
phishing attacks and exploits

If someone manages to compromise your user credentials/account via a phishing email (an Office 365 email account in this case), what is their typical objective(s) in doing so, and how would they typically follow that through to the next stage? I would have assumed that if their target were to steal emails they would not just casually start forwarding them on to an external address? Trying to determine what they may or may not do if they do get a victim's credentials would be interesting. There must be something in it for them, but to determine what that is and how they execute 'phase 2' once access is achieved would be most useful.

A lack of information provides a lack of a decent solution.
CERTIFIED EXPERT
Commented:

Money,


If it were me, I'd yank the entire address book, I'd find someone in the finance department and perform social engineering on them, get approval from management to transfer funds (for example, hack one person, then get a director or something) and then go from there.


I mean, that's.... Never mind, it's money they are after, or maybe just the challenge.


regards

Alex

Author

Commented:
>I'd yank the entire address book

Would Exchange/Office 365 capture yanking of the address book, though? Or could that be done discreetly with access?
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Persistence is something you want to maintain, so attempt compromising a number of other users.

Then at least one of the following:
  • Grab address book. May sell this info later.
  • See what company systems you can access.
  • Look for high value data.
  • Attempt changing payroll data.
  • Scan emails for customers, and trick someone into changing the account they send money to.

Author

Commented:
'Then at least one of the following' - I assume this would all be automated, not a manual process by whoever got the compromised credentials, and typically sophisticated enough to leave few traces of what they did.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Azure logs would have at least some information to assist. But count on them covering their tracks.

Author

Commented:
>Azure logs would have at least some information to assist

Would they just be connections, though, rather than specific actions?

>But count on them covering their tracks.

What kind of techniques would they use to cover their tracks if they'd only compromised a standard user account?
Brian BEE, Topic Advisor, Independent Technology Professional
CERTIFIED EXPERT
Commented:

What kind of techniques? Normally, things so you couldn't discover what they sent, such as removing sent and deleted items. In some cases they would try and download the whole mailbox so they can look over it offline.


Also, if the account was a normal user but the hacker didn't know that, there might be an increased number of attempts by the compromised account to access things it shouldn't, like servers, file shares, etc.


… "normal user account"... Ah, but you administrators have separate admin accounts from the user accounts... and those accounts don't have email, right? (best practice)

btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:

I am thinking of the possible threat scenarios below.


1. ...hackers often use stolen passwords from personal email accounts to gain access to business email. Then there’s the problem of simplistic passwords which can be “brute-forced” using applications that use dictionary lists and variations to quickly crack them with relative ease. Businesses that require users to change their passwords every month or two play into this scenario as users will often end up with the same word but just numerically incremented so they can remember them.


2. ...once an account has been compromised, the hackers don’t usually launch an immediate attack. Rather they bide their time to “monitor email and track activity in the company, to maximize the chances of executing a successful attack.” During this reconnaissance phase of an attack, cybercriminals will even set up new mailbox rules to hide or delete those emails they have sent from the compromised account.


3.... Compromised accounts are also used to launch external attacks targeting partners and customers, with conversation hijacking, hackers insert themselves into important conversations or threads, such as during a wire transfer or other financial transaction.”

Author

Commented:
>What kind of techniques? Normally, things so you couldn't discover what they sent, such as removing sent and deleted items

>During this reconnaissance phase of an attack, cybercriminals will even set up new mailbox rules to hide or delete those emails they have sent from the compromised account.

Thank you for your input, but would they really be able to wipe/hide entries from central message trace logs if all they compromised was a standard user account? I assume an admin could, but not a standard user. The downloading of the mailbox makes some sense, though, to avoid detection, whereas forwarding of emails is more likely to leave a trace. Just interested technically in how they would do such a thing with standard user privileges.
CERTIFIED EXPERT
Commented:
1. ...hackers often use stolen passwords from personal email accounts to gain access to business email. Then there’s the problem of simplistic passwords which can be “brute-forced” using applications that use dictionary lists and variations to quickly crack them with relative ease. Businesses that require users to change their passwords every month or two play into this scenario as users will often end up with the same word but just numerically incremented so they can remember them.

Been there, done that

In the past, email accounts have had to be reset or even changed in some cases due to the accounts being compromised, because users were phished and used a familiar password for everything.

Now nobody knows their email password; for that matter, they don't even know their email login account.
Email addresses will never lead to a successful login because they have next to nothing in common with the login credential.

Email - john.doe@somecompany.com - actual user-id: doejohn.dsO43s.xTX  password: $d34Dn$!W
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:

If it is not an insider doing it, the audit trails would have surfaced it, and the details can be articulated in the RecordType and more; just make sure it has not been overridden and is still there.

https://docs.microsoft.com/en-gb/microsoft-365/compliance/detailed-properties-in-the-office-365-audit-log


But many a time, either auditing is not enabled or it has been modified due to an upgrade, misconfiguration, etc. In short, it is not foolproof.


As you mention, the technicalities are of interest, and you can find them below.


The release of a security research tool called Ruler enables an attacker to install a persistence mechanism once an account has been breached to maintain access even through a password roll.


https://docs.microsoft.com/en-gb/archive/blogs/office365security/defending-against-rules-and-forms-injection


Another is via such an interface. The key is that even user mode is good enough to do very stealthy stuff.


The Microsoft Messaging Application Programming Interface (MAPI), is “… a set of functions that mail-enabled and mail-aware applications use to create, manipulate, transfer, and store mail messages….”. Furthermore, according to Microsoft “… MAPI also provides a common interface that application developers can use to create mail-enabled and mail-aware applications independent of the underlying messaging system.”
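As an added, defender-side illustration that is not part of this thread and not Microsoft's own tooling: the hide-by-mailbox-rule behaviour described in point 2 of the threat scenarios earlier in the thread, and the audit-trail discussion in the answer above, can both be checked in code. The script below walks a handful of constructed Office 365 unified audit log records (the AuditData JSON that Search-UnifiedAuditLog returns; field names follow the documented schema, but the users, IPs, internal domain list, keyword list, parking-folder list and thresholds are assumptions for this example) and flags inbox rules that delete or park mail or forward it outside the organisation, Set-Mailbox forwarding changes, and bulk deletions from a folder such as Sent Items.

```python
"""Flag inbox-rule, forwarding and mass-deletion activity in Office 365 audit records.

Each input item is one AuditData record (the JSON blob returned by
Search-UnifiedAuditLog), as a JSON string or an already-parsed dict.
Field names follow the documented audit schema; all sample data is constructed.
"""
import json
import re
from collections import defaultdict

INTERNAL_DOMAINS = {"somecompany.com"}          # assumption: our own mail domains
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remittance", "transfer"}
PARKING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Constructed sample records: users, tenant and IPs are invented.
SAMPLE_AUDIT_DATA = [
    {"CreationTime": "2020-03-02T08:14:11", "Operation": "New-InboxRule", "RecordType": 1,
     "Workload": "Exchange", "UserId": "alice@somecompany.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2020-03-02T08:20:45", "Operation": "Set-Mailbox", "RecordType": 1,
     "Workload": "Exchange", "UserId": "bob@somecompany.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Identity", "Value": "bob"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2020-03-02T09:02:00", "Operation": "New-InboxRule", "RecordType": 1,
     "Workload": "Exchange", "UserId": "carol@somecompany.com", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@somecompany.com"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
] + [
    # Three HardDelete records from Sent Items by the same user, two items each.
    {"CreationTime": f"2020-03-02T08:3{i}:00", "Operation": "HardDelete",
     "Workload": "Exchange", "UserId": "alice@somecompany.com", "ClientIP": "203.0.113.7",
     "Folder": {"Path": "\\Sent Items"},
     "AffectedItems": [{"Subject": f"RE: invoice {i}a"}, {"Subject": f"RE: invoice {i}b"}]}
    for i in range(3)
]


def params(record):
    """Flatten the Parameters list [{Name, Value}, ...] of an ExchangeAdmin record."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def external_addresses(value):
    """Addresses in a parameter value whose domain is not one of ours."""
    return [a for a in ADDR_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def check_rule(p):
    """Reasons a New-InboxRule / Set-InboxRule call looks like hiding or exfiltration."""
    reasons = []
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching mail")
    folder = p.get("MoveToFolder", "")
    if folder.lower() in PARKING_FOLDERS:
        reasons.append(f"rule parks mail in '{folder}'")
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in external_addresses(p.get(key, "")):
            reasons.append(f"{key} sends mail outside the org to {addr}")
    words = (p.get("SubjectContainsWords", "") + ";" + p.get("BodyContainsWords", "")).lower()
    if any(w in words for w in FINANCE_WORDS):
        reasons.append("rule filters on finance keywords")
    if len(p.get("Name", "")) <= 2:
        reasons.append(f"rule name {p.get('Name')!r} is suspiciously short")
    return reasons


def check_mailbox_forward(p):
    """Reasons a Set-Mailbox call looks like mailbox-level forwarding out of the org."""
    return [f"{key} set to external address {addr}"
            for key in ("ForwardingSmtpAddress", "ForwardingAddress")
            for addr in external_addresses(p.get(key, ""))]


def analyse(audit_items, delete_threshold=20):
    """Return findings for rule/forwarding changes and for bulk deletes per (user, folder)."""
    findings, deletes = [], defaultdict(int)
    for item in audit_items:
        rec = json.loads(item) if isinstance(item, str) else item
        user, op, p = rec.get("UserId", "?"), rec.get("Operation", ""), params(rec)
        reasons = []
        # UpdateInboxRules (rules edited from the Outlook client) logs a different shape; not handled here.
        if op in ("New-InboxRule", "Set-InboxRule"):
            reasons = check_rule(p)
        elif op == "Set-Mailbox":
            reasons = check_mailbox_forward(p)
        elif op in ("HardDelete", "SoftDelete", "MoveToDeletedItems"):
            folder = rec.get("Folder", {}).get("Path", "")
            deletes[(user, folder)] += len(rec.get("AffectedItems", [])) or 1
        if reasons:
            findings.append({"user": user, "operation": op,
                             "time": rec.get("CreationTime"), "reasons": reasons})
    for (user, folder), n in deletes.items():
        if n >= delete_threshold:
            findings.append({"user": user, "operation": "bulk delete", "time": None,
                             "reasons": [f"{n} items removed from '{folder}' (threshold {delete_threshold})"]})
    return findings


if __name__ == "__main__":
    # Threshold lowered to 5 only because the sample holds six deletes.
    for f in analyse(SAMPLE_AUDIT_DATA, delete_threshold=5):
        print(f"{f['user']:25} {f['operation']:15} {'; '.join(f['reasons'])}")
```

Run against the sample, the script reports alice's delete-and-hide rule (three reasons), bob's external forwarding address and alice's six deletions from Sent Items, while carol's newsletter rule passes. Two caveats worth keeping in mind when adapting it: rule changes made from the Outlook desktop client are logged as UpdateInboxRules with a different parameter layout, and, as noted above, none of this helps if mailbox auditing was never enabled or the retention window has already expired.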