Varonis Incident Response: Stopping Microsoft 365 Direct Send Abuse 

Learn how Varonis Threat Labs uncovered a critical Microsoft 365 Direct Send exploit, and how organizations leveraged Varonis Incident Response to protect themselves from attack. 
Last updated August 20, 2025
Microsoft 365 Direct Send Attacks

Recently, Varonis Threat Labs uncovered an attack that used Microsoft 365’s Direct Send feature to phish sensitive information from the employees at more than 70 organizations. 

Microsoft 365 Direct Send is designed to let on-premises devices and applications, such as printers and scanners, send email to the tenant's own mailboxes by connecting to its MX endpoint without authenticating. Threat actors abused this feature to spoof internal senders and deliver phishing emails without ever needing to compromise an account: the message carries a From address in the tenant's own domain but is submitted from an external IP address. 

Varonis Threat Labs uncovered the exploit in June. Armed with that intelligence, the Varonis Incident Response team proactively searched for indications that customers had been affected and remediated the threats. 

In this article, we'll examine how the Varonis Incident Response team stopped the attackers behind the phishing campaign before a breach could occur at the customers it targeted. 

Notifying customers of high-risk activity 

In one example, Varonis’ Incident Response Team identified malicious Direct Send activity and escalated the incident to the customer. After receiving the escalation and working with the Varonis team, the customer confirmed the risk by reviewing other platforms in their security stack.  

After reviewing the activity, Varonis scanned the customer’s environment for additional messages originating from the associated IP range and began implementing org-wide measures to block Direct Send. 

In another instance, a customer similarly received escalated threat information from Varonis, leading to measures that protected their network and data. In this instance, the customer added the associated indicators of compromise to their security stack’s IP block list, added the email subject to their email security application’s dictionary, and added spoofing rules to their Exchange Online ruleset. 
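As an added example, not code from the Varonis article or from the customers it describes, the following Exchange Online PowerShell session shows how the measures in the two cases above can be carried out: scoping the incident by searching message trace for mail from the attacker's IP range, blocking that range, disabling Direct Send tenant-wide while giving legitimate devices an authenticated path, and adding a mail flow rule that rejects external mail claiming the tenant's own domain. The tenant domain, both IP ranges, and the connector and rule names are assumed values for illustration; the cmdlets and parameters are the standard ones from the ExchangeOnlineManagement module.

```powershell
# Added example, not code from the Varonis article. Assumed values:
# tenant domain contoso.com, attacker range 203.0.113.0/24 and printer
# subnet 192.0.2.0/24 (both RFC 5737 documentation ranges). Requires the
# ExchangeOnlineManagement module and an Exchange administrator role.

Connect-ExchangeOnline

$TenantDomain = 'contoso.com'       # hypothetical
$AttackerCidr = '203.0.113.0/24'    # IOC from the escalation; hypothetical
$PrinterCidr  = '192.0.2.0/24'      # your own unauthenticated senders; hypothetical

# Get-MessageTrace -FromIP only takes a single address, so filter a range client-side.
function ConvertTo-UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                       # network order -> little-endian
    [BitConverter]::ToUInt32($b, 0)
}
function Test-IpInCidr ([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

# 1. Scope: which messages did the attacker range deliver? Message trace holds
#    10 days; busy tenants need a -Page loop, and newer tenants may have to use
#    Get-MessageTraceV2 with the same filters.
$end   = Get-Date
$start = $end.AddDays(-10)
$hits  = Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 |
         Where-Object { $_.FromIP -match '^\d+\.\d+\.\d+\.\d+$' -and
                        (Test-IpInCidr $_.FromIP $AttackerCidr) }
$hits | Select-Object Received, FromIP, SenderAddress, RecipientAddress, Subject, Status |
        Export-Csv -NoTypeInformation directsend-hits.csv

# 2. Block the range at the EOP connection filter (the "IP block list" step).
Set-HostedConnectionFilterPolicy -Identity Default -IPBlockList @{Add = $AttackerCidr}

# 3. Reject Direct Send tenant-wide. Do this only after legitimate devices have
#    another path: mail that arrives through an inbound connector (IP-based relay)
#    or via SMTP AUTH client submission is not affected by the rejection.
New-InboundConnector -Name 'Printers and scanners relay' -ConnectorType OnPremises `
    -SenderDomains '*' -SenderIPAddresses $PrinterCidr -RestrictDomainsToIPAddresses $true
Get-OrganizationConfig | Select-Object RejectDirectSend    # $false means Direct Send is allowed
Set-OrganizationConfig -RejectDirectSend $true

# 4. Belt and braces: a mail flow rule that rejects external mail claiming the
#    tenant's own domain, the "spoofing rule" the second customer added. Start in
#    Audit mode, because third parties that legitimately send as your domain will
#    match until their SPF/DKIM alignment or an exception is in place.
New-TransportRule -Name "Reject spoofed $TenantDomain from outside" `
    -FromScope NotInOrganization -SenderDomainIs $TenantDomain `
    -ExceptIfSenderIpRanges $PrinterCidr `
    -RejectMessageReasonText "Unauthenticated mail claiming $TenantDomain is not accepted." `
    -Mode Audit
# After reviewing the audit hits:
# Set-TransportRule -Identity "Reject spoofed $TenantDomain from outside" -Mode Enforce
```

Run step 1 before step 3 and check the hit list for your own devices: a scanner that shows up as an unauthenticated sender from an unexpected range will start bouncing with a 5.7.68 rejection the moment RejectDirectSend is enabled, which is the usual cause of "the fix broke the printers" tickets after an incident like this.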

Leveraging Varonis' inbound escalation service 

In addition to the proactive measures that Varonis MDDR (Managed Data Detection and Response) takes on behalf of customers, customers can contact the MDDR team to investigate suspicious activity. In one example, the targeted customer confirmed that a suspicious email with an attachment had evaded their email security platform and reached eight users.  

The phishing emails appeared to have been sent from the user's own email account and included an attachment with a QR code. Because the link was encoded in an image rather than written as text or a hyperlink, the QR code obfuscated the attack vector and minimized the email security tool's ability to identify the malicious link.

In addition, the QR code significantly increased the likelihood that an employee would scan it with a personal phone and open the malicious link outside the organization's network, where its web filtering and endpoint controls cannot see the traffic.  

The customer used Varonis' inbound escalation service to request incident response services. Further investigation determined that the organization had been targeted with an email themed around a voicemail message, that the email had originated from outside the organization, and that its email authentication checks, such as SPF and DMARC, had failed. That is exactly the pattern Direct Send spoofing produces: the From address claims the tenant's own domain, but the message was submitted from an IP address that the domain's SPF record does not authorize, so SPF fails and DMARC cannot pass.

After reviewing the attack, Varonis Threat Labs identified it as likely an exploitation of the Direct Send feature. 


How Varonis stops attackers in their tracks 

The combination of the Varonis Threat Labs and the MDDR service ensures: 

  • Early warning on critical threats like Microsoft 365 Direct Send abuse 
  • 24x7x365 incident response and a 30-minute SLA on ransomware 
  • World-class breach support and forensics 

Want to learn how Varonis can help your organization? Take our free Data Risk Assessment to have access to the Varonis Platform and your own dedicated IR analyst.  
