Office 365 MitM attack and Varonis protection

Last week, I had the opportunity to participate in a live session in French as official Speaker Varonis about Security, Data Protection & Governance as Varonis Elite member at SECURE IT DAY 2020 with Pierre-Antoine FAILLY (Security Architect – Varonis). We are seeing an uptick in adversaries using a very tricky Man-in-the-Middle (MitM) attack to bypass MFA and breach Office 365 tenants. So, during the session, we have shown how an attacker obtains access to SharePoint Online using a phishing attack.

What is a Man-in-the-Middle (MitM) Attack?

MitM attacks are attempts to “intercept” electronic communications, to snoop on transmissions in an attack on confidentiality or to alter them in an attack on integrity.

It starts with a phishing email that lures a victim to a fake Office 365 login page where the attacker can snoop on the credentials used to access data, even breaking through two-factor authentication (MFA). Users might have no idea anyone’s watching, but the attacker can use the technique to get access to systems and data both in the cloud and inside the Datacenter if they know what they’re doing.


Screenplay:

  • We trick a user into entering creds into our fake O365 login page (made with evilginx),
  • We make Microsoft send a passcode to the user,
  • User enters their passcode on our fake page,
  • We hijack the user’s session token,
  • Gain access to SharePoint Online environment,
  • Exfiltrate data from Office 365,
  • Pivot to on-prem and steal CEO’s emails,

Advanced Phishing – MFA Bypass:


Step 1 – Initial implantation:

Using advanced phishing, the attacker bypasses the “MFA”. A user spoof to download the sensitive file for this SharePoint account.

Varonis threat models:

  • Unreasonable geolocation activity from a new geolocation connection from an anonymous or malicious IP address.
  • Access to an unusual amount of inactive/sensitive data. Unusual number of sensitive / GDPR files shared with external users. Abnormal download from SharePoint

Step 2 – Lateral move using SharePoint file sharing:

The attacker downloads a Word document containing a malicious macro in SharePoint. He shares the document with the victim’s mates. When the file is opened, the macro code downloads the malware from the Internet. The attacker gets access to the users’ final points.

Varonis threat model:

  • Malicious malware download (for each compromised workstation.

Step 3 – Data exfiltration:

Basically, the attacker now has Remote Shell access to several machines in the organization. Scans and exiles sensitive files on the Internet.

Step 4 – Privilege escalation on Exchange:

One of the infected victims is an IT manager. The attacker uses his account to gain access to the CEO’s mailbox.

Varonis threat models:

  • Abnormal admin behavior: access to atypical mailboxes The authorization was modified on the CEO’s mailbox.
  • Access to mailboxes with atypical frames by a user other than the owner.

Finally, with Varonis software, you can:

  • Display an End-to-end attack,
  • Cloud and on-premise from a single interface,
  • Correlation with files,
  • View which sensitive data has been accessed and stolen,
  • Immediate correlation between different data flows DS, SPO, Proxy, Exchange.

Varonis allows to increase productivity, sustainably, reduces risk, and lowers your cost. The products automate time-consuming data management and protection tasks and extract valuable insights from your human-generated data (unstructured data).


Security and Data Governance with Varonis: Blog post

Vanguard Summit 2019 – Vanguard Summit 2019 – NAS Backup Sneak peek!!

Step by Step Guide Veeam Backup for Office365 v2 Installation – Step by Step Guide!

VeeamON 2019 Coverage – v10 is coming!

MUG – Microsoft User Group – First event in Monaco! Join us!.

 
 


Christopher GLEMOT

Data Protection & Governance Team Leader | Technical specialist around Data, Security, Backup, Disaster Recovery, Cloud, Virtualization and Storage | Veeam Vanguard 2016-19 & VMCE | Founder of ArmoricanCloud.com | Owner of original-network.com
Please follow and like us:
Advertisement

Leave a Reply

error

Enjoy this blog? Please spread the word :)