Occasionally I like to schedule a time to share the stories that come across our support desk so that, as a community, we understand what is out there.
Only by sharing and trying to be straightforward can we stay ahead of the tsunami of hacking that most of our networks face.
A Real-Life Hacking Scenario
A few weeks ago, we had a client call us regarding a suspected hack – a member of staff was hit by a convincing phishing scam and had managed to get through the pop-ups and warnings to get to the hacker's desired page.
This staff member came and said that they thought they had dropped the ball and put their password into a website and were worried.
Slight spoiler alert – the client had Multi-Factor Authentication (MFA) enabled, so no actual data was lost, but that wasn't the exciting feature of this hack or the evolution we saw.
As we investigated, we realised that once someone entered their details into the site, it checked whether the user was valid through the Office API. If the user had a valid account, it let them proceed. If they tried to test it with a dummy account, however, it checked and could come back and tell them that the version they were using had not been found – something that may lead the less IT-literate into thinking that the site was genuine.
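A live credential check like this, stopped by MFA, leaves a trace on the defender's side. The sketch below is an added example, not something from the incident or the client's tooling: it scans sign-in records for a password that was accepted but never followed by a completed sign-in from that address. It assumes Entra ID sign-in logs exported as JSON (Microsoft Graph signIn field names) and that the phishing site's check appears there from the site's own IP; the sample records are constructed.

```python
from collections import defaultdict

USER_NOT_FOUND = 50034                     # AADSTS: account not in the directory
MFA_INTERRUPTED = {50074, 50076, 500121}   # AADSTS: password accepted, MFA not satisfied

# Constructed sample data (documentation IP ranges, made-up users).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-01-08T08:55:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-01-08T09:01:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.50", "status": {"errorCode": 50074}},
    {"createdDateTime": "2024-01-08T09:02:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.50", "status": {"errorCode": 500121}},
    {"createdDateTime": "2024-01-08T09:05:00Z", "userPrincipalName": "test@example.com",
     "ipAddress": "203.0.113.50", "status": {"errorCode": USER_NOT_FOUND}},
    # Legitimate case: MFA prompt from a new location, then a completed sign-in.
    {"createdDateTime": "2024-01-08T10:00:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.7", "status": {"errorCode": 50074}},
    {"createdDateTime": "2024-01-08T10:01:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.7", "status": {"errorCode": 0}},
]

def find_validated_credentials(signins):
    """Flag (user, IP) pairs where the password passed but MFA was never completed."""
    succeeded = set()            # (user, ip) pairs with a fully successful sign-in
    probes = defaultdict(int)    # ip -> number of "user not found" attempts
    for ev in signins:
        key = (ev["userPrincipalName"].lower(), ev["ipAddress"])
        code = ev["status"]["errorCode"]
        if code == 0:
            succeeded.add(key)
        elif code == USER_NOT_FOUND:
            probes[ev["ipAddress"]] += 1
    alerts = {}
    for ev in sorted(signins, key=lambda e: e["createdDateTime"]):
        key = (ev["userPrincipalName"].lower(), ev["ipAddress"])
        code = ev["status"]["errorCode"]
        # Skip users who went on to finish MFA from this IP; keep the first hit only.
        if code in MFA_INTERRUPTED and key not in succeeded and key not in alerts:
            alerts[key] = {"user": key[0], "ip": key[1], "time": ev["createdDateTime"],
                           "dummy_account_probes": probes[key[1]]}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_validated_credentials(SAMPLE_SIGNINS):
        print(alert)
```

A hit means the password itself is known to someone else, so reset it even though MFA held.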
Hackers Are Getting Smarter
Something else was happening too. If you typed your details in once, it would, from that point on, direct you to the proper https://portal.office.com to try to hide the fact that it was a phishing site.
Ultimately, the most essential thing for sites like this is that they stay up long enough to collect a decent number of hacked accounts, and tactics like this can confuse people and allow the site to stay up for a significantly extended period.
I also find it interesting to see the gradual increase in evasive measures these hacks are taking. While you can easily see where things are heading, we need to recognise the additional ingenuity these hackers demonstrate in collecting user data to hack your data, files and email.
Preventing Hacks with Multi-Factor Authentication
It also rams home the message on MFA. For the longest time now, it has been clear that MFA is probably the most critical security measure you can implement in your company. At a recent Microsoft event, Microsoft reiterated that the previous idea of the company front door (or business premises) being the perimeter that needs securing is now more or less dead, or at least on life support. Now, the actual boundary needing protection is the user identity. Given that almost 100% of successful hacks were on user identities without MFA, not doing MFA is basically the cyber equivalent of getting the biggest, juiciest steak you can find, strapping it to your neck and dancing around the Serengeti!
The numbers don't lie. If you still need to implement MFA, it is more a matter of when you will be hacked than 'if', which is a scary prospect.