Microsoft Office 365 a Major Supply Chain Attack Vector 

Performance issues are not the only concern users have about Microsoft Office 365 and Azure cloud services: the office productivity suite also represents a major threat vector and an attractive target for network and supply chain attacks. 

On a quantitative level, Office 365 draws over 250 million active users, according to Microsoft statistics. Attackers can thus assume that a certain percentage of these users lack proper security protection and, as a bonus, often serve as an easy entry point into an organization’s Azure cloud data, including APIs. A conservative estimate, for example, might peg the percentage of vulnerable machines at 10% (what counts as “vulnerable” varies with the talents of the hacker, a group that can also include ethical hackers), which would represent over 25 million easy targets to penetrate.

All told, a global survey of 1,112 security professionals revealed how network attackers consistently bypass security protection, such as multi-factor authentication (MFA), according to cybersecurity firm Vectra, which gathered and analyzed the data in the report.

“Emerging threat detection trends involve following the attackers’ shift in focus to increasingly include the cloud as part of their attack progression–sometimes the cloud is an entry point to establish the foothold necessary to attack a traditional datacenter target, sometimes the data and services that exist in the cloud are central to an attacker’s objectives,” said Tim Wade, technical director, CTO Team at Vectra. “Regardless of whether the cloud plays a point in the beginning, middle or end of an attack, security leaders need to both establish adequate visibility and have a means to discover an attack progression before material damage is done.”

In Vectra’s report, Wade described how 2020 saw the cloud transformation roadmaps and timeframes for most organizations compressed from years to months, and “Office 365 adoption was a major part of that,” said Wade. “Our focus on Azure and Office 365 reflects that transformation, and the importance for security leaders to have an effective strategy to balance the risks present in that new frontier with the obvious business benefits.”

Supply chain infrastructure attacks are especially important, as attackers are increasingly able to bypass authentication controls that are often ineffective, for example by forging SAML tokens to first gain access to a user’s Office 365 account. This type of attack may not necessarily trigger an alarm if the proper security platform and tools are not in place.

“Supply chain attacks exploit trust, and many security programs rely on preventing things from going wrong but stumble when something finally does. A supply chain attack presents an opportunity to bypass 99% of the security investments of organizations like that and go straight for the throat,” said Wade. “This sort of prevention-focused security philosophy has been shown to fail time and time again–effective programs focus instead on assuming the breach, and building resilience against the inevitable.”

Supply chain security will, therefore, continue to be an issue for many organizations in the future, said Jack Mannino, CEO at cybersecurity firm nVisium. “In addition to traditional software security testing techniques, such as penetration testing and code reviews, a growing number of businesses may be interested in understanding how software behaves through malicious code reviews,” said Mannino. “These types of tests explore the probability that software contains embedded malware, through malicious code commits or by compromised third-party dependencies.”

For the software development process, it is also critical not to forget that security lockdown processes—and tools—need to start from the very beginning of the production pipeline. Software development tools used with Azure, for example, must also be checked and monitored to help reduce potential weak links in the supply chain.

“Poor security practices during the software life cycle can lead to a defining moment when cybercriminals take advantage of a vulnerability,” Rajeev Gupta, co-founder and chief product officer, Cowbell Cyber, said. “Patching and vulnerability management is important, but vetting suppliers, including each of the software vendors in your supply chain, is essential for effective risk management.”

B. Cameron Gain

B. Cameron Gain is the founder and owner of ReveCom Media Inc. (www.revecom.io), which offers competitive analysis and testing services for software tools used by developer, operations and security teams. He first began writing about technology when he hacked the Commodore 64 family computer in the early 1980s and documented his exploit. Since his misspent youth, he has put his obsession with software development to better use by writing thousands of papers, manuals and articles for both online and print. His byline has appeared in Wired, PCWorld, Technology Review, Popular Science, EEtimes and numerous other media outlets.