within the organization. Since the email appears to come from a legitimate internal user, recipients are less likely to recognize it as potential spam.
- Modifications to mailbox rules: The attackers modify existing mailbox rules or create new ones to delete, redact, or obfuscate traces of their activity in the affected mailboxes, covering their tracks.
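The four steps above leave a recognizable trail in the unified audit log. The following added example (not code from the original post or from ManageEngine) shows detection logic for that trail run over constructed, simplified audit events: a sign-in from an IP the privileged user has never used, a new MFA method registered shortly afterwards, and an inbox rule that hides mail. The privileged-user watchlist, the known-IP baseline and the event shapes are assumptions.

```python
"""Flag the post-compromise pattern described above for privileged accounts: a sign-in from
an IP the user has never used, a new MFA method registered soon after it, and an inbox rule
that hides mail. The events are constructed, simplified stand-ins for unified audit log
records (documentation-range IPs), not real log output."""
from datetime import datetime, timedelta

PRIVILEGED = {"cfo@example.com", "vp.sales@example.com"}          # assumed watchlist
KNOWN_IPS = {"cfo@example.com": {"203.0.113.10"}, "vp.sales@example.com": {"203.0.113.11"}}
HIDING_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}    # inbox-rule options that hide mail

EVENTS = [  # constructed sample events
    {"ts": "2023-11-06T08:00:00", "user": "cfo@example.com", "op": "UserLoggedIn", "ip": "203.0.113.10"},
    {"ts": "2023-11-06T09:12:00", "user": "cfo@example.com", "op": "UserLoggedIn", "ip": "198.51.100.7"},
    {"ts": "2023-11-06T09:15:00", "user": "cfo@example.com", "op": "User registered security info", "ip": "198.51.100.7"},
    {"ts": "2023-11-06T09:20:00", "user": "cfo@example.com", "op": "New-InboxRule",
     "params": {"SubjectContainsWords": "invoice", "DeleteMessage": True}},
    {"ts": "2023-11-06T10:00:00", "user": "vp.sales@example.com", "op": "UserLoggedIn", "ip": "203.0.113.11"},
    {"ts": "2023-11-06T10:05:00", "user": "vp.sales@example.com", "op": "User registered security info", "ip": "203.0.113.11"},
]

def triage(events, window=timedelta(hours=2)):
    """Return {user: [reasons]} for privileged users whose activity matches the pattern."""
    findings, unknown_login_at = {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        user = e["user"]
        if user not in PRIVILEGED:
            continue
        ts = datetime.fromisoformat(e["ts"])
        reasons = findings.setdefault(user, [])
        if e["op"] == "UserLoggedIn" and e["ip"] not in KNOWN_IPS.get(user, set()):
            unknown_login_at[user] = ts                      # the proxy sign-in
            reasons.append(f"sign-in from unknown IP {e['ip']}")
        elif e["op"] == "User registered security info":
            last = unknown_login_at.get(user)
            if last is not None and ts - last <= window:   # attacker adds their own MFA
                reasons.append("MFA method registered shortly after unknown-IP sign-in")
        elif e["op"] in ("New-InboxRule", "Set-InboxRule"):
            hit = HIDING_PARAMS & set(e.get("params", {}))
            if hit:                                        # rule that buries evidence
                reasons.append(f"{e['op']} hides mail via {sorted(hit)}")
    return {u: r for u, r in findings.items() if r}
```

The vice president in the sample registers a new MFA method from a known IP and triggers nothing, which is the intended behavior: a method registration on its own is routine, and it is the combination with the unknown-IP sign-in and the hiding rule that warrants a response.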
How can you protect against a phishing attack?
The following measures can help you prevent or safeguard against phishing attacks.
- Implement MFA: Identify what the attackers are looking for and remediate it. This can include accounts protected only by single-factor authentication, policies that cannot identify brute-force attempts in time, and privileged accounts with access to data they probably don’t need. Make sure your privileged accounts are secured with strict MFA methods so that only authorized users can access them.
- Centralize strict management: Keep an eye on all of your privileged accounts by grouping them in a single administrative unit and applying strict conditional access policies.
- Plan ahead for breaches: Have an action plan for what to do if your accounts are compromised. Once the affected accounts have been identified, block them from all services immediately, forcibly sign them out to limit further effect on the Microsoft 365 environment, and reset their credentials and authentication factors.
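The containment steps in the last item, in the order they should run, as an added example that is not part of the original post or of M365 Manager Plus. It issues the Microsoft Graph calls for each step through an injected `send` callable so it can be exercised offline; the `FakeGraph` transport, its method IDs and the assumption that a bearer token is attached elsewhere are all constructed for this example.

```python
"""Containment sequence for a compromised Microsoft 365 account: block sign-in, revoke
sessions, rotate the password, strip attacker-registered MFA methods. Requests go through
an injected send(method, url, body) so this runs offline; a real deployment would wire
send to an HTTP client that attaches a Microsoft Graph bearer token (assumed, not shown)."""
import secrets

GRAPH = "https://graph.microsoft.com/v1.0"
# Authentication-method types an admin can delete, mapped to their Graph collection.
REMOVABLE = {
    "#microsoft.graph.phoneAuthenticationMethod": "phoneMethods",
    "#microsoft.graph.emailAuthenticationMethod": "emailMethods",
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod": "microsoftAuthenticatorMethods",
}

def contain(user_id, send):
    """Run the containment steps in order; return the list of actions taken."""
    u = f"{GRAPH}/users/{user_id}"
    actions = []
    # 1. Block: a disabled account cannot obtain new tokens.
    send("PATCH", u, {"accountEnabled": False})
    actions.append("disabled")
    # 2. Force sign-out: refresh tokens and existing sessions are invalidated.
    send("POST", f"{u}/revokeSignInSessions", None)
    actions.append("sessions revoked")
    # 3. Reset credentials to a random password the user must change at next sign-in.
    new_pw = secrets.token_urlsafe(24)
    send("PATCH", u, {"passwordProfile": {"forceChangePasswordNextSignIn": True, "password": new_pw}})
    actions.append("password reset")
    # 4. Remove every removable MFA method (password methods cannot be deleted) so the
    #    user re-enrolls under admin supervision rather than keeping the attacker's factors.
    for m in send("GET", f"{u}/authentication/methods", None).get("value", []):
        coll = REMOVABLE.get(m.get("@odata.type"))
        if coll:
            send("DELETE", f"{u}/authentication/{coll}/{m['id']}", None)
            actions.append(f"removed {coll}/{m['id']}")
    return actions

# Constructed offline transport: records each call and answers the method inventory
# with one phone method and one password method (constructed placeholder IDs).
class FakeGraph:
    def __init__(self):
        self.calls = []
    def __call__(self, method, url, body):
        self.calls.append((method, url, body))
        if method == "GET" and url.endswith("/authentication/methods"):
            return {"value": [
                {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "id": "PHONE-ID"},
                {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "PASSWORD-ID"},
            ]}
        return {}
```

Disabling the account before revoking sessions matters: revocation alone invalidates existing tokens, but an enabled account with attacker-controlled MFA could simply sign in again.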
How ManageEngine can help against phishing attacks
ManageEngine M365 Manager Plus is a Microsoft 365 administration solution that helps you secure privileged accounts. It allows you to get better visibility into your environment, carry out all your required tasks in bulk easily without resorting to PowerShell scripting, create custom audit and alert profiles to inform you of specific activities to track, and create automations to carry out actions sequentially without any human intervention.
Here is how you can use M365 Manager Plus to your advantage to protect against breaches:
Separate privileged users with single-factor authentication into a single virtual tenant
In M365 Manager Plus, you can create virtual tenants to house user objects that satisfy certain conditions under a single point of control, just like an administrative unit. Consolidate all your privileged accounts in one location for easy report generation, task execution, and frequent auditing—without the need to process other accounts.
Create profiles to track changes to MFA configurations
Since enabling their own MFA methods is the attackers’ most effective way of covering their tracks, the best way to identify and act on their presence is to track this activity as soon as it occurs. M365 Manager Plus can be configured to track when MFA is enabled or disabled for users across your environment or within a particular virtual tenant. When a change takes place, administrators are notified by email with all the details needed to take remedial action on the affected objects.
Set up automation policies to speed up remedial actions
Traditionally, once you have a list of affected users, you have to revoke their access, block them, and reset their MFA methods and passwords. By configuring automation policies in M365 Manager Plus, you only need to revoke the users’ Azure access; the remaining actions are carried out automatically.
You can download the free, 30-day trial of M365 Manager Plus to see these features in action for yourself and explore the other features this tool has to offer. You can also contact us for a free, personalized demo on setting these up to secure your environment.