Microsoft is under attack!

Also: The Cryptography Continues

Author

Disable User
May 11, 2023

Microsoft users are the target of the week, find out how to protect yourself.

Furthermore I’ve added part two in our exhilarating journey in the world of cryptography.

Oh brother..

Welcome to another edition of Disable User!

In this week's edition:
🔬 Phishing-as-a-Service tool targeting Microsoft 365 users
🔐 Cryptography part dos: Hashing algorithms and digital signatures
Disable User explains:
🔥 the quick and dirty

Reading time: 03:39

Phishing-as-a-Service tool targeting Microsoft 365 users

Let me start by apologizing for the clickbait title.
It’s not really Microsoft that’s under attack, it’s you.

If you’re using Microsoft 365 that is.

But since people rather read about Microsoft being under attack, than worry about their own..
I had to do something to get you lookie-loo’s attention.

New phishing-as-a-service tool “Greatness” already seen in the wild

So let’s start at the beginning. D’uh.

There’s a new Phishing-as-a-Service tool in town, called ‘Greatness’.

The tool offers phishing services specifically tailored to trick Microsoft 365 users.

Where it differs from other tools is the customization options for the hacker.

Phishing is old, and we have MFA to protect us.”

Sure, that is true. But this is made to perform a man-in-the-middle attack.

  • Unsuspecting victim receives a fake mail, with an attachment. A file with a HTML/JavaScript payload built in.

  • Victim clicks the link and sees an Office file (Word/Excel) loading. This redirects to a tailored login page. This page even includes the company’s logo.

  • When the user logs on, the information is siphoned to the real Microsoft page on the attackers server. This is done for MFA as well.

  • After a successful login from the user, including MFA, the attack can begin their way. Using the authentication cookie to log other Microsoft services.

So if MFA is “useless” in this scenario, what can you do?

  • The easy one: Implement Microsoft Defender for Office 365 - great anti-phishing and anti-spoofing tool if you’re on the Microsoft 365 platform. A clear no-brainer.

  • The harder one: Use anomaly based Intrusion Detection System - Technical, expensive, but very valuable. Good examples are Microsoft Cloud App Security and Azure/Microsoft Sentinel. Probably not for any organization though.

  • The hardest one : train your users - I say hardest, because this is a forever ongoing process. Raise awareness, create responsible users.

Look at me being clever, hehe.

Cryptography part dos: Hashing algorithms and digital signatures

Did you know?
These are all Security+ topics, so if you’re studying for the exam be sure to read up.

First off, honest question: am I the only one having a hard time typing the word ‘algorithm’?
Or is my limited IQ telling me not to use big-boy words?

Anyway..

Ready to dive into hashing algorithms and digital signatures?
I’ll explain how they help us keep our data secure and trustworthy!

Hashing Algorithms: Creating Unique Codes

Imagine you have a huge library of books, and you want to find a specific book quickly.
You could scan every shelf, but that would take a lot of time.
Instead, you assign each book a unique number. You find the section for that number and bam, there's your book!


This is like how hashing works.

In cybersecurity, hashing is used for secure password storage.
When you create an account on a website, your password is hashed and the hash code is stored, not the password itself.

When you log in, the password you enter is hashed again and the hash is compared to the stored hash.

If they match, you're in!

If a hacker steals the hash codes, they still don't have the passwords.
You can't derive the original input from the hash code.

  • Why we use them: To protect passwords, verify if data has changed, and creating digital signatures.

  • Popular hashing algorithms: MD5, SHA-1, and SHA-256

Meet the hashing all-stars:

  1. MD5: An older option, but not very safe now.

  2. SHA-1: Better than MD5, but still has some issues. People are using it less.

  3. SHA-256: A strong and modern choice! Part of the SHA-2 family and offers great security.

Digital Signatures: Proving who sent the data

A digital signature is a way to verify the authenticity and integrity of digital data, such as a document, message, or software.
It works like a handwritten signature, but for the digital world.

Digital signatures use cryptographic techniques, like public key cryptography and hashing, to ensure their security.

  • Why we use them: To ensure the authenticity and integrity of data, confirming that a document or message hasn't been tampered with and verifying the identity of the sender.

  • Popular Digital Signatures: DSA (Digital Signature Algorithm), RSA (Rivest–Shamir–Adleman), and ECDSA (Elliptic Curve Digital Signature Algorithm) cryptographic schemes.

Next week we’ll cover Digital Certificates and Certificate Authorities!

Plottwist: it ain’t.

Intrusion Prevention/Detection System (IDS/IPS)

Tools that are designed to detect the attempts to gain unauthorized access and prevent the attempts from becoming successful.

Where the Prevention and Detection differ, is that an IPS will prevent the attempt, and a IDS will just log it and - possibly - alert.

The quick and dirty