Australia’s Office 365 appetite providing “huge locus of attack”

Widespread adoption has piqued the interest of even non-technical cybercriminals

Australians have long been “disproportionately” targeted with global phishing email campaigns but recent months have seen dozens of campaigns personalised with convincing local impersonations, according to new figures tracking the changing phishing landscape.

Security analysts saw around 30 campaigns specifically targeting Australian interests in the last quarter alone, Proofpoint executive vice president of cybersecurity strategy Ryan Kalember told CSO Australia as the firm released a detailed review of campaign traffic that he said is “higher than most countries in the world with similar GDP”.

Australia is the top global region for DanaBot malware, which takes screenshots and steals sensitive personal and financial information, and is seeing ongoing compromise by the Emotet banking Trojan – which has recently awakened to threaten Australia after a hiatus.

Yet “if you look at the broader threat landscape it’s really about human vulnerabilities more than security tools,” Kalember said. “We do not see technical vulnerabilities.”

“The vast majority of cybercriminals aren’t writing their own malware or finding new exploits,” he continued. “It is quite easy to find someone who will run a Word Office macro for you, and that has led to Office 365 in particular being a huge locus of attack.”

Office 365 was proving a popular target because of its large-scale adoption in Australian government agencies and businesses like WA Health, mirroring a global trend that has seen the productivity suite running rings around its rivals.

Compromised accounts provide cybercriminals with a wealth of information about an individual’s contact network, organisational structure, and planned movements that can be exploited in a business email compromise (BEC) attack.

“By centralising on Office 365 we have made ourselves much more appealing targets for criminals,” Kalember said, noting that the platform’s broad reach, such as support for “ancient” mail protocols like IMAP and POP3, had provided ample vectors for attacker compromise.

“The problem is that too few organisations have taken a proper look at what risk the move to Office 365 entails, and taken steps to close it,” he said. “If we were to deploy those techniques and do them really well, we would force attackers to do something much harder.”

The ease of compromise had also been shaped by the availability of the Collections #1 through #5 password leaks, which gave cybercriminals an arsenal of nearly 2.2 billion credential sets to target in phishing campaigns and use to compromise Office 365 or other systems.
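The two risks Kalember describes above, legacy mail protocols as a sign-in vector and leaked credential sets replayed against a tenant, leave a visible trace in Office 365 sign-in logs. The script below is an added example (not from the article or Proofpoint) that reads a constructed sign-in export, flags legacy-protocol sign-ins, finds source IPs that tried many distinct accounts, and lists accounts where a legacy sign-in from such a source succeeded; the column names and the client-app labels are assumptions to adjust to a real tenant's export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of an Office 365 / Azure AD sign-in export.
# Column names are an assumption; adjust them to your tenant's export format.
SAMPLE_CSV = """user,ip,client_app,status
alice@example.com.au,203.0.113.10,Browser,Success
bob@example.com.au,198.51.100.7,IMAP4,Failure
carol@example.com.au,198.51.100.7,IMAP4,Failure
dave@example.com.au,198.51.100.7,POP3,Success
erin@example.com.au,203.0.113.11,Exchange ActiveSync,Success
bob@example.com.au,203.0.113.12,Browser,Success
"""

# Client apps that authenticate with a bare username and password, so a leaked
# credential pair is enough and no interactive MFA prompt is involved (assumed labels).
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}

def parse_signins(text):
    """Parse the CSV export into a list of dicts, one per sign-in attempt."""
    return list(csv.DictReader(io.StringIO(text)))

def legacy_signins(records):
    """Every sign-in over a legacy protocol, successful or not."""
    return [r for r in records if r["client_app"] in LEGACY_CLIENT_APPS]

def spraying_sources(records, min_accounts=3):
    """Source IPs that attempted at least min_accounts distinct accounts,
    the pattern left by replaying a leaked credential list against a tenant."""
    accounts = defaultdict(set)
    for r in records:
        accounts[r["ip"]].add(r["user"])
    return {ip: sorted(u) for ip, u in accounts.items() if len(u) >= min_accounts}

def likely_compromised(records, min_accounts=3):
    """Accounts where a legacy-protocol sign-in succeeded from a spraying source."""
    sources = spraying_sources(records, min_accounts)
    return sorted({r["user"] for r in legacy_signins(records)
                   if r["status"] == "Success" and r["ip"] in sources})

if __name__ == "__main__":
    recs = parse_signins(SAMPLE_CSV)
    print(len(legacy_signins(recs)), "legacy-protocol sign-ins")
    print("spraying sources:", spraying_sources(recs))
    print("likely compromised:", likely_compromised(recs))
```

On the sample data the single source 198.51.100.7 touches three accounts and its POP3 success against dave is the one that warrants a password reset and session revocation; the same three functions run unchanged over a full export.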

These were “grist for the mill” for cybercriminals targeting corporate victims – particularly in industries like construction and engineering, which Kalember said were being picked out “because supply chain attacks are so useful”.

“If you’re an engineering firm, you move tens of millions of dollars around without a thought. You have a complicated system of sensors in random places around the world where you are sending money to and from – and that is ideal for cybercriminals.”

Australia was also being particularly targeted by ‘stealer’ malware capable of grabbing credentials and passwords saved in browsers – “democratising access” to this information for cybercriminals whose motives are increasingly clear based on the organisational departments they target.