Businesses and government offices in the Washington, DC and Baltimore regions are on the watch for a recent cyber-attack that broke into Microsoft Office 365 administrator accounts.

The number of incidents are reportedly relatively small but they have caused concern, given that company email includes “critical information,” cyber security specialists have said.

One of these attacks apparently related to Deloitte in New York. “We take any attack on our systems very seriously,” a Deloitte spokesman recently told SmartCEO. “We are confident that we know what information was targeted and what the hacker actually did. Very few clients were impacted, although we want to stress that even when one client is impacted, that is one client too many.  We have concluded that the attacker is no longer in Deloitte’s systems and haven’t seen any signs of any subsequent activities.”

Microsoft declined to comment.

The incidents, however have gotten the attention of cyber security specialists, especially since Office 365 is very popular among corporations.

Since May, there have been a “handful of organized attempts,” Matthew Green, a professor at Johns Hopkins Information Security Institute, confirmed to SmartCEO, adding that “it’s not a very big attack, and it’s begun to tail off this summer, but it’s big enough given that the value of compromising even one corporate administrator account can be huge. The really distinguishing feature of the attacks is that they’re targeted: this is not some hacker going around indiscriminately trying to send everyone malware.”

“These attacks don’t specifically target the Office 365 software, but instead try to find weak passwords on important administrator accounts that customers – companies — have set up,” Green said. “They may also use phishing. If an attacker can get in — usually after a few attempts — they can then gain access to a large amount of corporate email.”

Based on what he has heard, Deloitte was one of the companies that was attacked. “I understand data belonging to other clients, as well as the US government, may have been taken,” Green said. “Everyone is at risk if they’re not configuring their servers correctly and they host sensitive information, particularly US government information. I would suggest that many Maryland/DC/VA government contractors would be potential targets.”

But there are steps that businesses can take to mitigate risk of the attack. Green recommends:

  • Accounts be heavily protected with two-factor authentication and strong passwords.
  • There should be monitoring for unauthorized logins.
  • Corporate administrator accounts are secured.
  • Review access history to see if anyone has made unauthorized attempts to access the account.

But apparently some administrators are not taking appropriate precautions, Green said. “This is the equivalent of leaving the back door unlocked…. As far as I know, 365 can be set up to use strong multi-factor authentication, but may not have been in these cases,” he said. “So much critical information is stored in email servers unencrypted.”

Green added that these accounts effectively have the “keys to the kingdom” and when an attacker can compromise one, … [he/she] can do a lot of damage to a company.”

News about the attacks came earlier this month, when Skyhigh Networks, a cyber security specialist, announced it had detected “KnockKnock,” which it described as a “previously unknown botnet.”

“This campaign is a sophisticated cyber-attack on Office 365 Exchange Online email accounts, originating from 16 countries around the world and targeted organizations in manufacturing, financial services, healthcare, consumer products and US public sector,” Skyhigh said in a statement. “The attackers behind KnockKnock targeted automated corporate email accounts not tied to a human identity, which often lacked advanced security policies.”

“Unlike the brute force campaign on corporate Office 365 accounts Skyhigh had previously reported, KnockKnock is a new campaign based on a unique attack strategy of targeting administrative accounts commonly used to integrate corporate email systems with marketing and sales automation software,” the firm added. “Since these accounts are not linked to a human identity and require automated use, they are less likely to have protection with security policies such as multi-factor authentication (MFA) and recurring password reset.”

Here is how it works: It gains access to an enterprise Office 365 account, and “typically exfiltrates any data in the inbox, creates a new inbox rule and initiates a phishing attack from this controlled inbox in an attempt to propagate infection across the enterprise,” Skyhigh explained.

More generally, with cyber-attacked aimed at businesses, there are special precautions that should be taken by CEOs and those in the C-Suite. “There have been a number of incidents of CEO scams, where an attacker forges email to or from the CEO or other corporate officials. Some of these have successfully authorized funds transfers. Others could reveal sensitive corporate strategy,” Green said. “The C-Suite email is probably the most valuable from a strategic perspective, and would absolutely be a target.”