Just as they did with PowerShell for Windows, threat actors are abusing native O365 capabilities for lateral movement, command-and-control communication, and other malicious activity.
With more than 258 million active users users per month, Microsoft’s Office 365 environment — like several other Microsoft technologies — has become a popular target for attackers.
Vectra AI recently analyzed data gathered from over 4 million Office 365 accounts between June and August. The security vendor found attackers are widely using Office 365 accounts to move laterally to other users and accounts within an enterprise, to carry out command-and-control communications, and other malicious activities.
According to Vectra, attackers are taking advantage of multiple useful capabilities available within Office 365, particularly Power Automate and eDiscovery, to orchestrate many of their malicious tasks — just as they did with PowerShell for Windows.
“Within the new work-from-home paradigm, user account takeover in Office 365 is the most effective way for an attacker to move laterally inside an organization’s network,” says Chris Morales, head of security analytics at Vectra. “And when there, attackers use the existing tools present to live off the land and avoid detection.”
Vectra’s study found signs of lateral movement on 96% of the Office 365 customer accounts sampled. Seventy-one percent of the accounts exhibited suspicious Power Automate activity, and 56% exhibited similarly suspicious behavior with regard to the Office 365 eDiscovery capability. Vectra discovered that in addition to lateral movement and command-and-control communications, attackers are using breached Office 365 accounts to steal data