Forum Discussion

Cian Allner's avatar
Cian Allner
Silver Contributor
Oct 05, 2017

KnockKnock cyber attack on Office 365 Exchange Online email accounts

It's been reported there is an ongoing cyber attack against Office 365 Exchange Online mailboxes called KnockKnock. 

 

Not to sensationalize any reports but I think it's worth reviewing some of the outcomes to highlight the methods involved, which I have tried to summarize below along with a few best practices that can disrupt much of this. 

 

  • Apparently, the KnockKnock campaign started in May 2017 and is ongoing, reportedly widespread though the bulk of the activity was from June to August.
  • Attacks are targeted rather than a mass strike, with system accounts the aim, as these are typically are less well protected like with a poor password policy or lacking MFA etc, yet these accounts often have elevated rights. Examples given include service, automation and internal tool accounts as well as distribution lists and shared and delegated mailboxes.  The attack is very low key and designed to avoid detection.
  • Once an account has been comprised, an inbox rule is setup for data exfiltration, then the attack tries to spread via a phishing campaign using the infected inbox.

Source

 

Here are a few tips, from my perspective that makes some sense:

 

  • Don't skimp on security with service, system, middleware, automation accounts etc., have strong measures in place to protect them.
  • Minimize the use of these ‘non-human’ system accounts, give them no more rights than they need, track their usage and retire them as systems are no longer needed.
  • Look at the Client External Rules Forwarding Block that Secure Score can implement easily on your behalf, that stop email rules forwarding outside the organization
  • Protect privileged accounts with all the means available, MFA for Admins (at least), just in time administration for these accounts where available, see options here -  Securing privileged access in Azure AD

 As Tony Redmond revealed via an Ignite stat "only 0.73% of Office 365 administrative accounts are protected by multi-factor authentication", which is disappointingly low and make attacks like this, that bit easier to pull off.

  • C_the_S's avatar
    C_the_S
    Bronze Contributor

    As Tony Redmond revealed via an Ignite stat "only 0.73% of Office 365 administrative accounts are protected by multi-factor authentication", which is disappointingly low and make attacks like this, that bit easier to pull off.


     

    Until Microsoft makes it so that MFA is usable throughout ALL its services I won't be using it. So they only have themselves to blame.

Resources