Iranian password spraying campaign hits Office 365 accounts

The Iran-backed DEV-0343 threat group has launched a password spraying offensive against Office 365 accounts in the defense, maritime and oil industries.

An Iran-backed hacking crew has been blamed for a new password spraying campaign aimed at Office 365 accounts.

Researchers with Microsoft say the state-sponsored group of hackers, identified as DEV-0343, have been behind a recent spate of attempts to guess the passwords of more than 250 companies. The malware preys on the Autodiscover and ActiveSync components of Office 365 to help the attackers enumerate and work out user passwords.

Once the password is discovered, Microsoft said, the hackers look to gain access to items like shipping plans and satellite imagery. Thus far, indications are that the operation is part of an intellectual property theft campaign aimed at defense and fossil fuels interests.

"Targeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems," Microsoft wrote in a blog post.

"Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East," according to the post.

While fewer than 20 Office 365 accounts have been compromised so far, Microsoft is asking companies to implement two-factor authentication and, if possible, move to passwordless sign-in methods like fingerprint authentication. Admins are also advised to block traffic from anonymizing services, as the actors use Tor proxy IP addresses to disguise their repeated login attempts.

According to Microsoft's researchers, the aggressors have been using automated tools to mimic login attempts from Firefox and Chrome browsers, blasting commonly used passwords obtained from the open source o365spray security research tool. Once guessed and listed, the passwords are used to get at shared Office files.
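For defenders, the pattern described above (a few guesses against each of many accounts, over Autodiscover and ActiveSync, from changing source addresses) can be searched for in sign-in logs. The sketch below is an added example, not code from Microsoft or from this article; the record fields, protocol labels, thresholds and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Protocols named in the article; these label strings are assumptions.
SPRAYED_APPS = {"Autodiscover", "ActiveSync"}

def find_spray_windows(events, window=timedelta(hours=1),
                       min_users=5, max_tries_per_user=3):
    """Flag windows where many accounts each fail only a few times.

    Failures are pooled across source IPs, since the article notes the
    actors hide behind Tor proxy addresses. Thresholds are illustrative.
    """
    buckets = defaultdict(lambda: defaultdict(list))
    for ev in events:
        if ev["result"] != "failure" or ev["app"] not in SPRAYED_APPS:
            continue
        ts = datetime.fromisoformat(ev["time"])
        start = datetime.min + (ts - datetime.min) // window * window
        buckets[start][ev["user"]].append(ev["ip"])
    findings = []
    for start, per_user in sorted(buckets.items()):
        # Keep accounts with few failures; a single noisy account is not a spray.
        slow = {u: ips for u, ips in per_user.items()
                if len(ips) <= max_tries_per_user}
        if len(slow) >= min_users:
            findings.append({
                "window_start": start.isoformat(),
                "users": len(slow),
                "source_ips": len({ip for ips in slow.values() for ip in ips}),
                "failures": sum(len(ips) for ips in slow.values()),
            })
    return findings

def sample_events():
    # Constructed data: six accounts, one failure each, rotating source IPs.
    spray = [{"time": f"2021-10-11T09:{i:02d}:00", "user": f"user{i}@example.com",
              "ip": f"203.0.113.{10 + i}", "result": "failure",
              "app": "Autodiscover" if i % 2 else "ActiveSync"} for i in range(6)]
    # Constructed data: one account failing repeatedly, which is not a spray.
    noisy = [{"time": f"2021-10-11T14:{i:02d}:00", "user": "alice@example.com",
              "ip": "198.51.100.7", "result": "failure", "app": "ActiveSync"}
             for i in range(8)]
    return spray + noisy

if __name__ == "__main__":
    for finding in find_spray_windows(sample_events()):
        print(finding)
```

Only the 09:00 window is reported: six accounts, six source addresses, one failure each. The single account that fails eight times in the 14:00 window looks like a lockout or a targeted guess rather than a spray and is left to other detections.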

The targeted files relate to communications and shipping plans. While Microsoft stopped short of blaming Iran's government for the hack, the company was not subtle in attributing the operation to hackers acting with Tehran's best interests at heart.

"Microsoft assesses this targeting supports Iranian government tracking of adversary security services and maritime shipping in the Middle East to enhance their contingency plans," Microsoft wrote. "Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program."

Iran-sponsored hackers have previously been blamed for everything from data theft to voter intimidation.

This is not the first time Autodiscover and Exchange have been targeted by hackers looking to harvest user credentials. Just last month, Microsoft disclosed a flaw in Exchange that enabled criminals to collect user credentials en masse.

SearchSecurity asked Microsoft if the current password spraying threat was connected to the Autodiscover vulnerability. The company had not responded as of press time.
