Threat Actor Actions After Compromising an Office 365 Mailbox

Detailed Descriptions of Threat Actor Actions

The following section provides in-depth explanations of the various actions a threat actor might take after compromising an Office 365 mailbox. Each category from the mind map above is detailed below, with examples and real-world incidents where applicable. Understanding these potential threats is crucial for developing effective security measures.

Phishing Attacks

Phishing attacks involve using the compromised mailbox to send deceptive emails aimed at tricking recipients into revealing sensitive information or performing actions that compromise security.

Internal Users

Internal phishing targets colleagues within the same organization. The attacker leverages the trust between employees to send spear-phishing emails, often impersonating a high-level executive like the CEO. These emails may request urgent actions, such as transferring funds or sharing confidential data, exploiting the recipient's inclination to comply with authority figures.

External Users

External phishing targets clients, partners, or other external contacts. The attacker sends spoofed emails that appear to come from the compromised account, often containing malicious links or attachments. A common tactic is invoice scams, where fake invoices are sent to trick recipients into making payments to fraudulent accounts.

Lateral Phishing

Lateral phishing involves using the compromised account to target other Office 365 tenants. By exploiting the trust between organizations, the attacker can send phishing emails to external domains, potentially compromising multiple organizations. This tactic was notably observed in 2019 campaigns targeting various industries.

Stealing Data

Once inside the mailbox, the attacker can exfiltrate sensitive information, including emails, attachments, and credentials, which can be used for further attacks or sold on the dark web.

Email Data

The attacker can search for and download emails containing sensitive information, such as financial records, personally identifiable information (PII), or strategic business plans. In 2020, a major data breach at a financial institution was traced back to a compromised Office 365 mailbox, where thousands of emails were exfiltrated, leading to significant financial and reputational damage.

Attachments

Confidential files attached to emails, such as contracts, legal documents, or intellectual property, can be downloaded by the attacker. These files often contain valuable information that can be exploited for competitive advantage or blackmail.

Credential Harvesting

The attacker can extract credentials that were shared in email threads or stored in the mailbox. This can provide access to other systems or accounts, amplifying the scope of the breach.

Accessing Connected Services

With access to the mailbox, the attacker can leverage single sign-on (SSO) to access other Office 365 services, potentially gaining entry to sensitive data stored in those platforms.

SharePoint Online

SharePoint Online often hosts critical business documents, such as financial reports, strategic plans, or intellectual property. In 2020, several organizations reported breaches where attackers downloaded confidential files from SharePoint after compromising an employee's mailbox.

OneDrive Online

OneDrive stores personal and company files in the cloud. An attacker can access and steal these files, which may include sensitive personal data or proprietary business information.

Other Apps

Through SSO, the attacker can access other integrated applications like Microsoft Teams, Power BI, or third-party tools (e.g., CRM systems). This can lead to further data exfiltration or manipulation of business processes.
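The exfiltration described in the Stealing Data and Accessing Connected Services sections leaves a trace in the tenant's audit log as a cluster of file downloads in a short time. The script below is an added defender-side example (not code from the original article) that flags per-user download bursts with a sliding window. The audit records are constructed for the demo, and the field names used (Operation, Workload, UserId, CreationTime, ObjectId) are assumed to follow the Unified Audit Log layout; the window and threshold are illustrative values to tune per tenant.

```python
"""Flag bulk-download bursts in SharePoint/OneDrive audit events.

Added example, not from the original article. Records are constructed and
simplified; the fields used (Operation, Workload, UserId, CreationTime,
ObjectId) are assumed to follow the Unified Audit Log layout.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: these operation names are the ones worth counting as downloads.
DOWNLOAD_OPERATIONS = {"FileDownloaded", "FileSyncDownloadedFull"}
WINDOW = timedelta(minutes=10)   # illustrative sliding window
THRESHOLD = 20                   # downloads inside one window that warrant review
TIME_FMT = "%Y-%m-%dT%H:%M:%S"


def build_sample_records():
    """Constructed sample audit records: one bulk downloader, one normal user."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    records = []
    # alice pulls 25 files from the Finance site in five minutes (12 s apart).
    for i in range(25):
        records.append({
            "Operation": "FileDownloaded", "Workload": "SharePoint",
            "UserId": "alice@contoso.example",
            "CreationTime": (base + timedelta(seconds=12 * i)).strftime(TIME_FMT),
            "ObjectId": f"https://contoso.example/sites/finance/Shared Documents/report-{i:02}.xlsx",
        })
    # bob opens three OneDrive files spread over forty minutes.
    for m in (0, 20, 40):
        records.append({
            "Operation": "FileDownloaded", "Workload": "OneDrive",
            "UserId": "bob@contoso.example",
            "CreationTime": (base + timedelta(minutes=m)).strftime(TIME_FMT),
            "ObjectId": "https://contoso-my.example/personal/bob_contoso_example/Documents/notes.docx",
        })
    # A non-download operation that must be ignored.
    records.append({
        "Operation": "FileAccessed", "Workload": "SharePoint",
        "UserId": "alice@contoso.example",
        "CreationTime": base.strftime(TIME_FMT),
        "ObjectId": "https://contoso.example/sites/finance/Shared Documents/index.aspx",
    })
    return records


def _site_of(object_id):
    """Extract the SharePoint site name from a document URL, if present."""
    if "/sites/" not in object_id:
        return None
    return object_id.split("/sites/", 1)[1].split("/", 1)[0]


def download_bursts(records, window=WINDOW, threshold=THRESHOLD):
    """Return the first burst per user whose download count in `window` reaches `threshold`."""
    by_user = defaultdict(list)
    for rec in records:
        if rec.get("Operation") in DOWNLOAD_OPERATIONS:
            by_user[rec["UserId"]].append(
                (datetime.strptime(rec["CreationTime"], TIME_FMT), rec["ObjectId"]))

    bursts = []
    for user, events in by_user.items():
        events.sort()
        recent = deque()                     # events inside the current window
        for ts, obj in events:
            recent.append((ts, obj))
            while ts - recent[0][0] > window:  # drop events that fell out of the window
                recent.popleft()
            if len(recent) >= threshold:
                sites = sorted({s for _, o in recent if (s := _site_of(o))})
                bursts.append({"user": user, "count": len(recent),
                               "start": recent[0][0].isoformat(),
                               "end": ts.isoformat(), "sites": sites})
                break                        # one alert per user is enough for triage
    return bursts


if __name__ == "__main__":
    for b in download_bursts(build_sample_records()):
        print(f"{b['user']}: {b['count']} downloads between {b['start']} and "
              f"{b['end']} from sites {b['sites']}")
```

The same function can be pointed at exported audit records; lowering the threshold or widening the window trades noise for sensitivity, and the `sites` field tells the responder which libraries to review first.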

Sharing Malicious Content

The attacker can use Office 365 services to distribute malicious content, leveraging the trust associated with the compromised account to bypass security measures.

OneDrive

By uploading malware-laden files to OneDrive and sharing links with unsuspecting users, the attacker can spread malware within the organization or to external contacts.

OneNote

OneNote notebooks can be used to embed malicious scripts or links. Shared notebooks can serve as a vector for phishing or malware distribution.

SharePoint

The attacker can create SharePoint sites or pages with embedded malware or phishing forms, tricking users into entering sensitive information or downloading malicious content.

Setting Up Mailbox Rules

Mailbox rules can be manipulated to automate data theft, hide malicious activity, or maintain persistent access to the compromised account.

Forwarding Emails

The attacker can set up rules to automatically forward specific emails (e.g., those containing keywords like 'invoice' or 'payment') to an external address, allowing continuous data theft without maintaining direct access.

Deleting Emails

Rules can be created to delete emails that might alert the user to suspicious activity, such as notifications about account changes or security alerts, helping the attacker cover their tracks.

Hiding Activity

By setting rules that move certain emails out of the Inbox or mark them as read, the attacker can hide their presence and avoid detection, making it harder for the user to notice unusual activity in their mailbox.
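The three rule abuses above (external forwarding, deletion of tell-tale mail, and hiding mail by marking it read or moving it aside) all show up as rule-creation or rule-modification events in the tenant's audit log. The script below is an added example from a defender's perspective, not code from the original article: it triages such events for those patterns plus a common companion indicator, a rule with a near-empty name. The records are constructed; their shape (Operation, UserId, and a Parameters list of Name/Value pairs using the inbox-rule parameter names) follows the Exchange admin-audit layout but is an assumption, as are the internal-domain set, the keyword list and the folder list.

```python
"""Triage Exchange Online inbox-rule audit events for abuse patterns.

Added example, not from the original article. The records below are
constructed; their shape (Operation, UserId, Parameters as Name/Value pairs)
follows the Exchange admin-audit layout but is an assumption for this demo.
"""
import re

# Assumption: the tenant's own e-mail domains. Anything else is "external".
INTERNAL_DOMAINS = {"contoso.example"}

# Folders where a moved message is unlikely to be noticed by the mailbox owner.
LOW_VISIBILITY_FOLDERS = {"rss subscriptions", "junk email", "deleted items",
                          "archive", "conversation history"}

# Words that suggest a rule is aimed at account-security notifications.
SECURITY_TERMS = ("password", "security", "sign-in", "verification", "mfa", "unusual")

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords", "FromAddressContainsWords")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Constructed sample records (simplified audit-log shape).
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment"},
                    {"Name": "ForwardTo", "Value": "drop@mail-drop.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Security notices"},
                    {"Name": "FromAddressContainsWords", "Value": "security;noreply"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Team newsletter"},
                    {"Name": "FromAddressContainsWords", "Value": "newsletter@contoso.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "New-InboxRule", "UserId": "dave@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "a"},
                    {"Name": "SubjectContainsWords", "Value": "password;sign-in;verification"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "MailItemsAccessed", "UserId": "erin@contoso.example", "Parameters": []},
]


def rule_params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_true(value):
    return str(value).strip().lower() == "true"


def external_addresses(value):
    """Return forwarding targets whose domain is not one of ours."""
    return [a for a in EMAIL_RE.findall(value or "")
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def triage_rule(record):
    """Return the list of findings for one inbox-rule audit record."""
    params = rule_params(record)
    findings = []
    if any(external_addresses(params.get(p)) for p in FORWARD_PARAMS):
        findings.append("external-forward")
    if is_true(params.get("DeleteMessage")):
        findings.append("deletes-mail")
    if is_true(params.get("MarkAsRead")) or \
            params.get("MoveToFolder", "").lower() in LOW_VISIBILITY_FOLDERS:
        findings.append("hides-mail")
    words = [w.strip().lower() for p in KEYWORD_PARAMS
             for w in (params.get(p) or "").split(";") if w.strip()]
    if any(term in w for w in words for term in SECURITY_TERMS):
        findings.append("targets-security-notices")
    name = params.get("Name", "").strip()
    if len(name) <= 2 or not any(c.isalnum() for c in name):
        findings.append("obscure-name")
    return findings


def triage(records):
    """Summarise every rule creation/modification record that has findings."""
    results = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue                      # other operations are out of scope here
        findings = triage_rule(rec)
        if findings:
            results.append({"user": rec["UserId"],
                            "rule": rule_params(rec).get("Name", ""),
                            "findings": findings})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_RECORDS):
        print(f"{r['user']}: rule {r['rule']!r} -> {', '.join(r['findings'])}")
```

Carol's newsletter rule produces no findings, which is the point of separating the checks: a rule that moves mail to an ordinary folder is routine, while a rule that forwards outside the tenant, deletes mail, or targets security notifications deserves a look regardless of who created it.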

Attempting Fraud

Using the compromised account, the attacker can engage in various forms of financial fraud, exploiting the trust and authority associated with the account holder's identity.

Invoice Fraud

The attacker can send fake invoices to clients or partners, tricking them into making payments to fraudulent accounts. This is a common tactic in Business Email Compromise (BEC) scams.

Payroll Diversion

By altering payroll information, the attacker can redirect employee salaries or bonuses to their own accounts, a tactic that has been used in several high-profile fraud cases.

Gift Card Scams

Pretending to be an executive, the attacker can request that employees purchase gift cards and share the codes, which can then be redeemed or sold for profit.