Recently, we’ve helped several organizations respond to a string of fast-paced phishing attacks. While phishing isn’t new, the speed and tactics of these attacks were noteworthy. Instead of simply exploiting compromised accounts, the attacker installed malicious applications within the victims’ Microsoft environment, exfiltrating data and creating a backdoor into the organization’s IT. It took the attacker less than 10 minutes to get inside the user’s account and establish a backdoor into the organization’s IT.
This attack method is especially dangerous because it allows the threat actor to obscure their movements, making it difficult to detect them through traditional monitoring. Even if the compromised user resets their password, the attacker’s backdoor—via the malicious application—remains intact. This sophisticated approach emphasizes the importance of not only securing your accounts with conditional MFA but also controlling what can be installed within your Microsoft environment.
Attack Overview: How It Happened
In this attack, the threat actor posed as a legitimate vendor and sent a Dropbox share request via email. Upon clicking the embedded link, the recipients were redirected to a fraudulent login page where they unknowingly gave away their Microsoft credentials. With these credentials in hand, the attacker gained access to their accounts.
Once inside, the attacker took advantage of a default Microsoft service permission that allows users, for convenience, to both request and approve new applications from the Microsoft Store. By leveraging two malicious cloud apps, ‘PerfectData’ and ‘EMClient’, the attacker exfiltrated sensitive information from the victims’ inboxes and set up a backdoor for future access.
Why Standard Security Clients Are Already Protected
Fortunately, if you’re subscribed to our Standard Security, your organization is protected from this particular attack. As part of your Standard Security onboarding, we took proactive measures to tighten your Microsoft configurations, including disabling the setting that allows non-administrative users to install new applications. This move significantly reduces your organization’s attack surface and minimizes the risk of unauthorized app installations being exploited by threat actors.
Moreover, our Standard Security offering includes a Security Information and Event Management (SIEM) system, which adds another layer of protection. SIEM continuously monitors for unusual activity within your Microsoft account, providing an early warning system for our security team to detect and respond to threats. If any suspicious behavior were to occur, our team would be alerted and able to take immediate action, mitigating potential risks.
The Convenience Factor: Why This Default Setting Isn’t a “Vulnerability”
It’s important to note that the default Microsoft settings aren’t inherently bad. Allowing non-administrative users to add and approve apps can be a convenient feature, especially for businesses that want to empower their users to act without having to involve IT every time an application needs to be installed or integrated.
However, with greater convenience comes greater responsibility. While the default setting might work well for some, it also opens up potential vulnerabilities that can be exploited by attackers, as seen in this recent phishing attack. For businesses that prioritize security, especially those handling sensitive information, limiting unnecessary permissions is a crucial step in strengthening defenses.
Staying Informed and Proactive
This phishing attack serves as a reminder of the ever-evolving threat landscape. For those who were affected, our Security Operations Center (SOC) quickly intervened, identifying compromised users, revoking the changes made to their accounts, and expelling the threat actor. Unfortunately, while we were able to shut down the attack, any data that had been exfiltrated from the inboxes was beyond recovery.
For our clients already subscribed to Standard Security, this is precisely the type of threat our layered security approach is designed to defend against. You’ve already taken the right steps to protect your business from such attacks, and with our SIEM capabilities, we’re constantly monitoring for unusual activity to detect and stop threats before they can do significant damage.
Remember, while the current threat was mitigated by the safeguards in place, staying informed and proactive is key. We will continue to monitor for new exploits and provide you with regular security advisories to help you navigate and reduce exposure to emerging threats.
About The Author
Seth Bursell, the Senior Cybersecurity Engineer at Aldridge, has over two decades of experience in technology, including a decade focused on cybersecurity, Seth specializes in Data Protection, Threat Hunting, PAM, policy formulation, Access Management, and risk assessment. Notably, Seth also owned his own MSP for 12 years, further enhancing his expertise. His professional journey comprises pivotal roles at two Dallas-based MSPs, engagements with healthcare corporations, and a significant tenure at McAfee, a global security firm.
Seth is responsible for investigating security indicators inside Aldridge and our client’s environments, validating threats, and leading our threat containment and recovery efforts. Seth also educates Aldridge clients on the threat landscape, creating cybersecurity advisories like these to update our clients on new threats, and steps they need to take to defend against them.