Office 365 May Be Popular Target for Bad Actors, But Difficult to Hit
A new Data Security Incident Response report from Baker & Hostetler shows that hackers are gravitating toward Office 365, possibly in the hopes of stealing contact information or reselling account access online.
May 01, 2020 at 11:30 AM
A takeover of Microsoft Office 365 accounts may be the first item on the to-do list of bad actors who have breached an organization's cybersecurity. Baker & Hostetler released its 2020 Data Security Incident Response Report on Thursday, indicating that ransomware is thriving with the help of stolen contact lists pilfered from underprotected accounts.
The report is based on information gleaned from 950 cyber incidents that Baker & Hostetler consulted on over the course of 2019. In 31% of the cases featured, bad actors initiated an Office 365 account takeover after the initial breach. Deployment of ransomware was the next most common step (24%), followed by the installation of malware (13%).
But why did an Office 365 takeover comprise the largest percentage of cases? Craig Hoffman, editor of the report and leader of Baker & Hostetler's digital risk advisory and cybersecurity team, said the additional contacts and email addresses stored inside an Office 365 account can provide hackers with their next targets for phishing or other schemes. But there's also the potential for immediate gratification.
"[Bad actors] run searches to look for invoices so they can trick people into wiring money out, and they are very effective at doing that. And then they sometimes sell off access to the account. … There are about 15 different flavors of what people do when they get access to your account," Hoffman said.
This could be of some concern to law firms or corporate legal environments, where Office 365 is often a popular choice. However, those accounts aren't low-hanging fruit if set up properly. Hoffman indicated that if multifactor authentication protocols are correctly installed, it would be very difficult for hackers to gain entry to accounts.
But even if Office 365 accounts are secured, ransomware is hardly a preferable problem for organizations to navigate, especially as the dollar amounts involved continue to increase. In the 2018 report, the average ransomware payment was $28,920, but that figure increased dramatically in 2019 to $302,539.
The sudden inflation could reflect the more aggressive tactics that purveyors of ransomware have begun to deploy. Hoffman pointed out that bad actors have typically used ransomware to cut an organization off from data in its system, with the access key held hostage. Now, hacker groups such as Maze are imposing additional pressure on victims by threatening to publish stolen data online.
The Texas-based firm of Baker Wotring experienced this firsthand last February after Maze hacked its "client site" and published such sensitive data as Health Insurance Portability and Accountability Act consent forms and fee agreements online. That same month, Maze also attacked three South Dakota law firms: Bangs McCullen; Lynn, Jackson, Shultz & Lebrun; and Costello Porter.
"We're seeing more groups steal data before they encrypt data," Hoffman said.
As for how organizations are faring in detecting ransomware and other intrusions, the report lists the average time that passes between the occurrence and discovery of an intrusion at around 90 days. The average number of days to contain a threat, however, increased from 10 days in 2018 to 14 days in 2019.
Both those numbers are more encouraging than statistics featured in a recent report by e-discovery provider Special Counsel, which placed the U.S. average for identifying a breach at 206 days, with the average containment time at 73 days. Still, confusion around figures such as these may be par for the course, since information technology personnel, for example, may view timelines differently than other members of an organization.
"What they don't account for is when their tools fail. A goalie is going to stop 99 out of 100 shots. In a security context, when they miss a shot and something gets past the goalie, it sits undetected for a long time," Hoffman said.
© 2024 ALM Global, LLC, All Rights Reserved.