
External penetration tests are a critical component, and often one of the first steps, of an organisation's defence strategy. These engagements typically focus on the infrastructure that an organisation controls or hosts. However, this leaves a blind spot within the security posture - services hosted by third parties, such as Microsoft's M365, which grant users access to company resources like SharePoint and Outlook.
Background
For over 10 years, many Microsoft products (including the M365 login function) have contained enumeration flaws which allow malicious actors to determine if an account is valid. The first step to any password attack against an organisation's userbase is to compile a list of targets, and tooling exists to automate this process. Microsoft has not indicated that they are going to address these user enumeration flaws.
Tooling also exists to automate the process of systematically attempting to log into each account in that list of targets.
The Budget Problem
This kind of threat is typically only tested during a simulated attack against the organisation (such as during a red team engagement), but these projects are covert, comprehensive, and usually last for weeks or months. A cost-effective way to address this initial access threat is to carry out a targeted credential attack against your organisation's M365 user accounts. A straightforward engagement will confirm whether any leaked credentials are still valid and whether any users utilise a weak password and can usually be carried out in one or two days.
The Password Problem
Would you consider the following password policy strong?
- at least 10 characters in length
- an upper case character
- a lower case character
- a digit
- a special character
Well, "Password1!" meets these guidelines and is occasionally all it takes for an initial compromise. You may think you are fine because you enforce multifactor authentication; however, there are several methods to defeat these controls. It's worth noting that users with weak passwords may be less security conscious in general and more likely to fall victim to a phishing attack designed to capture sensitive information such as an MFA token. A user may also reuse the same password on another service that does not enforce MFA. We have also found that some organisations have special shared accounts where MFA is not enforced for quality-of-life reasons.
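To make the point concrete, here is an added example (not part of the original post or of Fortis Cyber's tooling) that implements the complexity policy quoted above and shows that "Password1!" passes it, then adds the check a defender actually needs: a banned-word screen that normalises common character substitutions. The banned-word list and the company term "Examplecorp" are constructed for the demonstration.

```python
import re

# The complexity policy quoted above: 10+ characters, upper, lower, digit, special.
def meets_complexity_policy(pw: str) -> bool:
    return (
        len(pw) >= 10
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )

# Constructed, deliberately short banned-word list; a real deployment would use
# a breached-password or custom banned-password list instead.
BANNED_WORDS = {"password", "welcome", "summer", "winter", "qwerty"}

# Undo the substitutions users make to satisfy complexity rules ("P@ssw0rd1!").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s", "!": "i"})

def normalise(pw: str) -> str:
    return pw.lower().translate(LEET)

def contains_banned_word(pw: str, company_terms=()) -> bool:
    """True if the normalised password contains a banned or company-specific word."""
    base = normalise(pw)
    candidates = BANNED_WORDS | {normalise(t) for t in company_terms}
    return any(word and word in base for word in candidates)

def evaluate_password(pw: str, company_terms=()) -> dict:
    """Report whether the password passes complexity alone and with the banned-word check."""
    complexity_ok = meets_complexity_policy(pw)
    banned = contains_banned_word(pw, company_terms)
    return {
        "complexity_ok": complexity_ok,
        "banned_word": banned,
        "accepted": complexity_ok and not banned,
    }

if __name__ == "__main__":
    for candidate in ("Password1!", "P@ssw0rd1!", "Examplecorp2024!", "xk7#Rt9vLq2m"):
        print(candidate, evaluate_password(candidate, company_terms=("Examplecorp",)))
```

The first three candidates satisfy every complexity rule yet are rejected once the normalised banned-word check is applied; only the last is accepted.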
Contact Us
If you want peace of mind regarding this attack vector, contact us and we can tailor the engagement to your organisation's needs. We can perform a simulated credential attack and many other kinds of review to secure this gap. www.fortiscyber.co.uk