Rise in Attacks and Losses Linked to Office 365 Misconfiguration

November 5, 2020 by ACA Compliance Group


Recent reports from the FBI’s Internet Crime Complaint Center (IC3) indicate a staggering rise in the rate of business email compromise (BEC), due to exploitation of Microsoft® Office 365® and other cloud-based email services. U.S. businesses have suffered over $2.1 Billion in losses from BEC scams from 2014-2019. Global losses in a similar time frame have amounted to over $26.2 Billion. Average losses were tallied at nearly $75,000 per complaint.

Business email compromises, also known as email account compromises, involve scams in which unauthorized electronic payments (e.g., wire payments, automatic clearing house (ACH) transfers) result from the compromise of legitimate business email accounts. These accounts are typically compromised via social engineering techniques (e.g., targeted phishing), and typically include exposure caused by misguided or default configuration of various settings in cloud-based email services.

ACA Aponix has seen a significant increase in the number and sophistication of attacks targeted at investment advisers in recent months, many resulting in multi-million-dollar losses. Very often these attacks have preyed on vulnerabilities created by weak or poorly implemented technical controls on cloud-based email solutions. Once inside the email system, attackers often monitor the victim’s email undetected for several weeks watching payment flows and validations to help craft a successful attack.

The FBI recommends increased vigilance to prevent BEC scams, including adjustment of cloud-based email settings, use of multi-factor authentication, and user education to prevent phishing and other social engineering efforts.

ACA Guidance

The staggering rise in business email compromise and the resulting damage correlates with the rise in cloud-based email services. From our experience, an Office 365 compromise is only a matter of time - if you haven’t locked it down.

While migration to or integration with the O365 platform is often performed well by IT providers, consultants, and other third-party technology partners, the fact that these individuals are not necessarily security experts is often overlooked. While they will get things running effectively for your company, they may also keep configuration settings in a state that can leave you exposed.

Often, IT professionals and executives don’t have affirmation of the security of their cloud-based email system. The risks are high and very real. One successful BEC or account takeover could result in significant misdirected funds, sensitive data loss, and/or reputational harm.

There are hundreds of configuration settings in O365, many that are key controls that are often overlooked. Areas like Azure AD, Exchange, OneDrive, SharePoint, Teams, and others are often configured with default settings, leaving staff and data exploitable. Knowing where you are exposed is the first step in defending against attackers. Additionally, as we approach the holiday season, we expect an increase in attacks through O365 given the susceptibility of targets this time of year.

How We Help

ACA Aponix offers an independent Microsoft® Office 365® security assessment. We can deliver a full health check of your O365 settings, with no active participation required from the firm, that will provide you with a report containing immediate and actionable guidance to fortify your O365 instance and help protect you from the rise of business email compromises.

If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.

Contact Us