Microsoft Office is one of the most widely used application suites in the world, yet in 2020 over one thousand vulnerabilities were identified in it, and 40% of those were privilege escalation vulnerabilities. One O365 application that you would particularly want to keep secure is Outlook. Outlook is the most used O365 application, with over 400 million users utilising the service. As a result, it is a highly sought-after target for attackers, since compromising it can yield internal business communications, files and even network information.
A common way Outlook is attacked is through its Outlook Web App (OWA) portal. This portal is susceptible to brute force attacks, and the risk increases when businesses don't update their outdated systems. In particular, OWA hosted on-premises is highly susceptible to these sorts of attacks because of the manual security configuration required, whereas OWA in O365 is secured by Microsoft, who constantly monitor and update their systems.
The general attack structure begins with a discovery phase in which attackers use port scanning tools to identify open ports on a target host. For the application to work as intended, the web ports must be open so that users can browse to the portal and log in; that exposure can't be avoided, and through numerous phishing methods attackers can obtain credentials with which to compromise the exposed application.
The easy fix for attacks like this is to implement multi-factor authentication (MFA). Brute force attacks rely on the ability to fail logon attempts 'silently', but since MFA sends a message to the user when a logon is attempted, attackers are far less able to carry out such attacks unnoticed. Furthermore, with Microsoft-provided monitoring such as Microsoft Cloud App Security (MCAS), these failed logon attempts are logged, and if a Managed Detection and Response service is in use, the security analyst can flag this behaviour as irregular and take appropriate action to neutralise the attacker.
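To make the logging point concrete, the following added example (not code from the original post, and not how MCAS itself works) shows the kind of detection logic an analyst or MDR pipeline would run over OWA logon events. The log lines are constructed for the example, the line format (timestamp, source IP, user, outcome) is a hypothetical simplification of a real OWA/IIS log, and the thresholds are assumptions to be tuned per environment. It flags three things a brute force attempt leaves behind: many failures from one source in a short window, failures spread across many accounts from one source (password spraying), and a success from a source that had already been flagged, which is the case an analyst most needs to act on.

```python
"""Sliding-window brute-force / password-spray detector for OWA logon events.

Added example with constructed sample data; the log format and thresholds are
assumptions, not Microsoft's or MCAS's own.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <source IP> <user> <FAIL|SUCCESS>"
SAMPLE_EVENTS = [
    "2020-06-01T09:00:01Z 203.0.113.10 alice FAIL",
    "2020-06-01T09:00:12Z 203.0.113.10 alice FAIL",
    "2020-06-01T09:00:25Z 203.0.113.10 alice FAIL",
    "2020-06-01T09:00:40Z 203.0.113.10 alice FAIL",
    "2020-06-01T09:00:58Z 203.0.113.10 alice FAIL",
    "2020-06-01T09:01:10Z 203.0.113.10 alice FAIL",
    "2020-06-01T09:01:30Z 203.0.113.10 alice SUCCESS",   # success after a burst of failures
    "2020-06-01T09:02:00Z 198.51.100.7 bob FAIL",
    "2020-06-01T09:02:05Z 198.51.100.7 carol FAIL",
    "2020-06-01T09:02:11Z 198.51.100.7 dave FAIL",
    "2020-06-01T09:02:17Z 198.51.100.7 erin FAIL",       # one source, many accounts
    "2020-06-01T09:03:00Z 192.0.2.5 frank FAIL",
    "2020-06-01T09:03:20Z 192.0.2.5 frank SUCCESS",      # ordinary typo-then-success
]

# Assumed thresholds; tune to the environment's normal failure rate.
FAIL_THRESHOLD = 5            # failures from one IP inside WINDOW -> brute force
SPRAY_THRESHOLD = 3           # distinct users failed from one IP inside WINDOW -> spray
WINDOW = timedelta(minutes=5)


def parse_event(line):
    """Split one constructed log line into (timestamp, ip, user, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def detect(events):
    """Return {ip: {finding, ...}} for every source IP that trips a rule.

    A per-IP list of recent failures acts as the sliding window; entries older
    than WINDOW relative to the current event are dropped before evaluating.
    """
    parsed = sorted((parse_event(line) for line in events), key=lambda e: e[0])
    recent_fails = defaultdict(list)   # ip -> [(timestamp, user), ...]
    findings = {}                      # ip -> set of finding names

    for ts, ip, user, outcome in parsed:
        if outcome == "SUCCESS":
            # A success from a source already flagged is the highest-priority signal.
            if "brute_force" in findings.get(ip, set()):
                findings[ip].add("success_after_failures")
            continue

        window = recent_fails[ip]
        window.append((ts, user))
        while window and ts - window[0][0] > WINDOW:
            window.pop(0)

        if len(window) >= FAIL_THRESHOLD:
            findings.setdefault(ip, set()).add("brute_force")
        if len({u for _, u in window}) >= SPRAY_THRESHOLD:
            findings.setdefault(ip, set()).add("password_spray")

    return findings


if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE_EVENTS).items():
        print(ip, sorted(reasons))
```

Run as-is it reports 203.0.113.10 as brute force followed by a success, 198.51.100.7 as a password spray, and nothing for 192.0.2.5, whose single failure is normal user behaviour. In a real deployment the same two counters (failures per source, distinct accounts per source) are what a SIEM or MCAS policy would be configured around; the value of MFA is that even the "success_after_failures" case here does not by itself yield mailbox access.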
Another common fix is to block direct web access to OWA and make it reachable only over an established virtual private network (VPN) connection. This makes it almost impossible for attackers to exploit, because the OWA portal would not even show up in a port scan or through directory enumeration; the portal is effectively hidden. In addition, a penetration test can provide this insight for customers, since 'pen testers' use the same methodology as malicious hackers. This gives the customer a decisive answer as to how the portal is exposed to the public and how it could be exploited.
O365 applications are a valuable target for attackers, given the level of sensitive files and contacts within the system. Applications such as on-premises OWA and O365 cloud apps exposed to the Internet are important attack vectors, and securing that exposure with a VPN or by enabling MFA can prevent these attacks and reduce the attack surface.