Microsoft Security Report Points to Basic Authentication as Root of BEC Attacks

Posted on by Tony Redmond

Phishing, Inbox Rules, And Forwarding

A June 14 report from Microsoft’s Threat Intelligence Center (MSTIC) highlights the issue of basic authentication once again, this time in the context of business email compromise (BEC) attacks. Essentially, successful phishing using email like an invoice request or missed voicemail results in the collection of user credentials. Attackers use the credentials to sign into mailboxes and create an inbox rule to forward copies of messages containing terms like invoice, payment, or statement to their system. Another inbox rule then cleans up the copies of the forwarded messages so that the mailbox owner doesn’t see them in their Sent Items folder. I have experience of such an attack in a company where I worked, where attackers used the technique to copy messages from the CFO’s mailbox and eventually attempt to send a BEC message to secure funds.

There’s no surprise in learning that phishing is an ongoing problem and an attack vector used by people wishing to gather confidential data like user credentials with the aim of achieving some illegal gain.

Basic Authentication Still in Place

The sad fact is that many Microsoft 365 tenants continue to allow people to use a combination of basic authentication with antiquated connection protocols like POP3 and IMAP4 to access Exchange Online mailboxes. Microsoft is doing its best to cajole organizations to turn off basic authentication for as many connection protocols as possible, and has offered hard evidence of why basic authentication is so bad. Moving to modern authentication (MFA) reduces the likelihood of success for a password spray attack. Better again, using multi-factor authentication blocks 99.9% of account compromise attacks. And adding conditional access policies to the mix improves things even more.

All of which makes it hard to understand when organizations continue along a dangerous path that only benefits hackers.

The MSTIC report explains how the attackers likely use POP3 or IMAP4 to test credentials (MFA stops this happening) before creating the rules in the mailbox. Microsoft recently clamped down on email forwarding by blocking the ability of users to configure forwarding unless allowed by the outbound spam filter policy. The report isn’t clear if any of the organizations where Microsoft found problems used the outbound spam filter policy to block forwarding, but notes that because of the clampdown, the threat of BEC campaigns using mail forwarding rules is significantly reduced.

Checklist for Tenant Administrators

The introduction of forwarding blocks in the outbound spam policy is a big step forward. However, it’s also true that users can argue the case for exceptions and build a case to be allowed forward some email outside the organization. With an eye on minimizing risk, what should tenant administrators do? Here’s a checklist:

The most important steps are:

  • Configure the outbound spam policy with restricted exceptions to suppress as much forwarding as possible.
  • Use MFA to protect all user accounts. Remember the point above that using MFA eliminates much of the vulnerability of user accounts to attack. You can use PowerShell to find and report on the MFA status of accounts.
  • If you haven’t already done so, configure Azure AD to use Security Defaults. Microsoft enables all new tenants with Security Defaults to make sure that basic steps like enabling MFA for administrator accounts is done. If your tenant is like mine and already uses conditional access policies, you won’t be able to enable Security Defaults (Figure 1), but that’s OK because you’re already well on the way to protecting the tenant. Azure AD evaluates conditional access policies after a successful sign-in, so they won’t stop an attacker penetrating. However, they can stop attackers accessing sensitive information from unmanaged devices or unknown locations. Conditional access policies require Azure AD premium licenses.

Enabling Azure AD Security Defaults basic authentication
Figure 1: Enabling Azure AD Security Defaults
  • Microsoft has upgraded the POP3 and IMAP4 protocols to support modern authentication. If people insist on using these protocols, get them to upgrade to a client which supports modern authentication.
  • Monitor what’s happening in the tenant. If you have Office 365 E5, you can use Microsoft Cloud App Security for Office 365. The point is that administrators should use whatever data and tools are available to check the tenant. Even a periodic browse through the Office 365 audit log can turn up unexplained or suspicious events which deserve investigation.

The MSTIC report points out that Microsoft Defender for Office 365 includes a standard alert policy to detect and report suspicious forwarding activity to tenant administrators. Another alert tells administrators when users create a rule to forward email (Figure 2). These alerts should be actioned whenever they happen.

An alert because a user creates an inbox rule to forward email
Figure 2: An alert because a user creates an inbox rule to forward email

Check Mailboxes

If you don’t have Microsoft Defender for Office 365, you can use PowerShell to scan for accounts configured with forwarding addresses or with inbox rules to forward email. The outbound spam policy blocks any attempt to forward email unless the user is listed as an exception in the policy. Even so, it’s good to know where forwarding in configured via mailbox settings or rules. Here’s some code to look for forwarding configured in mailboxes and to check inbox rules with forwarding actions.

$Mbx = (Get-ExoMailbox -RecipientTypeDetails UserMailbox, SharedMailbox -Properties ForwardingSmtpAddress -ResultSize Unlimited)
Write-Host $Mbx.Count "user and shared mailboxes found. Now checking..."
$NumberMbxWithRules = 0; $NumberForwards = 0
ForEach ($M in $Mbx) {
    Write-Host "Processing" $M.DisplayName
    $Rule = $Null
    If ($M.ForwardingSmtpAddress -ne $Null) { # Mailbox has a forwarding address
       $NumberForwards++
       Write-Host $M.DisplayName "is forwarding email to" $M.ForwardingSmtpAddress.Split(":")[1] } 
    $InboxRules = (Get-InboxRule -Mailbox $M.Alias | ? {$_.ForwardTo -or $_.ForwardAsAttachmentTo })
    If ($InboxRules -ne $Null) {
       Write-Host "Processing inbox rules"
       ForEach ($Rule in $InboxRules) {
          $Ex = $Null
          $ForwardTo = @()
          $ForwardTo = ($Rule.ForwardTo | ? { ($_ -Match "SMTP") -or ($_ -Match "EX:") } )
          $ForwardTo += ($Rule.ForwardAsAttachmentTo | ? {($_ -Match "SMTP") -or ($_ -Match "EX:")})
          If ($ForwardTo.Count -gt 0) {
             ForEach ($Recipient in $ForwardTo) {
                If ($Recipient -Match "EX:") {
                   # Recipient known in Exchange directory
                   $Ex = (Get-Recipient -Identity ($Recipient-Split "Ex:")[1].trim("]}")) 
                   $EmailAddress = $Ex.PrimarySmtpAddress }
                Else  {
                  # Simple SMTP address
                   $EmailAddress = ($Recipient -Split "SMTP:")[1].Trim("]") 
                   $Ex = (Get-Recipient -Identity $EmailAddress) }
             }
             Write-Host $M.RecipientTypeDetails $M.DisplayName "has a rule to forward email to" $EmailAddress -ForegroundColor Red
             # Remove the rule if the address is unknown to the directory
              If ($Ex -eq $Null) {
                 Remove-InboxRule -Identity $Rule.Identity -Confirm:$False
                 Write-Host "Rule" $Rule.Name "removed from mailbox!" }
              Else {
                 Write-Host "Destination is known to the tenant directory. Please remove" $Rule.Name "manually if necessary" }
             $NumberMbxWithRules++ }
       }
     }
}

Comment out the relevant lines if you don’t want to remove the inbox rules from user mailboxes. You can download the script  from GitHub and amend it to suit the needs of your organization.

A Long Road to Remove Basic Authentication

Microsoft announced their intention to remove basic authentication from Exchange Online connectivity protocols in September 2019. It’s taken a lot of effort so far to educate, convince, and move customers. The signs are that even more effort will be necessary to complete the transformation. If you’ve been hanging back, maybe now’s the time to consider jumping in to improve the security of your tenant. After all, you wouldn’t like to be the subject matter for the next MSTIC report.

Update (September 1): Microsoft is granting tenants the ability to get a three-month extension before retiring basic authentication. See this article for more detail. January 1, 2023 is the new drop-dead date.

Learn about protecting Exchange Online and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s importance and how best to protect your tenant.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.