An Iran-backed hacking crew has been blamed for a new password spraying campaign aimed at Office 365 accounts.
Researchers with Microsoft say that the state-sponsored group, which Microsoft tracks as DEV-0343, has been behind a recent spate of attempts to guess passwords at more than 250 organizations. No malware is involved: the spraying tooling hammers the Autodiscover and ActiveSync endpoints of Office 365 (Exchange Online) with login attempts, which lets the attackers both enumerate valid accounts and guess weak passwords.
Once the password is discovered, Microsoft said the hackers look to gain access to things like shipping plans and satellite imagery. Thus far, indications are that the operation is part of an intellectual property theft campaign aimed at defense and fossil fuels interests.
“Targeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems,” Microsoft said of the attack.
“Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.”
While fewer than 20 of the targeted tenants have been compromised so far, Microsoft is asking companies to enable multi-factor authentication and, where possible, move to password-less sign-in methods such as fingerprint authentication. Because legacy protocols like ActiveSync accept a bare password and can sidestep MFA, Microsoft also advises making sure ActiveSync clients cannot bypass Conditional Access policies. Admins are further advised to block traffic from anonymizing services, as the actors route their repeated login attempts through Tor proxy IP addresses to disguise them.
According to Microsoft’s researchers, the attackers have been using automated tooling that mimics login attempts from Firefox and, in some cases, Chrome browsers, blasting commonly used passwords across many accounts in a pattern that mirrors the open-source o365spray enumeration and password-spraying research tool. Once a password is guessed, it is used to get at shared Office files.
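The pattern described above (one source IP, one or two attempts against each of many accounts, legacy Exchange endpoints, a browser-like User-Agent) is what a defender would hunt for in sign-in logs. The following is an added example written for this page, not code from Microsoft or SearchSecurity: it runs a simple sliding-window spray detector over constructed sign-in events. The JSON-lines field names (time, user, ip, client, ua, status), the client labels and the placeholder anonymizer list are assumptions for illustration; a real deployment would map them to its own sign-in log export and load a current Tor exit list.

```python
"""Added example: flag password-spray behaviour in sign-in events.

Log shape and field names are assumptions for this illustration, not a
real export format. All events below are constructed; IPs come from
documentation ranges.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:92.0) Gecko/20100101 Firefox/92.0"

# Constructed sample events (JSON lines).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    # One IP, one failed attempt each against six different accounts: a spray.
    *[{"time": f"2021-10-11T09:00:{5 + 7 * i:02d}Z", "user": f"user{i}@example.com",
       "ip": "198.51.100.7", "client": "Autodiscover", "ua": FIREFOX_UA,
       "status": "failure"} for i in range(6)],
    # One IP, repeated failures against a single account: brute force, not a spray.
    *[{"time": f"2021-10-11T09:01:{10 * i:02d}Z", "user": "carol@example.com",
       "ip": "203.0.113.9", "client": "Exchange ActiveSync", "ua": "Outlook-iOS/2.0",
       "status": "failure"} for i in range(4)],
    # Ordinary successful browser sign-in.
    {"time": "2021-10-11T09:05:00Z", "user": "dave@example.com", "ip": "192.0.2.20",
     "client": "Browser", "ua": FIREFOX_UA, "status": "success"},
])

# Assumption: how the log labels legacy Exchange protocols that take a bare password.
LEGACY_CLIENTS = {"Autodiscover", "Exchange ActiveSync"}

# Placeholder standing in for a Tor exit list; constructed, not real data.
CONSTRUCTED_ANONYMIZER_IPS = frozenset({"198.51.100.7"})


def parse_events(text):
    """Parse JSON-lines sign-in events into dicts with a datetime 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect_password_spray(events, min_distinct_users=5,
                          window=timedelta(minutes=30),
                          anonymizer_ips=CONSTRUCTED_ANONYMIZER_IPS):
    """Return {ip: summary} for source IPs whose failed sign-ins hit at least
    min_distinct_users distinct accounts within any span of length `window`.

    Many accounts with few attempts each is what separates a spray from a
    brute-force run against one account, which this deliberately ignores.
    """
    failures_by_ip = defaultdict(list)
    for event in events:
        if event.get("status") == "failure":
            failures_by_ip[event["ip"]].append(event)

    flagged = {}
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(fails)):
            # Advance `start` until every event in fails[start:end+1] lies within `window`.
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            users_in_window = {e["user"] for e in fails[start:end + 1]}
            if len(users_in_window) >= min_distinct_users:
                flagged[ip] = {
                    "distinct_users": len({e["user"] for e in fails}),
                    "attempts": len(fails),
                    "clients": sorted({e["client"] for e in fails}),
                    "legacy_auth": any(e["client"] in LEGACY_CLIENTS for e in fails),
                    "browser_like_ua": any(
                        "Firefox/" in e.get("ua", "") or "Chrome/" in e.get("ua", "")
                        for e in fails),
                    "from_anonymizer": ip in anonymizer_ips,
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_password_spray(parse_events(SAMPLE_LOG)).items():
        print(ip, json.dumps(summary))
```

The threshold and window are deliberately parameters: a tenant with single sign-on to many apps will tolerate a higher distinct-user count per IP than a small one, and a slow spray spread over days needs a longer window than the 30 minutes used here.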
The targeted files related to communications and shipping plans. While Microsoft stopped short of flatly blaming Iran’s government for the intrusions, it was not subtle in attributing the operation to hackers acting in Tehran’s interests.
“Microsoft assesses this targeting supports Iranian government tracking of adversary security services and maritime shipping in the Middle East to enhance their contingency plans,” Microsoft said. “Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program.”
This is not the first time Autodiscover and Exchange have been abused by attackers looking to harvest user credentials. Just last month, researchers disclosed a design flaw in Exchange Autodiscover that was leaking user credentials en masse.
SearchSecurity asked Microsoft if the current password spraying threat was connected to the Autodiscover vulnerability. The company had not responded at press time.