Office 365: APTs Use Office to Avoid Detection

Many threats are short-lived because vendors ship patches for the exploits behind them. Advanced Persistent Threats (APTs) are different: they are sustained campaigns run by well-resourced adversaries, and when one technique is patched the operators re-tool and find another way in. A recent trend this article focuses on is downgrading Office 365 E5 licenses to E3, which strips the targeted accounts of the E5-level security detection that would otherwise expose the intrusion.

The groups behind APTs are generally well organized and funded, and many have all the time they need to develop new tooling. Their goals include stealing data and deploying ransomware, and some target third-party vendors in supply chains because a foothold there pays off over the longer term.

Many organizations still aren't protecting mailboxes with multi-factor authentication (MFA). You should also require a PIN to open applications such as Outlook and Teams on mobile devices, so that a stolen or unlocked device doesn't hand an attacker your mailbox. Here, we'll look at this and some other measures you can use.

Let’s first take a look at Office 365 licenses and why going from E5 to E3 is helping attackers!

Office 365 Licenses

If you are new to Office 365, here is a quick rundown of the licensing. You can get many licenses for both business and personal use. E1, E3, and E5 are the enterprise-specific licenses for Office 365. Each has a range of features, but the E5 license has security tools that make it desirable for businesses.

The E5 license gives you a vast range of features, including identity management, threat protection, and information protection. With it you can monitor, detect, and manage threats against users whether they work from your on-premises network or from Office 365 online.

The E1 and E3 enterprise licenses lack most of those security features. This means that if attackers with enough privilege can downgrade an account from E5 to E3, E5's threat detection stops covering that account and their activity goes unobserved. Because the day-to-day applications look the same under E3, users are none the wiser, and the attackers can carry out a slow, sleeper-style attack over a long period.

[Illustration: Office 365 applications in a stylized start menu. Caption: Are these windows or tiles?]

Office 365 MailBox Security

Mailbox attacks don't stop at email. A compromised mailbox is used to reset passwords, phish colleagues, and escalate permissions until the attacker has full control over a system, which in turn exposes linked accounts, devices, networks, or even the business's supply chain. With E5 detection removed, no alert is raised, so the attack can continue until someone notices the license change.

Imagine an attacker downgrades one of your executives' Office 365 licenses from E5 to E3. The attackers then gain access to the executive's device and plant a backdoor for further access. Very soon, the whole organization is theirs, all from one weakness in security. You need to get your ducks in a row and follow a standardized security policy.

Let’s now take a look at possible security measures that can help reduce your risk to cybercriminals.

Security Zones and User Escalation Attacks

An APT that gains access to an end user's standard account will try to traverse security zones. Security zones use a traffic light system:

  • Red zones: for the general public and visitors; these aren't trusted.
  • Orange zones: for internal staff who may have an external connection; some trusted security policies apply.
  • Green zones: for administrators only; the most trusted zone, but also the most restrictive.

Air-gaps also help secure each security zone. Adequate firewalls and other security measures can also help.

Attackers coming from outside usually start with no knowledge of your infrastructure: no hardware names, no device capabilities, and no idea how to get from an ordinary user account to your most sensitive systems.

Once on a system, cybercriminals need time to scope out each zone and find the bridges between them. Some companies try to obfuscate servers, but that only buys time; it's a question of when, not if, they're found, so treat obfuscation as a delay rather than a defense.

The attack process for external attackers centers on elevating the privileges of the account they hold, which is how they gain full control of systems. Even the lowest-privileged user has the potential to become an administrator!

Targets include Exchange, Active Directory, SQL, or Oracle databases and even Office 365. I can keep going on this topic, but security is vitally important for every user in your organization. Don’t think targets are only executive or administrative users.

License Monitoring

After creating security zones, turn your attention to license monitoring. You need an established baseline before you can detect anomalies, which means keeping a list of which license each user should hold and periodically checking it against the live assignments.

Office 365 reports when an account is compromised or a potential compromise exists. You also need to audit and record everything global administrators do, because if an account with that level of access is compromised, you're in trouble: the attacker can do anything to any account in the organization, including changing licenses.
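As an added example (not the article's own code, and not a Microsoft tool), the Python script below does the two checks this section and the license-monitoring FAQ describe: it compares a signed-off license baseline against the current assignments and flags every user who lost a SKU, then attributes each loss to the admin who made the change in the audit log and checks that admin against an approved list. The users, the approved-admin list and the audit records are constructed for the example. The SKU part numbers ENTERPRISEPREMIUM (Office 365 E5) and ENTERPRISEPACK (Office 365 E3) are the real values; in a live tenant you would feed the script the output of `Get-MgUserLicenseDetail` and of `Search-UnifiedAuditLog -Operations "Change user license."` exported to JSON, and the exact audit field names may differ from the assumed ones used here.

```python
"""Flag Office 365 license downgrades against a baseline and attribute them.

Added example for this article; not TechGenix's or Microsoft's code.
All users, the approved-admin list and the audit records are constructed.
"""

# skuPartNumber strings Microsoft uses for Office 365 E5 and E3
E5_SKU = "ENTERPRISEPREMIUM"
E3_SKU = "ENTERPRISEPACK"

# Assumption: the admins allowed to change licenses live in a change-controlled list
APPROVED_LICENSING_ADMINS = {"licensing-admin@contoso.example"}

# Constructed baseline: the SKUs each user is *supposed* to hold
BASELINE = {
    "ceo@contoso.example": {E5_SKU},
    "cfo@contoso.example": {E5_SKU},
    "analyst@contoso.example": {E3_SKU},
}

# Constructed snapshot: one dict per user with the SkuPartNumber values
# you would get from Get-MgUserLicenseDetail
CURRENT_SNAPSHOT = [
    {"userPrincipalName": "ceo@contoso.example", "skus": [E3_SKU]},   # E5 -> E3
    {"userPrincipalName": "cfo@contoso.example", "skus": [E5_SKU]},
    {"userPrincipalName": "analyst@contoso.example", "skus": [E3_SKU]},
]

# Constructed audit records modelled on the unified audit log's
# "Change user license." operation. Field names (UserId = actor,
# ObjectId = target user) are an assumption about the export format.
AUDIT_LOG = [
    {"CreationTime": "2023-03-01T02:14:00", "Operation": "Change user license.",
     "UserId": "helpdesk-temp@contoso.example", "ObjectId": "ceo@contoso.example",
     "ResultStatus": "Success"},
    {"CreationTime": "2023-02-20T10:00:00", "Operation": "Change user license.",
     "UserId": "licensing-admin@contoso.example", "ObjectId": "analyst@contoso.example",
     "ResultStatus": "Success"},
]


def diff_licenses(baseline, snapshot):
    """Return [(upn, lost_skus, gained_skus)] for users who lost a baseline SKU.

    A baseline user missing from the snapshot entirely counts as having lost
    everything, so a deleted or renamed account is not silently ignored.
    """
    findings = []
    seen = set()
    for entry in snapshot:
        upn = entry["userPrincipalName"].lower()
        seen.add(upn)
        expected = baseline.get(upn, set())
        actual = set(entry["skus"])
        lost, gained = expected - actual, actual - expected
        if lost:
            findings.append((upn, lost, gained))
    for upn in sorted(baseline.keys() - seen):
        findings.append((upn, set(baseline[upn]), set()))
    return findings


def severity(lost):
    # Losing E5 silently removes the tenant's strongest detection for that user
    return "high" if E5_SKU in lost else "medium"


def license_change_actors(upn, audit_log):
    """Accounts that successfully changed this user's license, per the audit log."""
    return sorted({
        rec["UserId"].lower()
        for rec in audit_log
        if rec["Operation"] == "Change user license."
        and rec["ObjectId"].lower() == upn
        and rec["ResultStatus"] == "Success"
    })


def build_alerts(baseline, snapshot, audit_log, approved_admins):
    """Combine the diff with attribution: what changed, who did it, and
    whether that actor was allowed to change licenses at all."""
    approved = {a.lower() for a in approved_admins}
    alerts = []
    for upn, lost, gained in diff_licenses(baseline, snapshot):
        actors = license_change_actors(upn, audit_log)
        unapproved = [a for a in actors if a not in approved]
        if not actors:
            # A license change with no audit trail is itself suspicious
            unapproved = ["<no audit record>"]
        alerts.append({
            "user": upn,
            "lost": sorted(lost),
            "gained": sorted(gained),
            "severity": severity(lost),
            "actors": actors,
            "unapproved_actors": unapproved,
        })
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(BASELINE, CURRENT_SNAPSHOT, AUDIT_LOG, APPROVED_LICENSING_ADMINS):
        print(alert)
```

Run against the constructed data, the script raises one high-severity alert: the CEO went from E5 to E3, and the only account that touched that license is a help-desk account not on the approved list. A downgrade made by an unapproved account, or one with no audit record at all, should be treated as an incident rather than a licensing query; a downgrade made by an approved admin still needs a matching change ticket, because that admin's own account may be the one that was compromised.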

Multi-Factor Authentication

It’s difficult for some admins to implement multi-factor authentication. Users say they feel the company is invading their privacy. What users don’t understand is that an unprotected device means attackers can access their data. 

Get your users to comply, or block their personal devices from business use. This could mean issuing them a company-managed mobile phone or a hardware token. Having to carry a second device may make users think differently about enrolling their own.

[Illustration: how multi-factor authentication works. Three icons joined by plus signs: a phone labelled 'something you have', a hashed password labelled 'something you know', and a thumbprint with a checkmark labelled 'something you are'. Caption: The more authentication factors, the better.]

Final Thoughts

The more visibility you have, the better you can detect something suspicious. Monitoring, appropriate zoning, infrastructure obfuscation, and MFA can all help stop APT attacks. You can protect the business and the users. You also need to be aware of new exploits that may be a threat and apply patches as soon as they’re available.

MFA, strong passwords, device control, and pin access to applications are now a necessary norm. You may also want to disable USB ports depending on the security zone. This will help reduce internal attacks from social engineering.

The more you teach your users, the more they will learn. In the end, they will start asking questions instead of ignoring everything. Make sure you tell your users why they need to follow security policies and what they’re doing.



What are APTs?

Advanced Persistent Threats (APTs) are prolonged, targeted intrusion campaigns run by well-resourced adversaries who aim to stay inside a network undetected. They are not a single flaw: when the exploit an APT relies on is patched, its operators re-engineer their tooling or piggyback on a different exploit to keep their access.

What’s so good about MFAs?

Multi-factor authentication (MFA) checks that the user logging in to a service really is that user. The second factor can be a code sent to a registered mobile, a code generated by a hardware token assigned to the user's account, or another means. These systems aren't infallible, but they are difficult for cyberattackers to bypass.

What are security zones?

Security zones define what type of access a user has within a company's network. Administrators create them when designing the company's infrastructure and network. Security zones follow a traffic light system: a red zone gives visitors only superficial access and is treated as unsafe, orange zones are for internal staff, and green zones are for administrators, the most trusted of the three. Air-gaps and separate infrastructure can, for instance, keep red zone users from reaching orange and green zones.

How can I monitor my Office 365 licenses?

APT activity that relies on downgrading Office 365 E5 licenses to E3 can be caught by regular monitoring. Keep a list of each user's expected license and check whether the live assignment has changed. A change could be legitimate, for example after a promotion, so verify each difference against the user and the change record before raising an alarm.

How should I train users to protect them against cyberattacks?

Most users know little about cybersecurity. Start by giving them information on attacks: explain how they work and how users can stay safe. If you are introducing a new security policy, tell them why. If you ask someone to work a certain way without explanation, they'll seldom do it correctly.



TechGenix’s Azure Multi-Factor Authentication Article

Discover Azure’s MFA feature in this one-hour to better security article.

TechGenix’s Multi-Factor Authentication Interview Article

Read more about MFA in this interview with industry leader Darren Siegel here.

TechGenix’s Security Zones Article

Explore security zones in more detail in this article.

TechGenix’s Security Commandments Article

Learn what key security commandments to apply to your enterprise.

TechGenix’s DNS Best Practices Article

Find out how to protect your network with DNS best practices here.

TechGenix’s Office 365 License Monitoring Article

Read this review article on Office 365 license monitoring features.
