Microsoft 365 | Breaking Cybersecurity News | The Hacker News

A previously undocumented "phishing empire" has been linked to cyber attacks aimed at compromising Microsoft 365 business email accounts over the past six years. "The threat actor created a hidden underground market, named W3LL Store, that served a closed community of at least 500 threat actors who could purchase a custom phishing kit called W3LL Panel, designed to bypass MFA, as well as 16 other fully customized tools for business email compromise (BEC) attacks," Group-IB  said  in a report shared with The Hacker News. The phishing infrastructure is estimated to have targeted more than 56,000 corporate Microsoft 365 accounts and compromised at least 8,000 of them, primarily in the U.S., the U.K., Australia, Germany, Canada, France, the Netherlands, Switzerland, and Italy between October 2022 and July 2023, netting its operators $500,000 in illicit profits. Some of the prominent sectors infiltrated using the phishing solution include manufacturing, IT, consultin...

New research has disclosed what's being called a security vulnerability in Microsoft 365 that could be exploited to infer message contents due to the use of a broken cryptographic algorithm. "The [Office 365 Message Encryption] messages are encrypted in insecure Electronic Codebook ( ECB ) mode of operation," Finnish cybersecurity company WithSecure  said  in a report published last week. Office 365 Message Encryption (OME) is a security mechanism used to send and receive encrypted email messages between users inside and outside an organization without revealing anything about the communications themselves. A consequence of the newly disclosed issue is that rogue third-parties gaining access to the encrypted email messages may be able to decipher the messages, effectively breaking confidentiality protections. Electronic Codebook is one of the simplest modes of encryption wherein each message block is encoded separately by a key, meaning identical plaintext blocks wi...

Vulnerability Management (VM) has long been a cornerstone of organizational cybersecurity. Nearly as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. Yet, in recent years, the limitations of this approach have become increasingly evident.  At its core, Vulnerability Management processes remain essential for identifying and addressing weaknesses. But as time marches on and attack avenues evolve, this approach is beginning to show its age. In a recent report, How to Grow Vulnerability Management into Exposure Management (Gartner, How to Grow Vulnerability Management Into Exposure Management, 8 November 2024, Mitchell Schneider Et Al.), we believe Gartner® addresses this point precisely and demonstrates how organizations can – and must – shift from a vulnerability-centric strategy to a broader Exposure Management (EM) framework. We feel it's more than a worthwhile read an...

Microsoft on Thursday warned of a consumer-facing attack that made use of rogue OAuth applications deployed on compromised cloud tenants to ultimately seize control of Exchange servers and spread spam. "The threat actor launched credential stuffing attacks against high-risk accounts that didn't have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access," the Microsoft 365 Defender Research Team said. The unauthorized access to the cloud tenant permitted the adversary to register a malicious OAuth application and grant it elevated permissions, and eventually modify Exchange Server settings to allow inbound emails from specific IP addresses to be routed through the compromised email server. "These modifications to the Exchange server settings allowed the threat actor to perform their primary goal in the attack: sending out spam emails," Microsoft  said . "The spam emails were sent as part of a...

A "dangerous piece of functionality" has been discovered in Microsoft 365 suite that could be potentially abused by a malicious actor to mount attacks on cloud infrastructure and ransom files stored on SharePoint and OneDrive. The cloud ransomware attack makes it possible to launch file-encrypting malware to "encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker," Proofpoint  said  in a report published today. The infection sequence can be carried out using a combination of Microsoft APIs, command-line interface (CLI) scripts, and PowerShell scripts, the enterprise security firm added. The attack, at its core, hinges on a Microsoft 365 feature called AutoSave that creates copies of older file versions as and when users make edits to a file stored on OneDrive or SharePoint Online. It commences with gaining unauthorized access to a target user's SharePoint Online...

Microsoft 365 (M365), formerly called Office 365 (O365), is Microsoft's cloud strategy flagship product with major changes ahead, such as the deprecation of their legacy authentication protocols. Often stored on or saved to the device, Basic Authentication protocols rely on sending usernames and passwords with every request, increasing the risk of attackers capturing users' credentials, particularly if not TLS protected. Basic Authentication, while necessary for companies using legacy software, is unable to enforce MFA and is superseded by Modern Authentication. The legacy settings have been on Microsoft's radar to fix for years. In 2018,  Microsoft announced  it would introduce a series of changes — and ultimately deprecation — to its authentication controls as a means to help organizations mitigate the risk. These changes were set to take place over a number of years, and in September 2021,  they announced  that they will begin to permanently disable Basic Auth ...