ITButler e-Services


Insider Threats-Microsoft 365 Account Hijack and Darktrace’s Role in Prevention

Microsoft 365 account hijacking has become a growing concern: attackers use compromised accounts to run phishing campaigns from inside the organization. Cybercriminals increasingly impersonate trusted SaaS platforms to steal credentials, and once inside an organization they can operate undetected for hours or even days. Darktrace plays a crucial role in detecting and responding to such attacks: its Microsoft 365 account hijack detection monitors for unusual login behavior and phishing campaigns.

This blog explores Darktrace’s Microsoft 365 account hijack detection, the attack timeline, and how organizations can enhance security.

Growing Threat of Microsoft 365 Account Hijack

Attackers seize control of valid Microsoft 365 user accounts and then abuse the internal trust those accounts carry. The attack typically follows a step-by-step pattern.

1. Initial Compromise via Phishing

Cybercriminals craft deceptive emails that pretend to come from trusted SaaS products such as Microsoft Teams, QuickBooks, or OneDrive. The emails direct users to spoofed login pages that harvest their credentials.

2. Unauthorized Login

Once attackers hold the stolen credentials, they log in from locations outside the user’s usual regions. They browse mailbox content and shared files to identify valuable targets before launching further attacks.

3. Modifying Inbox Rules to Evade Detection

To hide their activity, attackers set up automatic forwarding rules, delete security alerts, and filter out messages from IT teams. These actions conceal the unauthorized access and delay detection for an extended period.

4. Internal Phishing Campaigns

Control of the compromised account lets the attacker send deceptive messages to both internal staff and external business partners. These emails succeed because they come from a familiar, trusted address.

5. Privilege Escalation & Data Exfiltration

Using access to multiple compromised accounts, the attackers then gain elevated system permissions and steal sensitive company data.
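Step 3 above (and Phase 2 in the case below) is one of the most reliable places to catch a hijack early: a newly created inbox rule that forwards externally, deletes messages, or hides security/IT mail is rarely legitimate. The following detector, added here as an illustration and not code from the original post or from Darktrace, scores inbox-rule records from the Microsoft 365 unified audit log. The record layout (Operation, UserId, ClientIP, Parameters as Name/Value pairs) follows the Exchange Online audit schema as I understand it, but the sample records, the placeholder tenant domain `example.com` and the keyword list are constructed assumptions.

```python
import json

ORG_DOMAIN = "example.com"  # placeholder tenant domain; any other domain counts as external
# Words in a rule condition that suggest the rule exists to hide security/IT notifications.
SUSPICIOUS_WORDS = ("security", "alert", "password", "it support", "helpdesk", "suspicious")
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
CONDITION_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "FromAddressContainsWords")
RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule")

def _params(record):
    """Flatten the audit record's Parameters array into a {Name: Value} dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def assess_rule(record):
    """Return the reasons an inbox-rule audit record looks malicious (empty list = benign)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = _params(record)
    reasons = []
    for name in FORWARD_PARAMS:  # external forwarding / redirection
        target = params.get(name, "")
        if target and not target.lower().endswith("@" + ORG_DOMAIN):
            reasons.append(f"{name} sends mail outside {ORG_DOMAIN}: {target}")
    if params.get("DeleteMessage", "").lower() == "true":  # silently deleting matches
        reasons.append("rule deletes matching messages")
    condition = " ".join(params.get(k, "") for k in CONDITION_PARAMS).lower()
    if any(word in condition for word in SUSPICIOUS_WORDS):  # hiding security/IT mail
        reasons.append(f"condition targets security/IT mail: {condition!r}")
    return reasons

def scan_audit_log(lines):
    """Parse one JSON audit record per line; return (user, client IP, reasons) for flagged rules."""
    findings = []
    for line in lines:
        record = json.loads(line)
        reasons = assess_rule(record)
        if reasons:
            findings.append((record.get("UserId"), record.get("ClientIP"), reasons))
    return findings

# Constructed sample records: two rules created by the hijacked account from a foreign IP,
# one harmless newsletter rule, and an unrelated login event that must be ignored.
SAMPLE_LOG = [
    '{"Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"drop@mail.invalid"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"clean"},{"Name":"SubjectContainsWords","Value":"security alert;password"},{"Name":"MoveToFolder","Value":"RSS Feeds"}]}',
    '{"Operation":"New-InboxRule","UserId":"bob@example.com","ClientIP":"198.51.100.4","Parameters":[{"Name":"Name","Value":"newsletters"},{"Name":"SubjectContainsWords","Value":"newsletter"},{"Name":"MoveToFolder","Value":"Reading"}]}',
    '{"Operation":"UserLoggedIn","UserId":"bob@example.com","ClientIP":"198.51.100.4"}',
]

if __name__ == "__main__":
    for user, ip, reasons in scan_audit_log(SAMPLE_LOG):
        print(user, ip, "; ".join(reasons))
```

In practice the records come from Search-UnifiedAuditLog or the Office 365 Management Activity API, and the client IP on a flagged rule is worth correlating with logins to other accounts, as in Phase 4 below.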

Darktrace’s Detection of a Microsoft 365 Account Hijack

Darktrace’s AI was monitoring a leading technology firm in the APAC region when one of its employees became the target of a Microsoft 365 account takeover. The attack unfolded over a weekend, when security teams were less likely to respond immediately.

Timeline of the Attack

1. Phase 1: Account Compromise

An employee unknowingly entered their credentials into a phishing page mimicking Microsoft OneDrive. Within hours, an attacker logged in from an unusual location and began suspicious activity.

2. Phase 2: Suspicious Inbox Modifications

The attacker quickly modified inbox rules, hiding incoming alerts and forwarding emails externally. Darktrace flagged this as an early sign of malicious activity.

3. Phase 3: Launching a Phishing Campaign

Over 200 phishing emails were sent from the compromised Microsoft 365 account to internal and external contacts. The emails included a OneDrive link titled “Contract & Proposal – Customer,” leading to another credential-harvesting page.

4. Phase 4: Secondary Account Compromise

Less than an hour later, Darktrace detected an unusual login to a second employee account from the same IP address, suggesting that a second compromise was underway.

Domain Monitoring

Keeping track of domain registrations to identify and mitigate phishing sites or domains that mimic the brand.