[TheRecord] Microsoft: Iran-linked hackers breached Office 365 customer accounts

Microsoft said today that a new Iran-linked hacking group has targeted more than 250 Office 365 tenants and compromised accounts for less than 20.

The attacks, which the company disclosed today in a security alert, have been carried out via password spraying, a technique where hackers try the same password over and over again—while rotating the username.

Image: OWASP

The Redmond-based software company said the attacks were carried out by a new group the company is now tracking as DEV-0343, but which they linked to Iran because of similarities in offensive techniques, targeting, and other patterns.

Microsoft said the group’s attacks, which are still ongoing, have “a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East.”

Targeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.


Microsoft’s security teams said the password spraying attacks are usually conducted from Tor IP addresses, mimic a Firefox browser user agent, and take place during Iran’s daytime timezones — namely, between Sunday and Thursday between 7:30 AM and 8:30 PM Iran Time (04:00:00 and 17:00:00 UTC).

When attacks hit, the hackers first enumerate active employee accounts within an organization and then move to the actual password spraying routine.

To enumerate accounts, hackers abuse two Exchange email server features (Autodiscover and ActiveSync), Microsoft said.

“On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization,” the OS maker explained.

Microsoft has released indicators of compromise and instructions for Office 365 tenants on how to find past attacks in their logs and determine what accounts were compromised.

“We encourage our customers to use this information to look for similar patterns in logs and network activity to identify areas for further investigation,” the company said today.

The post Microsoft: Iran-linked hackers breached Office 365 customer accounts appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[ZDNet] NSW Department of Education struck by cyber attack

All posts, ZDNet

The state department has taken its systems offline as a precaution as it readies for the start of Term 3 next week. Source: Read More (Latest topics for ZDNet in Security)

Read More

[ZDNet] Apple says it’s time to update your iPhone… again

All posts, ZDNet

iOS 14.6 is out, and there are a bunch of new features, as well as a lot of bug fixes. Source: Read More (Latest topics for ZDNet in Security)

Read More

[SecurityWeek] US Cryptocurrency Promoter Pleads Guilty to Advising NKorea

All posts, Security Week

A prominent American cryptocurrency promoter and former hacker has pleaded guilty to advising North Korea on using virtual money to avoid international controls, a New York court said Monday. read more Source: Read More (SecurityWeek RSS Feed)

Read More