Threat actors craft and send convincing emails that get users to disclose their application login credentials or download malicious files as attachments. These phishing emails are a significant vector through which ransomware attacks infiltrate a network.
An unsuspecting employee could reveal their login credentials when replying to an email in Outlook. Or, an employee could download an attachment that infects their local machine. Without sufficient controls in place, phishing emails can feasibly result in a damaging ransomware attack.
It’s common for a company to synchronise accounts from on-premises Active Directory to its Office 365 tenancy. As our Technical Director, Conor Scolard, explains: “These companies often synchronise their administrator accounts. They probably have the same administrator account on their internal domain and Office 365 or Azure.”
If an administrator gets phished, the attacker will gain admin access to your M365 or Azure instance, which means they can delete, exfiltrate or encrypt data and demand a ransom.
“In any ransomware, or even a DR event,” Conor explains, “the first system you bring online is authentication, the second is email. So if they take out your 365 and they take your internal servers or Azure servers, they've taken out both which–apart from everything else–means that you can’t even talk to your staff.”
“Make sure the backdoor accounts can’t be abused, and make sure you have the relevant alerting turned on for any admin-level functions. None of this is standard, out-of-the-box M365, but it is available within the product. It just requires the right setup.”
When one local machine gets infected by ransomware, it’s not good, but it’s not game over. The real headaches begin when ransomware infects many hosts through lateral movement, eventually leading to a complete business shutdown.
An attacker could compromise a single local workstation and upload a malicious file to SharePoint. If users interact with this file, perhaps as an attachment to an email or a link shared in Teams, more and more workstations are infected and ransomware begins to take hold. Not following the principle of least privilege adds fuel to the fire, with employees given access to SharePoint libraries they don't need.