This article is more than 1 year old

Two-factor auth totally locks down Office 365? You may want to check all your services...

A network's only as strong as its weakest link or worker

Hackers can potentially obtain access to Microsoft Office 365 emails and calendars even if multi-factor-authentication is in place, we were warned this week.

Cybercrooks are able to force their way into corporate Office 365 accounts, bypassing single sign-on or multi-factor authentication, by targeting older systems that aren't well protected, email security biz Proofpoint has argued.

The trick, we're told, is to target legacy services that use weak or known passwords, are not secured behind multi-factor-authentication, and, once commandeered, can be used to poke around inside a corporate structure. If you don't know a target's password, it could be phished via email or instant message.

This all may seem obvious, but apparently some people are being stung by it.

"The current wave of attacks mostly goes after Exchange Web Services and ActiveSync," said Ryan Kalember, Proofpoint's senior vice president of cybersecurity strategy, earlier this week. "A little real-time phishing gets mixed in, but is usually not necessary."

Real-world examples

For example, Proofpoint said it recently saw an attacker access the Office 365 account of the chief exec of a 15,000-user financial services and insurance firm. The hacker viewed the CEO's emails and calendar in order to sniff out an opportunity to run a sneaky scam.

Two beer glasses clash and splash frothy beer into the air. Cheers! Photo by Shutterstock

Office 365 celebrates National Beer Day by popping out for a pint


At the same time the chief exec was in scheduled meetings with suppliers, the intruder used the compromised account to send an email to the chief financial officer asking for funds to be shifted. The unnamed financial services firm lost $1m over the course of several transfers, it is claimed.

Compromised Office 365 accounts in a 75,000-user real-estate investment biz were used to run another scam. Five executives, including some regional general managers, had their accounts compromised. With access to their Office 365 email, attackers managed to change the ABA routing numbers for corporate funds. The company lost over $500,000 as a result, according to Proofpoint.

By the most remarkable of coincidences, the security shop has released something called Proofpoint Cloud Account Defense (CAD) to detect and proactively protect against compromised Microsoft Office 365 accounts. Kalember explained the need for additional layers of defenses.

"It's really hard for most orgs to cover all the interfaces to Exchange with MFA [multi-factor authentication]," Kalember told El Reg.

"Particularly with EWS [Exchange Web Services], you need to be 1) fully migrated to O365, 2) use Microsoft's own MFA, and 3) in Modern Authentication mode. The tech can't support native iOS/Android mail clients, etc."

In other words, you may think you're fully protected – but maybe you should double check, and increase defenses for all service interfaces, particularly concerning Exchange Web Services. Save yourself some pain in the future.

Cloud security guru Rich Lilly commented: “EWS [Exchange Web Services] is a legacy protocol using basic auth that can't be secured by MFA. [The] correct direction is move to a modern auth-capable client to plug the hole and block all basic auth.

Proofpoint's Kalember acknowledged that the method of attack is a well known but emphasised that what’s changing is that cybercriminals are making “extensive use of the vector at scale” in order to hack into email accounts, largely in furtherance of other scams. ®

More about

More about

More about


Send us news

Other stories you might like